What we have heard from customers:
Delivering business value through software requires that an organization can ship code to production consistently, reliably, and securely. This capability enables the software organization to meet the immediate needs of its customers. Whether this amounts to delivering software for the first time or reacting to a security vulnerability in a timely manner, consistency creates better customer outcomes.
Unfortunately, for many organizations the primary development focus is centered on product features alone. Delivery systems are very often an afterthought, usually implemented in an ad hoc fashion, and as a result they become a fragile component that stands between development teams and the customers seeking to derive value from their work. When properly implemented, a secure software supply chain closes this gap across the entirety of your software portfolio.
The term secure software supply chain refers to the full suite of software that moves your code from a developer’s laptop, through source control, and eventually onto production systems. This is not a one-way transaction. When implemented properly, this supply chain becomes a closed-loop system, whereby the same tools that drive code to production also help to address critical production events.
There are a few basic tenets to consider when implementing a secure software supply chain:
When most people think of software security, they often immediately consider how software performs in a production setting. However, the process for creating secure software begins long before your code is deployed.
There are 4 pillars for developing and deploying secure software:
Optionally, organizations may also choose to implement additional security features within their software supply chain. Code linters, open source license checks, automated vulnerability tests, and change management updates are all common tasks that may also be incorporated into a software supply chain.
Getting code into production is the most obvious goal for a software supply chain, but mature organizations implement it as a closed loop. Not only is this system used for new feature development and promotion to production, but it also allows operations teams to quickly identify and address vulnerabilities.