Aqua Security Partners with Center for Internet Security to Introduce First Guide to Security in the Software Supply Chain; Chain-Bench is the first open source tool to validate the software supply chain to ensure compliance with these new CIS guidelines
Aqua Security, the leader in cloud native security, and the Center for Internet Security (CIS) today released the industry's first formal guidelines for software supply chain security. CIS is an independent, non-profit organization dedicated to creating more trust in the connected world. The CIS Software Supply Chain Security Guide, developed in collaboration between the two organizations, provides more than 100 essential recommendations that can be applied to a variety of commonly used technologies and platforms. In addition, Aqua Security introduced Chain-Bench, the first tool to audit the software supply chain to ensure compliance with the new guidelines.
Best practices for security in the software supply chain
Although threats to the software supply chain continue to increase, numerous studies show that security in development environments still needs improvement. The CIS's new guidelines establish general best practices that support important emerging standards such as Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). At the same time, the guidelines provide basic recommendations for defining and testing configurations on the platforms supported by the benchmarks.
Within the guide, the recommendations cover five categories of the software supply chain: source code, build pipelines, dependencies, artifacts, and deployment. The CIS intends to expand this guide to include more specific CIS benchmarks, creating consistent security recommendations across platforms. As with all CIS guidance, this guide will be published and reviewed worldwide. Feedback will then help ensure future platform-specific guidance is accurate and relevant.
Chain-Bench: Open source security tool
To help companies implement the CIS guidelines, Aqua Security has released the open source tool Chain-Bench. Chain-Bench scans the DevOps stack from source code to deployment and simplifies compliance with security regulations, standards and internal policies to ensure teams can consistently implement software security controls and best practices.
“Developing software at scale requires strong governance of the software supply chain, and strong governance in turn requires effective tools. This is where we saw an opportunity to add value,” says Eylam Milner, Director, Argon Technology, Aqua Security. “We wanted to use our expertise in software supply chain security to create an essential guide to one of the industry's most pressing challenges and to create a free, accessible tool to help other companies become compliant. But the work doesn't stop there. We will continue to work with CIS to refine this guide so organizations around the world can benefit from stronger security practices.”
CIS Security Guide
“With the release of the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to create a vibrant community interested in the development of future platform-specific benchmark standards,” said Phil White, Benchmarks Development Team Manager at CIS. “All subject matter experts working with the technologies and platforms that make up the software supply chain are encouraged to participate in the development of further benchmarks. Their expertise will be valuable in establishing key best practices that improve software supply chain security for all.”
More at Aquasec.com
About Aqua Security
Aqua Security is the largest pure cloud native security provider. Aqua gives its customers the freedom to innovate and accelerate their digital transformation. The Aqua platform provides prevention, detection, and response automation across the application lifecycle to secure the supply chain, cloud infrastructure, and ongoing workloads—regardless of where they are deployed.