When molten steel is immersed in water it transforms into one of the world’s strongest materials. A resilient software supply chain is no different. Hardened steel requires combining alloys; a hardened software supply chain requires combining specialized tools “to examine both internally and externally sourced code” that reinforce, remediate, and strengthen the individual pieces of the whole supply chain.
Just as with steel, the process to create a resistant software supply chain requires intentional, precise steps. This happens not once, but continuously, for maximum effect; it makes the software supply chain more secure and, ultimately, more valuable.
Gartner’s recent report, Technology Insight for Software Composition Analysis, makes clear the importance of a resilient software supply chain with SCA tools. As the Gartner report explains:
Mitigate risk by hardening the software supply chain. This includes examination of both internally and externally sourced code (and supporting scripts, configuration files and other artifacts) and creation of an internal repository of trusted components. Govern the use of external repositories.
Development velocity is another consideration. As development timetables continue to speed up, so must the ability to review the provenance (code origins) and veracity (code integrity) of everything in the production pipeline.
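As an added illustration of the two controls just described (a governed internal repository as the only admitted source, and a provenance and veracity check on every component before it enters the pipeline), the following script is example code written for this page, not Sonatype's or Gartner's. The repository host name, the manifest format and the sample components are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse
# Assumed policy: components may only be served from the internal trusted repository (hypothetical host name).
APPROVED_REPOSITORIES = {"repo.internal.example"}

@dataclass
class Component:
    name: str
    version: str
    url: str
    pinned_sha256: str  # digest recorded when the component was admitted to the trusted repository

def parse_manifest(text):
    """Parse constructed manifest lines of the form: name version url sha256."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version, url, digest = line.split()
            comps.append(Component(name, version, url, digest.lower()))
    return comps

def evaluate(component, artifact_bytes, approved=APPROVED_REPOSITORIES):
    """Policy findings for one component: provenance (host, transport) and veracity (digest match)."""
    findings = []
    parsed = urlparse(component.url)
    if parsed.scheme != "https":
        findings.append("insecure-transport")
    if (parsed.hostname or "") not in approved:
        findings.append("untrusted-source")
    if hashlib.sha256(artifact_bytes).hexdigest() != component.pinned_sha256:
        findings.append("integrity-mismatch")
    return findings

def evaluate_manifest(text, fetched):
    """fetched maps component name -> bytes the pipeline actually retrieved; returns {name: findings}."""
    return {c.name: evaluate(c, fetched[c.name]) for c in parse_manifest(text)}

# Constructed sample data: a clean component, one whose served bytes differ from what was admitted, and one from an ungoverned mirror over plain HTTP.
HEXUTIL = b"def hexify(b):\n    return b.hex()\n"
ACME_ADMITTED = b"export function pad(s, n) { return s.padStart(n); }\n"
ACME_SERVED = ACME_ADMITTED + b"// extra code appended after admission\n"
WIDGETLIB = b"widgetlib placeholder contents\n"
SAMPLE_MANIFEST = f"""
hexutil 0.2.1 https://repo.internal.example/pypi/hexutil-0.2.1.tar.gz {hashlib.sha256(HEXUTIL).hexdigest()}
acme-utils 1.3.0 https://repo.internal.example/npm/acme-utils-1.3.0.tgz {hashlib.sha256(ACME_ADMITTED).hexdigest()}
widgetlib 4.0.1 http://mirror.example.net/npm/widgetlib-4.0.1.tgz {hashlib.sha256(WIDGETLIB).hexdigest()}
"""
FETCHED = {"hexutil": HEXUTIL, "acme-utils": ACME_SERVED, "widgetlib": WIDGETLIB}
```

Running `evaluate_manifest(SAMPLE_MANIFEST, FETCHED)` passes the clean component, flags the one whose served bytes no longer match the admitted digest, and flags the one fetched from an unapproved mirror over HTTP; a real pipeline would refuse to build on any non-empty finding.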
Benefits of a Hardened Software Supply Chain
As Gartner explains, a reinforced software supply chain is paramount to a successful software composition analysis (SCA) program. The best SCA tools, like the Sonatype Platform, “help ensure that the enterprise software supply chain includes only secure components and, therefore, supports secure application development and assembly.”
In short, a hardened software supply chain produces exemplary results.
Specifically, Gartner shares that a stronger, regulated software supply chain:
Software supply chain tools should draw from multiple, verifiable sources when evaluating open source components, to enhance the overall security of an application. Reports Gartner:
In evaluating (Read more…)