10 Policy and Insight

This chapter covers

  • Understanding how policy as code and governance as code enable consistent and scalable enforcement of supply chain security practices
  • Exploring the benefits and challenges of automating policy enforcement across the SDLC
  • Applying policy as code to secure ingestion, ensuring only approved and trusted dependencies are used
  • Enforcing best practices within the secure software factory through codified policies
  • Leveraging policy as code to ensure compliant deployments and runtime security
  • Discussing the tools and technologies available for implementing policy as code, such as Open Policy Agent (OPA) and SLSA
  • Tying together all the elements of software supply chain security discussed throughout the book using policy as code and automation

Throughout this book, we have explored various aspects of software supply chain security, from threat modeling and secure ingestion to building a secure software factory and leveraging software metadata. We have seen how each of these elements contributes to a comprehensive strategy for mitigating the risks associated with modern software development. However, implementing these practices consistently and at scale requires a unified approach that ties everything together. This is where policy as code and automation come into play.

10.1 What is Policy as Code and Governance as Code?

10.1.1 The Benefits of Policy as Code and Governance as Code

10.2 Challenges and Considerations in Adopting Policy as Code and Governance as Code

10.2.1 Complexity and Learning Curve

10.2.2 Policy Management and Versioning

10.2.3 Integration with Existing Tools and Processes

10.2.4 Policy and Governance Testing and Validation

10.3 Applying Policy as Code to the SDLC

10.3.1 Development Policies and Insights

10.3.2 Source Policies and Insights

10.3.3 Build Policies and Insights

10.3.4 Packaging Policies and Insights

10.3.5 Deployment Policies and Insights

10.3.6 Runtime Policies and Insights

10.4 Tying It All Together

10.4.1 Integrating the Supply Chain Knowledge Graph

10.4.2 One Policy, Multiple Enforcement Points

10.4.3 The Feedback Loop

10.5 Future Developments in Supply Chain Security

10.5.1 SDLC Control Plane

10.5.2 Securing the AI Supply Chain

10.5.3 Using AI to Secure the Software Supply Chain

10.5.4 A Final Few Words on People

10.6 Summary