6 Architecting Supply Chain Security

 

This chapter covers

  • Understanding how components of a Software Supply Chain interact with each other
  • The challenges of scalable Software Supply Chain Security
  • Learning a framework for developing a strong scalable foundation of Software Supply Chain Security

In the previous chapters, we’ve gone through steps of the SDLC and provided concepts, methodologies and tooling to secure them. In this chapter, we will explore what it means to integrate these practices in concert, the challenges in doing so and how to scale them.

6.1 The SSC Integrated Architecture

Software Supply Chain Security applies to the end to end flow of the SDLC, from the keystrokes first entered into a developer’s laptop to the lines of software being executed on a server. This encompasses developer workstations, the productivity tools and services used in both writing and managing software, the development of software, building and packaging of software, and to the eventual running of the software. Each step of the SDLC brings about risk of software supply chain compromise, and with each, a set of security practices and controls to mitigate them.

In this chapter, we will use a simple example of a financial company. Let's say you work at Secure Bank, that runs a payment service written in golang that requires a client to interact with it written in Python. You've been tasked with making sure the entire system is secure. Let’s get started!

6.1.1 Software Development starts with Developers

6.1.2 How do we know what’s written hasn’t been tampered?

6.1.3 We’re secure, but what about the rest of the world we’re relying on?

6.1.4 How do I know what’s produced

6.1.5 What am I running?

6.1.6 Exercise: matching components of the Secure Software Supply Chain architecture

6.2 Applying these practices to your organization

6.2.1 Endpoints

6.2.2 Securing Endpoints

6.2.3 Development

6.2.4 Securing Development

6.2.5 A tangent: a mixed bag, overlap and unclear boundaries

6.2.6 Ingestion

6.2.7 Securing Ingestion

6.2.8 Software Factory

6.2.9 Securing the Software Factory

6.2.10 Addressing Software Authorization

6.2.11 Exercise

6.3 Putting it all together

6.3.1 Framework for scaling Software Supply Chain Security

6.4 Summary