6 Architecting Supply Chain Security
This chapter covers
- Understanding how components of a Software Supply Chain interact with each other
- The challenges of scalable Software Supply Chain Security
- Learning a framework for developing a strong scalable foundation of Software Supply Chain Security
In the previous chapters, we’ve gone through the steps of the SDLC and provided concepts, methodologies and tooling to secure each of them. In this chapter, we will explore what it means to integrate these practices so that they work in concert, the challenges in doing so, and how to scale them across an organization.
6.1 The SSC Integrated Architecture
Software Supply Chain Security applies to the end-to-end flow of the SDLC, from the first keystrokes entered on a developer’s laptop to the lines of software executing on a server. This encompasses developer workstations, the productivity tools and services used to write and manage software, the development of the software itself, the building and packaging of that software, and finally the running of the software in production. Each step of the SDLC introduces its own risk of software supply chain compromise, and each step therefore needs its own set of security practices and controls to mitigate that risk.
In this chapter, we will use a simple example of a financial company. Let's say you work at Secure Bank, which runs a payment service written in Go and a client, written in Python, that interacts with that service. You've been tasked with making sure the entire system is secure. Let’s get started!