9 Aggregation and Synthesis

In chapter 7, we introduced Aggregation and Synthesis as the third layer of the framework for scaling Software Supply Chain Security. In the previous chapter, we covered metadata and attestations, which provided the needed collection of documents to start understanding and making decisions on the SDLC, in this chapter we will go into how we can take the raw data and make sense out of it.

9.1 Metadata, check. What now?

Previously, we’ve seen a sampler of the different types of metadata and attestations that inch us closer to finally answering some questions about the software produced by our organization’s SDLC. Let’s start with a couple use cases and explore how we’d attempt to tackle today. These use cases fall into three main themes of security response, reactive (responding to an incident), preventive (checking for known threats), and proactive (identifying high risk areas for future investment).

9.1.1 Reactive: Log4shell, how is my organization affected?

9.1.2 Preventive: How do I prevent running of insecure software?

9.2 Let’s solve it!

9.2.1 What is Software Supply Chain Knowledge Graph

9.3 Getting started with your own Supply Chain knowledge graph

9.4 Starting with Aggregation

9.4.1 Example ingestion for organization with GUAC: Tearing down metadata silos

9.4.2 It’s impossible!?

9.4.3 Getting it done

9.5 Synthesizing the data

9.5.1 Responding to vulnerabilities and compromises

9.5.2 Knowing your supply chain

9.5.3 Finding the next big risk

9.6 Getting more out of your Software Supply Chain Knowledge graph

9.6.1 Getting as much data as possible (good quality data), getting more sources

9.6.2 Conflicts and Counterfactuals

9.7 Taking the next steps with your supply chain knowledge graph

9.8 Summary