9 Aggregation and Synthesis
This chapter covers
- Understanding which important questions metadata should answer about your SDLC
- Learning how to answer those critical SDLC questions in a scalable way through a supply chain knowledge graph
- Exploring examples of insights one can get from a supply chain knowledge graph
In chapter 7, we introduced Aggregation and Synthesis as the third layer of the framework for scaling software supply chain security. In the previous chapter, we covered metadata and attestations, which provide the collection of documents needed to start understanding and making decisions about the SDLC. In this chapter, we will go into how to take that raw data and make sense of it.
9.1 Metadata, check. What now?
Previously, we’ve seen a sampler of the different types of metadata and attestations that inch us closer to finally answering some questions about the software produced by our organization’s SDLC. Let’s start with a couple of use cases and explore how we would attempt to tackle them today. These use cases fall into three main themes of security response: reactive (responding to an incident), preventive (checking for known threats), and proactive (identifying high-risk areas for future investment).
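To make the three themes concrete before the chapter develops them, here is an added example (not from the book or any real tooling) of a minimal in-memory supply chain knowledge graph. The artifact names, package identifiers, attestation types and deployment set are all constructed sample data; the class and method names are hypothetical. Each method answers one question from one theme: reactive (which deployed artifacts transitively contain a package that is now under incident), preventive (which artifacts are missing an attestation that policy requires before release), and proactive (which dependencies would have the largest blast radius if compromised).

```python
"""Toy supply chain knowledge graph built from constructed metadata records.

Added illustration only: the records below are made up, and the graph model is a
deliberately small stand-in for the aggregation layer discussed in this chapter.
"""
from collections import defaultdict

# Constructed "depends on" edges, as a real ingester would derive them from
# SBOM or provenance documents: (artifact_or_package, direct_dependency).
DEPENDS_ON = [
    ("svc-payments:1.4.2", "pkg:pypi/requests@2.31.0"),
    ("svc-payments:1.4.2", "pkg:pypi/urllib3@2.0.4"),
    ("svc-auth:3.0.1", "pkg:pypi/urllib3@2.0.4"),
    ("svc-auth:3.0.1", "pkg:pypi/pyjwt@2.8.0"),
    ("svc-reports:0.9.0", "pkg:pypi/requests@2.31.0"),
    ("pkg:pypi/requests@2.31.0", "pkg:pypi/urllib3@2.0.4"),
]

# Constructed attestation inventory: which attestation types exist per artifact.
ATTESTATIONS = {
    "svc-payments:1.4.2": {"slsa-provenance", "sbom", "vuln-scan"},
    "svc-auth:3.0.1": {"slsa-provenance", "sbom"},
    "svc-reports:0.9.0": {"sbom"},
}

# Constructed deployment inventory: artifacts currently running in production.
DEPLOYED = {"svc-payments:1.4.2", "svc-auth:3.0.1"}


class SupplyChainGraph:
    """Directed graph of artifacts/packages with attestation and deployment facts."""

    def __init__(self, edges, attestations, deployed):
        self.out = defaultdict(set)  # node -> direct dependencies
        self.inn = defaultdict(set)  # node -> direct dependents (reverse edges)
        for src, dst in edges:
            self.out[src].add(dst)
            self.inn[dst].add(src)
        self.attestations = attestations
        self.deployed = set(deployed)

    def dependents_of(self, node):
        """Every node that transitively depends on `node` (reverse reachability)."""
        seen, stack = set(), [node]
        while stack:
            cur = stack.pop()
            # .get avoids inserting keys into the defaultdict while traversing
            for parent in self.inn.get(cur, ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def deployed_affected_by(self, package):
        """Reactive: deployed artifacts that transitively include `package`."""
        return sorted(self.dependents_of(package) & self.deployed)

    def missing_attestations(self, required):
        """Preventive: artifacts lacking any attestation type in `required`."""
        required = set(required)
        return {
            artifact: sorted(required - have)
            for artifact, have in self.attestations.items()
            if required - have
        }

    def blast_radius(self, top=3):
        """Proactive: dependencies ranked by how many deployed artifacts rely on them."""
        deps = set(self.inn)  # anything that something depends on
        scored = [(len(self.dependents_of(d) & self.deployed), d) for d in deps]
        scored.sort(key=lambda t: (-t[0], t[1]))  # highest fan-in first, then name
        return scored[:top]


# One graph over the constructed records, queried below and in the tests.
GRAPH = SupplyChainGraph(DEPENDS_ON, ATTESTATIONS, DEPLOYED)

if __name__ == "__main__":
    print("Reactive  :", GRAPH.deployed_affected_by("pkg:pypi/urllib3@2.0.4"))
    print("Preventive:", GRAPH.missing_attestations({"slsa-provenance", "sbom", "vuln-scan"}))
    print("Proactive :", GRAPH.blast_radius())
```

The point of the example is the shape of the queries, not the data structure: each theme is answered by a graph traversal over facts that were already sitting in separate documents (SBOMs, provenance, deployment inventory), which is why joining them into one graph is what makes the questions answerable at scale. Note that the reactive query catches svc-auth through the transitive edge via requests, which a flat per-artifact SBOM lookup for the direct dependency would miss.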