9 Aggregation and Synthesis


This chapter covers

  • Understanding the important questions that metadata should answer about your SDLC
  • Learning how to answer those critical SDLC questions in a scalable way through a supply chain knowledge graph
  • Exploring examples of insights one can get from a supply chain knowledge graph

In chapter 7, we introduced Aggregation and Synthesis as the third layer of the framework for scaling Software Supply Chain Security. In the previous chapter, we covered metadata and attestations, which provide the collection of documents needed to start understanding and making decisions about the SDLC. In this chapter, we go into how to take that raw data and make sense of it.

9.1 Metadata, check. What now?

Previously, we saw a sampler of the different types of metadata and attestations that inch us closer to finally answering some questions about the software produced by our organization’s SDLC. Let’s start with a couple of use cases and explore how we would attempt to tackle them today. These use cases fall into three main themes of security response: reactive (responding to an incident), preventive (checking for known threats), and proactive (identifying high-risk areas for future investment).

9.1.1 Reactive: Log4shell, how is my organization affected?

9.1.2 Preventive: How do I prevent insecure software from running?

9.2 Let’s solve it!

9.2.1 What is a Software Supply Chain Knowledge Graph?

9.3 Getting started with your own Supply Chain knowledge graph

9.4 Starting with Aggregation

9.4.1 Example ingestion for an organization with GUAC: Tearing down metadata silos

9.4.2 It’s impossible!?

9.4.3 Getting it done

9.5 Synthesizing the data

9.5.1 Responding to vulnerabilities and compromises

9.5.2 Knowing your supply chain

9.5.3 Finding the next big risk

9.6 Getting more out of your Software Supply Chain Knowledge graph

9.6.1 Getting as much good-quality data as possible, and getting more sources

9.6.2 Conflicts and Counterfactuals

9.7 Taking the next steps with your supply chain knowledge graph

9.8 Summary