The Muggles Guide to Software Supply Chain Security

The muggles guide to software supply chain security, a short compendium.

Software supply chain security is rapidly gaining attention, thanks to major vulnerabilities like dependency confusion, as well as software supply chain attacks against critical and pervasively used tools like SolarWinds and Codecov. In particular, open source software has faced the brunt of the attackers, forcing the industry to increase efforts in securing the software supply chain.

In this series of blog posts, I cover software supply chain security - what it is, how it is different from the traditional software development life cycle, and various industry efforts to improve trust and integrity of the software supply chain.

15 Things I Learnt from Google on Shifting Left in Security
Google’s white paper on shifting left in security offers high-signal insights that you can adopt today.
What is Sigstore?
A brief on sigstore - a new approach for signing, verifying and protecting software.
Sign Software Artifacts with Sigstore Cosign
A step-by-step guide on signing code and software artifacts with Sigstore Cosign.
Immutable Transparency Logs with Sigstore Rekor
A step-by-step guide on creating an immutable ledger and storing transparency logs with Sigstore Rekor.
What is SBOM?
A brief on software bill of materials, or SBOM, and why it is important to software supply chain security.
Generate SBOMs for Container Images using Syft
A brief on generating SBOMs (software bill of materials) for container images using Syft.
Security Scorecards for Open Source Software
A brief on security scorecards for open source software.

Subscribe to alphasec

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.