The Muggles Guide to Software Supply Chain Security

Software supply chain security is rapidly gaining attention, thanks to major vulnerabilities like dependency confusion, as well as software supply chain attacks against critical and pervasively used tools like SolarWinds and Codecov. Open source software in particular has borne the brunt of these attacks, forcing the industry to step up its efforts to secure the software supply chain.

In this series of blog posts, I cover software supply chain security - what it is, how it differs from the traditional software development life cycle, and the various industry efforts to improve the trust and integrity of the software supply chain.

Software Supply Chain Threats and Vulnerabilities
A brief on the software supply chain, and its associated threats and vulnerabilities.
So, The Software Supply Chain is Broken. How Do We Fix It?
The software supply chain is broken, resulting in a spate of recent vulnerabilities and attacks. This post discusses a logical model to improve trust and transparency in supply chain security.
15 Things I Learnt from Google on Shifting Left in Security
Google’s white paper on shifting left in security offers high-signal insights that you can adopt today.
What is Sigstore?
A brief on Sigstore - a new approach for signing, verifying and protecting software.
Sign Software Artifacts with Sigstore Cosign
A step-by-step guide on signing code and software artifacts with Sigstore Cosign.
Immutable Transparency Logs with Sigstore Rekor
A step-by-step guide on creating an immutable ledger and storing transparency logs with Sigstore Rekor.
What is SBOM?
A brief on software bill of materials, or SBOM, and why it is important to software supply chain security.
Generate SBOMs for Container Images using Syft
A brief on generating SBOMs (software bill of materials) for container images using Syft.
Security Scorecards for Open Source Software
A brief on security scorecards for open source software.