Software supply chain security is receiving a great deal of attention. In particular, here is a quote from a recent presidential Executive Order on improving the nation's cybersecurity (Executive Order 14028, May 2021):
“The Federal Government must … advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including … Platform as a Service (PaaS)…”
Software supply chain security is a critical aspect of modern software development, and the emphasis on mitigating supply chain risk keeps growing. This article explains why software supply chain security matters and how open source tools such as Kubernetes and Cloud Foundry can strengthen security across the supply chain.
Here’s what we’ll cover:
- Non-Technical and Technical Aspects of a Trusted Software System
- Building a Secure Software Platform
- Open Source Tools for Software Supply Chain Security
Non-Technical and Technical Aspects of a Trusted Software System
Building a truly trusted software system has two parts: a non-technical one and a technical one.
The non-technical part involves having individuals or teams focused on software supply chain security and audit compliance. Internal company policies that act as an internal regulatory system and set standards for developers are a must, as are efforts to enforce compliance with security best practices. While this works for large organizations, small software engineering teams and startups rarely have the bandwidth, budget, or culture to make it a reality.
The technical part consists of developer tools that are open source, strictly governed, and able to automate secure builds and deployments. Engineering teams need to define robust security practices and then apply them without unduly disrupting the developer workflow. This is a founding principle of the DevSecOps efforts within the larger community of software development professionals.
Building a Secure Software Platform
The ideal technology stack for building a secure software platform should:
- Comprise open source components
- Provide automated builds
- Reduce reliance on individual developers for security-sensitive steps
- Allow security operators to extend control
- Be actively supported by the community
Our focus is a robust stack that sits above the compute layer and runs applications. The stack consists of fully customizable open source components that put reliability and security first.
Application source code is the single source of truth when working with this stack: it is the start of the whole software supply chain. Git is a popular version control system that is free and open source. With git, developers work from a source code management system from which every downstream step of the pipeline is triggered. For the rest of the chain to be trustworthy, those downstream steps should build from a specific commit rather than a moving branch name, so that what was reviewed is what gets built.
Open Source Tools for Software Supply Chain Security
Kubernetes is a container orchestration tool and serves as an abstraction over the infrastructure and compute that power the system from underneath. Kubernetes is an open source project belonging to the Cloud Native Computing Foundation (CNCF). It has gathered one of the largest communities of any open source project, often cited as second only to Linux itself in contributor count. Kubernetes provides a uniform layer above the infrastructure, which simplifies everything built on top of it.
Cloud Foundry is an open source PaaS. Kubernetes adds complexity that is overhead for the developers who work with the platform. Cloud Foundry hides that complexity, simplifying the developer experience and greatly easing the pain points commonly associated with Kubernetes adoption. The Cloud Foundry platform does the job of deploying all the applications to the Kubernetes infrastructure: the cf push command builds a container image from the application source code and deploys it.
When building the container images that run inside Kubernetes, Cloud Foundry uses Paketo Buildpacks internally. Paketo Buildpacks are an implementation of the Cloud Native Buildpacks specification. The aim is to provide a unified means of generating OCI-compatible container images for all languages and frameworks commonly used to build applications. Paketo Buildpacks are also open source and fully customizable according to the needs of software development teams. Because the buildpack, not the developer, chooses the base image and language runtime that end up in the image, a platform team controls those choices centrally, and the metadata that the buildpack lifecycle records on each image makes it possible to verify afterwards what went into it.
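As an added example (not code from this article, from Cloud Foundry, or from the Paketo project), here is a small policy check a security operator could run against an image produced by cf push. It reads the two labels that the Cloud Native Buildpacks lifecycle writes on every image it builds and checks that only allowlisted buildpacks contributed to the image and that the run image is pinned by digest rather than by a mutable tag. The label names are the real ones; the JSON field names follow the Cloud Native Buildpacks platform specification as assumed here, and the allowlist, buildpack versions, digests and sample labels are constructed for the example.

```python
"""Policy check over the metadata a Cloud Native Buildpacks lifecycle writes on an image.

Added example; not code from Cloud Foundry or Paketo. Assumes the label JSON has a
`buildpacks` list with `id`/`version` under io.buildpacks.build.metadata and a
`runImage.reference` string under io.buildpacks.lifecycle.metadata.
"""
import json

BUILD_METADATA_LABEL = "io.buildpacks.build.metadata"
LIFECYCLE_METADATA_LABEL = "io.buildpacks.lifecycle.metadata"

# Policy for this example (an assumption, not a Paketo default): only these buildpack
# IDs may contribute to an image, and the run image must come from this repository
# and be referenced by digest.
ALLOWED_BUILDPACK_IDS = {
    "paketo-buildpacks/ca-certificates",
    "paketo-buildpacks/bellsoft-liberica",
    "paketo-buildpacks/executable-jar",
}
ALLOWED_RUN_IMAGE_REPO = "index.docker.io/paketobuildpacks/run-jammy-base"


def labels_from_docker_inspect(inspect_output: str) -> dict:
    """Extract the label map from `docker inspect <image>` output (a JSON array)."""
    entries = json.loads(inspect_output)
    if not entries:
        return {}
    return entries[0].get("Config", {}).get("Labels") or {}


def check_image_labels(labels: dict) -> list[str]:
    """Return policy violations for an image's labels; an empty list means it passes."""
    violations = []
    build = json.loads(labels.get(BUILD_METADATA_LABEL, "{}"))
    lifecycle = json.loads(labels.get(LIFECYCLE_METADATA_LABEL, "{}"))

    buildpacks = build.get("buildpacks", [])
    if not buildpacks:
        violations.append("no buildpack metadata: image was not produced by a CNB lifecycle")
    for bp in buildpacks:
        bp_id = bp.get("id", "<unknown>")
        if bp_id not in ALLOWED_BUILDPACK_IDS:
            violations.append(f"buildpack {bp_id}@{bp.get('version', '?')} is not on the allowlist")

    # A digest reference looks like repo@sha256:<64 hex chars>; a tag is mutable.
    run_ref = lifecycle.get("runImage", {}).get("reference", "")
    repo, sep, digest = run_ref.partition("@sha256:")
    if not sep or len(digest) != 64:
        violations.append(f"run image {run_ref!r} is not pinned by digest")
    elif repo != ALLOWED_RUN_IMAGE_REPO:
        violations.append(f"run image repository {repo!r} is not approved")
    return violations


# Constructed sample labels shaped like the lifecycle's output; versions and digests are made up.
_ALLOWED_BUILDPACKS = [
    {"id": "paketo-buildpacks/ca-certificates", "version": "3.6.3"},
    {"id": "paketo-buildpacks/bellsoft-liberica", "version": "10.4.0"},
    {"id": "paketo-buildpacks/executable-jar", "version": "6.7.4"},
]
GOOD_LABELS = {
    BUILD_METADATA_LABEL: json.dumps({"buildpacks": _ALLOWED_BUILDPACKS}),
    LIFECYCLE_METADATA_LABEL: json.dumps(
        {"runImage": {"reference": f"{ALLOWED_RUN_IMAGE_REPO}@sha256:{'ab' * 32}"}}
    ),
}
# Unapproved buildpack (hypothetical ID) and a run image referenced by tag.
BAD_LABELS = {
    BUILD_METADATA_LABEL: json.dumps(
        {"buildpacks": [_ALLOWED_BUILDPACKS[0], {"id": "example/curl-downloader", "version": "0.1.0"}]}
    ),
    LIFECYCLE_METADATA_LABEL: json.dumps(
        {"runImage": {"reference": f"{ALLOWED_RUN_IMAGE_REPO}:latest"}}
    ),
}
# Digest-pinned, but from a repository the policy does not allow.
WRONG_REPO_LABELS = {
    BUILD_METADATA_LABEL: json.dumps({"buildpacks": _ALLOWED_BUILDPACKS}),
    LIFECYCLE_METADATA_LABEL: json.dumps(
        {"runImage": {"reference": f"docker.io/library/ubuntu@sha256:{'cd' * 32}"}}
    ),
}
# What `docker inspect myapp` would print for the good image (constructed).
DOCKER_INSPECT_SAMPLE = json.dumps([{"Id": "sha256:" + "00" * 32, "Config": {"Labels": GOOD_LABELS}}])


if __name__ == "__main__":
    # Real usage: `docker inspect myapp | python3 check_image.py`; with nothing piped in,
    # the constructed samples are checked instead.
    import sys

    if not sys.stdin.isatty():
        samples = {"stdin": labels_from_docker_inspect(sys.stdin.read())}
    else:
        samples = {"good": GOOD_LABELS, "bad": BAD_LABELS, "wrong-repo": WRONG_REPO_LABELS}
    for name, labels in samples.items():
        problems = check_image_labels(labels)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

The same check can be wired into whatever gate sits between the build and the Kubernetes deployment, so that an image passes only if every buildpack that touched it is one the platform team chose and its base layers are exactly the ones they approved.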
Together, this platform, built on open tools, actively supported by the community, and shaped around the real needs of software developers, provides a trusted architecture on which to stage applications. It addresses the requirements listed above and the direction set by the measures being taken to improve software security, especially across the supply chain.
Get Started With the Cloud Foundry Platform
To learn more about the Cloud Foundry platform, you can get started here. Join the ongoing conversation on Slack with the ever-welcoming CF community, who are always looking for people interested in contributing to the improvement of the Cloud Foundry ecosystem.