Highlights

  • Aqua Security has also released Chain-Bench, the first and only open-source tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.
  • The guide has been reviewed by professionals working at leading technology firms like Aqua Security, CIS, PayPal, Red Hat, Axonius, and CyberArk.

Aqua Security, a notable pure-play cloud-native security provider, and the Center for Internet Security (CIS), a nonprofit organization that aims to create a confidently connected world, have released the first set of formal guidelines for software supply chain security. The CIS Software Supply Chain Security Guide developed through this collaboration provides 100+ foundational recommendations pertaining to various commonly used technologies and platforms.

In addition, Aqua Security has released Chain-Bench, the first and only open-source tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.

Setting Up Best Practices for Software Supply Chain Security

The threats to the software supply chain keep increasing, yet studies show that security in development environments remains low. The new guidelines establish best practices to support key emerging standards such as The Update Framework (TUF) and Supply Chain Levels for Software Artifacts (SLSA). The guidelines also add functional recommendations for setting up and auditing configurations on the Benchmark-supported platforms.

The companies have divided the recommendations into five software supply chain categories: Dependencies, Source Code, Artifacts, Build Pipelines, and Deployment.

To maintain consistency in security recommendations across all platforms, CIS plans to expand the guidance into more specific CIS Benchmarks. The guide will be published and reviewed globally, just like all CIS guidelines. The feedback will help ensure that future platform-specific guidance is accurate and relevant.

The guide has been reviewed by professionals working at leading technology firms like Aqua Security, CIS, PayPal, Red Hat, Axonius, and CyberArk.

The First-ever Software Supply Chain Security Open-source Tool

Aqua released Chain-Bench to support organizations that are adopting the CIS guidance. The tool scans the DevOps stack from source code through deployment and simplifies compliance with security standards, regulations, and internal policies. This helps ensure that teams consistently apply software security controls and best practices.

Experts’ Take

“Building software at scale requires strong governance of the software supply chain, and strong governance requires effective tools. This is where we saw an opportunity to add value,” said Eylam Milner, Director of Argon Technology at Aqua Security. “We wanted to leverage our expertise in software supply chain security to help build critical guidance for one of the industry’s most pressing challenges, as well as a free, accessible tool to help other organizations adhere to it. The work doesn’t stop here. We will continue working with CIS to refine this guidance, so that organizations worldwide can benefit from stronger security practices.”

“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come,” said Phil White, Benchmarks Development Team Manager for CIS. “Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. Their expertise will be valuable to establishing critical best practices to advance software supply chain security for all.”