Software Supply Chain

A secure software development lifecycle (SDLC) implements the process and technology solutions that protect your enterprise software as it is being constructed, as well as the infrastructure the software runs on. Some of the areas in which we can assist are:

  • Secure Source Code Management (SCM) – Designing and implementing a secure solution for your source code must protect the integrity of the data, so that only deliberate changes by authorised users can be made. The SCM tools and processes must also protect the confidentiality of your source code, making it difficult to exfiltrate from your environment.
  • Secure Pipeline Design – We have helped large enterprises design and build secure CI/CD pipelines, or assess an existing pipeline for its maturity against industry frameworks such as DSOMM. We can then build a roadmap which starts you on the journey of hardening your existing pipeline while making recommendations on how to consolidate your tooling to save on cost.
  • Secrets Scanning – Secrets must not be stored alongside the source code or, even worse, hard-coded into the source files. Your source repository should be continuously scanned for hard-coded secrets, with alerts raised if any are found.
  • Cloud Blueprint and Security Policies – Providing consistent advice and published guardrails on configuring cloud services.
  • Security CI/CD Processes – Security should be a business enabler, not the ‘handbrake to happiness’. Any development and deployment processes need to be secure by default, while at the same time being easy for developers to onboard to and use.
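
The secrets-scanning control described above, as an added example that is not part of this page or of any vendor's tooling: a minimal scanner of the kind run as a CI stage over a repository checkout. It matches a few credential shapes, suppresses obvious template and documentation placeholders to keep false positives down, redacts what it reports so the alert itself does not leak the secret, and fails the stage if anything remains. The file contents, the credential shapes and the inline `secrets-scan: ignore` suppression marker are all constructed for the example.

```python
# Added example (not the page's or any vendor's code): a minimal hardcoded-secret
# scanner for a CI job. File contents below are constructed; the credential
# shapes are illustrative, not vendor-exact formats.
import re
from dataclasses import dataclass

# (rule name, regex). Each regex targets a recognisable credential shape.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_credential_assignment",
     re.compile(r"(?i)(password|passwd|secret|api_key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Tokens that mark a value as a template or documentation placeholder, not a live secret.
PLACEHOLDER_MARKERS = ("example", "changeme", "${", "<your", "xxxx")

# Hypothetical inline suppression marker for findings a reviewer has triaged as benign.
IGNORE_MARKER = "secrets-scan: ignore"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # redacted so the alert itself does not leak the secret


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's content line by line against every rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match and not is_placeholder(match.group(0)):
                findings.append(Finding(path, line_no, rule, redact(match.group(0))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a repo-relative path to its content (a real job would walk the checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def ci_exit_code(findings: list[Finding]) -> int:
    """Non-zero fails the pipeline stage; the findings list is what gets raised as the alert."""
    return 1 if findings else 0


# Constructed sample checkout: two placeholders that must not alert,
# three real-looking secrets that must.
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "s3cr3t-pr0d-passw0rd"\n'
        'API_TOKEN = "${API_TOKEN}"\n'
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
    "docs/README.md": 'Set PASSWORD = "changeme-please" before the first run\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
    raise SystemExit(ci_exit_code(results))
```

Running the block reports the production password, the access-key-shaped value and the private key block, and exits non-zero; the `${API_TOKEN}` template and the README's `changeme` value are suppressed. The placeholder list is a deliberate trade-off: it also suppresses any value containing "example", so a scanner that must catch everything would drop that marker and accept more triage work.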

These solutions may involve setting up a new process or procedure, educating users on best practices, configuring the appropriate policies and monitoring on existing software, or the setup, installation and configuration of a new platform.

Secure Build

Automation of the build and deployment process allows for smaller but more frequent deployments with almost continuous incremental improvements to your software applications.  But moving at a high speed of change means that the security technology and processes need to operate at the same speed to support development and deployment.  You don’t want security slowing the process down unnecessarily, but you do need it to identify any insecure code or infrastructure that’s about to be deployed.  This can be achieved by security controls such as:

  • Policy as Code (PoC) – This is the implementation, in code, of the security policies that have been defined in the Secure SDLC. It guarantees that the guardrails that have been defined are enforced in your pipeline, which makes it significantly more difficult to deploy an insecure application.
  • Infrastructure as Code (IaC) – Ensures that all your infrastructure is defined and managed as source code, with appropriate change management and approval processes, with the end goal of eliminating ‘click ops’. This guarantees that all the infrastructure you deploy complies with the security blueprints and policies, and that you have a consistent configuration across your dev, test and production environments.
  • Static Application Security Testing (SAST) – Code scanning integrated into the pipeline will identify and manage any vulnerabilities your developers have introduced and will ensure they are writing code that is free of security vulnerabilities.
  • Software Composition Analysis (SCA) – Any public libraries or open source software must be retrieved from “known good” sources, catalogued into a Software Bill of Materials (SBOM) and scanned for vulnerabilities before being introduced into your application environment.
  • Container and Image Scanning – Any virtual machine images you use must be scanned for vulnerabilities, even ones you have built yourself. Once containers have been built, they must be scanned too, because any vulnerabilities introduced at the infrastructure level are already deep inside your environment, where they can cause the most damage.
  • Continuous Vulnerability Management – All of the vulnerabilities that are discovered as part of the scanning process need to be collected and managed as part of a patch management program. Other vulnerability scanning tools can also be used to continuously scan your deployed infrastructure and applications so that vulnerabilities aren’t only detected at build-time but at run-time as well.

All the scanning tools can be configured to identify and stop a deployment when a serious vulnerability is discovered, or simply identify and log the concern.  Analysis can be performed post deployment which can determine the impact of the vulnerability in the context of your specific environment and identify if there is another control that compensates for the vulnerability, or if remedial action should be taken.
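
The Policy as Code bullet above and this closing paragraph describe the same control from two sides: a policy, written as code, that decides whether a scan result stops the deployment or is merely logged for vulnerability management. The following is an added example of such a gate, not code from this page or any scanner; the scan report, the severity scale, the policy settings and the `EXAMPLE-000n` identifiers are constructed placeholders, not real advisories. It goes slightly beyond the text by modelling reviewed exceptions with an expiry date, which is how a compensating control identified post-deployment is normally recorded so that it is re-reviewed rather than accepted forever.

```python
# Added example (not the page's code): a policy-as-code gate that turns a scan
# report into a deploy/log decision. Report, policy and identifiers are constructed.
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Vuln:
    id: str             # scanner-assigned identifier (placeholder values below)
    component: str      # library or image layer it was found in
    severity: str       # one of SEVERITY_RANK
    fix_available: bool


@dataclass
class Policy:
    block_at: str = "HIGH"              # fail the stage at this severity or above
    block_only_if_fixable: bool = True  # unfixable findings are logged, not blocked
    enforce: bool = True                # False = audit mode: report but never stop the deploy
    # vuln id -> expiry date of a reviewed exception (e.g. a documented compensating control)
    exceptions: dict[str, date] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    blocking: list[Vuln]            # would stop the deployment under enforce=True
    logged: list[Vuln]              # recorded for vulnerability management only
    expired_exceptions: list[Vuln]  # exceptions that lapsed and need re-review


def evaluate(report: list[Vuln], policy: Policy, today: date) -> Decision:
    """Apply the policy to every finding and return the gate decision."""
    blocking, logged, expired = [], [], []
    for v in report:
        expiry = policy.exceptions.get(v.id)
        if expiry is not None and today <= expiry:
            logged.append(v)            # accepted risk, still tracked
            continue
        if expiry is not None:
            expired.append(v)           # lapsed exception: evaluated as if none existed
        severe = SEVERITY_RANK[v.severity] >= SEVERITY_RANK[policy.block_at]
        actionable = v.fix_available or not policy.block_only_if_fixable
        (blocking if severe and actionable else logged).append(v)
    allowed = not blocking or not policy.enforce
    return Decision(allowed, blocking, logged, expired)


def exit_code(decision: Decision) -> int:
    """Non-zero stops the pipeline; audit mode always returns 0."""
    return 0 if decision.allowed else 1


# Constructed scan report; ids are placeholders, not real advisories.
SAMPLE_REPORT = [
    Vuln("EXAMPLE-0001", "libfoo 1.2.0", "CRITICAL", fix_available=True),
    Vuln("EXAMPLE-0002", "libbar 0.9.1", "HIGH", fix_available=False),
    Vuln("EXAMPLE-0003", "base-image os layer", "MEDIUM", fix_available=True),
    Vuln("EXAMPLE-0004", "libbaz 2.0.3", "HIGH", fix_available=True),
    Vuln("EXAMPLE-0005", "libqux 3.1.0", "CRITICAL", fix_available=True),
]

TODAY = date(2025, 1, 1)  # fixed so the example is reproducible

ENFORCING = Policy(exceptions={
    "EXAMPLE-0004": date(2030, 1, 1),   # current exception: compensating control documented
    "EXAMPLE-0005": date(2020, 1, 1),   # lapsed exception: must be re-reviewed
})
AUDIT_ONLY = Policy(enforce=False, exceptions=ENFORCING.exceptions)

if __name__ == "__main__":
    d = evaluate(SAMPLE_REPORT, ENFORCING, TODAY)
    for v in d.blocking:
        print(f"BLOCK     {v.id} {v.component} {v.severity}")
    for v in d.logged:
        print(f"LOG       {v.id} {v.component} {v.severity}")
    for v in d.expired_exceptions:
        print(f"RE-REVIEW {v.id}: exception expired")
    raise SystemExit(exit_code(d))
```

Under the enforcing policy the gate blocks on the fixable CRITICAL finding and on the one whose exception has lapsed, logs the unfixable HIGH, the MEDIUM and the finding with a current exception, and exits non-zero; the same report under `AUDIT_ONLY` produces the same lists but lets the deployment through, which is the "identify and log" mode the paragraph describes. Keeping `Policy` as data means the block/log threshold changes through a reviewed commit, not a scanner setting someone flips in a UI.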