Application Security

Aqua Security Ships Open Source Tool for Auditing Software Supply Chain

Cloud security startup Aqua Security has partnered with the Center for Internet Security (CIS) to create guidelines for software supply chain security and followed up by shipping an open source auditing tool to ensure compliance with the new benchmarks.

Ryan Naraine

June 22, 2022

The open source tool, called Chain-Bench, is available for for auditing an organization’s software supply chain stack for security compliance based on the newly created CIS Software Supply Chain Security Guide.

Chain-Bench can be used by organizations to scan the DevOps stack from source code to deployment and simplify compliance with security regulations, standards, and internal policies, Aqua Security explained.

In a statement, the company said the new Software Supply Chain Security Guide offers more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms.

[ READ: Aqua Security Reaches Unicorn Status After $135 Million Raise ]

The fruits of the collaboration is meant to establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms, Aqua Security said.

Within the guide, recommendations span five categories of the software supply chain, including Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment.

The company said CIS plans to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms.

Advertisement. Scroll to continue reading.

Aqua Security, a late-stage Israeli startup with U.S. headquarters in Boston, said the guide was reviewed by external experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and several other technology firms.

Written By Ryan Naraine

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Latest News

Click to comment

CIEM Chat: How to Reduce Cloud Identity Risk

March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Virtual Event: Ransomware Resilience & Recovery Summit

April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

You Against the World: The Offenders Dilemma

Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves. (Tom Eston)

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. (Marc Solomon)

Know Your Audience When Speaking to Security Practitioners

How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises? (Joshua Goldfarb)

Cybersecurity Mesh: Overcoming Data Security Overload

A significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach. (Torsten George)

The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

The OODA Loop can be used both by defenders and incident responders for a variety of use cases such as threat assessment, threat monitoring, and threat hunting. (Etay Maor)

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

SecurityWeek NewsMarch 26, 2014

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Eduard KovacsSeptember 24, 2019

Cybercrime

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Eduard KovacsOctober 1, 2019

Cybercrime

Cyber Insights 2023 | Ransomware

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Kevin TownsendFebruary 2, 2023

Quantum computing and the cryptopocalypse

Data Protection

Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Kevin TownsendFebruary 2, 2023

Zero Trust and Identity and Access Management

Identity & Access

Cyber Insights 2023 | Zero Trust and Identity and Access Management

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Kevin TownsendFebruary 6, 2023

Incident Response

Amazon’s Shuttering of Alexa Ranking Service Hits Cybersecurity Industry

Amazon has shut down Alexa.com.

Eduard KovacsMay 6, 2022

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Eduard KovacsMarch 28, 2023

SECURITYWEEK NETWORK:

ICS:

SecurityWeek

Application Security

Aqua Security Ships Open Source Tool for Auditing Software Supply Chain

More from Ryan Naraine

Latest News

Trending

CIEM Chat: How to Reduce Cloud Identity Risk

Virtual Event: Ransomware Resilience & Recovery Summit

People on the Move

Expert Insights

You Against the World: The Offenders Dilemma

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

Know Your Audience When Speaking to Security Practitioners

Cybersecurity Mesh: Overcoming Data Security Overload

The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

Related Content

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cybercrime

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

Cybercrime

Cyber Insights 2023 | Ransomware

Data Protection

Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Identity & Access

Cyber Insights 2023 | Zero Trust and Identity and Access Management

Incident Response

Amazon’s Shuttering of Alexa Ranking Service Hits Cybersecurity Industry

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

SECURITYWEEK NETWORK:

ICS:

More from Ryan Naraine

Latest News

Trending

Daily Briefing Newsletter

CIEM Chat: How to Reduce Cloud Identity Risk

Virtual Event: Ransomware Resilience & Recovery Summit

People on the Move

Expert Insights

You Against the World: The Offenders Dilemma

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

Know Your Audience When Speaking to Security Practitioners

Cybersecurity Mesh: Overcoming Data Security Overload

The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

Related Content

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cybercrime

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

Cybercrime

Cyber Insights 2023 | Ransomware

Data Protection

Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Identity & Access

Cyber Insights 2023 | Zero Trust and Identity and Access Management

Incident Response

Amazon’s Shuttering of Alexa Ranking Service Hits Cybersecurity Industry

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation