Cloud security startup Aqua Security has partnered with the Center for Internet Security (CIS) to create guidelines for software supply chain security and followed up by shipping an open source auditing tool to ensure compliance with the new benchmarks.
The open source tool, called Chain-Bench, is available for for auditing an organization’s software supply chain stack for security compliance based on the newly created CIS Software Supply Chain Security Guide.
Chain-Bench can be used by organizations to scan the DevOps stack from source code to deployment and simplify compliance with security regulations, standards, and internal policies, Aqua Security explained.
In a statement, the company said the new Software Supply Chain Security Guide offers more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms.
[ READ: Aqua Security Reaches Unicorn Status After $135 Million Raise ]
The fruits of the collaboration is meant to establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms, Aqua Security said.
Within the guide, recommendations span five categories of the software supply chain, including Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment.
The company said CIS plans to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms.
Aqua Security, a late-stage Israeli startup with U.S. headquarters in Boston, said the guide was reviewed by external experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and several other technology firms.
Related: Chainguard Bags Massive $50M Series A for Supply Chain Security
Related: Google Intros SLSA Framework to Enforce Supply Chain Integrity
Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Attack
Related: Legit Security Raises $30M to Tackle Supply Chain Security
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Backslash Snags $8M Seed Financing for AppSec Tech
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
