JETSTACK CONSULTING

Software Supply Chain Security

How secure are your software build pipelines? Are they tamper-proof? And would you know if they weren't? Our Assessment Toolkit can help you find out.


Why did we build the toolkit?

As the recent run of high-profile security incidents shows (Log4j or SolarWinds, anyone?), every link in a software supply chain matters.

This online assessment toolkit is our attempt to give organisations the insights and advice they need to understand where the vulnerabilities in their supply chains lie and how to fix them. The toolkit consolidates the recommendations and guidance of several existing frameworks and whitepapers, including SLSA and the CNCF, and presents them in a form that offers clarity in an increasingly complex problem space.

Broken down into four key areas (Build Pipelines, Source Code, Provenance and Deployment), the toolkit grades potential action points based on their priority and complexity.

BUILD PIPELINES

Securing the automated processes and tooling that you use to build and package your software components.

SOURCE CODE

Ensuring the authenticity and integrity of the software code used within your applications.

PROVENANCE

Publishing the steps taken to build your software components.

DEPLOYMENT

Enabling consumers of your software to verify its integrity before deployment and usage.

Version 1.0

The software supply chain toolkit

An interactive guide on how to secure your third-party software


How to use the toolkit:

1. Select one of the coloured circles shown on the toolkit (we recommend starting with high-priority, low-complexity items).

2. Read through the recommendation written on the card.

3. Open useful links in a new tab if you’d like to explore the topic in further detail.

4. Close the card or select a new circle to explore a new action point.

Recommendations are based on our own experiences and on the existing work of:

- SLSA
- Cloud Native (CNCF)
- Jetstack
- Venafi

Working with Jetstack

Whilst the radar serves as an excellent starting point for anyone who wants to secure their software supply chain, it is by no means an exhaustive list. The world of software supply chain security is only just getting started, and whilst we will make every effort to update and maintain the radar on a regular basis, this is a rapidly evolving problem area.

We thought long and hard about how to make the information contained within the radar not only actionable, but user friendly and palatable at the same time (kudos to the engineer who finally told us to check out the Thoughtworks Technology Radar). That said, there are still 52 potential action points for a person to work through.

As big proponents of open source, we'd love nothing more than for this page to serve as the strategic guidance people need to independently push through their own software supply chain projects.

However, if you'd like to work with the brains behind the radar (and the people who brought you the hugely popular cert-manager project), that's where our Field Engineers and Solution Architects come in.

We'd be more than happy to come into your organisation and tailor the recommendations described above to reflect where you are on your own journey to secure third-party software.

As we work with more organisations on this topic, we hope to improve our own understanding and maturity around it, and to share those insights through later editions of the supply chain radar.

If you’re interested in working with Jetstack and would like to book a software supply chain assessment with our team, please complete the form at the bottom of the page.


Book an Assessment

To book a software supply chain security assessment, or to ask us a question, simply complete the form on this page so a member of my team can reach out and talk about next steps.

Please add any specific questions you might have in the comments box so we can direct your query to the most qualified member of the team.

We look forward to speaking with you soon.

Cameron More

HEAD OF GROWTH
