Recent attacks have highlighted the importance of the Software Supply Chain and the need to collaborate on addressing its challenges. Governments, standards-developing organizations, and communities have started focusing on this topic to improve the situation and are publishing new announcements, guidelines, and directives. It is imperative to take action to ensure the security, integrity, and compliance of the Software Supply Chain, which includes all source code incorporated into an artifact, irrespective of whether it is open source or proprietary software. Additionally, the systems involved in getting software from developers’ IDEs into the hands of end users, such as Supply Chain Management (SCM) and CI/CD systems, must be subject to the same level of scrutiny.
One key consideration to take into account while working with the Software Supply Chain is CI/CD. Many parts of the software lifecycle need attention; the focus of this Special Interest Group (SIG) is CI/CD, in order to avoid overlaps and to contribute to other initiatives aiming to improve the security posture of products and production systems from a CI/CD perspective.
New SIG: Software Supply Chain
The CD Foundation’s Technical Oversight Committee (TOC) has recently approved the formation of a new special interest group, Software Supply Chain SIG to foster collaboration among the projects it hosts as well as other communities working on improving the status of the supply chain. Initial members of the SIG Software Supply Chain come from Ericsson, Red Hat, Chainguard, Storebrand, JFrog, Elastic, and Codefresh.
The reason for this is that the practices employed and the technologies used by organizations when establishing software flows depend heavily on CI/CD. The activities that start once code contributions leave developers’ workstations and end once they land in the production environments serving end users are orchestrated by CI/CD systems. Industry best practices such as policy-driven CD and Software Bills of Materials (SBOMs) are all important aspects to take into consideration to ensure security, integrity, and compliance for the products deployed to production.
Another critical aspect to highlight is the importance of securing the CI/CD systems themselves, as these systems are essentially production systems. CI/CD systems are also constructed from open source and/or commercial software, and any issue with security, integrity, or compliance within these systems could have a great impact on the products produced using them. In addition, CI/CD systems interact with or operate against various environments such as staging and production. Such environments could be hosted on-premises or in private and public clouds, which increases both the complexity and the importance of securing the CI/CD systems themselves. The Software Supply Chain SIG aims to study different aspects of CI/CD systems and how to secure them, to prevent bad actors from exploiting these systems, and the products produced and deployed by them, for malicious purposes.
In addition to identifying and working on relevant topics, the SIG will take a practice-oriented approach by implementing proofs of concept and sample pipelines using various CI/CD technologies and tools, to highlight how such tools could be used in a Software Supply Chain, how good practices could be employed, and what kind of opportunities there are. A critical requirement for success is collaboration between DevOps practitioners and CDF-hosted projects such as Tekton and Jenkins. Collaborating with the existing CDF SIGs, including but not limited to Interoperability, Events, and Best Practices, is also critical for the SIG, since some of the topics driven by those SIGs, such as metadata standardization and events, are relevant to the topics this SIG will work on, such as SBOMs and notification of vulnerabilities. The Software Supply Chain SIG will also look for synergies between CDF and other communities such as OpenSSF, and the projects and working groups hosted by it such as Sigstore, SLSA, the Security Tooling WG, and the Supply Chain Integrity WG, to ensure CI/CD aspects are not overlooked.
Join the Conversation
- CDF Slack Channel: #sig-software-supply-chain
- GitHub Repo: https://github.com/cdfoundation/sig-software-supply-chain
- Mailing List: https://lists.cd.foundation/g/sig-software-supply-chain
- Meeting Schedule: Second and Fourth Thursdays of each month at 15:00 UTC.
- CDF Public Calendar (UTC)
Upcoming Presentations/Discussions
March 24, 16:00 UTC
- Michael Lieberman will present SSF (The Secure Software Factory)
- SIG Software Supply Chain Meeting Details
April 14, 15:00 UTC
- Priya Wadhwa presenting TektonCD Chains
- SIG Software Supply Chain Meeting Details
April 28, 15:00 UTC
- Thomas Schuetz presenting CNCF TAG App Delivery and Pod-tato Head
- SIG Software Supply Chain Meeting Details