Many prominent attacks, breaches and exploits, such as the SolarWinds fiasco and the Log4j (Log4Shell) vulnerability, are prime examples. In fact, it has gotten so bad that President Joseph Biden issued an executive order (Executive Order 14028, Improving the Nation's Cybersecurity) calling on all of us to secure the software supply chain. When politicians care about software, things get real.
Slim.AI is rising to this challenge by announcing, at the Open Source Summit in Austin, Texas, the beta of its software supply chain security service. The service is meant to help organizations continuously and automatically harden their containers and reduce their software supply chain risk.
The service is built on Slim.AI's open source project, DockerSlim. This popular developer tool optimizes and secures containers by analyzing what the container actually needs at runtime and removing everything else, thus "slimming" down the container's attack surface. It can also reduce a container's size by up to 30 times.
This is impressive. As Slim.AI CEO John Amaral said, "Currently, tens of thousands of developers and teams are using the open source Slim and free SaaS software to understand what's in their containers, reduce the container attack surface, remove vulnerabilities, and ship only the code they need." But "an open source project doesn't scale. So with this new service, we are moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these results at scale."
This is done by integrating the code with container registries, Continuous Integration/Continuous Deployment (CI/CD) pipelines and tools, so you can automate the process and fit it into existing workflows to quickly deliver secure software into production.
Current and planned integrations include Docker, AWS ECR, Google GCR, GitHub, DigitalOcean, Quay, Jenkins, GitLab, and GitHub CI/CD. APIs are also available to early access partners.
Plus, thanks to those APIs, the service lets you run several vulnerability scanners against your containers to find security issues before they bite you.
This is all part of what Amaral calls "The Four Ss of Software Supply Chain Security."
Amaral explained that the good news about the open source software supply chain is that "it is really easy for developers to integrate huge libraries of code into applications, compile it into containers, and ship it to production with a click of a button. In production, it is the child of a massive supply chain." The bad news is that it "carries the benefits and risks of all the decisions, contributions, advantages and disadvantages that its creators have collectively demonstrated."
As Codenotary, a software supply chain company, recently noted, "software is never complete, and the codebase, including its dependencies, is a document that is always updated. This automatically means that you need to keep track of it, good and bad, bearing in mind that a good thing can turn into a bad thing." Exactly.
The answer, according to Amaral, is to build a comprehensive and automated software supply chain security (SSCS) program around "The Four Ss." Here they are:
Software bill of materials (SBOM): This is a list of all the components in a piece of software, such as open source libraries and third-party components. The best-known SBOM standard is the Linux Foundation's Software Package Data Exchange (SPDX). A related effort is Supply-chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), which is a framework for build and provenance integrity rather than an SBOM format itself.
Signing: A signature is a way to digitally attach a verified, immutable developer identity to a piece of code. Combined with other tools, it enables a transparent and cryptographically secure log of software changes and provides a permanent, reliable digital chain of custody for software and related artifacts. Examples include Sigstore and Notary.
Slimming: This reduces the footprint of your production code by removing unnecessary code. It also inherently reduces the complexity of the software supply chain, the software attack surface, and the overall risk.
Sharing: No single person or organization can provide a comprehensive solution to SSCS. Communication around SSCS, and collaboration on solutions within your organization and with other groups, is essential to advancing the industry and protecting our global software ecosystem. When it comes to open source security, we're all in this together.
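To make the SBOM and slimming points concrete, here is a small added example of my own (not Slim.AI or DockerSlim code): it reads two SPDX 2.x JSON SBOMs, one for an image before slimming and one after, and reports which packages were removed and whether the slimmed image is a true subset of the original. The two SBOM documents are constructed inline, and the package names and versions in them are hypothetical.

```python
"""Compare SPDX 2.x JSON SBOMs to measure what slimming removed.

Illustrative code written for this article, not Slim.AI's tooling.
The SBOM documents below are constructed samples with hypothetical packages.
"""
import json
from typing import Dict

# Constructed SBOM for the unslimmed image (hypothetical package list).
FULL_IMAGE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app:full",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-libc", "name": "libc6", "versionInfo": "2.31"},
        {"SPDXID": "SPDXRef-Package-ssl", "name": "openssl", "versionInfo": "1.1.1"},
        {"SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.68.0"},
        {"SPDXID": "SPDXRef-Package-bash", "name": "bash", "versionInfo": "5.0"},
        {"SPDXID": "SPDXRef-Package-gcc", "name": "gcc", "versionInfo": "9.3.0"},
    ],
})

# Constructed SBOM for the same image after slimming: only what the app needs.
SLIM_IMAGE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app:slim",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-libc", "name": "libc6", "versionInfo": "2.31"},
        {"SPDXID": "SPDXRef-Package-ssl", "name": "openssl", "versionInfo": "1.1.1"},
    ],
})


def load_packages(sbom_json: str) -> Dict[str, str]:
    """Return {package name: version} from an SPDX 2.x JSON document.

    Rejects anything that is not SPDX 2.x so a malformed or foreign SBOM is
    not silently treated as an empty (and therefore "clean") inventory.
    """
    doc = json.loads(sbom_json)
    version = str(doc.get("spdxVersion", ""))
    if not version.startswith("SPDX-2."):
        raise ValueError(f"unsupported SBOM format: {version!r}")
    packages: Dict[str, str] = {}
    for pkg in doc.get("packages", []):
        name = pkg["name"]
        if name in packages:
            raise ValueError(f"duplicate package entry: {name}")
        packages[name] = pkg.get("versionInfo", "NOASSERTION")
    return packages


def slimming_report(full_sbom: str, slim_sbom: str) -> dict:
    """Diff the two inventories and flag anything that is not pure removal.

    A slimmed image should contain a strict subset of the original image's
    packages. Packages that appear only in the slim SBOM, or at a different
    version, mean the slim image was not derived from the same base and the
    comparison should not be trusted.
    """
    full = load_packages(full_sbom)
    slim = load_packages(slim_sbom)
    removed = sorted(set(full) - set(slim))
    added = sorted(set(slim) - set(full))
    version_drift = sorted(n for n in slim if n in full and slim[n] != full[n])
    reduction_pct = round(100.0 * len(removed) / len(full), 1) if full else 0.0
    return {
        "removed": removed,
        "added": added,
        "version_drift": version_drift,
        "reduction_pct": reduction_pct,
        "consistent": not added and not version_drift,
    }


if __name__ == "__main__":
    report = slimming_report(FULL_IMAGE_SBOM, SLIM_IMAGE_SBOM)
    print(f"removed {len(report['removed'])} packages "
          f"({report['reduction_pct']}%): {', '.join(report['removed'])}")
    if not report["consistent"]:
        print("warning: slim image is not a subset of the full image",
              report["added"], report["version_drift"])
```

Run against real images, the two inputs would come from an SBOM generator pointed at the image before and after slimming; the "consistent" check matters because a slim image rebuilt from a newer base can drop packages and quietly change the versions of the ones that remain, which is exactly the kind of drift a vulnerability scanner needs to see.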
At Slim, Amaral concluded, "Our core value is 'Know Your Software.' Slim.AI tools can be used in conjunction with vulnerability scanners and SBOM generators to create a comprehensive view of the software supply chain." With Slim's optimization, you can ensure teams are shipping only what they need to production.
Want to know more? Contact the Slim.AI team for early access. If you are at the Open Source Summit, you can visit the Slim.AI team and learn more about the program at Booth B2.