The creation of fresh, for-sale products as well as in-house software solutions for businesses using open source software (OSS) has grown in popularity.
A report on three startup companies that offer improved open source software supply chain management capabilities that go beyond static software bills of materials was released today by International Data Corporation (IDC) (SBOMs). Three businesses that assist clients in managing the security of the software supply chain of open source components used in their software development and deployment operations are profiled in the study IDC Innovators: Open Source Software Supply Chain Security, 2023 (Doc #US50138923). These three businesses are:
- Chainguard: Chainguard offers container base images that have been optimised and shrunk in order to decrease surface area and potential vulnerabilities. Products from the company also make use of the Supply Chain Levels for Software Artifacts (SLSA) Framework to enforce policy, create SBOMs, and check deployed images for compliance with established policies and notify on deviations.
- Codenotary: Assuring that all artefacts are known from source to product and then logging that information into an immutable database, Codenotary integrates OSS awareness into the SBOMs scanning and monitoring process, guaranteeing the results are reliable.
- Endor Labs: By managing SBOMs to segregate prospective accessible vulnerabilities and muting non-reachable flaws, Endor Labs assists development and security teams in maximising software reuse. This allows a focus on potential vulnerabilities that could lead to a compromise.
Although OSS may not cost anything to purchase, the price of ongoing maintenance and support may outweigh the money saved at the time of purchase. In addition, worries regarding the security of the software chain connected to OSS are growing.
The businesses highlighted in this research have created platforms for software supply chain management that make use of DevSecOps capabilities to better control the security of the open source components used in their software development and deployment processes in order to allay these worries. These solutions aim to lessen the difficulty and time involved in thoroughly vetting OSS componentry for currency and the active nature of the project itself, as well as for identifying known vulnerabilities as well as potential vulnerabilities that have not yet been exposed and more mundane issues like licencing compliance problems.
“The time has come for organizations to get serious about securing the supply chain of open source software components, tools, or applications they may be using from public repositories,” said Al Gillen, group vice president, Software Development and Open Source at IDC. “The vendors and products highlighted in this IDC Innovators document are showing truly interesting and compelling ways to address these security concerns using a modern approach.”