
Today, cloud native security provider, Aqua Security, and the Center for Internet Security (CIS) released the first-ever formal guidelines for software supply chain security. The new CIS Software Supply Chain Security Guide [registration required] provides enterprises with over 100 foundational recommendations for securing the software supply chain against threat actors. 

The new guidelines break the software supply chain down into five key areas: source code, build pipelines, dependencies, artifacts and deployment. 

By codifying guidelines for each category, Aqua Security and CIS aim to establish industry-wide best practices and recommendations for mitigating open-source software risks, and to support new standards including Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). 

Aqua Security also today announced the launch of a new open-source tool called Chain-Bench, which enterprises can use to audit the supply chain in line with the CIS guidelines. 

Bringing supply chain security to all  

The release comes as part of a wider movement to secure the open-source supply chain, in the wake of the disruption caused by Log4Shell since its discovery in November of last year. 

Looking back, the widespread security issues caused by the Log4Shell vulnerability brought to the forefront concerns over the reliability of open-source software. Now research shows that 95% of IT leaders say Log4Shell was a wake-up call for cloud security, with 87% admitting they feel less confident about their cloud security today than they did prior to the incident. 

This industry-wide lack of confidence has driven organizations, proprietary software vendors and open-source projects into a state of collaboration, to identify and mitigate the security issues present within open-source solutions. 

One of the most notable collaborations in the industry occurred earlier this year at the Open Source Software Security Summit II when the Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together 37 companies to invest in implementing supply chain security.

Aqua Security and CIS’s role in the open-source security movement 

CIS and Aqua Security’s release of the guide for software supply chain security marks a new collaboration in the industry to set out a series of codified standards to manage and audit any open-source tools that enterprises deploy within their environments. 

This isn’t an isolated partnership either: Aqua Security and CIS are both looking for other organizations to work with on new approaches to mitigating security issues in the software supply chain. 

“By publishing the CIS Software Supply Chain Security guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come,” said Phil White, benchmarks development team manager for CIS. 

“Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. This expertise will be valuable to establishing critical best practices to advance software supply chain security for all,” White said. 

Software supply chain security tools 

The growth in concerns over open-source security has led to a wave of solutions designed to address vulnerabilities in open-source technologies.

For example, Snyk provides a developer security platform that can automatically scan for vulnerabilities in code, open-source dependencies, containers and infrastructure as code. Last year, Snyk reportedly raised $530 million and achieved a valuation of $8.5 billion. 

Another provider taking a similar approach is Sonatype, whose software supply chain security tool offers code analysis that automatically identifies risks in open-source software so that organizations can mitigate them in the open-source supply chain. At the start of this year, Sonatype announced $100 million in annual recurring revenue. 

Legit Security, meanwhile, approaches supply chain security through automated software development lifecycle (SDLC) discovery: it builds a visual inventory of software assets and scans it for vulnerabilities, revealing unknown, misconfigured and vulnerable components on the network. At the start of this year, Legit Security announced it had raised $30 million in funding.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.