Austin, TX: We learned the hard way that, as Slim.AI CEO John Amaral said, “Your software supply chain is only as secure as its weakest link.” Amen, my brother!
Many high-profile attacks, breaches and exploits, such as the SolarWinds fiasco and the Log4j vulnerability, are prime examples of this. Indeed, the situation has become so serious that President Joseph Biden has issued an executive order calling on all of us to secure the software supply chain. When politicians pay attention to software, things get real.
Slim.AI is taking up this challenge by announcing, at Open Source Summit in Austin, Texas, its beta software supply chain security service. This service will help organizations continuously and automatically optimize and secure their containers and minimize software supply chain risk.
This service is built on Slim.AI’s open-source project, DockerSlim. This popular developer program optimizes and secures your containers by analyzing your code and discarding unnecessary code, thus “reducing” the attack surface of your containers. It can also reduce your container size by up to 30 times.
It’s impressive. As Amaral said, “Currently, tens of thousands of developers and teams are using Slim’s free, open-source SaaS software to understand what’s inside their containers, reduce the attack surface of containers, remove vulnerabilities, and send only the code they need.” But the open source project is not scaling. So with this new service, Amaral continued, “We are moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these results at scale.”
This is done by integrating the code with container registries, Continuous Integration/Continuous Deployment (CI/CD) pipelines and tools so you can automate it and integrate it into existing workflows to quickly deliver secure software to production.
Current and planned integrations include Docker, AWS ECR, Google GCR, GitHub, DigitalOcean, and Quay registries, as well as Jenkins, GitLab, and GitHub CI/CD platforms. Application programming interfaces (APIs) are also made available to early access partners.
Additionally, through its APIs, the service allows you to use multiple vulnerability scanners on your containers to find security issues before they bite you.
It’s all part of what Amaral calls “The four S’s of software supply chain security.”
The good news about the open source software supply chain is, Amaral explained, “it’s really easy for developers to embed large libraries of code into applications, package them in containers, and ship them in production with a single click. The code running in production is the child of the massive supply chain.” The bad news is that “it bears the benefit and risk of all decisions, contributions, features, and faults manifested by its creators as a whole”.
As CodeNotary, a company specializing in the software supply chain, recently observed: “Software is never complete and the codebase, including its dependencies, is an always-updated document. This automatically means you have to follow it, good and bad, keeping in mind that something good can turn bad.” Yes, exactly!
The answer, according to Amaral, is to create a comprehensive, automated Software Supply Chain Security (SSCS) program: “The Four Ss”. These are:
Software Bill of Materials (SBOM): This is a list of all software components, such as open source libraries and third-party components. Well-known SBOM approaches include the Linux Foundation’s Software Package Data Exchange (SPDX) and Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”).
Signing: Signing is a way to digitally attach a verified, immutable developer identity to a piece of code. Coupled with other tools, it helps create a transparent and cryptographically secure record of software changes and establishes a permanent and reliable digital chain of custody for software and related artifacts. Examples include Sigstore and Notary.
Slimming: This minimizes your production code footprint by removing unnecessary code. It also inherently reduces software supply chain complexity, software attack surface, and overall risk.
Sharing: No single person or organization can provide a complete SSCS solution. Communicating about SSCS and collaborating on solutions both within your organization and with other groups is critical to advancing the industry and protecting our software-dependent global ecosystem. When it comes to open source security, we’re all in it together.
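To make the “Signing” item above concrete, here is a small added example (not code from Slim.AI, Sigstore or Notary) of the cryptographic core of artifact signing: a developer identity signs the SHA-256 digest of an artifact, and a verifier accepts the attestation only if both the digest and the signature check out. Real tools such as Sigstore additionally bind the key to an identity provider and record the signature in a transparency log; that part is left out here. The identity string, the `Attestation` type and the sample artifact bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signer stands in for a developer identity holding an Ed25519 key pair.
// (Assumed structure for this example; not a Slim.AI or Sigstore type.)
type Signer struct {
	Identity string
	Public   ed25519.PublicKey
	private  ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for the named identity.
func NewSigner(identity string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Identity: identity, Public: pub, private: priv}, nil
}

// Digest returns the hex SHA-256 of an artifact. Signing tools sign the
// digest of an image or SBOM rather than the raw bytes.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Attestation is the signed statement: which identity vouched for which digest.
type Attestation struct {
	Identity  string
	Digest    string
	Signature []byte
}

// message is the exact byte string that gets signed; binding the identity
// into it prevents a signature from being replayed under another name.
func message(identity, digest string) []byte {
	return []byte(identity + "\n" + digest)
}

// Sign produces an attestation over the artifact's digest.
func (s *Signer) Sign(artifact []byte) Attestation {
	d := Digest(artifact)
	return Attestation{
		Identity:  s.Identity,
		Digest:    d,
		Signature: ed25519.Sign(s.private, message(s.Identity, d)),
	}
}

// Verify checks the chain of custody for the bytes we actually hold:
// the digest must match the artifact, and the signature must be valid
// under the public key we trust for that identity.
func Verify(pub ed25519.PublicKey, att Attestation, artifact []byte) bool {
	if Digest(artifact) != att.Digest {
		return false // artifact changed after it was signed
	}
	return ed25519.Verify(pub, message(att.Identity, att.Digest), att.Signature)
}

func main() {
	dev, err := NewSigner("dev@example.com") // assumed identity
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for an image layer or SBOM.
	artifact := []byte("FROM scratch\nCOPY app /app\n")
	att := dev.Sign(artifact)
	fmt.Println("original verifies:", Verify(dev.Public, att, artifact))

	// A modified copy of the artifact must fail verification.
	tampered := append(append([]byte{}, artifact...), []byte("COPY extra /extra\n")...)
	fmt.Println("tampered verifies:", Verify(dev.Public, att, tampered))
}
```

The verifier only ever trusts the public key it was given, so an attestation from a different key pair, or over different bytes, is rejected; this is the property that lets a registry or CI pipeline refuse to deploy an image whose provenance does not check out.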
At Slim, Amaral concluded, “Our core value is ‘Know Your Software.’ Slim.AI’s tools can be used with vulnerability scanners and SBOM generators to create a holistic view of the software supply chain.” With Slim’s optimization, you can ensure teams only ship what they need for production.
Want to know more? Contact the Slim.AI team for early access. If you’re at the Open Source Summit, you can visit the Slim.AI team and learn more about the program at booth B2.