Codenotary, a software supply chain security provider, has announced new features to its cloud offering, including built-in vulnerability scanning. With the addition of scanning, the company’s cloud solution can provide end-to-end protection for a supply chain, from checking for vulnerabilities to ensuring the provenance of software artifacts.
According to the company, Codenotary Cloud, which was announced last month, can almost instantly identify and remove unwanted artifacts by up to 80%. What’s more, it’s compliant with President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity.
The solution can be scaled to millions of integrity verifications per second. One deployment of the service, for example, supports an organization with 20,000 developers who daily produce 40,000 software builds that each contain 3,000 dependencies.
Builds the SBOM without uploading data to the service
Codenotary Cloud also gives developers a way to attach a tamper-proof software bill of materials for development artifacts that include source code, builds and repositories. The SBOM can make artifacts instantly visible to customers, auditors and compliance professionals.
The service builds the SBOM without uploading any data to the service. Instead, it notarizes the artifacts using tamper-proof cryptographic verification to uniquely identify them. Each development artifact retains a cryptographically strong identity stored in the service’s open-source immutable database.
Codenotary’s service can be integrated with most popular cloud-native CI/CD systems. The company’s DevOps attestation service runs as a managed service or customers can host it themselves. Pricing starts at $5,500 for a workgroup of 10 developers.
Software supply chain a target for attackers
Protecting software supply chains has become more important because they’ve become an attractive target of threat actors. “The perimeter of organizations has become increasingly difficult to penetrate,” says Codenotary co-founder and CEO Moshe Bar. “On top of that, a lot of the workloads have shifted to Google Cloud, AWS and Azure. They’re even more difficult to penetrate because they have hundreds of people in the cloud very carefully monitoring them.”
“On the other hand,” Bar adds, “as we’ve seen the last couple of years, no one really checks what’s going on with all these open-source tools and packages. It’s much easier to put something in there and from there have the developers import the bad stuff. You infect one supply chain, you can be in thousands of places tomorrow while breaking through a thousand perimeters is going to be very difficult.”
“The longevity of a hack in the DevOps process can be huge,” Bar says. “With the SolarWinds hack, to this day, about 40% of the infections remain unmitigated. So, a software supply chain is a much juicier target for the bad guys.”
Copyright © 2022 IDG Communications, Inc.