Thursday, June 23, 2022

Aqua Security Collaborates With Center for Internet Security to Create Guide for Software Supply Chain Security


BOSTON— June 22, 2022 — Aqua Security, the leading pure-play cloud native security provider, and the Center for Internet Security (CIS), an independent, nonprofit organization with a mission to create confidence in the connected world, today released the industry’s first formal guidelines for software supply chain security. Developed through collaboration between the two organizations, the CIS Software Supply Chain Security Guide provides more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms. In addition, Aqua Security unveiled a new open source tool, Chain-Bench, which is the first and only tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.

Establishing Best Practices for Software Supply Chain Security

Though threats to the software supply chain continue to increase, studies show that security across development environments remains low. The new guidelines establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms.

Within the guide, recommendations span five categories of the software supply chain, including Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment (link to blog with overview).

CIS intends to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms. As with all CIS guidance, the guide will be published and reviewed globally. Feedback will help ensure that future platform-specific guidance is accurate and relevant.

“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come,” said Phil White, Benchmarks Development Team Manager for CIS. “Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. Their expertise will be valuable to establishing vital best practices to advance software supply chain security for all.”

To date, the guide has been reviewed by experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology firms.

Ofir Shapira, Cyber Security Product Manager, Axonius: “The work Aqua is doing around software supply chain security, not only as a company but for the broader community, is paving the way for safer software releases.”

Erez Dasa, Cyber & Application Security Architect, leading digital payment organization: “Implementing these guidelines over development processes gives us much more confidence in the security of releases.”

The Industry’s First Open Source Tool for Software Supply Chain Security

To help organizations adopting the CIS guidance, Aqua released Chain-Bench. Chain-Bench scans the DevOps stack from source code to deployment and simplifies compliance with security regulations, standards, and internal policies to ensure teams can consistently implement software security controls and best practices.

“Building software at scale requires strong governance of the software supply chain, and strong governance requires effective tools. This is where we saw an opportunity to add value,” said Eylam Milner, Director Argon Technology, Aqua Security. “We wanted to leverage our expertise in software supply chain security to help build vital guidance for one of industry’s most pressing challenges, as well as a free, accessible tool to help other organizations adhere to it. The work doesn’t stop here. We’ll continue working with CIS to refine this guidance, so that organizations worldwide can benefit from stronger security practices.”

To learn more about the CIS Software Supply Chain Security Guide, visit the CIS WorkBench. To download Chain-Bench, visit GitHub.

About Center for Internet Security, Inc. (CIS®)

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.

About Aqua Security

Aqua Security stops cloud native attacks. As the pioneer and largest pure-play cloud native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP) securing the entire application lifecycle through prevention, detection and response. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit www.aquasec.com.
