Software Supply Chain Security

The primary goal of software supply chain security is to ensure the security and reliability of software components as they move through the stages from development to deployment. Securing the supply chain therefore means addressing threats at each stage of the Software Development Lifecycle (SDLC) and throughout the CI/CD pipeline. The SDLC as a discipline dates back to around 1980, CI/CD practice emerged around 2010, and software supply chain security became a prominent concern around 2020. The SBOM (Software Bill of Materials) can be regarded as the starting point of software supply chain security.

A software attestation is an authenticated statement about a software artifact or a collection of software artifacts. Sigstore improves the security of the software supply chain by making cryptographic signing of artifacts and attestations easy to adopt, with the signatures recorded in a transparency log so that they can be audited after the fact. One analogy is that SLSA (Supply-chain Levels for Software Artifacts) is to supply chain security what CMMI is to software development process maturity: a graded set of requirements against which a process can be assessed.
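To make the definition of an attestation concrete, the following is an added example (not code from the original page, and not Sigstore's or in-toto's own implementation). It builds an in-toto Statement for an artifact, signs it inside a DSSE envelope with Ed25519, and then performs the two checks a consumer needs: that the signature comes from a trusted key, and that the statement's subject digest actually matches the artifact in hand. The artifact bytes, the key ID `build-key-1`, the artifact name and the predicate contents are constructed for the example; the transparency-log lookup that Sigstore adds on top is outside this snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement follows the in-toto Statement v1 layout: a claim (predicate)
// about one or more subjects, each identified by a content digest.
type Statement struct {
	Type          string                 `json:"_type"`
	Subject       []Subject              `json:"subject"`
	PredicateType string                 `json:"predicateType"`
	Predicate     map[string]interface{} `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: the payload type, the base64 payload and
// one or more signatures over the pre-authentication encoding of both.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

const statementType = "https://in-toto.io/Statement/v1"
const payloadType = "application/vnd.in-toto+json"

// pae is DSSE's Pre-Authentication Encoding. Binding the payload type into
// the signed bytes stops a signature being replayed under another type.
func pae(ptype string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(payload), payload))
}

// NewStatement describes one artifact by its sha256 digest.
func NewStatement(name string, artifact []byte, predicateType string, predicate map[string]interface{}) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	}
}

// Sign serialises the statement and signs its PAE with an Ed25519 key.
func Sign(st Statement, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify accepts the envelope only if a trusted key signed it AND the
// statement's subject covers this artifact. A valid signature over a
// statement about some other artifact proves nothing about this one.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, name string, artifact []byte) (Statement, error) {
	var st Statement
	if env.PayloadType != payloadType {
		return st, errors.New("unexpected payloadType")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, err
	}
	signed := false
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue // unknown key: ignore, do not trust
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			signed = true
			break
		}
	}
	if !signed {
		return st, errors.New("no valid signature from a trusted key")
	}
	if err := json.Unmarshal(payload, &st); err != nil {
		return st, err
	}
	if st.Type != statementType {
		return st, errors.New("unexpected statement type")
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, subj := range st.Subject {
		if subj.Name == name && subj.Digest["sha256"] == want {
			return st, nil
		}
	}
	return st, errors.New("artifact digest not covered by the statement's subject")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample release tarball bytes") // constructed, not a real artifact
	st := NewStatement("app-1.0.0.tar.gz", artifact, "https://slsa.dev/provenance/v1",
		map[string]interface{}{"buildDefinition": map[string]interface{}{"buildType": "https://example.com/ci/v1"}})
	env, _ := Sign(st, "build-key-1", priv)
	trusted := map[string]ed25519.PublicKey{"build-key-1": pub}
	if _, err := Verify(env, trusted, "app-1.0.0.tar.gz", artifact); err != nil {
		fmt.Println("verify failed:", err)
	} else {
		fmt.Println("attestation verified for artifact")
	}
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	if _, err := Verify(env, trusted, "app-1.0.0.tar.gz", tampered); err != nil {
		fmt.Println("tampered artifact rejected:", err)
	}
}
```

The order of checks matters: the signature is verified before the payload is parsed, so untrusted input never reaches the JSON decoder, and the digest comparison is done against the bytes the consumer is actually about to use rather than against a name alone.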