Aqua Security and CIS release first formal guidelines for software supply chain security



Today, cloud native security provider Aqua Security and the Center for Internet Security (CIS) released the first ever formal guidelines for software supply chain security. The new CIS Software Supply Chain Security Guide provides enterprises with over 100 foundational recommendations for securing the supply chain against threat actors.

The new guidelines break down the software supply chain into five key areas: Source Code, Build Pipelines, Dependencies, Artifacts and Deployment.

By codifying guidelines for each category, Aqua Security and CIS aim to establish industry-wide best practices and recommendations for mitigating open source software risks, and to support new standards including Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). 

Aqua Security also announced today the launch of a new open source tool called Chain-Bench, which enterprises can use to audit their supply chain in line with the CIS guidelines.

Bringing supply chain security to all  

The release comes as part of a wider movement to secure the open source supply chain, in the wake of the disruption caused by Log4Shell since its discovery in November of last year. 

Looking back, the widespread exposure caused by that single vulnerability brought to the forefront concerns over the reliability of open source software.

Now research shows that 95% of IT leaders say Log4Shell was a wake-up call for cloud security, and 87% admit they feel less confident about their cloud security today than they did prior to the incident.

This industry-wide lack of confidence has driven organizations, proprietary software vendors, and open source projects into a state of collaboration to identify and mitigate the security issues present within open source solutions.

One of the most notable collaborations in the industry occurred earlier this year at the Open Source Software Security Summit II when The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together 37 companies to invest in implementing supply chain security.

Aqua Security and CIS’s role in the open source security movement 

CIS and Aqua Security’s release of the CIS Software Supply Chain Security Guide marks a new collaboration in the industry to set out a series of codified standards to manage and audit any open source tools that enterprises deploy within their environments. 

It’s important to note that this isn’t an isolated partnership either, with Aqua Security and CIS both looking for other organizations to work with to discover new approaches to mitigating security issues in the software supply chain. 

“By publishing the CIS Software Supply Chain Security guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come,” said Phil White, benchmark development team manager for CIS.

“Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. This expertise will be valuable to establishing critical best practices to advance software supply chain security for all,” White said. 

Software supply chain security tools 

The growth in concerns over open source security has led to a wave of solutions cropping up that are designed to address vulnerabilities in open source technologies.

For example, Snyk provides a developer security platform that can automatically scan for vulnerabilities in code, open source dependencies, containers, and infrastructure as code.

Last year, Snyk reportedly raised $530 million and achieved a valuation of $8.5 billion. 

Another provider taking a similar approach is Sonatype, whose software supply chain security tool offers code analysis that identifies risks in open source software automatically, so that organizations can mitigate risks in the open source supply chain.

At the start of this year, Sonatype announced it had reached $100 million in annual recurring revenue.

On the other hand, Legit Security is helping to secure the supply chain with vulnerability scanning using automated SDLC discovery, creating a visual inventory of software assets to reveal unknown, misconfigured, and vulnerable components of the network. At the start of this year, Legit Security announced it had raised $30 million in funding.

