Scribe Security unveils a pair of tools to secure software supply chains


Scribe Security today unveiled Scribe Integrity, a tool that analyzes software artifacts to ensure they comply with an IT organization’s security policies before they are integrated into an application.

The Scribe Integrity tool authenticates open source and proprietary source code before it is uploaded into a build. It assumes all artifacts are “guilty” until they can be proven innocent, said Rubi Arbel, CEO of Scribe Security. This approach helps ensure that the integrity of the overall software supply chain is maintained in a way that does not negatively affect developer productivity, he added.

Additionally, the company launched GitGat, an open-source policy-as-code tool based on Open Policy Agent (OPA) software that allows DevOps teams to periodically run reports that provide insight into the security posture of code residing in GitHub repositories.

Arbel said that over time, the scope of GitGat will be extended to add support for additional continuous integration/continuous delivery (CI/CD) platforms.

The first release of Scribe Integrity addresses Node.js code and the npm package manager with support for additional code types planned.

The Scribe Integrity tool also identifies all dependencies to allow DevOps teams to generate an accurate software bill of materials (SBOM) as every software artifact is included in the application, he noted. This is essential because it allows developers, IT operations and cybersecurity teams to simultaneously see what artifacts, including containers, make up an application, Arbel noted. In the future, the company plans to make available a Scribe Hub that will make it easier to share information about these software artifacts, he added.
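The two capabilities described above, refusing an artifact whose content does not match what the build expects and listing every direct and transitive dependency in an SBOM, can be illustrated with a small script. The following is an added example written for this article; it is not Scribe Integrity's code or output format. It assumes the npm `package-lock.json` lockfileVersion 3 layout (a `packages` map keyed by `node_modules/...` paths, each with an SRI `integrity` value) and CycloneDX field names for the SBOM; the lockfile and the tarball bytes are constructed inline so it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed tarball contents standing in for the npm registry download of
# each package (assumption: real tarballs would be fetched and hashed whole).
TARBALLS = {
    "node_modules/left-pad": b"left-pad tarball bytes (constructed)",
    "node_modules/debug": b"debug tarball bytes (constructed)",
    "node_modules/ms": b"ms tarball bytes (constructed)",
}


def sri(data: bytes, alg: str = "sha512") -> str:
    """Subresource-Integrity string in the form npm stores it: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


# Constructed package-lock.json; integrity values are derived from TARBALLS
# so the lockfile and the "downloads" agree unless we tamper with them below.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0", "debug": "^4.3.0"}},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "integrity": sri(TARBALLS["node_modules/left-pad"])},
        "node_modules/debug": {"version": "4.3.4",
                               "integrity": sri(TARBALLS["node_modules/debug"]),
                               "dependencies": {"ms": "2.1.2"}},
        # transitive dependency of debug, also pinned by the lockfile
        "node_modules/ms": {"version": "2.1.2",
                            "integrity": sri(TARBALLS["node_modules/ms"])},
    },
}

SRI_TO_CDX_ALG = {"sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}


def verify_integrity(lock: dict, tarballs: dict) -> dict:
    """Treat every locked package as untrusted until its tarball matches the
    pinned SRI value. Returns {path: 'ok' | 'mismatch' | 'missing'}; anything
    other than 'ok' is a reason to stop the artifact entering the build."""
    results = {}
    for path, meta in lock["packages"].items():
        if path == "":  # the root project itself has no tarball
            continue
        expected = meta.get("integrity")
        data = tarballs.get(path)
        if expected is None or data is None:
            results[path] = "missing"
            continue
        alg = expected.split("-", 1)[0]
        actual = sri(data, alg)
        results[path] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def build_sbom(lock: dict) -> dict:
    """Flatten every locked package, direct and transitive, into a minimal
    CycloneDX-style component list with package-URL identifiers and hashes."""
    components = []
    for path, meta in sorted(lock["packages"].items()):
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        alg, b64 = meta["integrity"].split("-", 1)
        components.append({
            "type": "library",
            "name": name,
            "version": meta["version"],
            # scoped packages (@scope/name) must percent-encode the '@' in a purl
            "purl": f"pkg:npm/{name.replace('@', '%40')}@{meta['version']}",
            "hashes": [{"alg": SRI_TO_CDX_ALG[alg],
                        "content": base64.b64decode(b64).hex()}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}


if __name__ == "__main__":
    print(json.dumps(verify_integrity(LOCKFILE, TARBALLS), indent=2))
    # Simulate a swapped transitive dependency: the check must flag it.
    tampered = dict(TARBALLS, **{"node_modules/ms": b"ms tarball bytes (tampered)"})
    print(json.dumps(verify_integrity(LOCKFILE, tampered), indent=2))
    print(json.dumps(build_sbom(LOCKFILE), indent=2))
```

The check deliberately covers transitive packages such as `ms`, which never appears in the application's own `package.json`; a swap at that level is exactly what a lockfile-only review would miss, and it is the kind of dependency the SBOM has to list for downstream teams to know it is there.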

A series of high-profile security breaches have clearly demonstrated the ability of cybercriminals to inject malware into software artifacts and compromise any application that embeds that artifact. This malware can then be activated at a later date to potentially compromise a number of downstream applications.

These incidents have led to a greater appreciation of DevSecOps best practices for maintaining the integrity of software supply chains. The problem that DevOps teams are trying to solve is how to build more secure apps without slowing down the speed at which those apps are built and deployed. Thus, DevOps teams are adding tools to the application development process that make it easier for developers to analyze code before it is included in an application and to verify the integrity of any software component that is part of a DevOps workflow.

It is unclear how long it will be before the adoption of DevSecOps best practices will have a significant impact on application security. However, it is far too late to focus on security after an application has been deployed. Today, cybercriminals can discover flaws and misconfigurations in applications within minutes. As more applications are deployed, developers may find themselves spending more time patching vulnerabilities than writing new code. A new approach to building secure applications from scratch is clearly needed.
