Engineering teams must be responsible for the design and implementation while giving security teams the visibility and assurance that controls are operational and that policies are being enforced.
The Blueprint is designed to engineer out the attacker, enabling developers and their automated pipelines to move faster, from idea to production. So, security teams and controls will be playing catchup forever. They are shifting left to target developers and supply chains to yield more successful outcomes, whether highly targeted or wide-ranging in impact. Most of the focus of security in the last few years has been on infrastructure and as everything has become software-defined, attackers have moved to attack surfaces that are less secure and not well understood by traditional security teams. Attackers are developers who have grown up with an open source, cloud native mindset.
#BLUEPRINT SOFTWARE SOFTWARE#
Attack on software developmentĪttacks are changing. The speed and agility built on open source, cloud native design, multi-cloud architectures, and CI/CD pipelines are the ingredients for success. Situation Speed + agilityĮngineers are the competitive advantage. The Blueprint gives engineering teams an actionable architecture that security teams can get behind and support. The outcome of adopting the Blueprint? The delivery of assured software at lower risk of supply chain tampering, reduction of attacks during development, and manipulation in staging and production.
the integrity of software artifacts are tested at appropriate stages.authentication and authorization are properly managed throughout the pipeline.We can achieve a more secure pipeline by ensuring that
#BLUEPRINT SOFTWARE PASSWORD#
As examples, consider the attack that's trojanizing SolarWinds Orion software updates or the Codecov Bash Uploader attack or the more recent Passwordstate password manager compromise. Our goal? Minimize the possibility supply chain attacks. We propose a standard set of controls to secure software development pipelines for continuous integration and continuous deployment (CI/CD) against attack. The design of this Blueprint places a priority on the speed and agility of modern software development, providing businesses with a competitive advantage while incorporating a security-always mindset. This Blueprint has been created by engineers for engineering leaders, architects and product security engineers. We encourage your contributions to the Blueprint and project, including examples that implement any of the Controls. These diverse controls drammatically reduce risk and align with agile, high performance software developlment pipelines. Our collective intent is to define a vendor-neutral map of standard controls. This document was authored by Veracode and Venafi with contributions and support from Sophos and Cloudbees. This document is for engineers and security teams who are driving fast and secure software supply chains. We welcome and appreciate all contributions. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. Issues and if you have a suggestion for fixing the issue, please include those details, too. To report a problem or share an idea, use This open source project is community-supported. Blueprint for building modern, secure software development pipelines
0 kommentar(er)
