Free digital signing service aims to bolster software supply chain security

by | Oct 25, 2022 | Technology

Register now for your free virtual pass to the Low-Code/No-Code Summit this November 9. Hear from executives from Service Now, Credit Karma, Stitch Fix, Appian, and more. Learn more.

The bulk of code in today’s modern software artifacts is open-source in origin. Still, the security controls around that code aren’t as sophisticated or widespread as they should be. For this reason, strong, verifiable signatures must be captured — these provide insight into components, their authors, and any potential tampering. 

“You wouldn’t bake a cake without a reasonable certainty that the ingredients you used were pure,” said Trevor Rosen, staff engineering manager and package security lead at GitHub. “But that’s basically what software authors using open-source without signatures are forced to do today: Use the ingredient and hope for the best.”

To support more widespread adoption of software signatures and further protect the software supply chain, the Sigstore community today announced at SigstoreCon the general availability of its free software signing service. 

The tool is designed to improve supply chain security by making it easy to sign, verify and check the software that developers are building and consuming. 

Event
Low-Code/No-Code Summit
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.

Register Here

Signatures are “immensely useful” within a software supply chain, where code and artifacts are passed along a chain of systems, said Luke Hinds, founder of the project and security engineering lead at Red Hat in the office of the CTO.

“With digital signatures, we can ensure the software is tamper-free and have certainty on its source of origin,” he said.

Proper verification to avoid data breaches

Supply chain attacks now account for one-fifth of all data breaches, which are at an all-time high of $4.35 million. 

“Supply chain security issues are pervasive because the attack surface is vast, the pay …

Article Attribution | Read More at Article Source

Share This