Connect with us

Blogs

Product showcase: Scribe platform’s end-to-end software supply chain security

Published

on

As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use.

We at Scribe Security recently launched a new platform to address these urgent needs by enabling its users to build trust in their software across teams and organizations. SBOM is a best practice expected to become widely required and used to mitigate software supply chain risks. With that in mind, we decided to take the lead and become the first vendor to introduce the concept of a Hub for security evidence about software products.

Scribe’s platform: What you need to know before diving in

  • Free and easy to use: Scribe’s platform offers a complete self-serve experience. It’s easy to implement and use (plugin and CLI-based). And you can start with a freemium.
  • Software security evidence hub: While most other solutions ignore the need to make software products’ security transparent to customers, buyers, and security teams, Scribe’s platform introduces a hub for security evidence. It supports a workflow for sharing SBOMs across or within enterprises. CVE’s insights allow both the software producer and the people they share their security insights with to see what CVEs are present in each new release. An interesting experimental feature of the platform is the ability to validate software integrity and share that evidence with stakeholders.

Here’s a look at the latest version of the platform:

Getting started

product showcase scribe security

Software producers can gain visibility into their pipelines and artifacts and choose software consumers—subscribers—for each pipeline. This is the first screen you see. Each part of the interface is explained and illustrated.

Each part of the interface is explained and illustrated

For each new product you add, you’ll get the 3 needed secrets: Product Key, Client ID, and Client Secret. You’ll also get a link to the integration explanation of your choice.

Product Key, Client ID, and Client Secret

What will catch your attention is the ‘Try Scribe on the command line’ button.

product showcase scribe security

The platform displays the full CLI commands. The whole truth is revealed.

product showcase scribe security

You can see the date and time software builds were created and know if their file integrity was validated in terms. You can make it visible to the consumers and subscribers you have defined for this product. It also allows you to download the build’s SBOM.

According to its documentation, Scribe currently supports GitHub, Jenkins, and other CI pipelines.

I was asked to include two collectors: The first collects information about the hashes of source code files, and the second about dependency hashes. While the first is optional, the second one isn’t.

Collectors

Every time you create a new build, evidence and SBOM are uploaded to the platform, then processed and presented as part of the My Products page.

This is where things get interesting – you can always add another product, with no limit to the number of products (or pipelines) you can manage. The information you can see for each product includes its name, subscribers, versions, last build version date, and whether its integrity was validated.

Information

The next step was to navigate to the Subscribers tab, where you invited new subscribers simply by their email addresses.

Integrity report and SBOM

product showcase scribe security

Clicking the version line leads to the build version page. There you can find all the context metadata about that specific build, as well as links to the integrity report, vulnerabilities report, and the SBOM.

product showcase scribe security

After clicking More, we can see the vulnerabilities found in this image with the CVE designation and severity. The worst CVEs are designated as critical. You have a filter allowing you to see only the High Severity CVEs and up. You can also use the search bar to look for a specific CVE.

product showcase scribe security

Clicking More in the Integrity Report section takes you to the full report. You can easily see the validation of the source code. Additionally, you can see the validation of my open-source packages based on the second collector you’ve included.

You can also search for a specific package. The search option is separate for source code and open-source packages.

You’re not obligated to release or share a build with a less-than-perfect report; only the versions you choose to release will be shared with that project’s subscribers.

Evidence store for builds

The platform operates as a repository for past security data and evidence store for your product – it will have a sharable evidence trail with provenance information about your source files and dependencies.

Conclusion

Providing an attestation store and sharing hub for product builds’ security information, this product is solid and interesting. Clearly, a lot of thought went into it and it’s definitely a great step forward. So when (it’s no longer a question of if) you need to generate, manage and share SBOMs and related security insights for your software products you should give it a try.

Source: https://www.helpnetsecurity.com/2022/10/18/product-showcase-scribe-security/

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO