As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use.
We at Scribe Security recently launched a new platform to address these urgent needs by enabling its users to build trust in their software across teams and organizations. SBOM is a best practice expected to become widely required and used to mitigate software supply chain risks. With that in mind, we decided to take the lead and become the first vendor to introduce the concept of a Hub for security evidence about software products.
Scribe’s platform: What you need to know before diving in
- Free and easy to use: Scribe’s platform offers a complete self-serve experience. It’s easy to implement and use (plugin and CLI-based). And you can start with a freemium.
- Software security evidence hub: While most other solutions ignore the need to make software products’ security transparent to customers, buyers, and security teams, Scribe’s platform introduces a hub for security evidence. It supports a workflow for sharing SBOMs across or within enterprises. CVE’s insights allow both the software producer and the people they share their security insights with to see what CVEs are present in each new release. An interesting experimental feature of the platform is the ability to validate software integrity and share that evidence with stakeholders.
Here’s a look at the latest version of the platform:
Getting started
Software producers can gain visibility into their pipelines and artifacts and choose software consumers—subscribers—for each pipeline. This is the first screen you see. Each part of the interface is explained and illustrated.
For each new product you add, you’ll get the 3 needed secrets: Product Key, Client ID, and Client Secret. You’ll also get a link to the integration explanation of your choice.
What will catch your attention is the ‘Try Scribe on the command line’ button.
The platform displays the full CLI commands. The whole truth is revealed.
You can see the date and time software builds were created and know if their file integrity was validated in terms. You can make it visible to the consumers and subscribers you have defined for this product. It also allows you to download the build’s SBOM.
According to its documentation, Scribe currently supports GitHub, Jenkins, and other CI pipelines.
I was asked to include two collectors: The first collects information about the hashes of source code files, and the second about dependency hashes. While the first is optional, the second one isn’t.
Every time you create a new build, evidence and SBOM are uploaded to the platform, then processed and presented as part of the My Products page.
This is where things get interesting – you can always add another product, with no limit to the number of products (or pipelines) you can manage. The information you can see for each product includes its name, subscribers, versions, last build version date, and whether its integrity was validated.
The next step was to navigate to the Subscribers tab, where you invited new subscribers simply by their email addresses.
Integrity report and SBOM
Clicking the version line leads to the build version page. There you can find all the context metadata about that specific build, as well as links to the integrity report, vulnerabilities report, and the SBOM.
After clicking More, we can see the vulnerabilities found in this image with the CVE designation and severity. The worst CVEs are designated as critical. You have a filter allowing you to see only the High Severity CVEs and up. You can also use the search bar to look for a specific CVE.
Clicking More in the Integrity Report section takes you to the full report. You can easily see the validation of the source code. Additionally, you can see the validation of my open-source packages based on the second collector you’ve included.
You can also search for a specific package. The search option is separate for source code and open-source packages.
You’re not obligated to release or share a build with a less-than-perfect report; only the versions you choose to release will be shared with that project’s subscribers.
Evidence store for builds
The platform operates as a repository for past security data and evidence store for your product – it will have a sharable evidence trail with provenance information about your source files and dependencies.
Conclusion
Providing an attestation store and sharing hub for product builds’ security information, this product is solid and interesting. Clearly, a lot of thought went into it and it’s definitely a great step forward. So when (it’s no longer a question of if) you need to generate, manage and share SBOMs and related security insights for your software products you should give it a try.
Source: https://www.helpnetsecurity.com/2022/10/18/product-showcase-scribe-security/