Austin, TX: We have been learning the hard way that, as Slim.AI CEO John Amaral puts it, "Your software supply chain is only as secure as its weakest link." Amen, brother!
Numerous high-profile attacks, breaches, and exploits, such as the SolarWinds fiasco and the Log4j vulnerability, are prime examples. Indeed, it has gotten so bad that President Joseph Biden issued an executive order calling for us all to secure the software supply chain. When politicians pay attention to software, stuff has gotten real.
Slim.AI is rising to this challenge by announcing, at Open Source Summit in Austin, Texas, its beta software supply chain security service. This service will help organizations continuously and automatically optimize and secure their containers and reduce software supply chain risk.
This service is being built on the foundation of Slim.AI's open-source project, DockerSlim. This popular developer program optimizes and secures your containers by analyzing your code and throwing away unnecessary code, thus "slimming" down your containers' attack surface. It can also reduce the size of your container by up to 30x.
That is impressive. As Amaral said, "Today, tens of thousands of developers and teams use Slim's open source and free SaaS software to understand what's in their containers, reduce containers' attack surface, remove vulnerabilities, and ship only the code they need." But the open-source project doesn't scale. So with this new service, Amaral continued, "We're moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these results at scale."
This is being done by integrating the code with container registries, Continuous Integration/Continuous Deployment (CI/CD) pipelines, and tools so you can automate it and integrate it into existing workflows to quickly ship secure software into production.
Current and planned integrations include the Docker, AWS ECR, Google GCR, GitHub, DigitalOcean, and Quay registries and the Jenkins, GitLab, and GitHub CI/CD platforms. Application Programming Interfaces (APIs) are also being made available to Early Access Partners.
In addition, thanks to its APIs, the service lets you run multiple vulnerability scanners on your containers to find security problems before they bite you.
This is all part of what Amaral calls "The Four Ss of Software Supply Chain Security."
The good news about the open-source software supply chain is, Amaral explained, "it's very easy for developers to incorporate huge libraries of code into applications, package that into containers, and ship to production with the click of a button. The code running in production is the child of the vast supply chain." The bad news is that "It bears the benefits and risks of all the decisions, contributions, features, and flaws manifested by its creators in aggregate."
As CodeNotary, a software supply chain company, recently observed, "Software is never complete and the code base including its dependencies is an always updating document. That automatically means that you must track it, good and bad, keeping in mind that something good can turn bad." Yes, exactly so!
The answer, according to Amaral, is to build a comprehensive, automated software supply chain security (SSCS) program: "The Four Ss." These are:
- Software program Invoice of Supplies: It is a checklist of all of the parts in a chunk of software program reminiscent of open-source libraries and third-party parts. Properly-known SBOM approaches embrace the Linux Basis’s Software program Package deal Information Trade (SPDX) and Provide chain Ranges for Software program Artifacts, or SLSA (salsa)
- Signing: Signing is a method of digitally attaching a verified, immutable developer identification to a chunk of code. Coupled with different instruments, it permits for making a clear, cryptographically safe report of software program modifications and manifests a everlasting, and dependable digital chain of custody for software program and associated artifacts. Sigstore and Notary.
- Slimming: This minimizes your manufacturing code footprint by eradicating pointless code. It additionally inherently reduces software program provide chain complexity, software program assault floor, and combination danger.
- Sharing: Nobody particular person or group can present a complete SSCS answer. Communication about SSCS and collaborating on options each inside your group and with different teams is crucial to advancing the business and defending our software-reliant world ecosystem. In relation to open-source safety, we’re all on this collectively.
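To make the first two Ss concrete, here is an added example (written for this article, not code from Slim.AI, DockerSlim, SPDX, Sigstore or Notary) that builds a minimal SBOM for an artifact, signs the canonical document, verifies it on the consuming side, and reports components whose bytes have changed since the SBOM was cut. The schema (`artifact`, `components`, `name`, `version`, `sha256`) is this example's own simplification of what SPDX records, the Ed25519 key is generated locally in place of a Sigstore or Notary identity, and the component contents are constructed sample bytes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Component is one entry of a minimal SBOM. The field names are this
// example's own simplification; a real SPDX document has its own schema.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SBOM records what ships inside one artifact, e.g. a container image.
type SBOM struct {
	Artifact   string      `json:"artifact"`
	Components []Component `json:"components"`
}

// Part is a component as seen at build time: its identity plus its bytes.
type Part struct {
	Name, Version string
	Content       []byte
}

// Signed bundles the canonical SBOM bytes with the signer's public key and
// signature so a consumer can check provenance without contacting anyone.
type Signed struct {
	Document  []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// BuildSBOM hashes every component and sorts the list by name, so the same
// inputs always canonicalise to byte-identical JSON (needed for signing).
func BuildSBOM(artifact string, parts []Part) SBOM {
	s := SBOM{Artifact: artifact}
	for _, p := range parts {
		s.Components = append(s.Components, Component{p.Name, p.Version, digest(p.Content)})
	}
	sort.Slice(s.Components, func(i, j int) bool { return s.Components[i].Name < s.Components[j].Name })
	return s
}

// Sign serialises the SBOM and signs the exact bytes that will be shipped.
// The key stands in for a CI identity such as Sigstore's keyless signing.
func Sign(s SBOM, priv ed25519.PrivateKey) (Signed, error) {
	doc, err := json.Marshal(s)
	if err != nil {
		return Signed{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return Signed{Document: doc, PublicKey: pub, Signature: ed25519.Sign(priv, doc)}, nil
}

// Verify checks the signature over the received bytes and only then parses
// them; a document altered in transit or at rest is rejected, not parsed.
func Verify(b Signed) (SBOM, bool) {
	if len(b.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(b.PublicKey, b.Document, b.Signature) {
		return SBOM{}, false
	}
	var s SBOM
	if err := json.Unmarshal(b.Document, &s); err != nil {
		return SBOM{}, false
	}
	return s, true
}

// Drift names components whose current bytes no longer match the signed
// SBOM (the "something good can turn bad" case); a part absent from the
// SBOM is also reported, since it was never attested at all.
func Drift(s SBOM, parts []Part) []string {
	want := make(map[string]string, len(s.Components))
	for _, c := range s.Components {
		want[c.Name] = c.SHA256
	}
	var drifted []string
	for _, p := range parts {
		if want[p.Name] != digest(p.Content) {
			drifted = append(drifted, p.Name)
		}
	}
	return drifted
}

func main() {
	parts := []Part{ // constructed sample components
		{"zlib", "1.2.12", []byte("constructed zlib bytes")},
		{"app", "0.1.0", []byte("constructed app bytes")},
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle, err := Sign(BuildSBOM("example/app:0.1.0", parts), priv)
	if err != nil {
		panic(err)
	}
	sbom, ok := Verify(bundle)
	fmt.Printf("verified=%v components=%d\n", ok, len(sbom.Components))

	// An altered document fails verification before it is ever parsed.
	forged := bundle
	forged.Document = bytes.Replace(bundle.Document, []byte("1.2.12"), []byte("1.2.11"), 1)
	_, ok = Verify(forged)
	fmt.Printf("forged verified=%v\n", ok)

	// A dependency rebuilt after the SBOM was signed shows up as drift.
	parts[0].Content = []byte("constructed zlib bytes, silently rebuilt")
	fmt.Printf("drifted=%v\n", Drift(sbom, parts))
}
```

The design point is that the signature covers the canonical bytes, not a parsed object: sorting components and marshalling once means two builds of the same inputs produce the same signed document, and verification happens before any parsing so a tampered file never reaches the JSON decoder.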
At Slim, Amaral concluded, "Our core value is 'Know Your Software.' Slim.AI's tools can be used alongside vulnerability scanners and SBOM generators to create a holistic view of the software supply chain." With Slim's optimization, you can make sure teams ship only what they need for production.
Want to know more? Contact the Slim.AI team for early access. If you're at Open Source Summit, you can visit the Slim.AI team and learn more about the program at Booth B2.