Securing the Software Supply Chain (MEAP V06)

Secure your entire software supply chain, including the code you write, the libraries you use, and the platforms you run on.

Modern software relies on a collection of original code, libraries, open source tools, plugins, packages, and platforms. Securing the Software Supply Chain teaches you to secure those dependencies to the same rigorous standards as the rest of your systems.

Inside this insightful guide, you’ll learn how to
Understand your whole software supply chain
Model threats to your software development lifecycle
Implement controls to preempt and protect against attack
Use cutting-edge security tools and scalable processes
Organize and plan improvements
Supply chain tools likeSigstore, in-toto, and Kyvernofor

It’s easy to be blissfully unaware of the dangerous vulnerabilities lurking in your software systems. This book reveals techniques securing all components of the software delivery lifecycle.

about the book
Securing the Software Supply Chain teaches you everything you need to know to identify and protect the code, data, and infrastructure of your applications. You’ll get a comprehensive breakdown of the kind of threats your software supply chain faces, and how they can be dramatically different from traditional dangers. Learn how to implement a chain of custody throughout your software development lifecycle, with techniques ranging from securing developer workstations to implementing dependency proxies.

Real-world examples from a financial services company illustrate each concept, including key signing ceremonies, establishing trust roots, and generating a Software Bill of Materials (SBOM)—vital documentation for supply chain risk management.

about the reader
For software senior engineers and architects with experience in DevSecOps.

about the authors
Michael Lieberman is CTO and co-founder of Kusari, a cybersecurity startup focused on software supply chain security. Michael has previously worked in the financial industry, architecting cloud migrations with a focus on security. In addition, he is an OpenSSF TAC member; a member of the SLSA steering committee, an emerging supply chain security standard; as well as a CNCF Security TAG lead.