What Good Software Supply Chain Security Looks Like 


Organizations running their business on open source software face a more hostile and complex security and compliance landscape than ever before. Malicious actors are bypassing traditional security tools by directly targeting developers, according to Sonatype's 10th annual "State of the Software Supply Chain" report. The number of malicious packages logged in 2024 increased 156% year over year, the report says.

While the cloud native and DevOps movements of the past decade-plus have made progress in promoting the idea of integrating security throughout the application development and delivery cycle, software vulnerability exploits are among the most commonly reported external attack methods (cited by 29% of respondents in Forrester's 2025 report "The State Of Application Security"), followed closely by software supply chain breaches (28%).

Faced with this increasingly complex security and compliance landscape, security teams, app dev leaders and IT execs alike are figuring out what good software supply chain security looks like. Based on thousands of hours working with highly regulated industries, from public sector agencies to global financial services organizations, we have recognized some specific patterns.

Taking Hardened Images Beyond Table Stakes

Hardened container images are a default in today's IT environments. Many software vendors promise hardened images with near-zero common vulnerabilities and exposures (CVEs). However, to truly take advantage of hardened images, organizations need to ensure they have a defensible space within their infrastructure.

In fire-prone California, the concept of defensible space is enforced by Cal Fire. Homeowners are mandated to create 100 feet of defensible space around their buildings by removing material that could turn into fuel for a fast-moving fire from the perimeter of their property.

Removing extraneous material from your container images accomplishes the same goal. Each additional line of code in your software is an opportunity for a bug to be introduced that an attacker can exploit.

By removing packages and dependencies that are not required to run an application, there are fewer chances for something to go wrong that a bad actor can use to their advantage. Catastrophes happen when enough things fail at once. So even if you cannot eliminate risk entirely, reducing the points of failure improves your odds of withstanding an attack.

Distroless images remove everything except what is absolutely required for the software to run. This not only makes the image lighter, taking up less space on disk and in the registry; it also makes your apps more secure by reducing the available attack surface.

For developers who need the ability to dynamically add libraries to a container at runtime, distroless images are not the right option. The distroless form factor shines once an application has passed the proof-of-concept stage and the scale of trade-offs tips from ease of use toward reducing the risk of exploitation.

Distroless images are a must-have for teams that are ready for state-of-the-art container security in their infrastructure. Not everyone will be able to start with this type of image, but teams that are already doing sophisticated things like air-gapped or disconnected networks, zero trust, or mandatory access control authorization models will be right at home using distroless images.

By creating a "clean room" environment in the container, distroless images are not designed for humans to work in, because they contain only the bits needed by the application's low-level binaries. But because they lack the human-oriented parts of the operating system, such as a shell, a package manager and filesystem tools, they are that much harder for an attacker who somehow made it into the container to make use of. Note what this does and does not buy you: a distroless base limits what an attacker can do after gaining a foothold (no shell to drop into, no package manager to pull tools with), but it does not fix vulnerabilities in the application itself or in the libraries it ships, so scanning and patching the image still apply.

Plus, the container image size is vastly smaller because it sheds the excess weight those tools require. It makes the container more secure at the expense of ease of use when it comes to debugging and troubleshooting.

However, new tools are being developed in this ecosystem to make distroless containers easier to work with, thus raising the bar of defensible space and proactive security for everyone in the industry. Kubernetes ephemeral debug containers (`kubectl debug`) are one example: they let you attach a toolbox image to a running pod for troubleshooting without baking a shell into the production image.

To be sure, distroless images are less convenient but more secure. This is why it is best to make them an optional format for the most popular apps. More advanced users will have the appetite for this level of security and understand the trade-off.

Comprehensive Coverage

A catalog of images built the right way with security in mind is great, but what if the application or component your developers need is not in that catalog?

If developers are often leaving the walled garden of your trusted supply chain because they cannot find what they are looking for, you can no longer make claims about the compliance of your platform. And these exceptions may be introducing risk that is not being tracked or mitigated.

This is why having a catalog with sufficient coverage of the apps and open source projects your platform users need is important to a successful compliance story. Without it, the promise of open source compliance is an empty one.

Accreditation Optimized Images

Most compliance requirements and framework controls are based on NIST SP 800-53 and the Risk Management Framework (RMF, NIST SP 800-37) used to select, implement and assess those controls. Finding a vendor who understands the security and compliance landscape deeply is critical.

Furthermore, vendors who design images to meet those controls out of the box can improve your security posture and ensure you are meeting baseline compliance requirements. Those vendors can greatly reduce toil and provide templates for responding to the controls and documenting how the images meet them.

OS Package Format

Many organizations may need to customize the standard images they are using to meet their needs. Having an industry-standard package format, such as RPM (originally Red Hat Package Manager), is a safe way to do that.

Some other hardened image providers only support the apk package format used by Alpine Linux and its derivatives (Alpine Package Keeper, not to be confused with Android's APK application bundles), which is not considered an industry standard and can make it harder to find packages in that format.

You will get a better security outcome with familiar technologies that are invisible to developers, so they can focus on code.

STIG Readiness

The U.S. Department of Defense (DoD) requires all IT systems to adhere to the Risk Management Framework, as defined in DoDI 8510.01. An important part of RMF is the mandatory use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs) maintained by the Defense Information Systems Agency (DISA). Where a specific STIG for a product is unavailable, the applicable SRGs must be used instead.

Whether you are working with the DoD or in a highly regulated industry, it is important to understand these requirements, as they could affect your compliance posture. Look for tools and vendors who publish STIGs and demonstrate experience in following SRG requirements for risk management.

STIG Readiness is the process of preparing content that meets DISA's standards, similar to the official DISA process. Products marked as "STIG Ready" typically require minimal changes if they were submitted for official DISA publication. Note that "STIG Ready" is the vendor's own assertion of alignment with the applicable SRG, not a DISA-published STIG, so when choosing a vendor to improve your security and compliance posture, refer to its STIG Readiness documentation and ask for the mapping from each SRG requirement to the configuration that satisfies it.

FIPS and SLSA

Developed by the National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) are used when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards to secure their information and systems and establish strong information security programs.

To secure your supply chain and protect against cryptographic attacks, a curated catalog of FIPS-validated software sets the foundation for a stronger security posture. You can find the list of current FIPS on NIST's FIPS publications page. We recommend looking at FIPS 140-2 and 140-3, which specify the cryptographic and operational requirements for modules within security systems that protect sensitive information. FIPS 140-3 supersedes 140-2, and new module validations are issued only under 140-3; check a module's certificate on NIST's CMVP validated-modules list rather than relying on a vendor's "FIPS-compliant" wording, which only claims that approved algorithms are used.

The Supply-chain Levels for Software Artifacts (SLSA) framework consists of a set of incrementally adoptable guidelines for supply chain security, established by industry consensus (as opposed to a governing body). It is designed to track code handling from source to binary to protect against infiltration by bad actors across the ever-increasing complexity of the software supply chain.

Ideally, you have options for producing provenance attestations for every distributed asset so you can verify information about software artifacts describing where, when and how something was produced, meeting SLSA Build Level 3. The table in the SLSA specification lists the requirements for each Build level; in SLSA v1.0 they are, in summary: Level 1 requires that provenance exist; Level 2 requires that the provenance be generated and signed by a hosted build platform; and Level 3 requires that the build platform be hardened so that build tenants cannot forge provenance and builds run isolated from one another.
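The consumer side of Level 3 provenance, as an added example (not code from the original article or from any vendor): decode a DSSE-wrapped SLSA v1.0 provenance statement and apply the three policy checks that matter before admitting an artifact, namely that the artifact's digest is a subject of the attestation, that the builder is one you trust, and that the build consumed the expected source. The artifact bytes, builder ID, source URI and the `externalParameters` layout are all constructed for this example (that layout is defined by each `buildType`, so the hypothetical build type below defines it). The example assumes the envelope signature has already been verified against the builder's identity, for instance with `slsa-verifier` or `cosign verify-attestation`; that signature check is what makes Level 3 provenance unforgeable, and nothing below replaces it.

```python
"""Policy checks a consumer applies to a SLSA v1.0 provenance attestation
before admitting an artifact.  Added example; all identifiers are constructed."""
import base64
import hashlib
import json

# Constructed artifact: the bytes a build produced and the provenance describes.
ARTIFACT = b"#!/bin/sh\necho hello from a reproducible build\n"

# Constructed in-toto Statement carrying a SLSA v1.0 provenance predicate.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "hello.sh",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/container/v1",  # hypothetical
            "externalParameters": {   # layout is buildType-specific; assumed here
                "source": {"uri": "git+https://example.invalid/acme/hello@refs/heads/main"},
            },
        },
        "runDetails": {
            "builder": {"id": "https://example.invalid/builders/hosted-l3/v1"},  # hypothetical
        },
    },
}

# DSSE envelope as produced by tools such as cosign: base64 of the JSON statement.
# The signature value is a placeholder: this example assumes the envelope was
# already verified against the builder's key/identity by slsa-verifier or cosign.
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "builder-key", "sig": "<verified upstream>"}],
}

# Consumer policy: which builders we trust and where the source must come from.
TRUSTED_BUILDERS = {"https://example.invalid/builders/hosted-l3/v1"}
EXPECTED_SOURCE_PREFIX = "git+https://example.invalid/acme/hello@"


def statement_from_envelope(envelope: dict) -> dict:
    """Decode the in-toto Statement from a DSSE envelope (no signature check here)."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType: %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(envelope: dict, artifact: bytes,
                     trusted_builders: set, expected_source_prefix: str) -> list:
    """Return a list of policy violations; an empty list means the artifact is admitted."""
    problems = []
    stmt = statement_from_envelope(envelope)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType %r" % stmt.get("predicateType")]

    # 1. The artifact in hand must be one of the attestation's subjects, by digest.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 %s is not a subject of this attestation" % digest)

    pred = stmt.get("predicate", {})
    # 2. Only provenance from a builder we trust counts; anyone can write a statement.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append("untrusted builder %r" % builder)

    # 3. The build must have been fed from the expected source repository.
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not source.startswith(expected_source_prefix):
        problems.append("unexpected source %r" % source)
    return problems


if __name__ == "__main__":
    print(check_provenance(ENVELOPE, ARTIFACT, TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
    print(check_provenance(ENVELOPE, ARTIFACT + b"# tampered\n",
                           TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
```

The order matters: verify the signature first, then run these checks. A valid signature from a builder you do not trust, or over a subject whose digest does not match what you are about to deploy, is still a failed verification.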

Support for Disconnected Environments

Many federal agencies and highly regulated organizations require isolating computer systems from external connections such as the internet. Physically isolated, or air-gapped, systems protect highly sensitive data and help ensure the integrity of that data by blocking remote access to your systems. In many cases, they also support regulatory compliance standards related to data and privacy protection.

Disconnected or air-gapped networks are an effective way to increase your infrastructure's security defenses. However, this comes at a cost, particularly if the software you rely on was designed to always be connected to the internet. This is why it is important to identify, early in your systems design, solutions that support disconnected environments well.

For a supply chain security strategy to be effective, updates to your software, particularly those with CVE fixes, need to make their way across the air gap in a timely manner. You should expect your solutions provider to offer a well-documented process and tools for moving software from the internet to the disconnected environment.

The threat is that if software updates are too difficult to deal with, the benefits of a disconnected network strategy will be muted by the impaired functioning of your supply chain. Luckily, there are tools, such as the open source Bitnami charts-syncer, that make it straightforward to synchronize and move chart packages and their associated container images between chart repositories and highly regulated environments.
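Whatever tool moves the bundle, the receiving side should be able to prove that what arrived is exactly what was approved before it left. The following is an added example (not code from the original article or from charts-syncer) of the integrity manifest pattern: the connected side records a SHA-256 digest for every file in the bundle, and the disconnected side verifies the received tree against that manifest, reporting files that were modified, dropped or added in transit. The bundle contents and file names are constructed for the demonstration.

```python
"""Integrity manifest for a bundle that crosses an air gap.  Added example;
file names and contents are constructed.  The connected side builds the
manifest, the disconnected side verifies the received copy against it."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Streaming SHA-256 so large image tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the tree under root with the manifest.  Returns {} when every listed
    file is present with the expected digest and nothing unlisted was added;
    otherwise maps each offending path to 'modified', 'missing' or 'unexpected'."""
    actual = build_manifest(root)
    issues = {}
    for path, digest in manifest.items():
        if path not in actual:
            issues[path] = "missing"
        elif actual[path] != digest:
            issues[path] = "modified"
    for path in actual:
        if path not in manifest:
            issues[path] = "unexpected"   # a file that was not in the approved bundle
    return issues


def demo() -> tuple:
    """Round-trip a constructed bundle: a clean copy verifies, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "charts"))
        with open(os.path.join(src, "charts", "app-1.2.3.tgz"), "wb") as f:
            f.write(b"constructed chart archive bytes")
        with open(os.path.join(src, "images.tar"), "wb") as f:
            f.write(b"constructed image tarball bytes")
        manifest = build_manifest(src)          # produced on the connected side

        shutil.copytree(src, dst, dirs_exist_ok=True)   # the transfer
        clean = verify_manifest(dst, manifest)  # checked on the disconnected side

        # Simulate what could go wrong in transit: one file altered, one dropped,
        # one injected that was never part of the approved bundle.
        with open(os.path.join(dst, "images.tar"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(dst, "charts", "app-1.2.3.tgz"))
        with open(os.path.join(dst, "extra.sh"), "wb") as f:
            f.write(b"echo not approved")
        tampered = verify_manifest(dst, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is the trust anchor, so it must not travel as a plain file alongside the bundle: sign it on the connected side (cosign or GPG, whatever your disconnected environment can verify) and check that signature before running the comparison, otherwise anyone who can alter the bundle can regenerate the manifest too. The digests it records should also match the subjects in the artifacts' provenance attestations and the hashes in their SBOMs.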

Automated Compliance Documentation 

Larger, security-conscious corporations and federal agencies are requiring that software bills of materials (SBOMs), Vulnerability Exploitability eXchange (VEX) statements and in-toto attestations be included with any software they run or ship.

The ability to automatically gather compliance documents via APIs certainly simplifies the audit process; it can also reduce an organization's mean time to recover from a potential software supply chain attack.

Consider how SBOMs reduce your time to recover from an outage or attack: when a new CVE is published, querying the SBOMs of everything you run tells you within minutes which artifacts contain the affected component and version, and the accompanying VEX statements tell you which of those are actually exploitable, instead of rebuilding or rescanning each image to find out. This type of holistic view is critical for supporting continuous compliance.
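The query just described, as an added example (not code from the original article): given CycloneDX-style SBOMs for several deployed images and an OpenVEX document, decide per image whether an advisory calls for a patch, is already covered by a `not_affected` or `fixed` VEX statement, or does not apply. The SBOMs, image digests, package name, version range and the placeholder vulnerability ID are all constructed for illustration; the ID is not a real CVE.

```python
"""Cross-reference SBOMs of deployed images with a VEX document to find what
must be patched when a vulnerability is announced.  Added example; all data
below is constructed and the vulnerability ID is a placeholder, not a real CVE."""
import json

# Constructed CycloneDX-style SBOMs (only the fields this example needs), keyed by
# the image they describe.  Digests are placeholders.
SBOMS = {
    "registry.example.invalid/api@sha256:1111": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.3.0",
             "purl": "pkg:pypi/examplelib@1.3.0"},
            {"type": "library", "name": "otherlib", "version": "4.0.1",
             "purl": "pkg:pypi/otherlib@4.0.1"},
        ]}),
    "registry.example.invalid/worker@sha256:2222": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.4.2",
             "purl": "pkg:pypi/examplelib@1.4.2?checksum=sha256:abcd"},
        ]}),
    "registry.example.invalid/batch@sha256:3333": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.2.9",
             "purl": "pkg:pypi/examplelib@1.2.9"},
        ]}),
}

# Constructed advisory for a hypothetical package: affected from 1.0.0, fixed in 1.4.2.
ADVISORY = {"id": "CVE-0000-00000", "purl": "pkg:pypi/examplelib",
            "introduced": "1.0.0", "fixed": "1.4.2"}

# Constructed OpenVEX document from the batch image's maintainers asserting that
# the vulnerable code is never reached in that image.
VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/2025-0001",
    "author": "batch team",
    "timestamp": "2025-01-01T00:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-0000-00000"},
        "products": [{"@id": "registry.example.invalid/batch@sha256:3333"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }],
})


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (e.g. '1.4.2'); enough for this example."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl: str) -> tuple:
    """Return (purl without version, qualifiers or subpath, version) for a purl string."""
    base = purl.split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    if "@" not in base:
        return base, ""
    name, _, version = base.rpartition("@")       # version follows the last '@'
    return name, version


def affected_components(sbom_json: str, advisory: dict) -> list:
    """Versions of the advisory's package in one SBOM that fall inside the affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = split_purl(comp.get("purl", ""))
        if name != advisory["purl"] or not version:
            continue
        v = parse_version(version)
        if parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"]):
            hits.append(version)
    return hits


def vex_status(vex_json: str, vuln_id: str, product_id: str) -> str:
    """Status asserted by the VEX document for (vulnerability, product), or 'unknown'."""
    for st in json.loads(vex_json).get("statements", []):
        if st.get("vulnerability", {}).get("name") != vuln_id:
            continue
        if any(p.get("@id") == product_id for p in st.get("products", [])):
            return st.get("status", "unknown")
    return "unknown"


def triage(sboms: dict, advisory: dict, vex_json: str) -> dict:
    """Map image -> 'clean' (no vulnerable version present), 'vex:<status>'
    (vulnerable version present but VEX says not_affected or fixed) or 'patch'."""
    result = {}
    for image, sbom_json in sboms.items():
        if not affected_components(sbom_json, advisory):
            result[image] = "clean"
            continue
        status = vex_status(vex_json, advisory["id"], image)
        result[image] = "vex:" + status if status in ("not_affected", "fixed") else "patch"
    return result


if __name__ == "__main__":
    for image, decision in triage(SBOMS, ADVISORY, VEX).items():
        print(image, decision)
```

A VEX statement is an assertion by whoever authored it, so accept `not_affected` only from a signer you trust and only for the exact product identifier it names; `affected` and `under_investigation` still mean patch. Real SBOMs also carry non-numeric versions and version ranges in several notations, so a production version of this check should use a proper version-comparison library for each ecosystem.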

From Building Blocks To A Whole House

Ultimately, software supply chain security requires multiple tools and processes throughout the app dev and delivery cycle. It is no longer enough to shift security left; security has to be everywhere.

As cloud native patterns settle into Platform as a Service territory, it makes sense to architect your systems for a seamless security experience. There, outcomes are realized throughout the systems, so security does not inhibit your ability to release high-quality software more regularly, recover from setbacks and attacks more quickly, and make developers happier.
