CODE.md

September 2, 2023 ยท View on GitHub

The Software Supply Chain Stages

PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud
DevelopersIDELanguagesSCM providersBuild solutionsServersEmbedded PCURLSaaS solutionsCDN
QA teamSCVFrameworksPull requestsDeployment platformsOperating systemsPCBhostnameThird party APIsCloud services
DevOps teamLocal testsLibrariesSecrets mgmtReleasesWebserversUSB donglePayment gateways
Package MaintainersGit reposPackage ManagersGit reposFunctional testsApplication serversGPU/CPUIdentity Providers
Page BuildersPackagesSecurity testsWeb enginesAnalytics
Open sourceAPI test frameworksDatabasesProxies
Proprietary CodeUnit tests
PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud

Source Code

This includes any software that is needed to successfully write, build or deploy an application.

What's in scope?

  • Programming languages
  • Frameworks
  • Libraries
  • Package managers
  • Open source components
  • Proprietary code

Examples

Programming Languages

Frameworks & libraries

Package managers

Who owns it?

  • Development teams
  • DevOps team

What are the security concerns?

  • Knowing what's in your software is the first key
  • Source code components are coming from many different sources and used in applications
  • Dependency origin for the source code we use is critically important
  • Package managers are a primary target for attackers

How do I secure it?

  • Use secure package repositories
  • Analysis source code composition
  • Software bill of materials