LOCAL.md

September 9, 2023 ยท View on GitHub

The Software Supply Chain Stages

PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud
DevelopersIDELanguagesSCM providersBuild solutionsServersEmbedded PCURLSaaS solutionsCDN
QA teamSCVFrameworksPull requestsDeployment platformsOperating systemsPCBhostnameThird party APIsCloud services
DevOps teamLocal testsLibrariesSecrets mgmtReleasesWebserversUSB donglePayment gateways
Package MaintainersGit reposPackage ManagersGit reposFunctional testsApplication serversGPU/CPUIdentity Providers
Page BuildersPackagesSecurity testsWeb enginesAnalytics
Open sourceAPI test frameworksDatabasesProxies
Proprietary CodeUnit tests
PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud

Local Requirements

This includes any local applications, configurations, or other dependencies that are needed to for the people building software to successfully do their job.

What's in scope?

  • IDE
  • Source code versioning tools
  • Local tests
  • Local git repositories
  • Page builders

Examples

IDE

SCV Tools

Local tests

Linting, static analysis, software composition analysis

Local git repositories

Source code stored on devs laptop, private packages, install scripts, deployment scripts

Who owns it?

  • Individual engineers

What are the security concerns?

  • Choice of tools has different security outcomes
  • Git has several local security features which are typically not used
  • If an IDE is used, what extensions or plugins are enhancing security?
  • How do you encouage automated security tests in local environments?
  • The development environment should be secured
  • What challenges does BYOD bring with it?

How do I secure it?

  • Use of git or other version control systems
  • .gitignore files
  • Endpoint detection and response (EDR)
  • Linting
  • Local secret scans
  • Local SCA scans
  • Pre-commit git hooks