PEOPLE.md
September 9, 2023 ยท View on GitHub
The Software Supply Chain Stages
| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
|---|---|---|---|---|---|---|---|---|---|
| Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
| QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
| DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | Payment gateways | ||
| Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | Identity Providers | ||
| Page Builders | Packages | Security tests | Web engines | Analytics | |||||
| Open source | API test frameworks | Databases | Proxies | ||||||
| Proprietary Code | Unit tests | ||||||||
| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
People
These are the individuals or teams of people that are needed to write, build and deploy software.
What's in scope?
- Software engineers
- QA engineers
- DevOps team
- Package maintainers
Examples
Developers

Who owns it?
- Individual engineers
What are the security concerns?
- How do we help our software engineers see security as a "skill" not a burden?
- Package maintainers are a high profile targets.
- What security controls can we suggest that don't slow down devs?
- Security awareness training needs to be ongoing, not once a year
- Help devs understand that finding security issues early saves them significant time later
How do I secure it?
- Secure Code Training
- Security chanpion mentoring
- Peer code review
- Threat modeling