PEOPLE.md

September 9, 2023 ยท View on GitHub

The Software Supply Chain Stages

PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud
DevelopersIDELanguagesSCM providersBuild solutionsServersEmbedded PCURLSaaS solutionsCDN
QA teamSCVFrameworksPull requestsDeployment platformsOperating systemsPCBhostnameThird party APIsCloud services
DevOps teamLocal testsLibrariesSecrets mgmtReleasesWebserversUSB donglePayment gateways
Package MaintainersGit reposPackage ManagersGit reposFunctional testsApplication serversGPU/CPUIdentity Providers
Page BuildersPackagesSecurity testsWeb enginesAnalytics
Open sourceAPI test frameworksDatabasesProxies
Proprietary CodeUnit tests
PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud

People

These are the individuals or teams of people that are needed to write, build and deploy software.

What's in scope?

  • Software engineers
  • QA engineers
  • DevOps team
  • Package maintainers

Examples

Developers

collaborators-github

Who owns it?

  • Individual engineers

What are the security concerns?

  • How do we help our software engineers see security as a "skill" not a burden?
  • Package maintainers are a high profile targets.
  • What security controls can we suggest that don't slow down devs?
  • Security awareness training needs to be ongoing, not once a year
  • Help devs understand that finding security issues early saves them significant time later

How do I secure it?

  • Secure Code Training
  • Security chanpion mentoring
  • Peer code review
  • Threat modeling