Integrating software supply chain security in DevSecOps CI/CD pipelines
NIST released its final guidelines for integrating software supply chain security in DevSecOps CI/CD pipelines (SP 800-204D).
In this Help Net Security video, Henrik Plate, Security Researcher at Endor Labs, discusses the report. SP 800-204D provides actionable measures for integrating the various building blocks of software supply chain security assurance into CI/CD pipelines, so that organizations are better prepared to address supply chain security in the development and deployment of cloud-native applications.
The guidance arrives at a good time: organizations are looking for help implementing high-level recommendations such as the Secure Software Development Framework (SSDF), particularly ahead of the self-attestation requirement, which has been postponed for now but will eventually require suppliers of software to federal agencies to declare their adherence to SSDF secure development practices. In this regard, the document clarifies what is expected of DevSecOps and CI/CD pipelines.