Building Trust: Strengthening Your Software Supply Chain with Transparency and Security

Madhukesh Wali

Last edited: January 13, 2025

Let’s face it—the term "software supply chain" can feel like navigating a maze of tech jargon. Commit signing, Software Composition Analysis (SCA), eBPF monitoring, SBOM generation, provenance attestations… the list goes on. But at its core, the software supply chain is the backbone of modern development, and its security is non-negotiable.

A single vulnerability in this chain can ripple through entire systems, leading to breaches, downtime, and reputational damage. Think of it like quality control in manufacturing—every part must be checked and verified to avoid catastrophic failures down the line. So, how do we safeguard this sprawling system? Let’s break it down into four key areas and discuss solutions.

1. Keeping Exploits Out of Open Source and Third-Party Dependencies

We all rely on open-source software (OSS)—it’s like the unsung hero of modern development. But how do we know those libraries are secure? How can we trust that no one has slipped an exploit into a dependency?

This is where attestations come in. They’re like a digital stamp of approval, proving where an artifact came from and ensuring it hasn’t been tampered with. Tools like Sigstore act as public trust anchors, helping verify software authenticity.

For example, GitHub Artifact Attestation and npm audit signatures let you generate and verify these digital signatures during the build process. While adoption is still in its early days, these tools are paving the way for widespread trust in OSS.

Here’s a real-world example from one of our repositories:

NPM Audit Signatures...

----------------------------------------------------------------------------------------
audited 3163 packages in 16s
3163 packages have verified registry signatures
14 packages have verified attestations

As you can see, while registry signatures are widespread (3163 verified packages), only 14 packages had verified attestations. This highlights the need for greater adoption of attestation practices across the ecosystem.

At Cribl, we walk the talk. Every build artifact—binaries, SBOMs, container images—is signed using Cosign, and we make the corresponding signatures and public keys available for verification. Transparency builds trust, after all.

For example, you can find links to our Cribl binary tar, its signature, and public key here:

2. Transparency and Secure-by-Demand Practices: A Cultural Shift

Supply chain attacks are particularly sneaky. They exploit trust between organizations and their vendors, often hiding in lower-level dependencies.

One way to counter this is by adopting SBOMs (Software Bill of Materials). These provide a detailed record of all components in your application, making it easier to spot and patch vulnerabilities.

Transparency matters here. Sharing SBOMs and provenance attestations with customers and vendors creates a ripple effect of trust. At Cribl, every release includes a detailed SBOM, and we encourage customers to monitor them while requesting the same from our vendors.

Here are links to our Cribl SBOMs, their signatures, and the corresponding public key:

We’re also exploring tools like OpenSSF GUAC to streamline SBOM management and enhance supply chain visibility, ensuring every component is accounted for and secure.
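The signed-artifact and signed-SBOM verification described in sections 1 and 2, as an added example (not Cribl's own tooling, and not a substitute for the download links): it assumes key-based Cosign signatures, which `cosign sign-blob --key` emits as a base64-encoded DER ECDSA signature over the SHA-256 of the blob, so plain openssl can check them against the published public key. The key pair, tarball and SBOM it uses are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example, not Cribl's own tooling: verify detached, key-based Cosign
# signatures on a release tarball and its SBOM using only openssl.
# `cosign sign-blob --key` produces base64(DER ECDSA signature over SHA-256),
# which is exactly what `openssl dgst -sha256 -verify` checks.
# The key pair, blobs and signatures below are constructed stand-ins.
set -eu

WORK="$(mktemp -d)"
PUBKEY="$WORK/cosign.pub"           # stands in for the published public key
ARTIFACT="$WORK/cribl-example.tgz"  # stands in for the binary tarball
SBOM="$WORK/cribl-example.cdx.json" # stands in for the release SBOM

# verify_blob <file> <base64 signature file> <public key>: exit 0 only on a match.
verify_blob() {
  raw="$(mktemp)"
  if base64 -d "$2" > "$raw" 2>/dev/null &&
     openssl dgst -sha256 -verify "$3" -signature "$raw" "$1" >/dev/null 2>&1; then
    rm -f "$raw"; return 0
  fi
  rm -f "$raw"; return 1
}

# Build the fixtures: a throwaway P-256 key, two blobs, and a signature for each.
make_fixture() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/cosign.key" 2>/dev/null
  openssl ec -in "$WORK/cosign.key" -pubout -out "$PUBKEY" 2>/dev/null
  printf 'constructed release payload\n' > "$ARTIFACT"
  printf '{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}\n' > "$SBOM"
  for f in "$ARTIFACT" "$SBOM"; do
    openssl dgst -sha256 -sign "$WORK/cosign.key" "$f" | base64 > "$f.sig"
  done
}

# Check every published blob before trusting the release; refuse it on any failure.
verify_release() {
  for f in "$ARTIFACT" "$SBOM"; do
    verify_blob "$f" "$f.sig" "$PUBKEY" || { echo "BAD signature: $f"; return 1; }
    echo "verified: $f"
  done
}

make_fixture
verify_release
# Tampering with either blob (here, the SBOM) must make the whole release fail.
printf ' ' >> "$SBOM"
if verify_release; then echo "tampered SBOM accepted (BAD)"; else echo "tampered SBOM rejected"; fi
```

With the real downloads the equivalent check is `cosign verify-blob --key cosign.pub --signature <file>.sig <file>`, run once per published blob.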

3. Reducing the Attack Surface

Let’s talk containers. They’re convenient but often bloated with unnecessary dependencies, which increases the attack surface.

The solution? Minimal base images. Packaging only what’s essential reduces vulnerabilities, improves resource efficiency, and enhances security.

At Cribl, we offer two options:

  • A minimal Wolfi OS-based image for those who want a lean, secure foundation.

  • A full-featured Ubuntu-based image for flexibility and convenience.

Both are signed with HSM-backed keys to ensure integrity and authenticity. We want to give you the choice without compromising on security.

4. Securing Build Environments

Build environments and CI/CD pipelines are often overlooked when it comes to security, but attackers know they’re a goldmine.

Here’s the thing: simply putting your build system behind a VPN isn’t enough. These environments need to be treated with the same rigor as production systems.

Here’s what works:

  • Run SCA scans on build containers and final products to catch vulnerabilities early.

  • Monitor network activity with dedicated sensors and analyze logs from ephemeral build environments.

  • Adopt zero-trust authentication to secure access to credential stores.

  • Implement frameworks like SLSA (Supply Chain Levels for Software Artifacts) to enhance the integrity of your build pipelines.

At Cribl, we’ve integrated these practices into our build processes to stay ahead of potential risks.

Wrapping It Up

Securing the software supply chain might sound overwhelming, but it’s absolutely doable with the right strategies. By focusing on trust (through attestations), transparency (via SBOMs), minimalism (reducing the attack surface), and robust defenses (hardening build environments), we can build a safer software ecosystem.

It’s not just about technology; it’s about culture. Transparency, accountability, and proactive risk management are key. At Cribl, we’re committed to leading by example and encourage everyone—developers, vendors, and customers alike—to join us in strengthening the software supply chain.
