Secure your entire software supply chain, including the code you write, the libraries you use, and the platforms you run on.
Modern software relies on a collection of original code, libraries, open source tools, plugins, packages, and platforms. Securing the Software Supply Chain
teaches you to secure those dependencies to the same rigorous standards as the rest of your systems.
Inside this insightful guide, you’ll learn how to:
- Understand your whole software supply chain
- Model threats to your software development lifecycle
- Implement controls to preempt and protect against attack
- Use cutting-edge security tools and scalable processes
- Organize and plan improvements
- Supply chain tools likeSigstore, in-toto, and Kyvernofor
It’s easy to be blissfully unaware of the dangerous vulnerabilities lurking in your software systems. This book reveals techniques securing all components of the software delivery lifecycle.
about the book
Securing the Software Supply Chain
teaches you everything you need to know to identify and protect the code, data, and infrastructure of your applications. You’ll get a comprehensive breakdown of the kind of threats your software supply chain faces, and how they can be dramatically different from traditional dangers. Learn how to implement a chain of custody throughout your software development lifecycle, with techniques ranging from securing developer workstations to implementing dependency proxies.
Real-world examples from a financial services company illustrate each concept, including key signing ceremonies, establishing trust roots, and generating a Software Bill of Materials (SBOM)—vital documentation for supply chain risk management.
about the reader
For software senior engineers and architects with experience in DevSecOps.
about the authors
is CTO and co-founder of Kusari, a cybersecurity startup focused on software supply chain security. Michael has previously worked in the financial industry, architecting cloud migrations with a focus on security. In addition, he is an OpenSSF TAC member; a member of the SLSA steering committee, an emerging supply chain security standard; as well as a CNCF Security TAG lead.
is a co-chair of the CNCF Security TAG, and as a part of Google’s Open Source Security Team, he works on improving the security of the Open Source ecosystem. Previously at IBM Research, Brandon worked on various security areas, such as container content protection via encryption and image signing, identity, Zero Trust architectures, and kernel attack surface reduction.