
Thursday, March 16, 2023

Show HN: Chainloop, A Software Supply Chain Attestation solution devs won't hate https://ift.tt/VFJ1AbO

Hi, my name is Miguel and I am very happy to share what's been months' worth of work :) The project has rough edges for sure, but any early feedback, comments or concerns are appreciated!

=== The Problem ===

You work on the Security and Operations (SecOps) team in charge of your organization's Software Supply Chain Security. You feel pretty good about the state of things already: your developer teams are signing their commits and deliverables, scanning for vulnerabilities, … Life is good!

Then you realize that you are not compliant with the latest security requirements. You get referred to slsa.dev and are told that you need to be at least level 3, whatever that means! Aha! I “just” need to implement an attestation and artifact layer in our Software Supply Chain, which you complete after a couple of months of work.

Now to the easy part (or so you think): making the developer teams adopt it. You quickly realize that standardizing best practices and security requirements is very hard. Development and SecOps team dynamics are clashy and poorly defined due to a priorities mismatch. Also, from the developer's point of view, it's very time-consuming and frustrating to pollute your CI/CD systems with convoluted, error-prone and complex processes to comply with the SecOps team.

So there has to be a better way that satisfies both sides...

=== The Solution ===

Enter Chainloop. You can think of it as an API for your organization's Software Supply Chain that both parties can use to interact effectively to meet their mismatched priorities. SecOps teams regain security compliance, visibility, standardization and control by having a mechanism to define and propagate attestation requirements. Developers, on the other hand, get jargon-free tooling that can be used to meet compliance with minimum friction and effort.

=== Give it a try ===

Eager for feedback from the community so please reach out. Happy to chat! Thanks!

PS: You can see an attestation end-to-end demo here https://www.youtube.com/watch?v=Q_0dlBqKtIU&t=384s

https://ift.tt/9ztNLOv

March 16, 2023 at 07:34AM
