Laying out the elements of a secure software supply chain

August 10, 2021
Today’s columnists, Eric Brewer and Royal Hansen, discuss Google’s efforts to invest in the open source ecosystem to improve software supply chain security.
  • Strong controls against unilateral access for all components of the chain; two-person review is required.
  • Hermetic builds: All inputs (including transitive dependencies) are declared at the start.
  • Deployment artifacts carry tamper-evident digitally signed metadata.
  • Deployment is gated by a policy engine that enforces requirements for the target environment.
  • Crucially, the components of this source-build-deploy workflow, and the platform it runs on top of, are themselves built and deployed using this secure workflow.
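To make the deploy-gating element concrete, here is an added example (not code from the column or from Google) of a minimal policy engine: it verifies the tamper-evident tag on the build metadata, then checks two-person review, a trusted builder, and digest-pinned inputs against per-environment rules. The HMAC key, the `POLICY` table, the metadata field names and the sample record are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): HMAC keeps the example standard-library only;
# a real chain would verify the builder's asymmetric signature instead.
SIGNING_KEY = b"constructed-demo-signing-key"

# Requirements per target environment (constructed policy, not Google's).
POLICY = {
    "staging": {"builders": {"ci-builder", "dev-laptop"}, "min_approvers": 0},
    "prod": {"builders": {"ci-builder"}, "min_approvers": 1},
}

def canonical(metadata: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()

def sign_metadata(metadata: dict, key: bytes = SIGNING_KEY) -> str:
    """Builder side: tamper-evident tag over the build metadata."""
    return hmac.new(key, canonical(metadata), hashlib.sha256).hexdigest()

def policy_violations(metadata: dict, signature: str, target: str) -> list:
    """Deploy side: every requirement the artifact fails for `target`."""
    if not hmac.compare_digest(sign_metadata(metadata), signature):
        return ["metadata signature does not verify"]  # nothing else is trustworthy
    rules, problems = POLICY[target], []
    # Two-person review: approvers other than the author must have signed off.
    approvers = set(metadata.get("reviewers", [])) - {metadata.get("author")}
    if len(approvers) < rules["min_approvers"]:
        problems.append("insufficient independent review")
    # Only builders trusted for this environment may produce the artifact.
    if metadata.get("builder") not in rules["builders"]:
        problems.append("untrusted builder: %s" % metadata.get("builder"))
    # Hermetic build: every declared input (transitive ones too) is pinned by digest.
    for dep in metadata.get("inputs", []):
        if not str(dep.get("digest", "")).startswith("sha256:"):
            problems.append("unpinned input: %s" % dep.get("name"))
    return problems

# Constructed sample metadata, as a build system might emit it.
SAMPLE = {
    "artifact": "sha256:" + "a" * 64, "author": "alice",
    "reviewers": ["alice", "bob"], "builder": "ci-builder",
    "inputs": [{"name": "libfoo", "digest": "sha256:" + "b" * 64},
               {"name": "libbar", "digest": "sha256:" + "c" * 64}],
}

if __name__ == "__main__":
    print(policy_violations(SAMPLE, sign_metadata(SAMPLE), "prod") or "deploy allowed")
```

Because the signature is checked first, any edit to the metadata after the build (a swapped input digest, an added reviewer) is rejected before the policy rules are even consulted.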