• krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseoSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • krseolinkSpider
  • Sigstore explained: How it helps secure the software supply chain
    Home SecurityApplication Security Sigstore explained: How it helps secure the software supply chain

    Sigstore explained: How it helps secure the software supply chain

    Source Link

    Notable incidents such as SolarWinds and Log4j have placed a focus on software supply chain security. They have also sent security teams in search of tools to ensure the integrity of software from third parties. Software use is ubiquitous, with digital platforms now accounting for 60% of GDP per the World Economic Forum (WEF). While the way we use software has and is changing the world, the methods to ensuring the integrity of software sourced from across the ecosystem is lacking. The software supply chain often lacks the use of digital signatures, and when it doesn’t it typically uses traditional digital signing techniques which can be challenging to automate and audit.

    Sigstore definition

    Enter sigstore. As sigstore co-creator and Chainguard founder Dan Lorenc has put it, sigstore is “a free signing service for software developers that improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.”

    Who has adopted sigstore?

    It isn’t just the sigstore team who see the value in the proposed technology. Kubernetes announced that it was standardizing on sigstore, using it in its latest 1.24 release. This allows Kubernetes consumers to ensure the distribution they’re using is what is intended. Adding to that endorsement, the Linux Foundation and OpenSSF recently published “The Open Source Software Security Mobilization Plan,” which emphasizes digital signatures to enhance trust in the software supply chain. The proposed approach includes using the sigstore project due to its critical components such as a certificate authority, transparency logs and ecosystem-specific libraries.

    How does sigstore work? 

    Sigstore is set up to help address some of the existing gaps in the open-source software (OSS) supply chain and how we handle integrity, digital signatures and verifying the authenticity of OSS components. This is critical since 90% of IT leaders are using OSS. Organizations are prioritizing hiring OSS talent, and we’ve seen several notable software supply chain incidents as mentioned above.

    Sigstore brings together several OSS tools such as Fulcio, Cosign and Rekor to assist with digital signing, verification and checks of code provenance. Code provenance is the ability to have a chain of custody showing where code originated and from whom. The Uber Privacy and Security team has published an excellent blog post discussing how they approach the path to code provenance.

    Unpacking some of the core sigstore components, let’s start with Fulcio. Fulcio is a root certificate authority (CA) that focuses on code signing. It is free and issues certifications tied to OpeID Connect (OIDC) and often uses existing identifiers that developers are already associated with. With the rapid adoption and growth of cloud-native architectures and deployment of containers, signing containers have become a key security best practice.

    Copyright © 2022 IDG Communications, Inc.

    Related Articles

    Leave a Comment

    techhipbettruvabetnorabahisbahis forumutaraftarium24edusedusedueduedusedusedusedusedusedus
    kingbetting
    cashwin giris
    pin up aviator
    plinko romania
    lüks casino giriş
    betwild giris
    betmatik
    rexbet giriş
    neyine
    casinomilyon giriş
    padişahbet giriş
    biabet giriş
    rokubet casino
    padişahbet giriş
    vegabet
    biabet giris
    imajbet giriş
    sugar rush 1000
    свит бонанза
    betwild giris