ActiveState Delivers the First Open Source Software Development Platform to Include Attestations in its Supply Chain Security Lineup
Today, ActiveState announced the availability of open source software attestations, making it the first open source software platform to deliver this essential component of software supply chain security. The ability to obtain a self-attestation from the producer of every piece of third-party software, alongside a software bill of materials (SBOM), is part of sweeping guidance from the National Institute of Standards and Technology (NIST) that has been adopted by the White House: the self-attestation is the producer's statement that the software was developed in conformance with NIST's Secure Software Development Framework (SSDF, SP 800-218). According to the recent White House memorandum (OMB M-22-18), federal agencies must obtain these attestations for all critical software that touches government data or systems in any way no later than June 12, 2023, and for all other software no later than September 14, 2023.
ActiveState builds and actively maintains a curated catalog of trusted artifacts that meets the requirements for Supply Chain Levels for Software Artifacts (SLSA) level 4, including a software bill of materials (SBOM) and attestations, to proactively secure customers’ software supply chains. In addition, ActiveState’s secure build service delivers isolated, ephemeral, hermetic and verifiably reproducible builds from source code, so developers no longer need to install prebuilt binaries of unknown provenance that may have been compromised, or take on the work of verifying those binaries themselves.
“Nearly every software vendor in the US may soon see a drop in revenue if they don’t comply with the WH security order.”
ActiveState adds open source attestations, alongside its existing software bill of materials (SBOM) capabilities, to enable customers to comply with White House orders regarding software supply chain security.
The White House order applies to more than just government suppliers. Since it includes software that touches government data or systems in any way, it actually affects all upstream and downstream suppliers, as well. That means the order affects the majority of the software development market.
While some very large organizations may already have the systems and processes in place to comply with the order, compliance will be an expensive process for everybody else, because most organizations do not meticulously track the provenance of the open source they consume. This puts them at serious risk of missing the White House deadlines. The ActiveState Platform solves this problem automatically by building every artifact from source with a cloud-scale vendoring solution to deliver:
- A clear chain of custody and provenance
- Attestations for all packages
- An SBOM that lists all software components
- Automated solving and management of complex open source dependencies
As a result, employing ActiveState as a trusted vendor takes the time, hassle, and risk out of using open source, enabling software vendors to secure their supply chain and comply with even the most stringent security requirements.
Loreli Cadapan, Vice President, Product, ActiveState, said: “We believe the White House order signals a larger trend that will soon become industry standard. That’s why today’s announcement is so important. By delivering attestations for all open source packages, ActiveState enables software vendors to verify that their application has been built in a secure manner using an untampered process for producing trusted artifacts and binaries.”