International Data Corporation (IDC) published an IDC Innovators report profiling three start-up companies offering enhanced capabilities for open source software supply chain management that extend beyond static software bills of materials (SBOMs). The three companies are: Chainguard, Codenotary, and Endor Labs.
Open source software (OSS) has become increasingly popular in the development of new commercial products as well as internally-developed software solutions for enterprises. While OSS may be free to acquire, the costs of long-term maintenance and support are potentially greater than the money saved at the time of acquisition. In addition, there are growing concerns about the security of the software chain associated with OSS.
To address these concerns, the companies profiled in this report have developed software supply chain management platforms that utilize DevSecOps capabilities to better manage the security of the open source components used in their software development and deployment operations. These solutions intend to reduce the complexity and time required to properly vet OSS componentry for currency and the active nature of the project itself, identifying known vulnerabilities, as well as potential vulnerabilities not yet exposed, and more routine aspects such as licensing compliance issues.
Read More: Using Value Selling to Stay Afloat in Turbulent Economic Waters
“The challenge of securing the OSS software supply chain is significant and complex for virtually every organization,” said Katie Norton, senior research analyst, DevOps & DevSecOps. “The many entry points into the software supply chain constitute a significant risk that has gone unaccounted for in many organizations.”
“The time has come for organizations to get serious about securing the supply chain of open source software components, tools, or applications they may be using from public repositories,” said Al Gillen, group vice president, Software Development and Open Source at IDC. “The vendors and products highlighted in this IDC Innovators document are showing truly interesting and compelling ways to address these security concerns using a modern approach.”
The report, IDC Innovators: Open Source Software Supply Chain Security, 2023 (Doc #US50138923), profiles three companies that help customers manage the security of the software supply chain of open source components used in their software development and deployment operations. The three companies are:
Chainguard provides optimized and minimized container base images that are designed to reduce surface area and lower potential vulnerabilities. The company’s products also leverage the Supply Chain Levels for Software Artifacts (SLSA) Framework to enforce policy, generate SBOMs, and verify deployed images to ensure compliance with defined policies and alert on deviations.
Codenotary integrates OSS awareness into the SBOMs scanning and monitoring process, ensuring that all artifacts are known from source to product and subsequently logging that knowledge into an immutable database, ensuring the results are trustworthy.
Endor Labs helps dev and security teams to maximize software reuse by managing SBOMs to segment potential accessible vulnerabilities and muting non-reachable vulnerabilities, allowing a focus on potential vulnerabilities that could result in a compromise.
Read More: SalesTechStar Interview with Mikel Lindsaar, CEO & Founder of StoreConnect