Aqua unveils Chain-Bench, the first and only open source software supply chain auditing tool to ensure compliance with new CIS guidelines
BOSTON, June 22, 2022 (GLOBE NEWSWIRE) — Aqua Security, the leading pure-play cloud native security provider, and the Center for Internet Security (CIS), an independent nonprofit with a mission to build trust in the connected world, today released the first formal guidelines for securing software supply chains. Developed through collaboration between the two organizations, the CIS Software Supply Chain Security Guide provides over 100 fundamental recommendations that can be applied to a variety of commonly used technologies and platforms. In addition, Aqua Security has unveiled a new open source tool, Chain-Bench, the first and only tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.
Identifying software supply chain security best practices
While threats to the software supply chain continue to increase, studies show that security in development environments remains low. The new guidelines establish common best practices that support key emerging standards such as Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF), while adding fundamental recommendations for setting and auditing configurations on the platforms the CIS Benchmarks support.
Within the guide, recommendations span five categories of the software supply chain: source code, build pipelines, dependencies, artifacts, and deployment.
CIS plans to extend these guidelines to more specific CIS benchmarks to create consistent security recommendations across platforms. As with all CIS guidelines, the guide will be published and reviewed worldwide. Feedback helps ensure future platform-specific guidelines are accurate and relevant.
“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidelines to come,” said Phil White, Benchmarks Development Team Manager for CIS. “All subject matter experts who develop or work with the technologies and platforms that make up the software supply chain are encouraged to participate in developing additional benchmarks. Their expertise will be valuable in establishing critical best practices to improve software supply chain security for everyone.”
To date, the guide has been reviewed by experts from CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology companies.
Ofir Shapira, Cyber Security Product Manager, Axonius: “The work Aqua is doing around securing the software supply chain, not just as a company but for the wider community, is paving the way for more secure software releases.”
Erez Dasa, Cyber & Application Security Architect, leading digital payments organization: “Implementing these guidelines on development processes gives us much more confidence in release security.”
The industry’s first open source tool for software supply chain security
To support organizations applying the CIS guidelines, Aqua has released Chain-Bench. Chain-Bench scans the DevOps stack from source code to deployment and simplifies compliance with security regulations, standards, and internal policies so that teams can consistently implement software security controls and best practices.
“Building software at scale requires strong software supply chain management, and strong governance requires effective tools. This is where we saw an opportunity to add value,” said Eylam Milner, Director of Argon Technology, Aqua Security. “We wanted to use our expertise in software supply chain security to develop critical guidelines for one of the industry’s most pressing challenges, as well as a free, accessible tool to help other organizations comply. The work doesn’t stop here. We will continue to work with CIS to refine these guidelines so that organizations around the world can benefit from stronger security practices.”
For more information on the CIS Software Supply Chain Security Guide, visit the CIS WorkBench. To download Chain-Bench, go to GitHub.
About Center for Internet Security, Inc. (CIS)
The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses and governments through our core competencies of collaboration and innovation. We are a community-driven non-profit organization responsible for the CIS Critical Security Controls and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and deliver products and services to proactively protect against emerging threats. Our CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the trusted source for cyber threat prevention, protection, response, and remediation for U.S. State, Local, Tribal, and Territorial (SLTT) government agencies, and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the rapidly evolving cybersecurity needs of US election offices. For more information, visit CISecurity.org or follow us on Twitter: @CISecurity.
About Aqua Security
Aqua Security stops cloud native attacks. As a pioneer and largest pure-play cloud-native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP) that secures the entire application lifecycle through prevention, detection, and response. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in more than 40 countries. For more information visit www.aquasec.com
Contact:
Jennifer Tanner
Look Left Marketing
jtanner@lookleftmarketing.com
