Scribe Platform: End-to-end Software Supply Chain Security
As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use. In fact, in Gartner recently published their 2022 cybersecurity predictions - not only do they anticipate the continued expansion of attack surfaces in the near future, they also list digital supply chain as a major rising attack surface and one of the top trends to follow in 2022.
After all, any software is only as secure as the weakest link in its supply chain. One bad component, any malicious access to your development environment—or any vulnerability in your software's delivery life cycle—and you risk your code's integrity, your customers, and your reputation.
Scribe Security recently launched a new platform that claims to address these urgent needs by enabling its users to build trust in their software across teams and organizations. According to Scribe Security, SBOM is a best practice that is expected to become widely required and used to mitigate software supply chain risks. With that in mind, they decided to take the lead and become the first vendor to introduce the concept of a Hub for security evidence about software products and have launched a friendly and easy-to-use platform.
Our team recently explored Scribe's platform in more detail.
First things first
Scribe's platform: What you need to know before diving in:
- Free and easy to use: Scribe's platform offers a complete self-serve experience. It is easy to implement and use, as it is plugin and CLI-based. And finally, you can start with a freemium, no strings attached.
- Software security evidence hub: While most other Software Supply Chain security solutions ignore the need to make software products' security transparent to customers, buyers, and security teams, Scribe's platform introduces a hub for security evidence. As such, the platform supports a workflow for sharing SBOMs across or within enterprises. A number of insights will soon be added to the platform so stakeholders will receive ongoing updates about the software they use. One such insight, CVEs, is already included, allowing both the software producer and the people they share their security insights with to see what CVEs are present in each new release. An interesting experimental feature of the platform is the ability to validate software integrity and share that evidence with stakeholders.
To facilitate this product review, the team at Scribe Security gave us access to the latest version of their platform. Here's what we found:
Getting Started
Using the Scribe platform, software producers can gain visibility into their pipelines and artifacts and choose software consumers—subscribers—for each pipeline. Let's say I'm a software producer interested in trying the service. This is the first screen I see. Each part of the interface is explained and illustrated.
Notice that even when you first start there is already a demo product you can use as an example of how the Scribe platform works. You can either play around with the existing demo product or you can add a new product of your own.
The highlighted 'add product' button on the top right allows you to add new products. For each new product, you'll get the 3 needed secrets: Product Key, Client ID, and Client Secret. You'll also get a link to the integration explanation of your choice; currently, you can choose either GitHub, Jenkins, or a general CI option. We'll cover that in more detail in a bit.
Using this example product, I can test what the platform can offer.
By clicking on it, I can see the product builds that have already been uploaded. With the intention of testing out the platform's interface, I started with one, and created several more after.
The highlighted 'Setup' button on the top right gives you access to the current product information.
You can see the 3 product secrets, Product Key, Client ID, and Client Secret, just in case you lost them or forgot them.
You also get access to the integration instructions, so if you changed your pipeline you can now see how to integrate the Scribe tool into your new pipeline.
What caught my attention was a link at the top right stating 'Try Scribe on the command line', so I decided to click on it to see what would happen.