Today's software development landscape heavily relies on open-source components and third-party libraries. While this reliance streamlines development and expedites product delivery, it simultaneously exposes the software supply chain to potential risks, including security vulnerabilities, licensing discrepancies, and the looming threat of supply chain attacks.
Also, high-profile breaches, like those experienced by SolarWinds and Codecov, have further underscored the importance of software supply chain security. While standard security techniques for detecting vulnerabilities in source code are essential, they don't fully address the risks of tampering throughout the supply chain journey - from source to distribution.
To address these challenges, the Harness Software Supply Chain Assurance (SSCA) module is designed to secure the software supply chain, ensuring a layer of security that extends beyond conventional measures.
Software Supply Chain Assurance objectives
Harness SSCA module provides a robust solution for establishing trust in the software supply chain, managing open-source components, ensuring policy compliance, and enabling rapid response to new threats. The SSCA module aims to achieve the following objectives:
- Prevent: Stop the use of harmful or unauthorized open-source components.
- Report: Generate compliance reports adhering to both internal governance policies and external regulations.
- Trust: Establish trust in the software supply chain so that the artifacts produced can be trusted.
Software Supply Chain Assurance features
To realize the objectives, the SSCA module offers features such as:
- SBOM generation and management.
- Supply chain security policy enforcement.
- SLSA Level 2 compliance with provenance generation and verification.
For more information about these features and how SSCA integrates with the Harness Platform, go to the SSCA key concepts.