Show HN: Chainloop, A Software Supply Chain Attestation solution devs won't hate https://ift.tt/B4EcWqu
Show HN: Chainloop, A Software Supply Chain Attestation solution devs won't hate Hi, my name is Miguel and I am very happy to share what's been months worth of work :) The project has rough edges for sure, but any early feedback, comments or concerns are appreciated! === The Problem === You work on the Security and Operations (SecOps) team in charge of your organization's Software Supply Chain Security. You feel pretty good about the state of things already, your developer teams are signing their commits, deliverables, scanning for vulnerabilities,… Life is good! Then you realize that you are not compliant with the latest security requirements. You get referred to slsa.dev and are told that you need to be at least level 3, whatever that means! Aha! I “just” need to implement an attestation and artifact layer in our Software Supply Chain, which you complete after a couple of months of work. Now to the easy part (or what you think). To make the developer teams adopt it. You quickly realize that standardizing best practices and security requirements is very hard. Development and SecOps team dynamics are clashy and poorly defined due to priorities mismatch. Also, from the developer's point of view, it’s very time-consuming and frustrating to pollute your CI/CD systems with convoluted, error-prone and complex processes to comply with the SecOps team. So there has to be a better way that satisfies both sides... === The Solution === Enter Chainloop. You can think of it as an API for your organization's Software Supply Chain that both parties can use to interact effectively to meet their mismatched priorities. SecOps teams regain security compliance, visibility, standardization and control by having a mechanism to define and propagate attestation requirements. Developers, on the other hand, get jargon-free tooling that can be used to meet compliance with minimum friction and effort. === Give it a try === Eager for feedback from the community so please reach out. Happy to chat! Thanks! PS: You can see an attestation end-to-end demo here https://www.youtube.com/watch?v=Q_0dlBqKtIU&t=384s https://ift.tt/su3mRrq March 16, 2023 at 06:34AM
Labels: Hacker News
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home