Guest: Dennis Zimmer (LinkedIn)
Company: Codenotary (LinkedIn, Twitter)
Show: Let’s Talk
Keywords: Software Supply Chain Security, Open Source, Cybersecurity, Software Bill Of Material (SBOM)
Codenotary, the software supply chain security company, recently added a new vulnerability scanning feature to its Codenotary Cloud platform. The supply chain solution aims to help simplify vulnerability scanning for developers and bring together all the capabilities for securing code into one platform.
In this episode of TFiR Let’s Talk, Swapnil Bhartiya sat down with Dennis Zimmer, CTO of Codenotary, to discuss how the new feature is helping to secure the software supply chain. Zimmer says, “Our goal from the beginning was that everything that is being trusted, being developed, built, and deployed is also stored in an auditable fashion so nothing can be tampered with, and nothing can be changed in hindsight.”
Key takeaways from this video interview are:
- Customers had previously used external software to scan for vulnerabilities but now that this capability has been integrated into Codenotary Cloud, all the capabilities are built into one platform. The new feature aims to make scanning for vulnerabilities easier for developers.
- The solution can be integrated into a single line of a DevOps pipeline, enabling notifications, verifications, SBOM (software bill of materials) report and referencing, and vulnerability scanning.
- Although cybersecurity risks are a concern for securing the software supply chain, security risks are not always in the form of active attacks. They can also come from downloading a new version of a component that breaks the functionality of the whole application being deployed.
- Codenotary Cloud automatically generates an SBOM, so that developers can see exactly what they are using, can ensure nothing is in it that should not be, and can check whether a component or a vulnerability in it is going to affect their application.
- Best practices can help ensure supply chains are secure, such as assessing if there are any exposed secrets or passwords. Make sure there is a policy in place that defines the versions that are supported.
- It is important to have automated vulnerability scanning in place to check against security advisories.
- Developers should make sure they are storing only the applications that are still being used. Any that cannot be trusted, are outdated, or are duplicated should be removed. Maintaining good code hygiene will reduce security risks in the supply chain.
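To make the SBOM and automated-scanning takeaways above concrete, here is a small added example (written for this summary, not Codenotary's own code or output format) that reads a CycloneDX-style SBOM, cross-references each component against a constructed advisory feed, and flags components that fall below a supported-version policy. The SBOM shape, the advisory fields, the advisory ids and the policy values are all assumptions constructed for the example.

```python
import json

# Constructed SBOM in CycloneDX JSON layout (assumed format; the page does not
# show what Codenotary Cloud actually emits).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ]
}
"""

# Constructed advisory feed. Ids and version ranges are placeholders for the
# example, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "maven", "package": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "package": "express",
     "introduced": "0", "fixed": "4.0.0"},
]

# Constructed support policy: the oldest version of each package that the
# team still supports, keyed by "<ecosystem>/<name>".
SUPPORT_POLICY = {
    "npm/lodash": "4.17.21",
    "npm/express": "4.18.0",
}


def parse_version(text):
    """Turn '4.17.20' into (4, 17, 20); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so 4.0 == 4.0.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (the usual advisory semantics)."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def load_components(sbom_json):
    """Extract (ecosystem, name, version) for each SBOM component from its purl."""
    bom = json.loads(sbom_json)
    components = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        ecosystem = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        components.append({"ecosystem": ecosystem, "name": comp["name"], "version": comp["version"]})
    return components


def find_vulnerable(components, advisories):
    """Return (name, version, advisory id, fixed version) for every matching advisory."""
    hits = []
    for comp in components:
        for adv in advisories:
            if (adv["ecosystem"] == comp["ecosystem"] and adv["package"] == comp["name"]
                    and version_in_range(comp["version"], adv["introduced"], adv["fixed"])):
                hits.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return hits


def find_unsupported(components, policy):
    """Return (name, version, minimum supported version) for components below the policy floor."""
    out = []
    for comp in components:
        floor = policy.get(f"{comp['ecosystem']}/{comp['name']}")
        if floor and compare_versions(comp["version"], floor) < 0:
            out.append((comp["name"], comp["version"], floor))
    return out


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for name, version, adv_id, fixed in find_vulnerable(comps, ADVISORIES):
        print(f"VULNERABLE  {name}@{version}: {adv_id}, fixed in {fixed}")
    for name, version, floor in find_unsupported(comps, SUPPORT_POLICY):
        print(f"UNSUPPORTED {name}@{version}: policy requires >= {floor}")
```

Running the script on the constructed SBOM reports lodash and log4j-core as matching an advisory and lodash as below the policy floor; express matches neither. In a pipeline, a non-empty result from either function is what would gate the build or raise the notification the takeaways describe.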
About Dennis Zimmer: Dennis Zimmer has a strong reputation as a technology visionary across the globe. He was founder and CEO of Opvizor Inc., a virtualization monitoring company. He has been working for over 20 years in the IT industry and has written 10 books and hundreds of magazine articles and video trainings that are read and used by leading IT professionals. Dennis has been awarded the VMware vExpert recognition (only 30 worldwide) for 11 years in a row. He is also a thought leader within the virtualization community.
About Codenotary: Codenotary brings easy-to-use trust and integrity into the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. Codenotary can be set up in minutes and integrates fully with modern CI/CD platforms. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second.
The summary of the show is written by Emily Nicholls.