As software supply chain security becomes increasingly critical, security, DevSecOps, and DevOps teams are under more pressure than ever to build transparent trust in the software they deliver or consume.
We at Security Scribe recently launched a new platform to address these needs by enabling users to build trust in their software within teams and across organizations. An SBOM (Software Bill of Materials) is a best practice that should become widely required and used to mitigate software supply chain risk. With this in mind, we decided to take the lead and become the first vendor to introduce the concept of a Software Product Security Evidence Hub.
The Scribe platform: what you need to know before diving in
- Free and easy to use: Scribe’s platform is fully self-service. It is easy to implement and use (a CI plugin and a CLI), and you can start on a free tier.
- Software Security Evidence Hub: While most other solutions ignore the need to make a software product’s security posture transparent to customers, buyers and security teams, Scribe’s platform introduces a hub for security evidence. It supports a workflow for sharing SBOMs between or within companies. CVE information lets both the software producer and the parties they share their security information with see which CVEs are present in each new release. An interesting experimental feature is the ability to validate software integrity against evidence collected during the build and share that proof with stakeholders.
Here is an overview of the latest version of the platform:
Software producers can gain visibility into their pipelines and artifacts and choose software consumers (subscribers) for each pipeline. This is the first screen you see; each part of the interface is explained and illustrated.
For each new product you add, you get the three credentials the integration needs: a product key, a client ID and a client secret, along with a link to the integration guide of your choice. Treat these as secrets: keep them in your CI system’s secret store rather than in the repository or the pipeline definition, since they authenticate the evidence uploads your pipeline makes to the platform.
What will catch your eye is the “Try Scribe on the command line” button: the platform displays the full CLI commands it runs, so nothing is hidden.
You can see the date and time at which each release was created and whether its file integrity has been validated. You can make this visible to the consumers and subscribers you have defined for the product, and you can download the SBOM of the build.
According to its documentation, Scribe currently supports GitHub, Jenkins, and other CI pipelines.
The integration asked me to include two collectors: the first collects the hashes of the source code files, and the second collects the hashes of the dependencies. The former is optional; the latter is not.
Each time you create a new version, the evidence and SBOM are uploaded to the platform, processed, and presented on the My products page.
This is where things get interesting: you can always add another product, with no limit on the number of products (or pipelines) you can manage. For each product you can see its name, its subscribers, its versions, when the last build was released, and whether its integrity was validated.
The next step was to navigate to the Subscribers tab, where you can invite new subscribers simply by their email addresses.
Health Report and SBOM
Clicking on a release line leads to the build release page. There you will find all the context metadata about that specific release, as well as links to the Health Report, Vulnerabilities Report, and SBOM.
Clicking through to the Vulnerabilities Report shows the vulnerabilities found in this image, each with its CVE identifier and severity. The worst are marked critical. A filter lets you show only CVEs of high severity and above, and a search bar lets you look up a specific CVE.
Clicking through in the Health Report section takes you to the full report, where you can easily see the results of the source code validation as well as the validation of your open source packages, based on the second collector.
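To make concrete what the two collectors record and what the Health Report’s integrity check is comparing, here is an added example in Python. It is my own illustration, not Scribe’s code or CLI and not the format in which Scribe stores evidence: it hashes a tree of source files and a lockfile-like dependency list into evidence maps, then re-collects and diffs them to flag modified, missing or added items. The directory tree, the lockfile dict and its digests are constructed for the demo; `LOCK_AT_BUILD`, `collect_source_hashes`, `collect_dependency_hashes`, `diff_evidence` and `demo` are names I chose.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a dependency lockfile at build time (not a real
# lockfile; the digests are placeholders, not published package hashes).
LOCK_AT_BUILD = {
    "requests": {"version": "2.31.0", "sha256": "a" * 64},
    "urllib3":  {"version": "2.0.7",  "sha256": "b" * 64},
}


def sha256_file(path: Path) -> str:
    """Stream the file so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_source_hashes(root: Path, exclude=(".git", "node_modules", "__pycache__")) -> dict:
    """Collector 1 (source files): {relative POSIX path: sha256}.
    Relative paths keep the record independent of the build machine's layout."""
    evidence = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and not any(part in exclude for part in rel.parts):
            evidence[rel.as_posix()] = sha256_file(p)
    return evidence


def collect_dependency_hashes(lock: dict) -> dict:
    """Collector 2 (dependencies): {name@version: sha256} from a lockfile-like dict."""
    return {f"{n}@{i['version']}": i["sha256"] for n, i in sorted(lock.items())}


def diff_evidence(recorded: dict, current: dict) -> dict:
    """Compare a recorded evidence map with a freshly collected one.
    Added items are reported too: a dropped-in file is as much a finding as a changed one."""
    modified = sorted(k for k in recorded if k in current and current[k] != recorded[k])
    missing = sorted(k for k in recorded if k not in current)
    added = sorted(k for k in current if k not in recorded)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Record evidence for a tiny constructed tree, then detect a tampered file,
    an unexpected new file, and a dependency whose digest changed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.py").write_text("print('hello')\n")
        (root / "README.md").write_text("demo\n")
        recorded_src = collect_source_hashes(root)
        recorded_deps = collect_dependency_hashes(LOCK_AT_BUILD)

        # Untouched tree: re-collection matches the record.
        clean = diff_evidence(recorded_src, collect_source_hashes(root))

        # Tamper after the evidence was recorded.
        (root / "src" / "main.py").write_text("print('hello')\nimport os\n")
        (root / "src" / "extra.py").write_text("x = 1\n")
        tampered_src = diff_evidence(recorded_src, collect_source_hashes(root))

        # A dependency that resolved to a different artifact than at build time.
        lock_later = {**LOCK_AT_BUILD, "urllib3": {"version": "2.0.7", "sha256": "c" * 64}}
        tampered_deps = diff_evidence(recorded_deps, collect_dependency_hashes(lock_later))

    return {"clean": clean, "tampered_src": tampered_src, "tampered_deps": tampered_deps}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running it, the clean check passes, while the tampered source check lists `src/main.py` as modified and `src/extra.py` as added, and the dependency check lists `urllib3@2.0.7` as modified. Two design points carry over to any evidence store: key the record by relative path and by name@version so it can be verified on a different machine, and sort everything so two runs over identical input produce byte-identical evidence.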
You can also search for a specific package; the search is separate for source code and for open source packages.
You don’t have to publish or share a version with a less-than-perfect report; only the versions you choose to publish are shared with the subscribers of that product.
Evidence store for builds
The platform functions as a repository for past security data and an evidence store for your product, with a shareable evidence trail carrying provenance information about your source files and dependencies.
As an attestation store and a sharing hub for product release security information, this product is solid and interesting. A lot of thought has clearly gone into it, and it is certainly a big step forward. So when (it is no longer a question of whether) you need to generate, manage, and share SBOMs and associated security information for your software products, you should give it a try.
Visit the Scribe website.