DeployHub Whitepaper

Versioning Your Software Supply Chain for Improved Software Security.

Have you thought about what your future looks like when you’re managing the security of hundreds of containers that make up a single version of your software solution? Let’s just say, you’re going to need more than an Excel spreadsheet to get the job done.

Software Supply Chain Management

Cloud native, decoupled architecture is a game changer in terms of how software is developed and delivered. In a monolithic approach, everything is compiled and released at the same time. With a decoupled architecture, applications are deconstructed into individual pieces, allowing each part to be independently developed and deployed. Security details, such as the Software Bill of Materials (SBOM) and known vulnerabilities, are reported at the container level. The pivot to cloud native requires a pivot in how we manage the versioning and configuration of applications in a decoupled implementation. This whitepaper covers why versioning is critical to understanding vulnerability exposure at the logical application level.

Loss of Traditional Configuration Management

While solving many problems, a decoupled approach also creates its own set of issues. One primary problem is the loss of the application version and of the configuration management that was done at build time, in the compile/link step. With a monolith, careful decision making goes into which versions of source code and libraries will be linked into a binary object. With a decoupled architecture, that decision making is deferred to runtime: the set of independently deployed containers that make up the application is only determined at deployment time.

What is a Decoupled Architecture?

Let’s start from the top. What is a decoupled architecture with microservices and how do we decompose a monolithic application into services? Chris Richardson from Cloud Foundry defines a Service as:

  • A service should implement a small set of strongly related functions;
  • Services that change together should be packaged together;
  • The service can be changed without affecting clients; 
  • And, each team that owns one or more services must be autonomous. A team must be able to develop and deploy their services with minimal collaboration with other teams.

Software Supply Chain Versioning

In a decoupled architecture, the term “versioning” refers to the tracking of changes in your container, including all attributes such as key-value pairs, SBOMs, CVEs, licenses, Swagger details, consuming applications, and deployment requirements. In order to manage your software supply chain, it is essential to begin tracking components and their metadata each time they are pushed through the DevOps pipeline. Each new version of a component has unique metadata that must be versioned over time to understand trends and history. Ownership, deployment logic, dependencies, security compliance, and usage all define a particular version of a component, which in turn impacts the consuming logical application version.

DeployHub, Continuous Security Intelligence

DeployHub is a Continuous Security Intelligence solution that exposes all the pieces of software moving across your DevOps pipeline, providing the critical insights needed for responding to vulnerabilities and issues fast.

DeployHub performs automated versioning of your software supply chain. Two points are important to remember in a decoupled architecture. First, each component is deployed independently and often. Second, a component is more than just a container image: it has many attributes that need to be known for each update. DeployHub follows these best practices for component versioning:

1. Versions the SBOM, licensing, Swagger details, key-value pairs, deployment logic, and endpoint configurations.
2. Does not change the name of your component. It only updates the image value with the new image tag.
3. Logically tracks a version number for every release, using semantic versioning.
4. Embeds the Git commit SHA in the semantic version number. This connects the version back to the developer’s change.
5. Logically tracks the component’s consuming applications. This tracking gives a clear picture of a change’s impact.
6. Generates a Software Bill of Materials (SBOM) at the consuming application level.
7. Versions the inventory of the component across environments to expose and avoid drift (see below).
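The following is an added illustration of the practices above, not DeployHub or Ortelius code. It shows a component version whose semantic version carries the Git commit SHA as build metadata, an image reference whose repository name stays fixed while only the tag moves, an application-level SBOM rolled up from the consuming components, the mapping from a CVE to the logical applications exposed through it, and a check for drift between the released versions and what an environment inventory reports. All component names, SHAs, package versions and the CVE id are constructed for the example.

```python
"""Versioning decoupled components and rolling their metadata up to the logical
application. Added example, not DeployHub/Ortelius code; all data is constructed."""
import re
from dataclasses import dataclass, field

# SemVer 2.0 grammar (simplified): the optional "+build" field carries the Git SHA.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def make_version(major: int, minor: int, patch: int, commit_sha: str) -> str:
    """Semantic version with the abbreviated commit SHA as build metadata, e.g. 2.4.1+g8f3a2b1."""
    if not re.fullmatch(r"[0-9a-fA-F]{7,40}", commit_sha):
        raise ValueError("commit_sha must be a hex Git SHA of 7 to 40 characters")
    return f"{major}.{minor}.{patch}+g{commit_sha[:7].lower()}"


def commit_from_version(version: str) -> str:
    """Recover the commit SHA so a deployed version maps back to the developer's change."""
    m = SEMVER_RE.match(version)
    if not m or not (m.group("build") or "").startswith("g"):
        raise ValueError(f"no commit SHA in version {version!r}")
    return m.group("build")[1:]


def image_ref(repository: str, version: str) -> str:
    """The component name (repository) never changes; only the tag moves.
    Image tags may not contain '+', so the SemVer build separator becomes '-'."""
    return f"{repository}:{version.replace('+', '-')}"


@dataclass
class ComponentVersion:
    name: str
    version: str
    image: str
    sbom: dict                                   # package -> version
    cves: set = field(default_factory=set)       # known vulnerabilities in this version
    consumers: set = field(default_factory=set)  # logical applications using it


def components_of(components, app):
    return [c for c in components if app in c.consumers]


def application_sbom(components, app):
    """Application-level SBOM: union of the consuming components' SBOMs. Two services
    may pin different versions of one package, so every version seen is kept."""
    sbom = {}
    for c in components_of(components, app):
        for pkg, ver in c.sbom.items():
            sbom.setdefault(pkg, set()).add(ver)
    return sbom


def exposed_applications(components, cve_id):
    """Which logical applications are exposed to cve_id, and through which component versions."""
    hits = {}
    for c in components:
        if cve_id in c.cves:
            for app in c.consumers:
                hits.setdefault(app, set()).add(f"{c.name}@{c.version}")
    return hits


def drift(inventory, release):
    """inventory: env -> {component: deployed version}; release: component -> expected
    version. Returns env -> {component: (deployed or None, expected)} for each mismatch."""
    out = {}
    for env, deployed in inventory.items():
        for name, expected in release.items():
            if deployed.get(name) != expected:
                out.setdefault(env, {})[name] = (deployed.get(name), expected)
    return out


# Constructed sample data (hypothetical components, SHAs, packages and CVE id).
V_PAY = make_version(2, 4, 1, "8f3a2b1c9d0e")
V_CAT = make_version(1, 9, 0, "4c1d2e3f5a6b")
V_REP = make_version(0, 7, 2, "0a9b8c7d6e5f")
COMPONENTS = [
    ComponentVersion("payments-api", V_PAY, image_ref("registry.example/payments-api", V_PAY),
                     {"libexample": "1.0.3", "zlib": "1.2.13"}, {"CVE-2099-0001"},
                     {"storefront", "back-office"}),
    ComponentVersion("catalog-svc", V_CAT, image_ref("registry.example/catalog-svc", V_CAT),
                     {"libexample": "1.1.0", "zlib": "1.2.13"}, set(), {"storefront"}),
    ComponentVersion("reporting-job", V_REP, image_ref("registry.example/reporting-job", V_REP),
                     {"libexample": "1.0.3"}, {"CVE-2099-0001"}, {"back-office"}),
]
RELEASE = {"payments-api": V_PAY, "catalog-svc": V_CAT}
INVENTORY = {
    "staging": {"payments-api": V_PAY, "catalog-svc": V_CAT},
    "prod": {"payments-api": V_PAY, "catalog-svc": "1.8.3+g77aa001"},  # prod lags the release
}

if __name__ == "__main__":
    print("storefront SBOM:", application_sbom(COMPONENTS, "storefront"))
    print("exposed to CVE-2099-0001:", exposed_applications(COMPONENTS, "CVE-2099-0001"))
    print("drift:", drift(INVENTORY, RELEASE))
```

Two details matter in practice. Putting the SHA in the SemVer build-metadata field keeps version precedence intact (build metadata is ignored when comparing versions) while still letting an operator go from a running container straight to the commit. And the application-level SBOM deliberately keeps every version of a package it sees, because the whole point of rolling up is to discover that two services in one logical application pin different versions of the same library, one of which may be the vulnerable one.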

To expand on the organization of the software supply chain, DeployHub also includes:

  • Domain-Driven Design (DDD) with sub-domains to easily find and share components.
  • Tracking of ownership with contact details for improving incident response.
  • Support for external deployment engines for inventory tracking, since each service is deployed in its own way.
  • Tracking of each component version to a logical application, providing a comprehensive view of all application changes over time.

Conclusion

A cloud native, decoupled architecture is changing the way we develop, build, secure, and deploy software. While solving many problems, this new way of building software also creates new challenges around tracking and versioning all the pieces of software in the supply chain. New methods for managing the software supply chain, and all configurations are required to develop the business agility that customers demand, with the insights to minimize the risk of software vulnerabilities across the entire organization.

DeployHub’s Continuous Security Intelligence is designed to version your supply chain over time. It uses a back-end version control engine that tracks the changes and history of all component configurations. Its domain design facilitates the organization and sharing of your software pieces across diverse teams, simplifying the management of the supply chain across organizational silos.

About DeployHub

DeployHub’s mission is to empower organizations to respond to supply chain attacks within hours not months.

Learn more about DeployHub and DeployHub Pro and start rapidly responding to vulnerabilities by quickly identifying where the threat is running and who is using it.

The members of the DeployHub Team are recognized experts in DevOps and Software Supply Chain Security and have applied that knowledge to DeployHub’s CSI.

Get Started With Ortelius OS

DeployHub Pro is based on the open-source Ortelius project incubating at the Continuous Delivery Foundation (Linux Foundation).

The open-source version can be used to track and configure unlimited components within your supply chain, with unlimited end users and endpoints.

About the Author

Tracy Ragan is CEO of DeployHub and has served on the Continuous Delivery Foundation and OpenSSF Governing Boards.

Tracy is a supply chain security evangelist with expertise in software configuration management, build and release. Tracy was a consultant to Wall Street firms on build and release management for 7 years prior to co-founding OpenMake Software in 1995. She was a founding member of the Eclipse organization and served on its board for 5 years. She is a recognized leader, has been published in multiple industry publications, and has presented at industry conferences. Tracy co-founded DeployHub in 2019 to solve security complexities in modern architecture.