The SolarWinds software supply chain attack is the one everyone knows about. But supply chain attacks are becoming commonplace, and that’s bad news. There are efforts afoot, such as the Linux Foundation’s Software Package Data Exchange® (SPDX) project, which ensures transparency and improves compliance for software bills of materials (SBOMs). But we need SBOMs now.
As President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity says, we must provide “a purchaser with an SBOM for each application.” Codenotary Community Attestation Service wants to help you with that.
It is a free, open-source notarization and verification service. Its parent company Codenotary promises it will enable businesses to easily create an SBOM, attesting to the provenance and safety of their code.
The Community Attestation Service provides end-to-end protection for software development and workloads. Codenotary also promises that it’s scalable to millions of transactions per second, which makes it ideal for continuous integration/continuous delivery (CI/CD) services. It gives developers a way to attach a tamper-proof SBOM for development artifacts that include source code, builds, repositories, and Docker container images.
These SBOMs are built without uploading any data to the service. Instead, the service notarizes these artifacts using cryptographic verification to uniquely
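The local-hash-then-notarize flow described above, as an added illustration that is not Codenotary's code: the artifact is digested on the developer's machine, only the digest and a signed record are kept, and verification recomputes the digest locally. The in-memory dict ledger, the HMAC standing in for the service's signature, and the constructed sample artifact are all assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile


def artifact_digest(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so the artifact is never loaded whole or uploaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def notarize(ledger, path, signer, key):
    """Record digest + metadata in the ledger; an HMAC stands in for a real signature (assumption)."""
    digest = artifact_digest(path)
    record = {"digest": digest, "name": os.path.basename(path), "signer": signer}
    payload = json.dumps(record, sort_keys=True).encode()
    record["sig"] = hmac.new(key, payload, "sha256").hexdigest()
    ledger[digest] = record
    return digest


def verify(ledger, path, key):
    """Recompute the digest locally and check the ledger record's signature."""
    record = ledger.get(artifact_digest(path))
    if record is None:
        return "unknown"        # artifact was never notarized, or its bytes changed
    unsigned = {k: v for k, v in record.items() if k != "sig"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    return "trusted" if hmac.compare_digest(expected, record["sig"]) else "untrusted"


def demo():
    """Constructed walk-through: clean artifact, tampered ledger record, tampered artifact."""
    key, ledger = b"constructed-demo-key", {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.tar")
        with open(path, "wb") as f:
            f.write(b"constructed artifact bytes v1")
        digest = notarize(ledger, path, "ci@example.com", key)
        clean = verify(ledger, path, key)
        ledger[digest]["signer"] = "mallory"          # ledger metadata altered
        bad_record = verify(ledger, path, key)
        ledger[digest]["signer"] = "ci@example.com"
        with open(path, "ab") as f:
            f.write(b"\x00")                          # artifact bytes altered
        bad_artifact = verify(ledger, path, key)
    return clean, bad_record, bad_artifact
```

A modified artifact shows up as "unknown" rather than "untrusted" because its digest no longer matches any record, which is the property that lets the check run without ever sending the artifact itself.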