Arming the Defender Force and Securing the Software Supply Chain: Helping Developers Implement CISA Best Practices – Part 1


I often refer to civilian DevSecOps practitioners working on critical infrastructure programs as the “Defender Force.” We live in an era where they are more important than ever. Through critical infrastructure, the Homeland has become vulnerable to assault from our adversaries via cyber attacks. For those of you reading this who are unfamiliar with critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) defines 16 critical infrastructure sectors, which are overwhelmingly privately owned in the USA.

Lately, these same adversaries have been targeting the software supply chain. This means it is now critical for DevSecOps practitioners of all roles and skill levels to have access to relevant knowledge and guidance so they can provide the best levels of protection possible.

However, even the highest levels of knowledge and guidance are useless without the platforms necessary to put those skills to use as nation-states and syndicates continue mounting offensive operations.

Enter Sonatype
At Sonatype, we provide a platform that serves as a force multiplier to the Defender Force, securing the software supply chain. Capabilities available in Sonatype’s Nexus platform include:

  • Nexus Repository Manager
  • Nexus Firewall
  • Nexus Lifecycle

In August 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” This document acts as an extension of CISA’s work in support of Executive Order 14028.

In Part 1 of this series, we will walk through the diagram labeled Figure 3, found on page 15 of the original document, and explain in more detail how Sonatype’s Nexus Platform helps avert these attempts to undermine the security of the software supply chain. We will define the capabilities in the form of use cases, corresponding to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Eric Hill. Read the original post at: