Microsoft is taking proactive measures to reduce the expanding software supply chain is one of the most serious issues confronting software development today. Microsoft’s Secure Supply Chain Consumption Framework, which Microsoft recently open sourced for managing open source in software development, is one such step.
Microsoft wants to secure the software supply chain by using tools such as Software Bills Of Materials (SBOMs), which are an itemized list of the components that comprise a software application and display information about the software in use. With the SBOMs and the Secure Supply Chain Consumption Framework, S2C2F, Microsoft is also moving toward supply chain transparency.
S2C2F helps Microsoft manage how it consumes and contributes to open-source projects. It also allows organizations to see how they interact with open source, identifying potential areas of risk and providing a repetitive set of actions that can keep any threats to a minimum. To top it all off, it comes with a maturity model that assists users in achieving the appropriate level of compliance for the development process.
S2C2F is built around eight distinct practices that focus on specific interactions with open-source code and the threats associated with them. They are as follows: Ingest, Inventory, Update, and Enforce. Audit, Scan, and Rebuild, in addition to Fix and upstream.
Each represents a point in the life cycle of software development where users must consider threats and risks when working with open-source code, libraries, or components.
The sources for this piece include an article in TechRepublic.