<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>John Speed Meyers on</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/contributors/john-speed-meyers/</link><description>Recent content in John Speed Meyers on</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Copyright (c) 2023 Chainguard</copyright><lastBuildDate>Tue, 06 Oct 2020 08:50:45 +0000</lastBuildDate><atom:link href="https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/contributors/john-speed-meyers/index.xml" rel="self" type="application/rss+xml"/><item><title>Selecting a Base Container Image</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/software-security/selecting-a-base-image/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/software-security/selecting-a-base-image/</guid><description>&lt;p&gt;Software teams building and deploying container-based software applications often use a &amp;ldquo;base image,&amp;rdquo; an initial set of software packages often associated with a Linux distribution. Software developers, security professionals, and infrastructure teams seeking to make an informed decision about what base image to use must consider a number of criteria when selecting a base image appropriate for their needs. Base images like those provided by Chainguard are designed to meet these security criteria while maintaining compatibility. 
To help these parties make a more informed decision when selecting a base image, this article describes a range of criteria:&lt;/p&gt;</description></item><item><title>What is software supply chain security</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/software-security/what-is-software-supply-chain-security/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/software-security/what-is-software-supply-chain-security/</guid><description>&lt;p&gt;&lt;em&gt;An earlier version of this material was published in the &lt;a href="https://learning.edx.org/course/course-v1:LinuxFoundationX&amp;#43;LFS182x&amp;#43;2T2022/block-v1:LinuxFoundationX&amp;#43;LFS182x&amp;#43;2T2022&amp;#43;type@sequential&amp;#43;block@1623557b9fc849d5a1e38177502b1499/block-v1:LinuxFoundationX&amp;#43;LFS182x&amp;#43;2T2022&amp;#43;type@vertical&amp;#43;block@825d4b442d1346ba8e9d7c3b4f765e76"&gt;first chapter&lt;/a&gt; of the Linux Foundation &lt;a href="https://learning.edx.org/course/course-v1:LinuxFoundationX&amp;#43;LFS182x&amp;#43;2T2022/home"&gt;Sigstore course&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Software producers have a supply chain just like manufacturing businesses have a supply chain. And just like manufacturers require physical inputs and then perform a manufacturing process to build a finished product, so do software producers, whether the producer is a company or individual. In other words, a software producer uses components, developed by third parties and themselves, and technologies to write, build, and distribute software. A compromise introduced anywhere in this chain is an example of a software supply chain security issue. Tools and practices like those implemented in Chainguard&amp;rsquo;s containers help organizations protect against these risks through built-in SBOMs, provenance attestations, and SLSA compliance.&lt;/p&gt;</description></item><item><title>What Makes a Good SBOM?</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</guid><description>&lt;p&gt;A &lt;a href="https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/software-security/glossary/#sbom"&gt;software bill of materials&lt;/a&gt;, or an SBOM (pronounced s-bomb), is a formal record of the components contained in a piece of software. It is analogous to an ingredients list for a recipe. And it has become recognized as one of the key building blocks of software supply chain security. Proponents rightfully point out that organizations can&amp;rsquo;t secure their software if they don&amp;rsquo;t know what&amp;rsquo;s inside their software.&lt;/p&gt;
&lt;p&gt;As awareness and adoption of SBOM has grown, there has been a gradual acknowledgement that &lt;a href="https://www.chainguard.dev/unchained/not-all-sboms-are-created-equal"&gt;not all SBOMs are created equal&lt;/a&gt;: some are more or less useful, depending on the goals of the SBOM user and the contents of the SBOM. This guide exists to provide some guidance on evaluating the quality of an SBOM, suggesting common use cases, the data fields that support these use cases, and open source SBOM quality tools.&lt;/p&gt;</description></item></channel></rss>