Slim.AI introduces beta software supply chain container security as a service

Austin, Texas: We have learned the hard way that, as Slim.AI CEO John Amaral says, “Your software supply chain is only as safe as the weakest link.” Amen, brother!

Slim.AI CEO John Amaral: “Our core value is ‘Know your software’.”

Numerous high-profile attacks, breaches and exploits, such as the SolarWinds fiasco and the Log4j vulnerability, are excellent examples. In fact, it has gotten so bad that President Joseph Biden has issued an executive order calling for securing the software supply chain. When politicians pay attention to software, things have become real.

Slim.AI takes up this challenge by announcing, at Open Source Summit in Austin, Texas, its beta software supply chain security service. This service helps organizations continuously and automatically optimize and secure their containers and minimize software supply chain risk.

This service is built on the foundation of Slim.AI’s open source project, DockerSlim. This popular developer tool optimizes and secures your containers by analyzing what your application actually uses and discarding the unnecessary code, thereby “slimming” the attack surface of your containers. It can also reduce the size of your container by up to 30x.

That’s impressive. As Amaral said, “Currently, tens of thousands of developers and teams are using Slim’s open source and free SaaS software to understand what’s inside their containers, reduce the attack surface of containers, remove vulnerabilities, and ship only the code they need.” But the open source project alone does not scale. With this new service, Amaral continues, “We are moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these results at scale.”

This is done by integrating the service with container registries, Continuous Integration/Continuous Deployment (CI/CD) pipelines and tools, so you can automate it and fold it into existing workflows to quickly get secure software into production.

Current and planned integrations include Docker, AWS ECR, Google GCR, GitHub, DigitalOcean, and Quay registries, and the Jenkins, GitLab, and GitHub CI/CD platforms. Application Programming Interfaces (APIs) are also made available to Early Access Partners.

In addition, thanks to its APIs, the service allows you to use multiple vulnerability scanners on your containers to detect security vulnerabilities before they bite you.

This is all part of what Amaral calls “The four S’s of Software Supply Chain Security.”

The good news about the open-source software supply chain, Amaral explained, is that “it’s very easy for developers to ingest huge libraries of code into applications, package them in containers, and send them to production at the click of a button. The code that runs in production is the child of a huge supply chain.” The bad news is that it “carries the benefits and risks of all the decisions, contributions, features, and flaws manifested in aggregate by its creators.”

As CodeNotary, a software supply chain company, recently noted, “Software is never complete, and the codebase, including its dependencies, is a document that is always being updated. That automatically means that you have to follow it, good and bad, bearing in mind that something good can become bad.” Yes, exactly like that!

The answer, according to Amaral, is to build a comprehensive, automated software supply chain security (SSCS) program: “The Four Ss.” These are:

  1. Software bill of materials (SBOM): This is a list of all components in a piece of software, such as open source libraries and third-party components. Well-known SBOM approaches include the Linux Foundation’s Software Package Data Exchange (SPDX) and Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”).

  2. Signing: Signing is a way of digitally attaching an authenticated, immutable developer identity to a piece of code. Combined with other tools, it enables transparent, cryptographically secure recording of software changes and provides a permanent and reliable digital chain of custody for software and related artifacts. Well-known signing tools include Sigstore and Notary.

  3. Slimming: This minimizes your production code footprint by removing unnecessary code. It also inherently reduces software supply chain complexity, software attack surface and overall risk.

  4. Share: No single person or organization can provide a comprehensive SSCS solution. Communication about SSCS and collaboration on solutions, both within your organization and with other groups, is essential to move the industry forward and protect our software-dependent global ecosystem. When it comes to open source security, we are all in this together.
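To make the SBOM step concrete, here is an added example (not Slim.AI’s code) that parses a small, constructed SPDX 2.3 JSON document of the kind an SBOM generator emits, and checks each package version against a constructed, placeholder advisory list, the same kind of cross-check a vulnerability scanner runs over an SBOM.

```python
import json

# Constructed SPDX 2.3 JSON fragment; sample data, not a real image's SBOM.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-image",
    "packages": [
        {"name": "log4j-core", "versionInfo": "2.14.1",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"name": "openssl", "versionInfo": "3.0.7"},
        {"name": "busybox", "versionInfo": "1.35.0"},
    ],
})

# Constructed placeholder advisories: package name -> first version that is fixed.
ADVISORIES = {
    "log4j-core": "2.17.1",
    "busybox": "1.36.0",
}

def parse_version(v):
    """Turn a dotted version like '2.14.1' into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def load_packages(spdx_text):
    """Return (name, version) pairs from the 'packages' array of an SPDX JSON document."""
    doc = json.loads(spdx_text)
    return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]

def find_affected(spdx_text, advisories):
    """List (name, version, first_fixed) for packages older than the advisory's fixed version."""
    affected = []
    for name, version in load_packages(spdx_text):
        fixed = advisories.get(name)
        if fixed and version and parse_version(version) < parse_version(fixed):
            affected.append((name, version, fixed))
    return affected

if __name__ == "__main__":
    for name, version, fixed in find_affected(SAMPLE_SPDX, ADVISORIES):
        print(f"{name} {version} is below first fixed version {fixed}")
```

The version comparison is deliberately simple (numeric dotted versions only); real scanners use ecosystem-specific ordering such as semver or Debian version rules.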

At Slim, Amaral concluded, “Our core value is ‘Know your software’. Slim.AI’s tools can be used alongside vulnerability scanners and SBOM generators to create a holistic view of the software supply chain.” With Slim’s optimization, you can ensure that teams send only what they need for production.

Want to know more? Contact the Slim.AI team for early access. If you are at Open Source Summit, you can visit the Slim.AI team and learn more about the program at booth B2.
