By Dan K. Anderson vCISO and On-Call Roving Reporter, Cyber Defense Magazine
In my travels and work, one of the most difficult challenges for Security is achieving good relations and cooperation with Software Developers. It makes sense: the Dev team is interested in getting the software out the door, while the Security team is challenged to ensure that it is secure. I won’t say they are diametrically opposed, but it does feel that way at times.
What we need are tools and techniques that both Security and Developers can agree on and use to work together, hand in glove.
I’ve found one such tool: Scribe Security.
Scribe Security is a platform that aims to address holistically the security of your software supply chain whether you are a producer of software, a consumer, or both. This includes all aspects of the software bill of materials (SBOM), securing the dev process against attacks, maintaining control of the dev process’s security, facilitating transparency between software producer and consumer, and attesting to the security of product releases for auditing.
To this end, Scribe Security acts as an orchestrator and integrates a technology stack of Software Composition Analysis (SCA), Dev platform telemetry, artifact signing, policy as code, K8s admission control, and Business Intelligence into one.
Source: The software supply chain security challenge by Scribe
Scribe Security’s value proposition:
The AppSec and DevSecOps solution market comprises various Application Security Testing (AST) scanners; for example, SCA, SAST, DAST, IAST, and secrets scanners. In addition, relatively new solutions attempt to manage the Application Security Posture (ASPM); these orchestrate the scanners and aggregate their results in a single place.
Scribe Security contends that while these capabilities are necessary, the supply chain’s deeper, more comprehensive security requires a method to continuously attest to every software release’s security and integrity by gathering and signing evidence from every build. This evidence spans the code, artifacts, and dev infrastructure posture. A high degree of integrity is assured by having the evidence cryptographically signed and verified.
To put such evidence to use, it is necessary to provide a knowledge layer that connects the data points and a flexible, product composition-aware policy tool.
Under the bonnet, Scribe uses the most up-to-date software supply chain security concepts and specifications, which also make the solution formally sound; to name a few: SLSA, Sigstore, in-toto, and SBOM.
The result is a platform that secures the software development lifecycle by preventing attacks and protecting the product by setting guardrails.
Finally, Scribe Security adds strong reporting and analytics that help measure the adoption of the application security controls.
Architecture Overview:
Scribe Security’s solution comprises four steps:
- Identify all Secure Software Development Life Cycle (SSDLC) assets: They scan the organization’s source code managers, build systems, container registries, and production clusters, and link the discovered entities into code-to-production chains.
- Evidence: They gather all security evidence of the artifacts as they are built, sign this into attestations, and place it in a secured store. This evidence consists of software bills of materials reflecting the change from one link to the next in the supply chain, the output of AST scanners, the security configuration of the dev tools, user identities and actions, and the context that connects the different pieces from developer to deployment. The result is a tamper-proof audit trail and a verifiable software integrity record. This establishes trust and transparency, ensuring that every link in the software supply chain can be verified for authenticity and compliance.
- Knowledge: They transform the collected evidence, enriched by intelligence about software vulnerabilities and open-source projects, into a knowledge layer accessible through a business intelligence (BI) interface. The process aggregates and analyzes the vast amounts of evidence, organizing it into a coherent inventory of the software portfolio. This facilitates risk analysis, insights, and decision-making.
- Action: They gate the software development and deployment process at the end of the build, at deployment, or out-of-band with flexible, product-composition-aware policies (managed as code). The policy evaluation attests to the product’s security and can be useful for transparency with stakeholders and auditors. Finally, you can apply out-of-the-box blueprints for compliance with different frameworks such as SLSA and SSDF.
Core Capabilities:
- Sophisticated SSDLC agent: this tool natively plugs into multiple types of dev platforms to generate a wide range of evidence types, such as source code and container image SBOMs, AST scanner output, dev platform configurations, and file and artifact hashes.
- Anti-Tampering Code and Artifact Signing and Verification: the evidence is signed by one of a variety of methods, such as PKI or Sigstore. Signed evidence and detailed SBOMs help maintain integrity and detect unaccounted-for deviations in build artifacts and configuration. This capability fits well with the defense and banking sectors, which are concerned with sophisticated attacks like those observed in the SolarWinds incident. Through continuous integrity checks, Scribe ensures the authenticity and security of code throughout its lifecycle.
- Intelligence enrichment: intelligence from multiple sources about vulnerabilities, exploitability, open-source projects’ reputation, and available fixes is gathered continuously and used for risk scoring and triaging the findings.
- Strong Reporting: provides continuous compliance reports for standards such as SLSA and SSDF, enabling organizations to meet regulatory requirements throughout their CI/CD pipelines with little effort.
- Policy as Code: by employing a policy-as-code approach, Scribe allows for flexible and robust governance across the software development lifecycle, enabling automatic enforcement of security policies through the same sensors or collectors that gather the data.
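To make the evidence-sign-verify-gate flow from the Architecture Overview and Core Capabilities concrete, here is an added stand-alone Python sketch (not Scribe’s code): a build step attests to an artifact’s digest, SBOM and builder identity, the attestation is signed into an envelope, and a deployment-time policy-as-code gate rejects tampered artifacts, edited or forged attestations, untrusted builders and denied packages. The key, builder name, package names and policy are constructed placeholders, and HMAC stands in for the PKI or Sigstore signing the platform uses.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder key; HMAC stands in for the PKI/Sigstore signing the
# platform uses, so the envelope shape (payload + signature) is the point here.
SIGNING_KEY = b"constructed-demo-key"

# Constructed policy-as-code: builders allowed to produce releases, and SBOM
# entries that must never ship (e.g. a package at a known-bad version).
POLICY = {"trusted_builders": {"ci.example.internal"},
          "denied_packages": {"left-pad@0.0.1"}}

def attest(artifact: bytes, sbom: dict, builder: str) -> dict:
    """Gather build evidence (artifact digest, SBOM, builder identity) into an
    in-toto-style statement and sign it into an envelope."""
    statement = {
        "subject": {"digest": {"sha256": hashlib.sha256(artifact).hexdigest()}},
        "predicate": {"builder": builder, "sbom": sbom},
    }
    payload = json.dumps(statement, sort_keys=True)  # canonical form for signing
    signature = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}

def verify(envelope: dict) -> Optional[dict]:
    """Return the statement if the envelope's signature checks out, else None."""
    expected = hmac.new(SIGNING_KEY, envelope["payload"].encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), envelope["signature"]):
        return None
    return json.loads(envelope["payload"])

def admit(artifact: bytes, envelope: dict, policy: dict = POLICY) -> list:
    """Deployment-time gate: return the policy violations (empty list = admit)."""
    statement = verify(envelope)
    if statement is None:  # forged or edited evidence fails before any policy check
        return ["attestation signature invalid"]
    violations = []
    if statement["subject"]["digest"]["sha256"] != hashlib.sha256(artifact).hexdigest():
        violations.append("artifact digest does not match attested build")
    builder = statement["predicate"]["builder"]
    if builder not in policy["trusted_builders"]:
        violations.append(f"untrusted builder {builder}")
    for pkg in statement["predicate"]["sbom"]["packages"]:
        if pkg in policy["denied_packages"]:
            violations.append(f"denied package {pkg}")
    return violations
```

A real deployment would fetch the envelope from the evidence store and verify it with the signer’s public key (or Sigstore’s transparency log) rather than a shared secret.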
Cybercrime statistics:
What does the product look like?
Elevator Pitch:
Scribe was established by seasoned veterans in Cyber Security and cryptography who share a common mission: to introduce an end-to-end software supply chain security solution that can actually protect you. Recognizing the delicate balance between security and operational efficiency, we understand that every security decision impacts time to market, and ultimately, your revenue.
CEO Quote:
“We built an SSC platform that harnesses modern frameworks and concepts to safeguard by design and by default your software factory and products at every stage of their lifecycle, from code to cloud, to installed IoT” ~Rubi Arbel, CEO, Scribe Security LTD.
Gartner has not yet evaluated or highlighted Scribe Security.
How are you funded?
We raised $10.3M to date from VCs (Elron Ventures, Tal Ventures, YYM Ventures) and a group of CISOs (Cyberfuture).
Customer Testimonials:
None, yet, but I can say that I do plan to be one of the first, just looking for that perfect customer who shares this vision with me ~Dan K Anderson
One of the biggest finance sector companies in the US bought Scribe for our SBOM and pipeline security capabilities. During the deployment process, they discovered the power of Scribe’s policy as code guardrails and policy governance automation. Scribe is now also their go-to tool for their cross-org SSDLC governance initiative.
Roadmap
We have a very elaborate roadmap that is not shareable. It includes transforming Scribe into an AI-first platform in almost every aspect, enhancing UX, discoverability, visualization, creating new types of sensors, and many more.
How do you keep key devs around?
We give our devs the opportunity to work on the most challenging problems in the cybersecurity domain with renowned experts. That is what makes them stay.
Dan K. Anderson
Winner Top Global CISO of the year 2023
Dan currently serves as a vCISO and On-Call Roving reporter for CyberDefense Magazine. BSEE, MS Computer Science, MBA Entrepreneurial focus, CISA, CRISC, CBCLA, C|EH, PCIP, and ITIL v3.
Dan’s work includes consulting premier teaching hospitals such as Stanford Medical Center, Harvard’s Boston Children’s Hospital, University of Utah Hospital, and large Integrated Delivery Networks such as Sutter Health, Catholic Healthcare West, Kaiser Permanente, Veteran’s Health Administration, Intermountain Healthcare and Banner Health.
Dan has served in positions as President, CEO, CIO, CISO, CTO, and Director, is currently CEO and Co-Founder of Mark V Security, and Cyber Advisor Board member for Graphite Health.
Dan is a USA Hockey level 5 Master Coach. He currently volunteers to build the future of Cyber Security professionals through University Board work, the local hacking scene, and mentoring students, co-workers, and CISOs.
Dan lives in Littleton, Colorado and Salt Lake City, Utah and can be reached through linkedin.com/in/dankanderson