A set of software supply chain security standards under the Open Source Security Foundation emerged this month as the open source community struggles to stay ahead of escalating cyberattacks.
The latest is Secure Software Factory, a prototype toolchain developed by financial services company Citi. It combines open-source projects like Tekton and Kyverno to follow a set of best practices laid out in a Cloud Native Computing Foundation (CNCF) white paper last year. Citi this week donated Secure Software Factory to OpenSSF, a subgroup of the Linux Foundation formed to promote open-source security projects like Sigstore and Google’s Supply Chain Levels for Software Artifacts (SLSA).
The CNCF’s reference architecture did not specify which tools should be used, leading Citi engineers to develop the Secure Software Factory project, a reusable package of open-source tools that meet CNCF’s best practice requirements.
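One concrete piece of the pattern the article describes, with Kyverno acting as the policy gate and Tekton producing the artifacts, is an admission policy that refuses to run any image from the factory's registry unless it carries a Sigstore signature and a SLSA provenance attestation. The policy below is an added illustration, not configuration from the Secure Software Factory project or from Citi; the registry name `registry.example.com/factory/*`, the OIDC subject `https://github.com/example-org/*`, and the Tekton Chains builder ID `https://tekton.dev/chains/v2` are assumptions, and the field names follow the Kyverno `verifyImages` schema as of the 1.9 releases.

```yaml
# Added example (not part of the Secure Software Factory project):
# a Kyverno ClusterPolicy that only admits Pods whose images from the
# factory registry are (1) signed with Sigstore keyless signing and
# (2) carry a SLSA v0.2 provenance attestation produced by Tekton Chains.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-factory-provenance
spec:
  validationFailureAction: Enforce   # reject, rather than only audit
  background: false                  # verifyImages runs at admission only
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # if Kyverno is down, deny (fail closed)
  rules:
    - name: verify-signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/factory/*"   # assumed factory registry
          # Resolve the tag to a digest and pin it in the Pod spec so the
          # image that was verified is the image that runs.
          mutateDigest: true
          verifyDigest: true
          required: true
          # (1) The image itself must be signed. Keyless: the signing
          # certificate's subject and OIDC issuer are checked, and the
          # signature must be recorded in the public Rekor transparency log.
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://github.com/example-org/*"   # assumed identity
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # (2) A SLSA provenance attestation must be attached, signed by the
          # same identity, and its predicate must name the expected builder.
          attestations:
            - type: https://slsa.dev/provenance/v0.2
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        subject: "https://github.com/example-org/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    # JMESPath over the predicate; the builder ID below is
                    # the one Tekton Chains emits by default (assumed here).
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://tekton.dev/chains/v2"
```

Two design points matter in practice. `failurePolicy: Fail` makes the gate fail closed: an outage of the policy engine blocks deployments rather than silently admitting unverified images, which is the behaviour a factory that claims SLSA-style guarantees needs. And `mutateDigest: true` together with `verifyDigest: true` closes the gap between the tag that was verified and the tag that is later pulled, since a mutable tag can be repointed after admission.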
“We want it to…