ActiveState Delivers Trust For The Open Source Supply Chain

ActiveState announced the availability of their secure build service, a major component of the ActiveState Platform, which implements the greatest number of Supply Chain Levels for Software Artifacts (SLSA) Level 4 controls of any publicly available build platform. As defined by slsa.dev, SLSA is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It's how you get from safe enough to being as resilient as possible, at any link in the chain.

ActiveState's Supply Chain Security survey showed that too many organizations (regardless of size) continue to implicitly trust open source language repositories, despite the fact that they provide no guarantee of security or integrity for the millions of third-party software assets they provide to software developers.

The ActiveState Platform secure build service implements the controls to generate SLSA Level 4 artifacts for open source components that:
  • Are fully scripted and automated
  • Generate authenticated provenance
  • Provide auditability of the source and integrity of the provenance
  • Deliver isolated, ephemeral, hermetic and reproducible builds

ActiveState pairs these controls with its unique open source management capabilities to deliver comprehensive software supply chain security that includes:
  • Automated, tamper-proof builds of open source language dependencies from source code, including native libraries
  • A catalog of source code that is maintained in perpetuity, ensuring build reproducibility even if dependencies are deleted or corrupted in public repositories
  • Enriched dependency metadata, including vulnerability and licensing information
  • Signed artifacts, ensuring that they haven't been tampered with
  • Optional distribution from an Artifact Repository hosted by ActiveState

This means that DevOps now has a trusted vendor for open source supply chain management as an alternative to setting up their own supply chains, which are time-consuming and inherently insecure.

The ActiveState Platform secure build service supports SLSA Level 4 standards to enable DevOps to dramatically reduce the risk and cost of securing their software supply chain while ensuring the security and integrity of the products and services they create.

  "The effort of building and verifying the security and integrity of every open source dependency used by DevOps teams worldwide can be expensive, requiring significant engineering time and resources. The ActiveState Platform secure build service enables DevOps to consume trusted artifacts at a fraction of the cost by implementing controls to meet SLSA Level 4 standards."

-Loreli Cadapan, Vice President, Product Management, ActiveState

About ActiveState
ActiveState has a 20+ year history of providing secure, scalable open source language solutions to more than 2 million developers and 97% of Fortune 1,000 enterprises. Enterprises choose ActiveState to support mission-critical systems and speed up software development while enhancing the security and integrity of their open source supply chain. Visit www.activestate.com for more information.
