What is it about?

Traditionally, software supply chain security is verified for a particular artifact - you download a piece of software and check that it meets your security needs. By using Confidential Computing hardware, you can perform similar checks on a running software application (including software-as-a-service, SaaS) using a specialized protocol.


Why is it important?

Today, software-as-a-service (SaaS) is more popular than on-premises installed software; yet software supply chain security tooling often assumes you have access to the software binaries or packages that you install on-premises. This paper provides a way to extend the existing tooling so that it is also useful for SaaS deployments.

Perspectives

Confidential Computing is an exciting field of development - it already quietly protects your biometrics and mobile payments in smartphones, but it is relatively new on the server side and in the cloud. I believe this paper is already a unique advancement in software supply chain security, and it is just scratching the surface.

Bobbie Chen

Read the Original

This page is a summary of: Runtime Verification for Software Supply Chain Security using Confidential Computing, November 2023, ACM (Association for Computing Machinery), DOI: 10.1145/3689944.3696350.
