S2C2F Framework for Secure Software Supply Chain Consumption
On May 24th, Adrian Diglio presented at #microsoftbuild on Microsoft's approach to software supply chain security. He discussed the OpenSSF Secure Supply Chain Consumption Framework (S2C2F), which Microsoft developed, contributed to the OpenSSF, and continues to lead.
The S2C2F is a consumption-focused framework: it uses a threat-based, risk-reduction approach to mitigate real-world threats against Open Source Software (OSS) as it enters your build, rather than telling OSS maintainers how to produce it. It is designed to help organizations secure how developers consume and manage #opensource dependencies when building software.
The S2C2F has four levels of maturity:
- Level 1: Minimum OSS governance program. Consume OSS through package managers and a binary repository, keep an automated inventory of what is used, scan it for known vulnerabilities and licenses, and update vulnerable components.
- Level 2: Secure consumption and improved mean time to remediate (MTTR). Verify the integrity and provenance of what is consumed, maintain a deny list, secure package source configuration, automate updates, and surface vulnerabilities as build errors.
- Level 3: Malware defense and zero-day detection. Enforce a curated internal feed, mirror OSS source internally, review OSS proactively, and be able to patch a zero-day in a dependency yourself.
- Level 4: Advanced threat defense (the aspirational level). Rebuild OSS on trusted infrastructure, sign what you rebuild, and generate, sign and validate SBOMs.
The S2C2F is a valuable resource for organizations that want to improve their software supply chain security. Its practices are organized so that an organization can start at Level 1 and work upward, rather than having to adopt everything at once.
However, there are a few areas where the S2C2F could be improved. First, SBOMs are only required at Level 4: validating the SBOMs of OSS you consume, and generating and signing SBOMs for OSS you rebuild, are all Level 4 practices. This is a significant oversight, as SBOMs are becoming increasingly important for software supply chain security and are increasingly expected by customers and regulators. Second, the S2C2F focuses primarily on OSS components that reside in language package ecosystems (npm, PyPI, NuGet, Maven and the like). This means it does not really address the huge amount of C/C++ code that is still in use, much of which is vendored or built from source rather than pulled from a package manager.
There are a few areas where it could be improved, and I look forward to seeing how the S2C2F evolves in the coming months.
In addition to the S2C2F, there are a number of other things that organizations can do to improve their software supply chain security. These include:
- Producing a software bill of materials (SBOM) for what you ship, and requesting one for what you consume
- Using a vulnerability management tool (software composition analysis) against the dependency inventory, not just against your own code
- Training developers on secure coding practices, including how to add and update dependencies safely
- Implementing a security testing process that runs in CI, where dependency problems can block a merge
- Monitoring the software supply chain for threats such as new advisories, typosquatted or malicious packages, and compromised maintainer accounts
By taking these steps, organizations can help to protect themselves from the risks associated with insecure software supply chains.
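The items above are abstract, so here is an added example of what the most basic consumption controls look like in practice. It is not code from the S2C2F project or from the talk; it is a small Python script I wrote for this post. It audits a pip `requirements.txt` against a hypothetical policy of my own choosing (every dependency pinned with `==`, every pin carrying a `--hash`, and no extra package indexes that would open a dependency-confusion path) and emits a minimal CycloneDX-style SBOM for the components that are pinned. The sample requirements file, the internal index URL and the SHA-256 digest are all constructed for the example; the digest is a placeholder, not a real hash.

```python
"""Audit a pip requirements file for basic OSS consumption hygiene and emit a
minimal CycloneDX-style SBOM.  Added example with a hypothetical policy; not
the S2C2F project's code."""
import json
import re

# Hypothetical policy (not quoted from the S2C2F spec):
#   1. every requirement is pinned to exactly one version with '=='
#   2. every requirement carries at least one --hash=<alg>:<digest> option
#   3. no --index-url / --extra-index-url / --find-links lines
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([A-Za-z0-9.!+*-]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
INDEX_OPTS = ("-i", "--index-url", "--extra-index-url", "-f", "--find-links")


def _logical_lines(text):
    """Join backslash continuations, strip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        buf = re.sub(r"(^|\s)#.*$", "", buf).strip()  # pip comment syntax
        if buf:
            out.append(buf)
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def _normalize(name):
    """PEP 503 name normalisation, which is also what package-url uses for pypi."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (findings, sbom).

    findings: list of policy violations as strings (empty means compliant)
    sbom:     minimal CycloneDX 1.4-style dict listing every pinned component
    """
    findings, components = [], []
    for line in _logical_lines(text):
        if line.startswith("-"):
            opt = line.split()[0]
            if opt in INDEX_OPTS:
                findings.append(f"non-default package source configured: {line}")
            else:
                findings.append(f"unsupported option line ignored: {line}")
            continue
        m = PIN_RE.match(line)
        if not m:
            # ranges, bare names and VCS URLs let the resolver pick something new
            findings.append(f"not pinned with '==': {line}")
            continue
        name, version = m.group(1), m.group(3)
        hashes = [{"alg": alg.upper().replace("SHA", "SHA-"), "content": digest.lower()}
                  for alg, digest in HASH_RE.findall(line)]
        if not hashes:
            # same version string, different bytes, still installs
            findings.append(f"no --hash pin for {name}=={version}")
        comp = {
            "type": "library",
            "name": _normalize(name),
            "version": version,
            "purl": f"pkg:pypi/{_normalize(name)}@{version}",
        }
        if hashes:
            comp["hashes"] = hashes
        components.append(comp)
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}
    return findings, sbom


# Constructed sample input; the digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-verified: passes
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# version range: a resolver could pull in a newer, unreviewed release
urllib3>=1.26
# pinned but no hash: a tampered artifact with the same version would install
pyyaml==6.0.1
# extra index: classic dependency-confusion surface (hypothetical host)
--extra-index-url https://pypi.example.internal/simple
"""

if __name__ == "__main__":
    found, bom = audit_requirements(SAMPLE_REQUIREMENTS)
    for f in found:
        print("FINDING:", f)
    print(json.dumps(bom, indent=2))
```

Run against the sample it reports three findings (the unpinned `urllib3`, the hash-less `pyyaml`, and the extra index) and produces an SBOM with two components, only one of which carries a hash. Wiring `audit_requirements` into CI so a non-empty findings list fails the build is the cheapest way to turn a Level 1 inventory into something closer to Level 2's integrity checks.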