Securing the software supply chain doesn't end when a release ships. Maintaining released software is an important part of security.
May 28, 2025
This post is an excerpt from Securing the Software Supply Chain by Michael Lieberman and Brandon Lum. Download the full e-book for free from Kusari.
The maintenance phase is the part of the software development life cycle (SDLC) where we keep things running as planned, and it also provides the final stage of the feedback loop back into the next iteration of the SDLC's planning phase. The maintenance phase doesn't bring to light any new risks or attacks, but it does call attention to the need to remain diligent in protecting running systems and to make sure data from all our systems flows into security monitoring, alerting, and management systems.
This feedback loop is the final piece of the picture that helps any organization like a hypothetical Secure Bank achieve multiple security goals:
The importance of that last point, maintaining a knowledge base of security metrics and metadata, can't be overstated. Having this knowledge base isn't an end unto itself, but almost everything in security will rely on it. All the threat mitigation systems, processes, procedures, etc. are only as good as the data that feeds into them.
Without trustworthy and reliable data backing the decisions made by both manual and automated security controls, the controls are borderline useless. A rule that only software with "no known vulnerabilities" may be ingested isn't valuable if you don't have access to data about known vulnerabilities. Verifying that software is signed isn't valuable if you don't store the cryptographic key and certificate information for the identities doing the signing: it is easy to verify that a signature is cryptographically valid, but that signature could just as easily belong to an unknown or untrusted party.
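The two failure modes in that paragraph, a signature that verifies but comes from nobody you trust, and a "no known vulnerabilities" rule evaluated without vulnerability data, can be shown in a small admission check. The following Go program is an added example written for this post, not code from the book, from Kusari, or from GUAC or Grafeas; the `KnowledgeBase` type, the `Admit` function, the signer label and the vulnerability ID are all hypothetical, constructed stand-ins for the metadata store the text describes. Ed25519 keys are generated at run time so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Distinct errors so a caller can tell "bad signature" from "valid but untrusted".
var (
	ErrBadSignature  = errors.New("signature does not verify against the presented key")
	ErrUnknownSigner = errors.New("signature verifies, but the signer is not a trusted identity")
	ErrNoVulnData    = errors.New("vulnerability data unavailable; refusing to admit (fail closed)")
	ErrKnownVulns    = errors.New("artifact has known vulnerabilities")
)

// KnowledgeBase is a hypothetical, in-memory stand-in for the metadata store the
// post describes: which signing identities we trust and which vulnerabilities we
// know about. A real deployment would back this with a store such as GUAC or Grafeas.
type KnowledgeBase struct {
	TrustedSigners map[string]string   // public-key fingerprint -> identity label
	KnownVulns     map[string][]string // artifact digest -> vulnerability IDs
	VulnFeedFresh  bool                // false while the vulnerability feed is missing or stale
}

func NewKnowledgeBase() *KnowledgeBase {
	return &KnowledgeBase{
		TrustedSigners: map[string]string{},
		KnownVulns:     map[string][]string{},
	}
}

// Fingerprint gives a stable identifier for a public key: hex SHA-256 of its bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Digest is the artifact identifier the vulnerability feed is keyed on.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Admit decides whether an artifact may be ingested and returns the trusted
// signer's label on success. Every check leans on knowledge-base data: a valid
// signature from an unregistered key is rejected, and an absent or stale
// vulnerability feed is an error rather than a pass.
func (kb *KnowledgeBase) Admit(artifact []byte, pub ed25519.PublicKey, sig []byte) (string, error) {
	if !ed25519.Verify(pub, artifact, sig) {
		return "", ErrBadSignature
	}
	signer, ok := kb.TrustedSigners[Fingerprint(pub)]
	if !ok {
		return "", ErrUnknownSigner
	}
	if !kb.VulnFeedFresh {
		return signer, ErrNoVulnData
	}
	if vulns := kb.KnownVulns[Digest(artifact)]; len(vulns) > 0 {
		return signer, fmt.Errorf("%w: %v", ErrKnownVulns, vulns)
	}
	return signer, nil
}

func main() {
	// Constructed sample data: two key pairs, only one registered as trusted.
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes v1.2.3")

	kb := NewKnowledgeBase()
	kb.TrustedSigners[Fingerprint(trustedPub)] = "release-bot@secure-bank.example"

	// Feed not loaded yet: a trusted, valid signature alone is not enough.
	_, err := kb.Admit(artifact, trustedPub, ed25519.Sign(trustedPriv, artifact))
	fmt.Println("before vuln feed loaded:", err)

	kb.VulnFeedFresh = true
	signer, err := kb.Admit(artifact, trustedPub, ed25519.Sign(trustedPriv, artifact))
	fmt.Println("trusted signer:", signer, "err:", err)

	// Cryptographically valid signature, but from a key nobody vouched for.
	_, err = kb.Admit(artifact, strangerPub, ed25519.Sign(strangerPriv, artifact))
	fmt.Println("unknown signer:", err)

	// Same artifact once the feed records a vulnerability (placeholder ID).
	kb.KnownVulns[Digest(artifact)] = []string{"VULN-ID-PLACEHOLDER"}
	_, err = kb.Admit(artifact, trustedPub, ed25519.Sign(trustedPriv, artifact))
	fmt.Println("with known vulnerability:", err)
}
```

The ordering in `Admit` is deliberate: the cryptographic check comes first because it is cheap and unambiguous, but it is the lookup against stored signer identities that turns "this signature is valid" into "this signature is from someone we trust", and the vulnerability rule fails closed when its data source is missing rather than silently reporting nothing found.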
There are emerging patterns in this space, but be aware that a lot of the work on building out this knowledge base is still at an early stage. There are a few mature tools out there like Grafeas that help, along with emerging tools like GUAC. In addition to tools specifically designed for storing supply chain and artifact metadata, many organizations use common data warehousing and data lake tools to build solutions that fit their specific needs.