Securing the maintenance phase

Securing the software supply chain doesn't end when a release ships. Maintaining released software is an important part of security.

Michael Lieberman

May 28, 2025

This post is an excerpt from Securing the Software Supply Chain by Michael Lieberman and Brandon Lum. Download the full e-book for free from Kusari.

The maintenance phase is the part of the software development life cycle (SDLC) where we keep things running as planned, as well as provide the final stage of the feedback loop back into the next iteration of the SDLC’s planning phase. The maintenance phase doesn't bring to light any new risks or attacks, but does call attention to the need to remain diligent to protect running systems and make sure data from all our systems flows into security monitoring, alerting, and management systems.

This feedback loop is the final piece of the picture that helps any organization like a hypothetical Secure Bank achieve multiple security goals:

  • Understanding potential threats by highlighting security gaps
  • Understanding both successful and thwarted attacks
  • Having a knowledge base of security metrics and metadata

That last point around having a knowledge base of security metrics and metadata can't be overstated. Having this knowledge base isn’t an end unto itself, but almost everything in security will rely on it. All the threat mitigation systems, processes, procedures, etc. are only as good as the data that feeds into them.

Without trustworthy and reliable data backing the decisions made by both manual and automated security controls, the controls are borderline useless. Enforcing a rule that ingested software must have no known vulnerabilities isn't valuable if you don't have access to data about known vulnerabilities. Verifying that software is signed isn't valuable if you don't store the cryptographic key and certificate information for the identities that are trusted to sign. Checking that a signature is valid is easy; without that identity data, a perfectly valid signature may belong to an unknown or untrusted party.
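The signature point above is worth seeing in code. The following Go program is an added example written for this excerpt, not code from the e-book or from Kusari's products. It uses Go's standard-library Ed25519 to build the situation the paragraph warns about: two signers produce cryptographically valid signatures over the same artifact digest, but only one signer is recorded in a (hypothetical, in-memory) trust store keyed by public-key fingerprint. A bare signature check accepts both; a check backed by the knowledge base accepts only the known identity. The artifact digest, the identity string and the `TrustStore` type are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TrustStore stands in for the security knowledge base described in the text:
// it maps a public-key fingerprint to the identity the organization trusts to
// sign. Hypothetical in-memory structure; a real deployment would back this
// with a metadata store and certificate/transparency-log data.
type TrustStore map[string]string

// Fingerprint derives a stable lookup key from the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Register binds a public key to a trusted signer identity.
func (ts TrustStore) Register(pub ed25519.PublicKey, identity string) {
	ts[Fingerprint(pub)] = identity
}

// VerifyTrusted performs both checks the text calls for: the signature must be
// cryptographically valid AND the signing key must be bound to a known
// identity. It returns that identity so downstream policy can use it.
func VerifyTrusted(ts TrustStore, pub ed25519.PublicKey, artifact, sig []byte) (string, error) {
	if !ed25519.Verify(pub, artifact, sig) {
		return "", fmt.Errorf("signature is invalid for artifact")
	}
	fp := Fingerprint(pub)
	identity, ok := ts[fp]
	if !ok {
		return "", fmt.Errorf("signature is valid but signer %s... is not in the trust store", fp[:12])
	}
	return identity, nil
}

// Scenario holds the constructed demo inputs: one trusted signer, one unknown
// signer, and signatures from each over the same artifact digest.
type Scenario struct {
	Store                  TrustStore
	Artifact               []byte
	TrustedPub, UnknownPub ed25519.PublicKey
	TrustedSig, UnknownSig []byte
}

// BuildScenario generates fresh keys and signatures. Only the first key is
// registered in the trust store.
func BuildScenario() (*Scenario, error) {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	unknownPub, unknownPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed sample: in practice this is the digest of the released artifact.
	artifact := []byte("sha256:0000constructed-demo-artifact-digest0000")

	store := TrustStore{}
	store.Register(trustedPub, "release-pipeline@secure-bank.example") // constructed identity

	return &Scenario{
		Store:      store,
		Artifact:   artifact,
		TrustedPub: trustedPub,
		UnknownPub: unknownPub,
		TrustedSig: ed25519.Sign(trustedPriv, artifact),
		UnknownSig: ed25519.Sign(unknownPriv, artifact),
	}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	// Bare verification: both signatures pass, which is the trap the text describes.
	fmt.Println("bare verify, trusted signer:", ed25519.Verify(s.TrustedPub, s.Artifact, s.TrustedSig))
	fmt.Println("bare verify, unknown signer:", ed25519.Verify(s.UnknownPub, s.Artifact, s.UnknownSig))

	// Verification backed by the knowledge base: only the registered identity passes.
	for name, c := range map[string]struct {
		pub ed25519.PublicKey
		sig []byte
	}{"trusted": {s.TrustedPub, s.TrustedSig}, "unknown": {s.UnknownPub, s.UnknownSig}} {
		id, err := VerifyTrusted(s.Store, c.pub, s.Artifact, c.sig)
		if err != nil {
			fmt.Printf("trust-backed verify, %s signer: REJECT (%v)\n", name, err)
		} else {
			fmt.Printf("trust-backed verify, %s signer: ACCEPT as %s\n", name, id)
		}
	}
}
```

The design choice worth noting is that `VerifyTrusted` returns the identity rather than a bare boolean: the same lookup that prevents an unknown signer from passing also feeds the identity into later policy decisions, which is exactly the kind of metadata the knowledge base exists to supply.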

There are emerging patterns in this space, but be aware that a lot of the work on building out this knowledge base is still at an early stage. A few mature tools such as Grafeas help, along with emerging tools such as GUAC. In addition to tools specifically designed for storing supply chain and artifact metadata, many organizations use common data warehousing and data lake tools to build solutions that fit their specific needs.
