Validate the Security of Your Software Supply Chain
By September 13, 2023, all software providers to the US Government are required to achieve software supply chain compliance with US Executive Order 14028
Secure Supply Chain Best Practices
Software attestations are a key way for you as a software producer to establish trust with your customers by validating the security and integrity of your applications.
Using its secure build service, the ActiveState Platform will generate signed attestations for your application’s open source components, and verify their security and integrity upon installation using the attestation’s metadata.
That way, you can comply with new federal requirements and emerging industry best practices, and use security as a key differentiator.
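As an added illustration of the mechanism described above (not ActiveState's code, and not the Platform's actual attestation format), the following Go program signs an in-toto style statement that binds a built component to its SHA-256 digest, and verifies that signature and digest before the component is installed. The predicate type, the artifact name and bytes, and the Ed25519 key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Subject struct { // in-toto style subject: binds the statement to one artifact digest
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}
type Attestation struct{ Payload, Signature []byte } // statement bytes + producer's Ed25519 signature
func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
// Attest builds and signs a statement covering the SHA-256 of the built artifact.
func Attest(priv ed25519.PrivateKey, name string, artifact []byte) Attestation {
	st := Statement{PredicateType: "https://slsa.dev/provenance/v1",
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}}}
	payload, _ := json.Marshal(st) // marshaling this fixed struct cannot fail
	return Attestation{payload, ed25519.Sign(priv, payload)}
}
// Verify checks the producer's signature, then that the artifact about to be installed matches the subject digest.
func Verify(pub ed25519.PublicKey, att Attestation, name string, artifact []byte) error {
	if !ed25519.Verify(pub, att.Payload, att.Signature) {
		return fmt.Errorf("attestation signature invalid")
	}
	var st Statement
	if err := json.Unmarshal(att.Payload, &st); err != nil {
		return err
	}
	for _, s := range st.Subject {
		if s.Name == name && s.Digest["sha256"] == sha256Hex(artifact) {
			return nil
		}
	}
	return fmt.Errorf("artifact %q does not match the attestation subject", name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair (nil reader = crypto/rand)
	att := Attest(priv, "example-1.0.whl", []byte("constructed wheel bytes"))
	fmt.Println("genuine:", Verify(pub, att, "example-1.0.whl", []byte("constructed wheel bytes")))
	fmt.Println("tampered:", Verify(pub, att, "example-1.0.whl", []byte("swapped payload")))
}
```

In a real deployment the public key (or the transparency-log identity) comes from a trust policy the installer already holds, never from the package being installed.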
US Government Requires Attestations
Beginning in June 2023, any software that touches US Government data in any way must comply with a number of secure supply chain requirements, including providing a software attestation that includes:
- The software vendor’s name
- A description of the product or products the statement refers to
- A statement attesting that the software vendor follows secure development practices
The attestations generated by the ActiveState Platform conform to these US Government requirements. And since public sector requirements are often quickly adopted by commercial sectors, they will soon be key to acceptance by other industries, as well.
Secure Software Development
Starting in 2023, U.S. agencies will only be able to use software that meets the National Institute of Standards and Technology (NIST) guidance for secure software development practices. Developing software securely involves a number of best practices, extending from application architecture and design, through software threat modeling, to secure software build and delivery. A key requirement is that software vendors provide Supply Chain Levels for Software Artifacts (SLSA) components, including:
- Attestations from the software producer
- Software Bills of Materials (SBOMs) and documented processes to validate code integrity
- A programmatic way to check for and automate vulnerability remediation
The ActiveState Platform delivers all of these components out of the box in a single solution that fits the way you develop your software.
Attestations for Open Source Binaries
The security risk posed by the software supply chain has grown sharply over the past few years, primarily due to bad actors targeting open source software. The problem lies in the fact that open source repositories provide no guarantees as to the security and integrity of the components they offer. To address this, the ActiveState Platform automatically builds all open source binaries from source code and provides an attestation for each.
Next Steps
Learn more about how the ActiveState Platform can help you generate attestations to help prove the security of your supply chain.