Scribe Security: The first evidence-based security hub for software supply chains
Photo Gallery
Scribe Security: The first evidence-based security hub for software supply chains
Additional Info
Company | Scribe Security |
Website | https://scribesecurity.com/ |
Company size (employees) | 10 to 49 |
Headquarters Region | Europe |
Overview
Scribe secures software supply chains by providing an evidence-driven end- to-end solution. The solution creates transparency, control and trust for all stakeholders, software producers and consumers alike.
The solution is an online SaaS platform that provides continuous assurance for the quality of built software artifacts, by acting as a hub between software producers and consumers. These producers and consumers may be part of the same organization or reside across organizations.
Scribe generates an SBOM for every build and collects evidence of its level of security. Producers can retain and share with stakeholders this SBOM as an attestation for the security level.
Scribe continuously tracks newly published intelligence such as advisories and open-source scorecards about the SBOM components. With Scribe, Producers can address these findings and communicate de-facto risks associated with published vulnerabilities, utilizing the Vulnerability Exploit eXchange (VEX) standard.
Same as GitHub – the hub of source code management, Scribe is the hub of software trust. This helps organizations address the risk of implicit trust in software products.
DevSecOps and Security engineering professionals can use Scribe to set a local or an organizational Software Development and Build policy that governs the acceptable risk and enforces it in certain chokepoints.
Stakeholders can apply a policy over attestations to ensure a secure development / build process, validate that tampering hasn’t taken place, and gauge compliance to standards such as the SSDF and SLSA.
Scribe also validates the integrity of the software build, as well as ensuring its provenance (origin). All files are tracked by comparing hashes throughout the software development lifecycle, from the origin to the built artifact.
Attestations that Scribe creates are summarized evidence that is cryptographically signed utilizing standards based Sigstore open-source project.
These attestations are stored in Scribe’s cloud attestation store, out-of-band of the CI pipeline.
How we are different
1. Scribe is an end-to-end solution that uses a zero-trust, evidence-based approach and an inter-organizational software trust center that answers the needs of both the producers and consumers of software products, offering full transparency, control and trust.
2. Continuous code security, integrity, and provenance assurance, helping organizations address the risk of tampering with source code or artifacts. - While flagging suspicious modifications, Scribe also accounts for legitimate changes, such as linting and compilation. Similarly, Scribe validates the build environment and tools. Utilizing its open-source package intelligence, Scribe authenticates the open-source components, thus assuring that they were not maliciously modified. Scribe incorporates this granular validation information in the SBOM, which users can share with relevant stakeholders.
3. Exceptional observability and attestation - Scribe has multiple agentless and agent-based capabilities to observe all the relevant security related evidence from the software development and the build processes. Scribe connects and pulls evidence from source code managers, CI tools, build servers, container registries and cluster admission controllers. It uses this evidence to attest to the resulting product’s integrity and security.
Such evidence may consist of the identity of the developer committing code, proof of code review , file hashes, artifact hashes, source control manager and CI tool security posture, application security scanning test results, etc.