{"id":55221,"date":"2020-12-03T14:59:50","date_gmt":"2020-12-03T22:59:50","guid":{"rendered":"https:\/\/github.blog\/?p=55221"},"modified":"2021-07-29T10:00:53","modified_gmt":"2021-07-29T17:00:53","slug":"applying-devsecops-to-your-software-supply-chain","status":"publish","type":"post","link":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/","title":{"rendered":"Applying DevSecOps to your software supply chain"},"content":{"rendered":"<p><i>This article was originally published on <\/i><a href=\"https:\/\/www.infoworld.com\/article\/3586610\/4-steps-to-devsecops-in-your-software-supply-chain.html\"><i>InfoWorld<\/i><\/a><i>, and is republished here with permission. This is part of our blog series on DevSecOps and software security.<\/i><\/p>\n<p>Developers often want to do the \u2018right\u2019 thing when it comes to security, but they don\u2019t always know what that is. In order to help developers continue to move quickly, while achieving better security outcomes, organizations are turning to <a href=\"https:\/\/github.blog\/2020-08-13-secure-at-every-step-a-guide-to-devsecops-shifting-left-and-gitops\/\">DevSecOps<\/a>. DevSecOps is the mindset shift of making all parties who are part of the application development lifecycle accountable for security of the application, by continuously integrating security across your development process. In practice, this means shifting security reviews and testing left &#8211; from auditing or enforcing at deployment time, to also checking security controls earlier at build or development time.<\/p>\n<p>For code your developers write, that means providing feedback on issues during the development process, so the developer doesn\u2019t lose their flow. For dependencies your code pulls in as part of your <a href=\"https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/\">software supply chain<\/a>, what should you do?<\/p>\n<p>Let\u2019s first define a dependency. A dependency is another binary that your software needs in order to run, specified as part of your application. Using a dependency allows you to leverage the power of open source, and to pull in code for functions that aren\u2019t a core part of your application, or where you might not be an expert. They often define your software supply chain \u2014 GitHub\u2019s 2019 State of the Octoverse Report showed that on average, each repository has <a href=\"https:\/\/octoverse.github.com\/\">more than 200 dependencies<\/a> (disclosure: I work for GitHub). An upstream vulnerability in any one of these dependencies means you\u2019re likely affected too. The reality of the software supply chain is that you are dependent on code you didn\u2019t write, yet the dependencies still require work from you for ongoing upkeep. So where should you get started in implementing security controls?<\/p>\n<h2 id=\"create-a-unified-ci-cd-pipeline-to-shift-security-controls-left\"><a class=\"heading-link\" href=\"#create-a-unified-ci-cd-pipeline-to-shift-security-controls-left\">Create a unified CI\/CD pipeline to shift security controls left<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Part of the goal of <a href=\"https:\/\/resources.github.com\/whitepapers\/Architects-guide-to-DevOps\/\">DevSecOps<\/a>, and shifting left, is to provide not only feedback but also consistency and repeatability as part of the development environment. This isn\u2019t unique to your supply chain, but applies to any security control.<\/p>\n<p><b>The earlier you can unify your CI\/CD pipeline, the earlier you can implement controls, allowing your security controls to shift left.<\/b> You don\u2019t want to apply the same controls multiple times in different systems &#8211; it doesn\u2019t scale, spreads your (already thin) security resources even thinner, allows inconsistencies to be introduced via drift or incompatibility in systems, and potentially worst of all, means you might miss something.<\/p>\n<p>The precursor to shifting left and applying DevSecOps isn\u2019t a security control at all &#8211; it\u2019s about improving developer tooling to provide a consistent way to write, build, test, and deploy code. Introducing a centralized system for any one of these can help you improve your security. Organizations will frequently tackle developer tools from the last step, and work backwards to the first &#8211; that is, adopting a consistent deployment strategy before adopting a consistent build strategy &#8211; with one exception, code. Even if you build locally, chances are, you\u2019re checking your code in for posterity.<\/p>\n<p>You can start applying security controls to your code even without getting all the other steps unified. A developer-centric approach means your developers can stay in context and respond to issues as they code, not days later at deployment, or months later from a penetration test report. Building on a unified CI\/CD pipeline, here are some tips on how your development team can apply DevSecOps to secure your software supply chain.<\/p>\n<h2 id=\"declare-dependencies-in-code-so-you-discover-them-at-development-time\"><a class=\"heading-link\" href=\"#declare-dependencies-in-code-so-you-discover-them-at-development-time\">Declare dependencies in code, so you discover them at development time<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>First things first, in order to maintain your dependencies &#8211; for example, applying security patches &#8211; you need to know what your dependencies are. Seems straightforward, right?<\/p>\n<p>There are many ways to detect your dependencies, at different parts of your development process: by analyzing at the dependencies declared in code, for example, specified by a developer in a manifest file or lockfile; by tracking the dependencies pulled in as part of a build process; or by examining completed build artifacts, for example once they\u2019re in your registry. Unfortunately, there is no perfect solution as all methods have their challenges, but you should pick the solution that best integrates with your existing development pipeline or use multiple solutions to give you insights into dependencies at each step in your development process.<\/p>\n<p>However, there are benefits to detecting dependencies in code, rather than later: you\u2019re shifting that dependency management step left. This allows developers to immediately perform maintenance for dependencies &#8211; performing updates, applying security patches, or removing unnecessary dependencies &#8211; without waiting for feedback from a build or deployment step. And, if you don\u2019t have a centralized or consistent build pipeline, and can\u2019t apply a check later, detecting your dependencies in code means you can still infer this information. The main downside to detecting dependencies in code is that you might miss any artifacts pulled in later, for example, Gradle allows for <a href=\"https:\/\/docs.gradle.org\/current\/userguide\/declaring_dependencies.html\">dependencies to be resolved as part of a build<\/a>, meaning build-time detection will contain more complete information.<\/p>\n<p><b>To accurately detect dependencies in code &#8211; and to more easily control what dependencies you use &#8211; you\u2019ll want to explicitly specify them as part of your application\u2019s manifest file or lockfile<\/b>, rather than vendoring them into a repository (forking a copy of a dependency as part of your project, aka copy-pasting it). Vendoring makes sense if you have a good reason to fork the code, for example, to modify or limit functionality for your organization, or use this as a step to review dependencies (you know, actually tracking inputs from vendors). (Some ecosystems also favor using vendoring.) However, if you\u2019re planning on using the upstream version, vendoring makes updating your dependencies harder. By specifying your dependencies explicitly, it\u2019s easier for your development team to update: with a single line of code change in a manifest, rather than re-forking and copying a whole repository. In certain ecosystems, you can use a lockfile to ensure consistency, so you\u2019re using the same version in your development environment as you are for your production build, and review changes like any other code changes.<\/p>\n<h2 id=\"provide-a-path-paved-with-golden-packages-for-your-development-team\"><a class=\"heading-link\" href=\"#provide-a-path-paved-with-golden-packages-for-your-development-team\">Provide a path paved with \u2018golden\u2019 packages for your development team<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>You might already be familiar with the concept of \u2018golden\u2019 images, which are maintained and sanctioned by your organization, including the latest security patches. This is a common concept for containers, to provide developers with a base image on which they can build their containers, without having to worry about the underlying OS. The idea here is to only have to maintain one set of OSes, managed by a central team, that you know have been reviewed for security issues and validated in your environment. Well, why not do that for any other artifacts too?<\/p>\n<p><b>To supplement a unified CI\/CD pipeline, you can provide a reference set of maintained artifacts and libraries. <\/b>This is just a pre-emptive security control &#8211; rather than verifying that a package is up to date once it\u2019s been built, give your developers what they need as an input to their build. For example, if multiple teams are using OpenSSL, you shouldn\u2019t need every team to update it; if one team updates it (and there are sufficient tests in place!), then you should be able to change the default for all teams. This could be implemented by having a central internal package registry of your known good artifacts, that have already passed any security requirements, and have a clear owner responsible for updating if new versions are released.<\/p>\n<p>By providing a single set of packages, you\u2019re ensuring all teams reference these. Keep in mind, the latest you can do this is in the build system, but this could also be done earlier in code, especially if you\u2019re using a monorepo. An added benefit of sharing common artifacts and libraries is making it easier to tell if you\u2019re \u2018affected\u2019 by a newly discovered vulnerability. If the corresponding artifact hasn\u2019t been updated, you are! And then it\u2019s just one change to address the issue, and for the update to flow downstream to all teams. Phew.<\/p>\n<h2 id=\"automate-downstream-build-and-deployment\"><a class=\"heading-link\" href=\"#automate-downstream-build-and-deployment\">Automate downstream build and deployment<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>To make sure that developers\u2019 hard work pays off, their changes actually need to make it to production! In creating a unified CI\/CD pipeline, you cleared a path for changes that are made to code in a development environment to propagate downstream to testing and production environments. The next step is to simplify this with automation. In an ideal world, your <i>development<\/i> team only makes changes to a <i>development<\/i> environment, with any changes to that environment automatically pushed to testing, validated, and automatically rolled out (and back, if needed).<\/p>\n<p>Rather than applying DevOps and DevSecOps by requiring your development team to learn operations tools, you simplify those tools and feedback to what these teams need to know in order to make changes where they\u2019re most familiar, in code. This should sound familiar &#8211; it\u2019s what\u2019s happening with trends like infrastructure as code, or GitOps &#8211; define things in code, and let your workflow tools handle making the actual change.<\/p>\n<p>If you can automate downstream build, testing, and deployment of your code &#8211; then your developers only need to focus on fixing code. Following DevSecOps principles, they don\u2019t need to learn tooling to do validating testing, phased deployments, or whatever you might need in your environment.<b> Crucially, for security, your development team doesn\u2019t need to learn how to roll out a fix in order to apply a fix.<\/b> Fixing a security issue in code and committing it is sufficient to ensure it (eventually) gets fixed in production. Instead, you can focus on quickly finding and fixing bugs in code.<\/p>\n<p>Creating a unified CI\/CD pipeline allows you to shift security controls left, including for supply chain security. Then, to best apply DevSecOps principles to improve the security of your dependencies, you should ask your developers to declare your dependencies in code and in turn provide them with maintained \u2018golden\u2019 artifacts and automated downstream actions so they can focus on code. Since this requires changes to not just security controls, but your developers\u2019 experience, just using security tooling isn\u2019t sufficient to implement DevSecOps. In addition to enabling <a href=\"https:\/\/docs.github.com\/en\/github\/setting-up-and-managing-organizations-and-teams\/managing-security-and-analysis-settings-for-your-organization\">platform-native dependency management features<\/a>, you\u2019ll also want to take a closer look at your CI\/CD pipeline and artifact management.<\/p>\n<p>Altogether, applying DevSecOps means you can have a better understanding of what\u2019s in your supply chain. By using DevSecOps, it should be simpler to manage your dependencies, with a change to a manifest or lockfile easily updating a single artifact in use across multiple teams, and automation of your CI\/CD pipeline ensuring that changes developers make quickly end up in production.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained \u2018golden\u2019 artifacts and automated downstream actions so they can focus on code.<\/p>\n","protected":false},"author":1807,"featured_media":54057,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"","_gh_post_is_no_robots":"","_gh_post_is_featured":"","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"{title}\n\n{excerpt}\n\n{url}","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"jetpack_post_was_ever_published":false,"_links_to":"","_links_to_target":""},"categories":[3318,3313],"tags":[1709],"coauthors":[],"class_list":["post-55221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devsecops","category-enterprise-software","tag-supply-chain-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.9 (Yoast SEO v27.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Applying DevSecOps to your software supply chain - The GitHub Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Applying DevSecOps to your software supply chain\" \/>\n<meta property=\"og:description\" content=\"To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained \u2018golden\u2019 artifacts and automated downstream actions so they can focus on code.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-12-03T22:59:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-29T17:00:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Maya Kaczorowski\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Maya Kaczorowski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/\"},\"author\":{\"name\":\"Maya Kaczorowski\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/5b9e90adf3e2207ad5a7b541ba5714b3\"},\"headline\":\"Applying DevSecOps to your software supply chain\",\"datePublished\":\"2020-12-03T22:59:50+00:00\",\"dateModified\":\"2021-07-29T17:00:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/\"},\"wordCount\":1834,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/security-default.png?fit=1200%2C630\",\"keywords\":[\"supply chain security\"],\"articleSection\":[\"DevSecOps\",\"Enterprise software\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/\",\"name\":\"Applying DevSecOps to your software supply chain - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/security-default.png?fit=1200%2C630\",\"datePublished\":\"2020-12-03T22:59:50+00:00\",\"dateModified\":\"2021-07-29T17:00:53+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/5b9e90adf3e2207ad5a7b541ba5714b3\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/security-default.png?fit=1200%2C630\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/security-default.png?fit=1200%2C630\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/applying-devsecops-to-your-software-supply-chain\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Enterprise software\",\"item\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DevSecOps\",\"item\":\"https:\\\/\\\/github.blog\\\/enterprise-software\\\/devsecops\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Applying DevSecOps to your software supply chain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/5b9e90adf3e2207ad5a7b541ba5714b3\",\"name\":\"Maya Kaczorowski\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=gc1ea47a6cdabca177d6a83c6a8fefdb6\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=g\",\"caption\":\"Maya Kaczorowski\"},\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/mayakacz\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Applying DevSecOps to your software supply chain - The GitHub Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/","og_locale":"en_US","og_type":"article","og_title":"Applying DevSecOps to your software supply chain","og_description":"To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained \u2018golden\u2019 artifacts and automated downstream actions so they can focus on code.","og_url":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/","og_site_name":"The GitHub Blog","article_published_time":"2020-12-03T22:59:50+00:00","article_modified_time":"2021-07-29T17:00:53+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","type":"image\/png"}],"author":"Maya Kaczorowski","twitter_card":"summary_large_image","twitter_image":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","twitter_misc":{"Written by":"Maya Kaczorowski","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#article","isPartOf":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/"},"author":{"name":"Maya Kaczorowski","@id":"https:\/\/github.blog\/#\/schema\/person\/5b9e90adf3e2207ad5a7b541ba5714b3"},"headline":"Applying DevSecOps to your software supply chain","datePublished":"2020-12-03T22:59:50+00:00","dateModified":"2021-07-29T17:00:53+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/"},"wordCount":1834,"image":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","keywords":["supply chain security"],"articleSection":["DevSecOps","Enterprise software"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/","url":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/","name":"Applying DevSecOps to your software supply chain - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","datePublished":"2020-12-03T22:59:50+00:00","dateModified":"2021-07-29T17:00:53+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/5b9e90adf3e2207ad5a7b541ba5714b3"},"breadcrumb":{"@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/enterprise-software\/devsecops\/applying-devsecops-to-your-software-supply-chain\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Enterprise software","item":"https:\/\/github.blog\/enterprise-software\/"},{"@type":"ListItem","position":3,"name":"DevSecOps","item":"https:\/\/github.blog\/enterprise-software\/devsecops\/"},{"@type":"ListItem","position":4,"name":"Applying DevSecOps to your software supply chain"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/5b9e90adf3e2207ad5a7b541ba5714b3","name":"Maya Kaczorowski","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=gc1ea47a6cdabca177d6a83c6a8fefdb6","url":"https:\/\/secure.gravatar.com\/avatar\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0caa9667d4c52e910619627e9a8c12b82711d08c93c41bef12d6d6cabcaacd57?s=96&d=mm&r=g","caption":"Maya Kaczorowski"},"url":"https:\/\/github.blog\/author\/mayakacz\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2020\/08\/security-default.png?fit=1200%2C630","jetpack_shortlink":"https:\/\/wp.me\/pamS32-emF","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/55221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/1807"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=55221"}],"version-history":[{"count":4,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/55221\/revisions"}],"predecessor-version":[{"id":56401,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/55221\/revisions\/56401"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/54057"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=55221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=55221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=55221"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=55221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}