& cplSiteName &

Google & Partners Secure 'Software Supply Chain'

Mitch Wagner

Google and partners are launching Grafeas, an open source API to help organizations manage security and policies on their "software supply chain."

Google (Nasdaq: GOOG), along with Red Hat Inc. (NYSE: RHT), IBM Corp. (NYSE: IBM) and other companies, are working on Grafeas to provide a means of "auditing and governing the modern software supply chain," according to a blog post from Google announcing the initiative Thursday.

Grafeas includes Kritis, a Kubernetes policy engine to help customers enforce software supply chain policies. Using Kritis, organizations can enforce container policies at deployment for Kubernetes clusters, Google says.

Shopify is using Grafeas and Kritis to manage its 6,000-plus daily builds and registry over more than 330,000 container images. The ecommerce provider uses Grafeas and Kritis to "automatically store vulnerability and build information about every container image that we create and strictly enforce a built-by-Shopify policy," Jonathan Pulsifer, Shopify senior security engineer, says in Google's blog post. Shopify's Kubernetes clusters only run images signed by its builder.

"Grafeas and Kritis actually help us achieve better security while letting developers focus on their code," Pulsifer says.

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

Other companies participating in the Grafeaas partnership are JFrog, BlackDuck, Twistlock, Aqua Security and CoreOS.

Several software trends are driving the need for tools like Grafeas and Kritis (which, by the way, mean "scribe" and "judge," respectively), Google says. Among these are growing, fragmented toolsets, including more languages and tools; open source software adoption, which makes developers more productive but also complicates auditing and governance; decentralized and continuous delivery; hybrid cloud deployments spreading software over multiple locations; and microservices architectures -- more pieces to track.

"Large monoliths are being replaced with dozens or hundreds of microservices," Jason McGee, IBM fellow, vice president and chief technology officer, for IBM Cloud Platform, says in a blog post announcing IBM's participation in the initiative. "Quarterly updates are being replaced with continuous deployments happening dozens of times a day. Servers that you love and maintain are switched for ephemeral containers that are constantly replaced."

Says Google, "Without uniform metadata schemas or a central source of truth, CIOs struggle to manage and secure their software supply chains, let alone answer foundational questions like: 'Is software component X deployed right now?' 'Did all components deployed to production pass required compliance tests?' and 'Does vulnerability Y affect any production code?'"

Grafeas is available as a Github project and more information is available at grafeas.io.

Related posts:

— Mitch Wagner Follow me on Twitter Visit my LinkedIn profile Visit my blog Follow me on Facebook Editor, Enterprise Cloud News

(3)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Educational Resources
sponsor supplied content
Educational Resources Archive
More Blogs from Wagner’s Ring
IBM and Cisco are working with Europe's largest port to reduce fuel consumption and other costs and improve safety.
In which we receive an alarming email from Oracle.
SD-WAN is about more than saving money – it also provides application delivery, insights and reliability. Find out more in this podcast sponsored by Citrix.
Platform is designed to enable enterprises to build big data analytics apps that move easily between public and private clouds.
Buying Evident.io extends Palo Alto's portfolio with API-based security capabilities and compliance automation.
Featured Video
From The Founder
John Chambers is still as passionate about business and innovation as he ever was at Cisco, finds Steve Saunders.
Flash Poll
Upcoming Live Events
September 12, 2018, Los Angeles, CA
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 6, 2018, London, United Kingdom
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
All Upcoming Live Events
Hot Topics
Adtran Will Be a 5G Winner, Says Analyst
Iain Morris, News Editor, 7/19/2018
Telecom Jargonosaurus Part 1: Repeat Offenders
Iain Morris, News Editor, 7/13/2018
Get Off My Wireline Lawn!
Carol Wilson, Editor-at-large, 7/17/2018
Trump Trashes EU's $5B Google Fine
Dan Jones, Mobile Editor, 7/19/2018
Eurobites: EU Socks Google With $5B Monster-Fine for Android Control-Freakery
Paul Rainford, Assistant Editor, Europe, 7/18/2018
Upcoming Webinars
Webinar Archive
Animals with Phones
Casual Tuesday Takes On New Meaning Click Here
When you forget your pants.
Latest Comment
Live Digital Audio

A CSP's digital transformation involves so much more than technology. Crucial – and often most challenging – is the cultural transformation that goes along with it. As Sigma's Chief Technology Officer, Catherine Michel has extensive experience with technology as she leads the company's entire product portfolio and strategy. But she's also no stranger to merging technology and culture, having taken a company — Tribold — from inception to acquisition (by Sigma in 2013), and she continues to advise service providers on how to drive their own transformations. This impressive female leader and vocal advocate for other women in the industry will join Women in Comms for a live radio show to discuss all things digital transformation, including the cultural transformation that goes along with it.

Like Us on Facebook
Twitter Feed