Scribe is an online software-as-a-service that acts as a hub between software producers and software consumers for continuously sharing attestations (cryptographically signed evidence) of the software’s trustworthiness. These producers and consumers might be teams in a single organization or reside across enterprise boundaries.
Stakeholders can apply a policy over these attestations to verify that secure development and build processes were followed, that no tampering has taken place, and to gauge compliance with standards such as SSDF and SLSA. More often than not, organizations are not aware of the full extent of the open-source dependencies in the software they use. Moreover, where such information exists, it is not methodically tracked or communicated to the stakeholders who consume this software. This is especially true in vendor-customer relationships.
Scribe generates a standards-based software bill of materials (SBOM) for every build and enables producers to share it with stakeholders on an ongoing basis with information and updates about published vulnerabilities and reputation.
Software Integrity and Provenance:
Scribe establishes the provenance (origin) and validates the integrity of your software build. It tracks every file by hash from the file’s origin up to the built artifact, throughout the software development lifecycle. This origin can be open-source or internal: a code repo, a package manager, or a container registry. In the process, Scribe flags suspicious modifications while accounting for legitimate changes such as linting and compilation. Scribe validates the build environment and tools in a similar way. With its open-source package intelligence service, Scribe authenticates open-source components, assuring that they were not maliciously modified. Scribe enriches SBOMs with this granular validation information, and you can share it with the relevant stakeholders.
Scribe cryptographically signs and validates critical evidence with customer keys, throughout the software development lifecycle (SDLC). This method provides resistance against tampering. It can also be regarded as extending the well-known concept of software signing to the SDLC.
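The two paragraphs above describe the mechanism at a high level: hash every file at its origin, sign that evidence with a customer-held key, and compare the hashes against the built artifact, distinguishing declared transformations (linting, compilation) from undeclared modifications or unexpected files. The following is an added illustration of that idea, not Scribe's own code or API. It uses a SHA-256 manifest and an HMAC over the manifest as a stand-in for the public-key signature a real attestation would carry; the file contents, paths and the set of declared build steps are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_attestation(manifest, key):
    """Serialize the manifest canonically and authenticate it with the holder's key.
    HMAC-SHA256 stands in here for a digital signature (assumption for the demo)."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": sig}


def verify_attestation(attestation, key):
    """Return the manifest if the signature checks out, else None (evidence was tampered with)."""
    expected = hmac.new(key, attestation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return None
    return json.loads(attestation["payload"])


def check_build(source_manifest, artifact_manifest, declared_steps):
    """Classify each artifact file against the signed source manifest.

    declared_steps: paths the pipeline declares as legitimately produced or
    rewritten (e.g. a linted source file or a compiled output).
    """
    findings = {"verified": [], "transformed": [], "suspicious": [], "unexpected": []}
    for path, digest in artifact_manifest.items():
        if path in source_manifest and source_manifest[path] == digest:
            findings["verified"].append(path)          # byte-identical to origin
        elif path in declared_steps:
            findings["transformed"].append(path)       # changed, but an expected build step
        elif path in source_manifest:
            findings["suspicious"].append(path)        # changed with no declared reason
        else:
            findings["unexpected"].append(path)        # not in source, not declared
    return findings


def demo():
    """Constructed end-to-end run: sign the source tree, then audit a build output."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "src"), Path(tmp, "build")
        (src / "lib").mkdir(parents=True)
        (out / "lib").mkdir(parents=True)
        (src / "app.py").write_text("print('hello')\n")
        (src / "lib" / "util.py").write_text("x=1\n")
        # Build output: app.py copied as-is, util.py reformatted by a linter,
        # a compiled artifact emitted, and one file nobody declared.
        (out / "app.py").write_text("print('hello')\n")
        (out / "lib" / "util.py").write_text("x = 1\n")
        (out / "app.bin").write_bytes(b"\x00compiled")
        (out / "extra.py").write_text("pass\n")

        key = secrets.token_bytes(32)                   # customer-held key (constructed)
        attestation = sign_attestation(build_manifest(src), key)
        source_manifest = verify_attestation(attestation, key)
        assert source_manifest is not None, "attestation failed verification"
        return check_build(source_manifest, build_manifest(out), {"lib/util.py", "app.bin"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo, `app.py` verifies, the linted `lib/util.py` and compiled `app.bin` are accepted because the pipeline declared them, and `extra.py` is reported as unexpected; a consumer-side policy would typically fail the build on any non-empty `suspicious` or `unexpected` list.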
Continuous Vulnerability Tracking:
Scribe generates CVE reports and, based on the SBOMs it stores and manages for each built software version, continuously tracks newly published CVEs affecting the builds delivered to production.
Policy and Governance:
Scribe enables software customers to govern, by policy, the artifacts delivered from their vendors, such as in a subcontracting relationship. The policy owner can also mandate a minimum security level for the software vendor’s build environment.
*CloudBlue Fast-Track product: This product is part of the CloudBlue Fast-Track program, which means it is in the process of being integrated with CloudBlue Connect.