BrandPost: DevSecOps and SDLC: Where Are We, and Where Should We Be?

Many organizations that have begun the effort to implement DevSecOps often quickly realize that they’re still in early stages of fully integrating security and compliance into the software development life cycle (SDLC).

Today, users typically download packages, check them against a simple checksum digest, and rely on security scanners run over the final artifact (a container image, a binary) just before it is deployed to production. That is a poor feedback loop for the developer: by the time a scanner flags a problem, the offending code has already been committed and has already passed through the build pipeline. A checksum on its own also proves very little, because whoever can replace the artifact can usually replace the digest published beside it; a checksum verifies that a download was not corrupted, not that it came from the publisher. Few registries provide a trustworthy hashing service coupled with a cryptographic signing system alongside the package repository service itself.
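To make the checksum-versus-signature distinction concrete, here is an added example (not code from the original article or from any registry it describes) that simulates a publisher, a registry entry and a tampering mirror. It signs the package digest with a Lamport one-time signature, chosen only because it is a genuine signature scheme that fits in a few lines using nothing but the standard library; a real registry would use a standard algorithm such as Ed25519 or RSA, and a Lamport key must never sign twice. The package bytes, the registry entry format and the "mirror" are all constructed for the example.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N_BITS = 256  # one secret pair per bit of the SHA-256 digest being signed


def lamport_keygen():
    """Lamport one-time key pair: sk holds 256 pairs of random secrets,
    pk holds the hash of each secret. The key is strictly single-use."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    # i-th bit of the digest, most significant bit first
    return (int.from_bytes(digest, "big") >> (N_BITS - 1 - i)) & 1


def lamport_sign(sk, digest: bytes):
    """Reveal, for every bit of the digest, the secret that matches that bit."""
    return [sk[i][_bit(digest, i)] for i in range(N_BITS)]


def lamport_verify(pk, digest: bytes, sig) -> bool:
    """Each revealed secret must hash to the public value selected by that digest bit."""
    if len(sig) != N_BITS:
        return False
    return all(HASH(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(N_BITS))


def publish(package: bytes, sk):
    """Publisher side: compute the digest and sign it; the registry stores all three."""
    digest = HASH(package).digest()
    return {"package": package, "sha256": digest.hex(), "sig": lamport_sign(sk, digest)}


def verify_checksum_only(entry) -> bool:
    """What a plain checksum check proves: the bytes match the digest shipped beside them."""
    return HASH(entry["package"]).hexdigest() == entry["sha256"]


def verify_signed(entry, pk) -> bool:
    """Checksum plus signature: the digest must also have been signed by the publisher's key."""
    digest = HASH(entry["package"]).digest()
    return digest.hex() == entry["sha256"] and lamport_verify(pk, digest, entry["sig"])


def mirror_tamper(entry):
    """Attacker controlling the mirror swaps the package AND rewrites the checksum next to it.
    They cannot produce a new signature without the publisher's private key."""
    evil = entry["package"] + b"\n# backdoor (constructed tampering for the example)"
    return {**entry, "package": evil, "sha256": HASH(evil).hexdigest()}


def demo():
    """Returns (checksum ok, signature ok) for the genuine entry, then for the tampered one."""
    sk, pk = lamport_keygen()
    genuine = publish(b"constructed package contents v1.0", sk)
    tampered = mirror_tamper(genuine)
    return (
        verify_checksum_only(genuine),
        verify_signed(genuine, pk),
        verify_checksum_only(tampered),  # still True: the attacker updated the digest too
        verify_signed(tampered, pk),     # False: the signature no longer covers these bytes
    )


if __name__ == "__main__":
    print(demo())
```

The interesting line is the third result: the tampered package passes the checksum check, because the digest is just data the mirror serves alongside the artifact. Only the signature, which the attacker cannot regenerate, ties the digest to the publisher, and only the public key (obtained out of band, not from the same mirror) lets the consumer detect the swap.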
