Outsourced Software Development—Security Validation

A very important component in achieving end-to-end security of the software supply chain is the ability to mitigate the cyber risks posed by outsourced subcontractors. It is also crucial to enable a continuous and secure subcontractor software delivery process.

The outsourced subcontractor develops the software and exports the software artifact, which then goes through the organization’s risk management gate. The purpose of this gate is:

  • Preventing tampering with digital assets
  • Allowing access to trusted developers only
  • Using only reputable open-source components

Scribe’s platform serves as your organization’s Acceptance Gate

Scribe serves as your organization’s risk management gate to:

  • Continuously collect and sign evidence from subcontractors
  • Authenticate and authorize developers
  • Verify evidence integrity
  • Apply acceptance policy

For organizations using a SaaS architecture, Scribe is used as the acceptance gate and enforces the policy.

Modular evidence is collected based on the use case;
integration points into the SDLC are optional.

Evidence is cryptographically signed.

Scribe verifies signatures, analyzes evidence, and applies acceptance policy.

For organizations using an on-prem architecture, Scribe runs as a local agent and exports the subcontractor’s version evidence to the acceptance gate.

Modular evidence is collected, signed and stored locally, based on the use case.

Scribe exports evidence along with delivery of software artifacts.
