Secure Pipeline Verifier
Updated Oct. 26 2021

OpenCredo returns to the Development Fund with a project that helps developers and InfoSec mitigate some of the supply-chain-style attacks and areas open to compromise within modern software development processes. They will build the Secure Pipeline Verifier (SPV) as an out-of-pipeline tool / process used to validate and verify that key controls have been correctly implemented or adhered to.

Solution Overview

Venafi have recently worked with a number of industry leaders to develop a Blueprint for Securing Modern Software Development Pipelines. The goal is to help developers and security people alike mitigate some of the supply-chain-style attacks and areas open to compromise within modern software development processes. To make it easy to get started and validate the controls in use, OpenCredo will build the Secure Pipeline Verifier (SPV) as an out-of-pipeline tool / process used to validate and verify that key controls have been correctly implemented or adhered to.

The Verifier is not envisioned as one single tool, but rather as a number of smaller independent processes that share a common approach and can be used to verify different controls at different times and in different ways. As a starting point, it will specifically target the controls related to ensuring that secure interactions are taking place within pipelines.