Cloudsmith introduces policy engine for secure software

Cloudsmith has announced the launch of the Enterprise Policy Manager, a policy-as-code engine designed to centralise governance in software supply chains.

The Enterprise Policy Manager is developed to address the growing security and compliance challenges in software supply chains by utilising artefact management as a control plane. The system aims to shift security protocols earlier in the development cycle to mitigate risks without hindering development speed.

High-profile security incidents such as the 2020 SolarWinds attack and the Log4j vulnerability in 2021 have highlighted the vulnerabilities in software supply chains, prompting a shift in industry focus towards stronger security practices. Cloudsmith's new platform is intended to be a response to these challenges, providing centralised oversight and enriched metadata to inform policy decisions.

"We're building a solution that anticipates future security and compliance requirements," said Glenn Weinstein, CEO of Cloudsmith. "Enterprises will face increasing security and regulatory pressures on their software supply chains. Cloudsmith is an essential infrastructure for secure, efficient, and compliant software delivery, and we'll be adding predictive risk analytics, AI-driven security recommendations, and full lifecycle compliance management to serve as the backbone of global software supply chains.

"Our goal is to empower companies to ship secure software at scale, with confidence and speed, redefining what it means to be secure," Weinstein added.

The Enterprise Policy Manager uses Cloudsmith's artefact repositories to govern all software components, particularly third-party artefacts such as open-source packages. This central point ensures that dependencies are verified and compliant before entering production systems, aiming to reduce risks from outdated or unsupported software.

Cloudsmith also emphasises the platform's capability to enrich software artefacts with metadata, including vulnerability scores and dependency risk indicators. This allows teams to prevent the integration of vulnerable packages by making informed decisions based on extensive data.

The platform offers a visual policy builder designed to facilitate easy policy creation, accommodating both technical and non-technical users, while also supporting Open Policy Agent (OPA) and Rego for more complex needs. This functionality encourages collaboration between security and development teams without impacting productivity.

Policies created using the platform are fully auditable and logged, aiding in compliance with industry regulations. This transparency helps enterprises demonstrate compliance and manage risks associated with third-party software.

Open-source technology's widespread use has led to challenges in maintaining security, as modern applications often incorporate multiple open-source components. Many of these components may be outdated, exposing organisations to potential cyber threats. The problem is expected to grow, with projected costs reaching USD $138 billion by 2031.

The Enterprise Policy Manager is now available in early access for Cloudsmith customers, with plans for expanded access in the future. The platform aims to provide a comprehensive solution for enterprises looking to improve the security and compliance of their software supply chains.