We are happy to announce Bytesafe, our service for securing your organization’s code supply chain.
Today’s organizations have a code supply chain. Developers depend on code from other teams (possibly remote) and third party dependencies (often Open Source).
This supply chain is based on trust. Trust that all packages are always available from the public registries, trust that a specific package is not malicious or has vulnerabilities, and trust that the package has not been compromised or taken over from its original creator.
This large amount of trust (or, maybe more appropriately, risk) is often poorly managed, or not managed at all.
Even when there is an awareness in the organization, with tooling in place to scan builds for vulnerabilities before reaching production, the burden of responsibility is often placed on individual developers to make sure the tooling is used correctly.
A second problem is that when the code reaches the CI/CD pipeline for security scanning, it might already be too late. A package containing malicious code, downloaded from the internet and running on a developer machine, might already have compromised the organization and done irreversible damage.
Bytesafe aims to provide the infrastructure needed to add security and control when consuming and sharing code, both with other teams and third parties.
In its first release, Bytesafe provides free, secure and hosted private registries with initial support for the npm package manager.
Teams can create multiple registries, each with their own set of upstreams (private or public registries), organizing the flow of packages between different teams and the outside world.
Registries are very lightweight and can easily be cloned (and, if needed, made read-only), enabling workflows such as archiving the exact dependencies used for a production release and allowing for reproducible builds.
Some teams clone their registry at the start of each sprint, making sure that other teams (developers, QA, SecOps, release managers, etc.) are using the correct dependencies while the team is moving forward.
At the same time, the tooling around collaboration, security and compliance is probably the area that is most lacking. The npm package manager even allows code execution on first install if the developer is not careful.
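The install-time code execution mentioned above comes from npm lifecycle hooks (preinstall, install, postinstall) that run automatically when a dependency is installed. As an added example, not part of the original post or of Bytesafe, the following Node script flags a package manifest that declares such hooks and reads a `.npmrc` to see whether installs are routed through a private registry and whether `ignore-scripts` is set; the manifest and `.npmrc` contents are constructed samples.

```javascript
// Added example (not Bytesafe code): detect npm install-time lifecycle hooks
// and check the local npm configuration that governs them.
// npm runs preinstall/install/postinstall automatically on install; prepare
// additionally runs when a dependency is installed from git.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return the install-time hooks a package manifest (parsed package.json) declares.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
  );
}

// Parse an ini-style .npmrc (key=value lines, # or ; comments) and report the
// two settings that matter here: the registry installs resolve against and
// whether lifecycle scripts are disabled.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return {
    ignoreScripts: cfg["ignore-scripts"] === "true",
    registry: cfg.registry || "https://registry.npmjs.org/", // npm's default
  };
}

// A manifest with install hooks is a finding unless scripts are ignored.
function assess(manifestJson, npmrcText) {
  const manifest = JSON.parse(manifestJson);
  const hooks = installHooks(manifest);
  const rc = parseNpmrc(npmrcText);
  return {
    name: manifest.name,
    hooks,
    registry: rc.registry,
    runsCodeOnInstall: hooks.length > 0 && !rc.ignoreScripts,
  };
}

// Constructed sample inputs (hypothetical package and registry, not real ones).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-dep",
  version: "1.0.0",
  scripts: { postinstall: "node setup.js", test: "jest" },
});
const LAX_NPMRC = "registry=https://registry.npmjs.org/\n";
const STRICT_NPMRC =
  "# route installs through the team's private registry\n" +
  "registry=https://example.invalid/npm/\nignore-scripts=true\n";
```

Running `assess(SAMPLE_MANIFEST, LAX_NPMRC)` reports the postinstall hook as a finding, while the strict `.npmrc` suppresses it and shows installs resolving against the private registry.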
Upcoming releases of Bytesafe, with support for plugins, will enable packages to be scanned for security problems and license compliance, making sure that unwanted code never even reaches the developer's environment.
Support for policies, enforced whenever a package moves, will enable more control of which packages flow in and out of teams.
Support for third-party integrations is also being added, such as notifications via Slack.
We are also adding features needed by larger organizations:
- Fine grained Identity and Access management
- Audit logs
- Single Sign On (via SAML)
- Premium SLAs and Support options
- On-Premise / Single Tenant / Bring Your Own Cloud support
- Non-EU data regions
Support for other package managers (Java, C#, C++, Python, Ruby, Webassembly) is also on the roadmap.
Free, secure, hosted npm registries are only the start!
The founding team behind Bytesafe (and the company behind it, Bitfront AB) are veteran developers and team leaders from the FinTech industry.
With a combined 120 years of experience working with mission critical back- and frontend infrastructure and applications, primarily for Digital Banking clients, we have experienced or seen first hand the challenges involved in depending on third-party code.
The desire for the missing pieces of infrastructure to meet these challenges inspired us to build Bytesafe.
The team of 7, including the Founders of the company, is currently located in Stockholm, Sweden.
If you’d like to try Bytesafe for yourself, it’s free to sign up and be part of our journey.
If you have any questions, we would love to hear from you!