We are digitizing the planet. Our businesses, society, and personal lives are enabled by vast amounts of interconnected software. The reliability of this software is becoming ever more critical. The world is investing more in ensuring this software is well managed, tested for correctness, and ever more importantly, assured to be free from vulnerabilities.
The reality though is that the security of the world’s software remains an epic struggle for all involved. The good news is that there has been much progress. The bad news is that there is much more to be done. Some organizations are at the vanguard and leading the way, while others are still catching up—but all are activating significantly more focus.
Against this backdrop of continued need for higher levels of software security assurance, the world has also seen the rise of more prevalent software supply chain attacks. Attackers, motivated to be more covert across a wider array of targets, have demonstrated intent and success in targeting companies’ software build systems as well as software dependencies in open and closed source systems. To quote Marc Andreesen, “software is eating the world,” and it’s down to us to make sure bugs and vulnerabilities don’t then eat that software.
Yet, there is hope. As we will see in this book, there is a vibrant body of work around application security, including investment in new controls and new methodologies for security teams interfacing with software developers and infrastructure operations teams. We are collectively working towards the goal of creating secure products, rather than just jamming in security measures late in the design and build process. This approach is driving more security at greater scale with more and better tooling across the whole software ecosystem and development lifecycle.
This book is an end-to-end tour of leading practices across governance, tooling, culture, risk prioritization, and supply chain security. Organizations will be well served by adopting many of the practices covered here. All organizations can use this as a launchpad for utilizing and developing new tools and frameworks that not only improve security, but also create sustainable reliability and agility in the software production process.
We all need to work together to speed up adoption of these practices. Working together also means using the power of open standards and open source to further propel the right practices, exemplified in frameworks like slsa.dev and the Open Source Security Foundation.
The Purple Book truly demonstrates the power of a community. And the book is only the beginning. I look forward to the supporting blogs, panel discussions, and podcasts that will be produced by this community to help us deal with the dynamic changes we all experience in this world.
I hope you all benefit from this work, and above all, use it as a starting point to further develop practices for the good of all.