Phylum adds OPA and continuous reporting to its policy engine
Phylum has added Open Policy Agent (OPA) and continuous reporting to its policy engine. Customers now have more flexibility when creating and enforcing custom policies, and can show compliance with key software supply chain frameworks, regulations and guidelines.
“We built Phylum’s policy engine as a security-as-code mechanism to give security and risk teams more visibility into the development lifecycle and allow them to enforce security policy without disruption. Phylum is the only platform that allows organizations to automatically enforce software supply chain security and compliance policy directly in developers’ native work environments to block attacks and ensure only trusted code is used,” said Pete Morgan, CSO at Phylum.
Phylum’s policy engine sits directly between the open-source ecosystem and the tools developers use to build source code, in line with the package selection process. It protects directly from an endpoint or plugs directly into a CI/CD pipeline, so developers experience seamless, always-on protection and policy enforcement.
Additionally, the Phylum Birdcage execution sandbox applies a zero-trust security model to the package installation process, providing defense-in-depth in the event that a software supply chain attack is perpetrated at runtime. This combination allows developers to work in their preferred environments and provides assurance for security teams that only secure and compliant code is being used.
The Phylum platform comes equipped with a default policy that detects risks across five domains – software vulnerabilities, license misuse, OSS malware, author risk and reputation and engineering risk – and blocks attacks.
The default policy also allows organizations to comply with software supply chain security regulations and guidelines from NIST, ISO and others. Leveraging OPA, users with more specific requirements can write custom policies as their needs evolve.
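To illustrate what an OPA-based custom policy looks like in practice, here is an added example written in Rego, OPA's policy language. It is not Phylum's own code, and the input document it evaluates (a resolved dependency list under `input.dependencies`, with `licenses`, `vulnerabilities` and `author.account_age_days` fields) is an assumed shape, not Phylum's actual schema. It demonstrates the general pattern of a deny-list policy spanning three of the five risk domains named above: vulnerabilities, license misuse and author risk.

```rego
package supplychain.example

import rego.v1

# ASSUMPTION: the input shape below is constructed for this example and is not
# Phylum's real policy input. It models one resolved dependency per entry:
#   input.dependencies[_] = {
#     "name": "...", "version": "...", "ecosystem": "npm",
#     "licenses": ["MIT"],
#     "vulnerabilities": [{"id": "EXAMPLE-VULN-1", "severity": "high"}],
#     "author": {"account_age_days": 12}
#   }

# License allow list: anything outside it is a policy violation.
allowed_licenses := {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Severities that block installation outright.
blocking_severities := {"critical", "high"}

# Newly created publisher accounts are treated as an author-risk signal.
min_author_account_age_days := 30

# The package set is allowed only when no deny rule fires.
default allow := false

allow if count(deny) == 0

# Domain 1: software vulnerabilities at or above the blocking threshold.
deny contains msg if {
	some dep in input.dependencies
	some vuln in dep.vulnerabilities
	vuln.severity in blocking_severities
	msg := sprintf("%s@%s: %s severity vulnerability %s", [dep.name, dep.version, vuln.severity, vuln.id])
}

# Domain 2: license misuse (any license not on the allow list).
deny contains msg if {
	some dep in input.dependencies
	some lic in dep.licenses
	not lic in allowed_licenses
	msg := sprintf("%s@%s: license %s is not on the allow list", [dep.name, dep.version, lic])
}

# Domain 3: author risk (publisher account younger than the threshold).
deny contains msg if {
	some dep in input.dependencies
	dep.author.account_age_days < min_author_account_age_days
	msg := sprintf("%s@%s: published by an account %d days old", [dep.name, dep.version, dep.author.account_age_days])
}
```

With a constructed input such as a single `left-pad@1.3.0` entry carrying a `high` vulnerability, a `GPL-3.0` license and a 12-day-old author account, `data.supplychain.example.deny` evaluates to three messages and `allow` is `false`; an input whose dependencies carry only allow-listed licenses, no high or critical findings and established authors yields an empty `deny` set and `allow == true`. Because every finding is a separate message in one set, the same policy both blocks the install and produces the per-package record that continuous reporting needs.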
Policy enforcement significantly limits risk and reduces remediation efforts, while continuous reporting allows organizations to keep more thorough records and document security posture on an ongoing basis.
The Phylum Platform is built to provide broad defense immediately upon deployment and scale with organizations as appsec programs mature to address the rapidly evolving software supply chain attack surface.
Customers use Phylum to automate vulnerability reachability analysis, detect risks and block attacks, defend developers, define and enforce software supply chain policy, and operationalize software bills of materials (SBOMs).