UPDATED 16:38 EST / MARCH 29 2024

Toddy Mladenov, principal product manager of Microsoft Corp., and Feynman Zhou, product manager at Microsoft and Notary Project maintainer, discuss supply chain security with theCUBE at KubeCon EU 2024

CNCF’s Notary Project evolves container signing for enhanced supply chain security

The software supply chain can be challenging for companies across the chain to maintain, and the resulting bottlenecks can delay software deployment, which can hurt businesses deeply in the long run.

The Cloud Native Computing Foundation’s open-source Notary Project simplifies and speeds up the supply chain, allowing quick and easy container signing and enhanced supply chain security while maintaining the integrity and authenticity of the software, according to Toddy Mladenov (pictured, right), principal product manager of Microsoft, a major contributing organization in the Notary Project community.

“We kind of got two releases in the last six months; so, it took us a while to get to the first release, but now we are picking up speed and getting much faster and getting features out,” Mladenov said. “We are looking to extend this to not only signing, but other functionalities that are very essential for the supply chain security for not only containers, but other software.”

Mladenov and Feynman Zhou (left), product manager at Microsoft and Notary Project maintainer, spoke with theCUBE’s principal analyst Rob Strechay and host Savannah Peterson at KubeCon + CloudNativeCon Europe, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed collaborators on the Notary Project, what the Notary Project thinks about the extensibility of tooling and the collaboration with Microsoft, Amazon Web Services Inc. and Docker Inc. on supply chain security. (* Disclosure below.)

Securing the supply chain, one signing at a time

The nature of the Notary Project invites a swathe of interesting collaborators, such as AWS, which is normally Microsoft’s competition. Both companies are using the Notary Project as the foundation for their supply chain security, according to Mladenov.

“Docker also has a good participation. They’re looking, so each company maybe has some differences in how they are implementing it, but the core is the binaries that come from the project itself,” he said. “Our strategy on the Microsoft side is to provide this as part of Azure.”

It can be difficult to make sure that projects don’t overlap with each other, as a lot of projects don’t talk to each other. To mitigate this issue, Zhou imparted some advice so developers aren’t constantly reinventing the wheel.

“At Notary Project we not only deliver the CLI tools, we also have the extensibility for the tools, for the libraries,” Zhou said. “For those organizations, enterprises and the open-source communities, I would suggest that they consider how can they leverage the existing capabilities, especially the plugin framework that we delivered in the industry, in the community and how can they leverage the framework to extend the signing and verification capabilities and integrate with their ecosystem.”

(* Disclosure: Cloud Native Computing Foundation sponsored this segment of theCUBE. Neither Cloud Native Computing Foundation nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
