SBIR/STTR Award attributes
Raft has built a Secure Software Supply Chain (SSSC) proof of concept that verifies an important software-assurance property: that deployed software does not contain the notorious Log4Shell CVE. By automatically signing OCI images and generating a Software Bill of Materials (SBOM), the Raft SSSC ensures that all applications in a deployment are signed with our private keys. Raft's SSSC solution can provide DoD systems assurance that software running in production environments is verifiably what it claims to be, has not been tampered with during the packaging process, and does not include malicious software. Raft aims to expand this proof of concept and integrate these SSSC components with DoD software build pipelines so that the validation policies are generated automatically. This would enable DoD systems to verify the absence of current and future CVEs rapidly, without the overhead of writing the policies by hand, and increase the security posture of consumers of OCI images across the DoD.
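The abstract describes two checks that an image consumer performs together: confirm that the SBOM attestation was produced by the pipeline's key and has not been altered, then evaluate a validation policy over the SBOM to confirm that no component falls in a known-vulnerable range. The script below is an added example of that flow, not Raft's code or any part of the SSSC: the CycloneDX-style SBOM, the signing key and the image contents are constructed for illustration, HMAC-SHA256 stands in for the asymmetric image/attestation signature a real pipeline would use, and the Log4Shell range (log4j-core 2.0-beta9 through 2.14.1) is public knowledge rather than something stated on the page.

```python
"""SBOM-driven admission check with a signed attestation.

Added example, not Raft's code. The SBOM, the signing key and the image
are constructed for illustration; HMAC-SHA256 stands in for the OCI image /
attestation signature (a real pipeline would use an asymmetric signature).
The Log4Shell range (log4j-core 2.0-beta9 through 2.14.1) is public
knowledge, not taken from the page.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed signing key standing in for the pipeline's private key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed CycloneDX-style SBOM for a hypothetical image that still ships
# a vulnerable log4j-core.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
}, sort_keys=True).encode()

_PRERELEASE_STAGE = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> Tuple[int, ...]:
    """Order Maven-style versions: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1 < 2.15.0."""
    base, _, pre = version.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:                        # a release sorts after any pre-release
        return nums + (1, 0, 0)
    m = re.match(r"([a-zA-Z]+)(\d*)", pre)
    stage = _PRERELEASE_STAGE.get(m.group(1).lower(), 0) if m else 0
    num = int(m.group(2)) if m and m.group(2) else 0
    return nums + (0, stage, num)


@dataclass(frozen=True)
class VulnerableRange:
    label: str
    purl_prefix: str      # package URL without the @version suffix
    first_bad: str
    last_bad: str

    def matches(self, purl: str, version: str) -> bool:
        return (purl.startswith(self.purl_prefix + "@")
                and version_key(self.first_bad) <= version_key(version)
                <= version_key(self.last_bad))


# The validation policy: one rule per CVE the deployment must be free of.
POLICY = [
    VulnerableRange("Log4Shell", "pkg:maven/org.apache.logging.log4j/log4j-core",
                    "2.0-beta9", "2.14.1"),
]


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    """Pipeline side: attest to the SBOM bytes (HMAC stands in for a real signature)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Consumer side: constant-time check that the attestation is ours and intact."""
    return hmac.compare_digest(sign(payload, key), signature)


def evaluate_policy(sbom: dict, policy: List[VulnerableRange]) -> List[str]:
    """Return one violation string per component/rule match."""
    violations = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl", ""), comp.get("version", "")
        for rule in policy:
            if version and rule.matches(purl, version):
                violations.append(f"{rule.label}: {purl}")
    return violations


def admit(sbom_bytes: bytes, signature: str, policy=POLICY) -> Tuple[bool, List[str]]:
    """Admission decision: reject unsigned or tampered SBOMs before parsing them,
    then reject images whose SBOM lists a component in a vulnerable range."""
    if not verify(sbom_bytes, signature):
        return False, ["attestation signature invalid"]
    violations = evaluate_policy(json.loads(sbom_bytes), policy)
    return not violations, violations


if __name__ == "__main__":
    sig = sign(SBOM_JSON)
    print(admit(SBOM_JSON, sig))          # rejected: Log4Shell range matched
    print(admit(SBOM_JSON + b" ", sig))   # rejected: SBOM bytes no longer match the attestation
```

The ordering of the two checks matters: the SBOM is untrusted input until its attestation verifies, so the policy engine never parses bytes that were not produced by the pipeline. Adding a future CVE to the deployment's policy is one more `VulnerableRange` entry, which is the "generated validation policies" step the abstract proposes to automate.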