Since we keep improving the service steadily, we are also keen to add new features. During the last years we tried to address many different topics and expand the functionality in all directions. But we had to recognise that TrustSource is growing steadily. Although the features are split across several services, some logical dependencies created through shared data structures and general behaviour are not always simple to avoid. So we will focus on specific areas and not start on the next area before the key goals of the former topic have been achieved.
However, here are a few of our next level ambitions:
- Support for Container-Analysis:
Container here, Container there, Container everywhere! Even though our solution operates almost completely "serverless", scanning containers is gaining relevance. Even today it is possible to scan containers and push the scan result to TrustSource, given it is available as an SPDX or CycloneDX file. Many scanners support that.
But we want to make it more convenient, and we want to extract more valuable information from it. What if you discover a file that you do not want to be inside the image? You will have to know which container layer added it to the collection. That sort of information typically is not passed on by such scanners. This is why we took a few of them and enhanced the outputs.
Status: delivered with v2.5.48
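The layer attribution described above, as an added example that is not TrustSource's code nor the output of any of the enhanced scanners: it walks a constructed list of image layers bottom-up, honours OCI whiteout entries (`.wh.<name>`, which delete a file from a lower layer), records which layer last introduced each file, and attaches that layer digest to a CycloneDX-style component list under a hypothetical `properties` name (`example:layer-digest`). The sample layers, digests and file names are constructed.

```python
from typing import Dict, List, Optional

# Constructed sample: three image layers, each listed as the paths its tar
# archive adds. Digests and build steps are made up for the example.
SAMPLE_LAYERS = [
    {"digest": "sha256:aaaa", "created_by": "FROM base-image",
     "files": ["bin/sh", "lib/libc.so.6", "usr/bin/curl"]},
    {"digest": "sha256:bbbb", "created_by": "RUN install-runtime",
     "files": ["usr/bin/python3", "usr/lib/python3/os.py", "usr/bin/.wh.curl"]},
    {"digest": "sha256:cccc", "created_by": "COPY app /srv/app",
     "files": ["srv/app/main.py", "srv/app/.env", "usr/bin/curl"]},
]

WHITEOUT_PREFIX = ".wh."


def whiteout_target(path: str) -> Optional[str]:
    """If `path` is an OCI whiteout entry, return the path it deletes, else None."""
    head, _, name = path.rpartition("/")
    if not name.startswith(WHITEOUT_PREFIX):
        return None
    target = name[len(WHITEOUT_PREFIX):]
    return f"{head}/{target}" if head else target


def attribute_files(layers: List[dict]) -> Dict[str, str]:
    """Walk layers bottom-up and return {path: digest of the layer that last added it}.

    A whiteout removes the file from the view; a later layer may re-add it,
    in which case the later layer is the origin (see usr/bin/curl in the sample).
    """
    origin: Dict[str, str] = {}
    for layer in layers:
        for path in layer["files"]:
            removed = whiteout_target(path)
            if removed is not None:
                origin.pop(removed, None)
            else:
                origin[path] = layer["digest"]
    return origin


def explain(layers: List[dict], path: str) -> Optional[str]:
    """Return the build step that introduced `path` into the final image, or None."""
    digest = attribute_files(layers).get(path)
    for layer in layers:
        if layer["digest"] == digest:
            return layer["created_by"]
    return None


def find_unwanted(layers: List[dict], suffixes: List[str]) -> Dict[str, str]:
    """Files whose name ends with one of `suffixes`, mapped to the layer that added them."""
    return {p: d for p, d in attribute_files(layers).items()
            if any(p.endswith(s) for s in suffixes)}


def to_cyclonedx_components(layers: List[dict]) -> List[dict]:
    """Emit one CycloneDX-style file component per path with its layer recorded as a property.

    The property name `example:layer-digest` is a hypothetical choice for this example.
    """
    return [
        {"type": "file", "name": path,
         "properties": [{"name": "example:layer-digest", "value": digest}]}
        for path, digest in sorted(attribute_files(layers).items())
    ]


if __name__ == "__main__":
    for path, digest in find_unwanted(SAMPLE_LAYERS, [".env"]).items():
        print(f"{path} was added by {digest}: {explain(SAMPLE_LAYERS, path)}")
```

Real layer inventories come from the image's tar archives (or the `diff_ids` in its config); the sample here replaces that with literal lists so the logic runs offline.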
- Browsable Dependency-Graphs:
Dependency trees and dependency diagrams are nice but tend to get complex and useless in larger modules. Moving the knowledge into a graph database activates the information and allows us to provide more accessible insights. We can start visualising unusual additions or removals of components. We will be able to compare the current graph with the expected one and visualise changes in a new way. We have already started experimenting with such approaches.
Status: postponed to Q2/2023
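The expected-versus-current comparison mentioned above, as an added example that is not TrustSource's code and does not use its graph database: two constructed dependency graphs (the last approved scan and the current one, with made-up component names) are diffed into added and removed nodes and edges, each newly pulled-in component is traced back to the direct dependency that introduced it, and the result is rendered as Graphviz DOT with additions highlighted.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, Set[str]]  # component -> set of components it depends on

# Constructed sample: the approved graph from the last review ...
EXPECTED: Graph = {
    "app@1.0": {"libweb@4.1", "libutil@2.0"},
    "libweb@4.1": {"liblog@2.6"},
    "libutil@2.0": set(),
    "liblog@2.6": set(),
}
# ... and the graph produced by the current scan.
CURRENT: Graph = {
    "app@1.0": {"libweb@4.1", "libutil@2.0", "libcolor@1.4"},
    "libweb@4.1": {"liblog@2.6"},
    "libutil@2.0": set(),
    "liblog@2.6": set(),
    "libcolor@1.4": {"libpad@1.3"},
    "libpad@1.3": set(),
}


def edges(g: Graph) -> Set[Tuple[str, str]]:
    return {(a, b) for a, deps in g.items() for b in deps}


def diff_graphs(expected: Graph, current: Graph) -> Dict[str, set]:
    """Set-based diff of nodes and edges between two dependency graphs."""
    return {
        "added_nodes": set(current) - set(expected),
        "removed_nodes": set(expected) - set(current),
        "added_edges": edges(current) - edges(expected),
        "removed_edges": edges(expected) - edges(current),
    }


def path_to(g: Graph, root: str, target: str) -> Optional[List[str]]:
    """Shortest dependency path root -> ... -> target, or None if unreachable (BFS)."""
    parent: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in sorted(g.get(node, ())):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None


def to_dot(current: Graph, diff: Dict[str, set]) -> str:
    """Render the current graph as DOT; added nodes and edges are drawn in red."""
    lines = ["digraph deps {"]
    for node in sorted(current):
        style = ' [color=red]' if node in diff["added_nodes"] else ""
        lines.append(f'  "{node}"{style};')
    for a, b in sorted(edges(current)):
        style = ' [color=red]' if (a, b) in diff["added_edges"] else ""
        lines.append(f'  "{a}" -> "{b}"{style};')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    d = diff_graphs(EXPECTED, CURRENT)
    for node in sorted(d["added_nodes"]):
        print(node, "introduced via", " -> ".join(path_to(CURRENT, "app@1.0", node)))
    print(to_dot(CURRENT, d))
```

Feeding the DOT output to `dot -Tsvg` gives the picture; the `path_to` result is what a reviewer needs to decide whether an unexpected component is a legitimate transitive addition or something to challenge.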
- Improving Security & Risk Management across Portfolio:
TrustSource in the first place delivers a process that helps organisations ensure their software is legally compliant. Since this involves almost the same steps as Software Supply Chain Security, we have already integrated security aspects such as the identification of known vulnerabilities or project security information (e.g. OpenSSF data) to support decision making.
In the next phase we plan to extend the security management and review aspects. This shall be done through adding Threat Modelling capabilities on the project level. In addition we will extend the existing CIA capabilities towards a more sophisticated modelling approach and combine the vulnerability assessment with the risk management and reporting.
Status: improved vulnerability handling and data, as well as reports, delivered in v2.6.06 and v2.6.30; shifted Threat Modelling down the road and added VEX handling instead, coming in approx. v2.6.35
Since we are coming from the architecture domain, we'd love to see more architecture tooling in the solution. We have already built a knowledge database that is populated automatically with accurate information. It is a natural demand to seek a sound portfolio approach on top of it. We developed a concept on how to use the information in the tool to auto-populate a TechRadar. Together with a simple procedural approach, this will become an easy-to-use tool for steering the technology portfolio across your development org.
- Adding Tech Debt:
Finally, all and everything that needs to be done will require resources. Person-days are the unit in which we value tasks. We have developed a concept of measuring Technical Debt in person-days and we will add this to TrustSource. Thus projects will be able to show their TechDebt: reviews, new vulnerabilities or changes due to legal demands may cause an increase, while teams continuously work to decrease the amount of TechDebt associated with the project. Visualising these developments will create a new sense of the value that security and architecture are delivering.
So stay tuned or even join and help to achieve your secure software supply chain!