Manifest and configuration tracking
Creating a software manifest is a crucial step toward maintaining the security of your systems. At its core it is a detailed list of software packages and their exact versions: every package in your operating system and your application stack, plus any additional third-party packages and the transitive dependencies they pull in.
Knowing what goes into each and every release, where those packages come from, and curating a vetted catalog of them gives you control over the lifecycle of your solution.
I am not saying this will be easy. It can be, but as solutions become more and more complex this truly becomes a laborious effort, especially if not everything your solution consumes is delivered in the same format.
Let me go into detail here. What if your operating system vendor ships its packages as RPMs, but some of your dependencies are downloaded as tarballs, or as Flatpaks...
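As an added example (not code from the original page), the script below shows one way to deal with exactly that mixed-format situation: it normalizes RPM database output, Flatpak output and plain tarball downloads into a single manifest whose entries carry not just a version but a digest that pins the exact artifact, and then diffs two manifests to detect drift. The command outputs it parses are constructed samples embedded inline so it runs offline; in real use you would feed it the output of the commands named in the comments. The `%{SHA256HEADER}` rpm query tag (rpm 4.14 and later), the `flatpak list --columns` names, the package names, hashes and the `example.invalid` URL are all assumptions made for the example.

```python
"""Normalize packages from mixed sources (RPM, Flatpak, tarballs) into one
software manifest and diff two manifests to detect drift.

Added example, not code from the original page. The command outputs below are
constructed samples so the script runs offline.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True, order=True)
class ManifestEntry:
    name: str
    version: str     # full version string (for RPM: [epoch:]version-release.arch)
    format: str      # "rpm", "flatpak" or "tarball"
    source: str      # where it came from: repo/remote name or download URL
    digest: str      # value that pins the exact artifact, not just its version


# Constructed sample of:
#   rpm -qa --queryformat '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\t%{SHA256HEADER}\n'
# (SHA256HEADER is available in rpm 4.14 and later; the hashes are made up.)
RPM_OUTPUT = (
    "openssl\t1\t3.0.7\t24.el9\tx86_64\t" + "a" * 64 + "\n"
    "curl\t(none)\t7.76.1\t26.el9\tx86_64\t" + "b" * 64 + "\n"
)

# Constructed sample of:
#   flatpak list --app --columns=application,version,origin,active
# ("active" is the installed commit; column names as listed by `flatpak list --columns=help`.)
FLATPAK_OUTPUT = "org.mozilla.firefox\t120.0\tflathub\t" + "c" * 64 + "\n"

# Constructed stand-ins for downloaded tarballs: name -> (version, url, bytes).
# Real code would hash the archive on disk instead of an in-memory byte string.
TARBALLS = {
    "libfoo": ("2.4.1", "https://example.invalid/libfoo-2.4.1.tar.gz",
               b"libfoo-2.4.1 archive bytes"),
}


def parse_rpm(text: str) -> list[ManifestEntry]:
    """Turn rpm -qa output into entries keyed by NEVRA plus header digest."""
    entries = []
    for line in filter(None, text.splitlines()):
        name, epoch, ver, rel, arch, sha = line.split("\t")
        epoch_prefix = "" if epoch in ("(none)", "0") else f"{epoch}:"
        entries.append(ManifestEntry(name, f"{epoch_prefix}{ver}-{rel}.{arch}", "rpm", "rpmdb", sha))
    return entries


def parse_flatpak(text: str) -> list[ManifestEntry]:
    """Turn flatpak list output into entries pinned by the installed commit."""
    entries = []
    for line in filter(None, text.splitlines()):
        app, ver, origin, commit = line.split("\t")
        entries.append(ManifestEntry(app, ver, "flatpak", origin, commit))
    return entries


def hash_tarballs(tarballs: dict) -> list[ManifestEntry]:
    """Tarballs carry no metadata, so the SHA-256 of the archive is the identity."""
    return [ManifestEntry(name, ver, "tarball", url, hashlib.sha256(data).hexdigest())
            for name, (ver, url, data) in tarballs.items()]


def build_manifest(rpm_text=RPM_OUTPUT, flatpak_text=FLATPAK_OUTPUT,
                   tarballs=TARBALLS) -> list[ManifestEntry]:
    """One sorted manifest regardless of where each package came from."""
    return sorted(parse_rpm(rpm_text) + parse_flatpak(flatpak_text) + hash_tarballs(tarballs))


def to_json(manifest: list[ManifestEntry]) -> str:
    return json.dumps([asdict(e) for e in manifest], indent=2)


def diff_manifests(old: list[ManifestEntry], new: list[ManifestEntry]) -> dict:
    """Report additions, removals, and entries whose version or digest differs.
    A digest change at the same version is the case worth alerting on."""
    old_by = {(e.format, e.name): e for e in old}
    new_by = {(e.format, e.name): e for e in new}
    changed = {}
    for key in old_by.keys() & new_by.keys():
        if old_by[key] != new_by[key]:
            changed[f"{key[0]}:{key[1]}"] = (old_by[key].version, new_by[key].version,
                                             old_by[key].digest != new_by[key].digest)
    return {
        "added": sorted(f"{k[0]}:{k[1]}" for k in new_by.keys() - old_by.keys()),
        "removed": sorted(f"{k[0]}:{k[1]}" for k in old_by.keys() - new_by.keys()),
        "changed": changed,
    }


if __name__ == "__main__":
    baseline = build_manifest()
    print(to_json(baseline))
    # Simulate a tarball silently replaced with different bytes at the same version.
    tampered = dict(TARBALLS)
    tampered["libfoo"] = ("2.4.1", TARBALLS["libfoo"][1], b"something else entirely")
    print(diff_manifests(baseline, build_manifest(tarballs=tampered)))
```

The design point is that version strings alone are not enough: the RPM entries carry the header digest, the Flatpak entries the installed commit, and the tarballs a content hash, so `diff_manifests` flags a replaced artifact even when its declared version has not changed. Commit the JSON output per release and diff it in CI to catch both unexpected package additions and silent substitutions.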