Secure by Design and Zero Trust: Integrating Supply Chain Risk Management with DevSecOps

Date: January 23, 2024

Agencies benefit from incorporating SBOMs into the build:

  • Secure by Design: ensures third-party software compliance (e.g. no components sourced from prohibited countries)
  • Vulnerability Management: identifies at-risk components quickly
  • Patch Management: lifted, because the exact component versions in each build are known

During the 2023 Singapore International Cyber Week, CISA Director Jen Easterly presented “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” In the updated “Secure by Design” guidance issued Oct. 25, 2023, CISA identified the software bill of materials (SBOM), an inventory of an application's components, as key to software supply chain integrity.

Integrating an SBOM capability into the DevSecOps process is also recommended in the multi-organization publication “Securing the Software Supply Chain: Recommended Practices for Developers,” endorsed by NSA and CISA.

While we use Python examples in this article, the principles apply to any higher-level software development language (review supported languages and other CycloneDX tools in the CycloneDX Tool Center).

To allow SBOMs to be machine-readable for reporting, three specifications are currently available: Software Package Data eXchange (SPDX, Linux Foundation), CycloneDX (OWASP) and Software Identification (SWID) Tags (ISO/IEC 19770-2). Here, we focus on CycloneDX, using the CycloneDX Python SBOM generation tool, cyclonedx-py.


To generate an SBOM for a Python app, you must pass cyclonedx-py a parameter that matches the Python package manager you have used, because that parameter tells the tool which lock or requirements file is the source of truth for the component list. We use PipEnv in the example below.

The following package managers are supported by cyclonedx-py (command-line flags of the 3.x releases):

Package Managers Supported with CycloneDX Python *

Package Manager    | cyclonedx-py Parameter | Locking / Pinning | Notes | Baseline Used
Installed Packages | --environment          | No  | Avoid --environment: the DevSecOps practitioner cannot trace and pin the result to an intentional package list, only to whatever happened to be installed | Generated at run time from the installed environment
PipEnv             | --pip                  | Yes | Distinguishes development requirements from production ones | Pipfile.lock
Pip                | --requirements         | Yes | requirements.txt does not distinguish between development, test, and production deployments | requirements.txt

* If local packages are needed for other cybersecurity activities, Poetry, PipEnv, or Pip must be executed on the operating system to install the packages. Poetry is also supported (--poetry, baseline poetry.lock) but is not used in this article.

SBOM Generation

To generate the SBOM in XML format from the Pipfile.lock in the current directory, execute the following:

cyclonedx-py --pip --format xml --force -o hardening-app.xml

The parameters cause the following execution:

--pip: use the PipEnv package manager (reads Pipfile.lock)
--format xml: output the report as XML (use --format json for JSON). The format is governed by this flag, not by the output file's extension, so keep the two consistent or downstream parsers will receive a JSON body in a .xml file, or vice versa.
--force: overwrite an existing report file if it exists
-o hardening-app.xml: write the SBOM to hardening-app.xml

Version caveat: these are the flags of cyclonedx-bom 3.x. The 4.x releases replaced them with subcommands (for example cyclonedx-py pipenv), so check cyclonedx-py --help for the version installed in your pipeline before scripting the call.

Note: The choice of XML or JSON will depend on your Continuous Integration and Continuous Delivery (CI/CD) environment and ultimately on the information's consumer, which is likely to include change management, system security specialists (ISSO, ISSE, etc.) and supply chain oversight. Each consumer may require a different artifact, ranging from the native formats (XML, JSON) for machine use to Word documents for human review. For brevity's sake, this article does not cover consumption cases, but it reviews a component example for clarification.

Component Review

Here is a snippet of the SBOM entry for the requests package, a common library for web integrations and testing, as used in a Python application:

The first line of the output snippet shows that the component “requests” is of type library. Other component types include application, container, device and so on. The other important lines are name, version, and the trace back to the upstream source (externalReferences). The remaining lines carry the supply chain details that let delivery personnel confirm they are deploying the intended, pinned version of the requests library and verify its signatures. This is a simplified view focused on one dependency, requests; the full SBOM contained 994 lines identifying all application components.
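The SBOM is only useful to the consumers listed above if it actually matches the pinned baseline it was generated from. The script below is an added example for this article (not the article's own SBOM script and not part of the CycloneDX project) showing the check a pipeline can run right after generation: it parses a CycloneDX JSON document, pulls out each library component's name, version and SHA-256 hashes, and reconciles them against a Pipfile.lock. The SBOM and lock documents embedded in it are constructed, trimmed samples in the shape cyclonedx-py emits and Pipenv writes; the hash values are placeholders, not real digests.

```python
"""Reconcile a CycloneDX JSON SBOM against the Pipfile.lock it was built from.

Added example, not the article's script and not CycloneDX project code. The
SBOM and lock documents below are constructed, trimmed samples; the hex hash
values are placeholders rather than real digests.
"""
import json

# Constructed sample: the shape of a cyclonedx-py --format json run, cut to four components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
         "externalReferences": [{"type": "distribution",
                                 "url": "https://pypi.org/project/requests/"}]},
        {"type": "library", "name": "urllib3", "version": "2.1.0",
         "purl": "pkg:pypi/urllib3@2.1.0",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "pytest", "version": "7.4.2",
         "purl": "pkg:pypi/pytest@7.4.2"},                     # no hashes recorded
        {"type": "library", "name": "idna", "version": "3.6",
         "purl": "pkg:pypi/idna@3.6",
         "hashes": [{"alg": "SHA-256", "content": "f" * 64}]},
    ],
})

# Constructed sample Pipfile.lock: "default" is production, "develop" is dev-only.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "default": {
        "requests": {"version": "==2.31.0", "hashes": ["sha256:" + "a" * 64]},
        "urllib3":  {"version": "==2.1.0",  "hashes": ["sha256:" + "c" * 64]},
        "certifi":  {"version": "==2023.11.17", "hashes": ["sha256:" + "d" * 64]},
    },
    "develop": {
        "pytest":   {"version": "==7.4.3", "hashes": ["sha256:" + "e" * 64]},
    },
})


def load_components(sbom_text):
    """Return {lower-case name: component} for every component of type 'library'."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"].lower(): c
            for c in doc.get("components", []) if c.get("type") == "library"}


def sbom_sha256(component):
    """SHA-256 digests the SBOM records for one component (lower-case hex)."""
    return {h["content"].lower() for h in component.get("hashes", [])
            if h.get("alg") == "SHA-256"}


def lock_sha256(spec):
    """SHA-256 digests Pipenv pinned for one package ('sha256:<hex>' entries)."""
    return {h.split(":", 1)[1].lower() for h in spec.get("hashes", [])
            if h.startswith("sha256:")}


def reconcile(sbom_text, lock_text):
    """Compare every pin in Pipfile.lock with the SBOM component of the same name.

    Pipfile.lock lists the digests of every distribution file accepted for a
    pinned version, while the SBOM records the digest of the file that was
    installed, so a consistent pair shares at least one SHA-256 value.
    """
    components = load_components(sbom_text)
    lock = json.loads(lock_text)
    pinned = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            pinned[name.lower()] = spec

    findings = {"ok": [], "missing": [], "version_mismatch": [],
                "hash_mismatch": [], "unpinned": [], "not_in_lock": []}
    for name, spec in pinned.items():
        version = spec.get("version", "")
        if not version.startswith("=="):   # Pipenv always writes '=='; catches hand edits
            findings["unpinned"].append(name)
            continue
        comp = components.get(name)
        if comp is None:
            findings["missing"].append(name)
        elif comp.get("version") != version[2:]:
            findings["version_mismatch"].append((name, version[2:], comp.get("version")))
        else:
            want, got = lock_sha256(spec), sbom_sha256(comp)
            if want and got and not (want & got):
                findings["hash_mismatch"].append(name)
            else:
                findings["ok"].append(name)
    # Components the SBOM lists that nobody pinned: transitive drift or an unreviewed install.
    findings["not_in_lock"] = sorted(set(components) - set(pinned))
    return findings


def is_consistent(findings):
    """True when nothing pinned is missing, mis-versioned, mis-hashed or unpinned."""
    return not any(findings[k] for k in
                   ("missing", "version_mismatch", "hash_mismatch", "unpinned"))


if __name__ == "__main__":
    result = reconcile(SAMPLE_SBOM, SAMPLE_PIPFILE_LOCK)
    for key, items in result.items():
        print(f"{key:17}: {items}")
    print("consistent:", is_consistent(result))
```

On the constructed input the check reports certifi as missing from the SBOM, pytest as version-mismatched, urllib3 as hash-mismatched and idna as present in the SBOM but pinned nowhere; only requests reconciles cleanly. In a pipeline, a non-consistent result should fail the build step that publishes the SBOM, since an SBOM that disagrees with the lock file cannot be trusted by the change-management and supply-chain consumers described above.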

Agency Immediate Lift

By integrating supply chain risk management in the form of SBOM generation, you gain earlier visibility into Zero Trust impacts, as shown in the following table (the quoted coverage language is from CISA's Zero Trust Maturity Model).

Pillar | Function | Maturity Level | Benefit
Devices | Policy Enforcement & Compliance Monitoring | Advanced | Coverage: “…approve software and identify vulnerabilities and install patches.” Impact: reduces total lifecycle costs through earlier identification of vulnerabilities and policy issues.
Apps and Workloads | Secure App Dev & Deployment | Initial | Coverage: “…with formal code deployment mechanisms.” Impact: the agency enables reporting much earlier in CI/CD processes.
Apps and Workloads | App Security Testing | Advanced | Coverage: “Agency integrates app security testing through the SDLC…” Impact: DevSecOps pipeline changes significantly lessen the impact to availability.
Apps and Workloads | Visibility & Analysis Capability | Advanced | Coverage: “…security monitoring for most applications…” Impact: policy updates to third-party patterns are easier to implement.

T-Rex in Action – 2020 Census Technical Integration Effort: Team T-Rex supported development and deployment of the U.S. Census Bureau's Disclosure Avoidance System (DAS), which applies formal differential privacy protections to survey data, protecting respondent privacy while maintaining statistical integrity.

The SBOM Python script used with DAS can be viewed here.


Agencies are seeking innovative ways to mature their Zero Trust posture. In this article, we have focused on improvements to your DevSecOps process that increase maturity in two pillars: 1) Devices and 2) Applications and Workloads.

T-Rex’s cybersecurity engineers and architects work with Federal agencies to speed their Zero Trust endeavors through T-Rex’s Zero Trust Architecture Accelerator and innovative tooling as shown here. Contact us at to discuss how we can assist in your Zero Trust program.
