Supply Chain Security

Summary

This is a summary of the Software Supply Chain Security Best Practices Paper

Securing the Source Code¶

securing code produced by software producers

Area	Control	Description
Verification	Require signed commits
	Enforce full attestation and Verification for protected branches	Full attestation is the signature of the final commit once all signatures are verified (`git merge -S --verify-signatures`)
Automation	Prevent committing secrets to the source code repository
	Define individuals/teams that are responsible for code in a repository and associated coding conventions (`CODEOWNERS`)
	Automate software security scanning and testing (SAST, DAST)	During the build process the metadata from security tooling such as SAST tooling should be recorded and linked to a hash of the build artefact to provide chain of custody and provenance Both the coverage and results of these tests should be published as part of the repository information
Controlled Environments	Define roles aligned to functional responsibilities (Developer, Maintainer, Owner, Reviewer, Approver, and Guest)
	Enforce an independent four-eyes principle	The author(s) of a request may not also be the approver of the request At least two individuals, of which one should have write access to the branch, that are independent of the request must review and approve the request
	Use branch protection rules	Protection rules can be used to enforce the usage of pull requests with specified precondition and approval rules, ensuring that a human code review process is followed or an automated status checking of a branch occurs Protected branches can be used to disallow dangerous use of force pushes26, preventing the overwrite of commit histories and potential obfuscation of code changes
Secure Authentication	Enforce MFA for accessing source code repositories
	Use SSH keys to provide developers access to source code repositories
	Have a Key Rotation Policy
	Use short-lived/ephemeral credentials for machine/service access (OAuth 2.0, OpenID Connect)

Securing the Materials¶

hardening the “raw materials” of second and third party code

Area	Control	Description
Verification	Verify third party artefacts and open source libraries	All third party artefacts, open source libraries and any other dependencies should be verified as part of the continuous integration pipeline by validating their checksums against a known good source and validating any cryptographic signatures Any software ingested must be scanned using Software Composition Analysis (SCA) tools to detect whether any vulnerable open-source software is used in the final product
	Require SBOM from third party supplier
	Track dependencies between open source components	A register should be maintained of a project's open source components, dependencies and vulnerabilities to help trace any deployed artefacts with new vulnerabilities
	Define and prioritize trusted package managers and repositories
	Generate an immutable SBOM of the code
Automation	Scan software for vulnerabilities
	Scan software for license implications
	Run software composition analysis on ingested software

Securing the Build Pipelines¶

securing the build and infrastructure

Area	Control	Description
Verification	Cryptographically guarantee policy adherence	Metadata produced during the build process must be analyzed to ensure that the products, materials, and processes used during the build pipeline fall within controls set in the policy template Example: use in-toto
	Validate environments and dependencies before usage	The build environment's sources and dependencies must come from a secure, trusted source of truth Checksums and any signatures should be validated both in the downloading or ingestion process, and again by the build worker This should include validating package manager signatures, checking out specific Git commit hashes, and verifying SHA sums of input sources and binaries
	Validate runtime security of build workers	Out-of-band Verification of runtime environment security, as defined by execution of policies using tools such as seccomp, AppArmor, and SELinux, provides defense in depth against attacks on build infrastructure
	Validate Build artefacts through verifiably reproducible builds	Lock and Verify External Requirements From The Build Process Find and Eliminate Sources Of Non-Determinism Record The Build Environment Automate Creation Of The Build Environment Distribute Builds Across Different Infrastructure
Automation	Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code
	Standardize pipelines across projects
	Provision a secured orchestration platform to host software factory (e.g., Kubernetes with GitOps)
	Build Workers Should be Single Use
Controlled Environments	Ensure Software Factory has minimal network connectivity
	Segregate the Duties of Each Build Worker	It is generally better to have specific build workers handle specific parts of a build as opposed to having a single worker handle all steps in a build, e.g. lint, compile, submit for remote scanning, push artefact etc
	Pass in Build Worker Environment and Commands	A Build Worker should have a hermetic (e.g. isolated and sealed) environment given to it from the broader pipeline, and no capability to pull in its own environment
	Write Output to a Separate Secured Storage Repo
Secure Authentication	Only allow pipeline modifications through “pipeline as code”
	Define user roles
	Follow established practices for establishing a root of trust from an offline source
	Use short-lived Workload Certificates (SPIFFE/SPIRE)

Securing the Artefacts¶

attesting the security and trustworthiness of artefacts produced by the build pipelines

Area	Control	Description
Verification	Sign Every Step in the Build Process (in-toto, TUF)
	Validate the Signatures Generated at Each Step
Automation	Use TUF/Notary to manage signing of artefacts
	Use a store to manage metadata from in-toto
Controlled Environments	Limit which artefacts any given party is authorized to certify
	Build in a system for rotating and revoking private keys
	Use a container registry that supports OCI image-spec images
	Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities

Securing Deployments¶

verifying the attestations during the deployment stage

Area	Control	Description
Verification	Ensure clients can perform Verification of Artefacts and associated metadata
	Ensure clients can verify the “freshness” of files
Automation	Use The Update Framework