Skip to content

Supply Chain Security

Summary

Securing the Source Code

securing code produced by software producers

Area Control Description
Verification Require signed commits
Enforce full attestation and Verification for protected branches Full attestation is the signature of the final commit once all signatures are verified (git merge -S --verify-signatures)
Automation Prevent committing secrets to the source code repository
Define individuals/teams that are responsible for code in a repository and associated coding conventions (CODEOWNERS)
Automate software security scanning and testing (SAST, DAST)
  • During the build process the metadata from security tooling such as SAST tooling should be recorded and linked to a hash of the build artefact to provide chain of custody and provenance
  • Both the coverage and results of these tests should be published as part of the repository information
Controlled Environments Define roles aligned to functional responsibilities (Developer, Maintainer, Owner, Reviewer, Approver, and Guest)
Enforce an independent four-eyes principle
  • The author(s) of a request may not also be the approver of the request
  • At least two individuals, of which one should have write access to the branch, that are independent of the request must review and approve the request
Use branch protection rules
  • Protection rules can be used to enforce the usage of pull requests with specified precondition and approval rules, ensuring that a human code review process is followed or an automated status checking of a branch occurs
  • Protected branches can be used to disallow dangerous use of force pushes26, preventing the overwrite of commit histories and potential obfuscation of code changes
Secure Authentication Enforce MFA for accessing source code repositories
Use SSH keys to provide developers access to source code repositories
Have a Key Rotation Policy
Use short-lived/ephemeral credentials for machine/service access (OAuth 2.0, OpenID Connect)

Securing the Materials

hardening the “raw materials” of second and third party code

Area Control Description
Verification Verify third party artefacts and open source libraries
  • All third party artefacts, open source libraries and any other dependencies should be verified as part of the continuous integration pipeline by validating their checksums against a known good source and validating any cryptographic signatures
  • Any software ingested must be scanned using Software Composition Analysis (SCA) tools to detect whether any vulnerable open-source software is used in the final product
Require SBOM from third party supplier
Track dependencies between open source components
  • A register should be maintained of a project's open source components, dependencies and vulnerabilities to help trace any deployed artefacts with new vulnerabilities
Define and prioritize trusted package managers and repositories
Generate an immutable SBOM of the code
Automation Scan software for vulnerabilities
Scan software for license implications
Run software composition analysis on ingested software

Securing the Build Pipelines

securing the build and infrastructure

Area Control Description
Verification Cryptographically guarantee policy adherence
  • Metadata produced during the build process must be analyzed to ensure that the products, materials, and processes used during the build pipeline fall within controls set in the policy template
  • Example: use in-toto
Validate environments and dependencies before usage
  • The build environment's sources and dependencies must come from a secure, trusted source of truth
  • Checksums and any signatures should be validated both in the downloading or ingestion process, and again by the build worker
  • This should include validating package manager signatures, checking out specific Git commit hashes, and verifying SHA sums of input sources and binaries
Validate runtime security of build workers
  • Out-of-band Verification of runtime environment security, as defined by execution of policies using tools such as seccomp, AppArmor, and SELinux, provides defense in depth against attacks on build infrastructure
Validate Build artefacts through verifiably reproducible builds
  • Lock and Verify External Requirements From The Build Process
  • Find and Eliminate Sources Of Non-Determinism
  • Record The Build Environment
  • Automate Creation Of The Build Environment
  • Distribute Builds Across Different Infrastructure
Automation Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code
Standardize pipelines across projects
Provision a secured orchestration platform to host software factory (e.g., Kubernetes with GitOps)
Build Workers Should be Single Use
Controlled Environments Ensure Software Factory has minimal network connectivity
Segregate the Duties of Each Build Worker
  • It is generally better to have specific build workers handle specific parts of a build as opposed to having a single worker handle all steps in a build, e.g. lint, compile, submit for remote scanning, push artefact etc
Pass in Build Worker Environment and Commands
  • A Build Worker should have a hermetic (e.g. isolated and sealed) environment given to it from the broader pipeline, and no capability to pull in its own environment
Write Output to a Separate Secured Storage Repo
Secure Authentication Only allow pipeline modifications through “pipeline as code”
Define user roles
Follow established practices for establishing a root of trust from an offline source
Use short-lived Workload Certificates (SPIFFE/SPIRE)

Securing the Artefacts

attesting the security and trustworthiness of artefacts produced by the build pipelines

Area Control Description
Verification Sign Every Step in the Build Process (in-toto, TUF)
Validate the Signatures Generated at Each Step
Automation Use TUF/Notary to manage signing of artefacts
Use a store to manage metadata from in-toto
Controlled Environments Limit which artefacts any given party is authorized to certify
​​Build in a system for rotating and revoking private keys
Use a container registry that supports OCI image-spec images
Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities

Securing Deployments

verifying the attestations during the deployment stage

Area Control Description
Verification Ensure clients can perform Verification of Artefacts and associated metadata
Ensure clients can verify the “freshness” of files
Automation Use The Update Framework