Supply Chain Security
Summary
- This is a summary of the Software Supply Chain Security Best Practices Paper
Securing the Source Code
Securing code produced by software producers.

| Area | Control | Description |
|---|---|---|
| Verification | Require signed commits | |
| Verification | Enforce full attestation and verification for protected branches | Full attestation is the signature of the final commit once all signatures are verified (`git merge -S --verify-signatures`) |
| Automation | Prevent committing secrets to the source code repository | |
| Automation | Define individuals/teams that are responsible for code in a repository and associated coding conventions (`CODEOWNERS`) | |
| Automation | Automate software security scanning and testing (SAST, DAST) | |
| Controlled Environments | Define roles aligned to functional responsibilities (Developer, Maintainer, Owner, Reviewer, Approver, and Guest) | |
| Controlled Environments | Enforce an independent four-eyes principle | |
| Controlled Environments | Use branch protection rules | |
| Secure Authentication | Enforce MFA for accessing source code repositories | |
| Secure Authentication | Use SSH keys to provide developers access to source code repositories | |
| Secure Authentication | Have a Key Rotation Policy | |
| Secure Authentication | Use short-lived/ephemeral credentials for machine/service access (OAuth 2.0, OpenID Connect) | |
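
`git merge --verify-signatures` checks only the tip commit of the branch being merged, so the "once all signatures are verified" part of the full-attestation control needs a separate check over the whole commit range. The following is an added example, not taken from the paper or this summary; the function names, the `ALLOWED_KEYS` variable and its key IDs are constructed placeholders, and rejecting every status other than `G` is an assumed policy.

```shell
#!/bin/sh
# Added example: gate the signed merge on every commit in the range.

# Signer key IDs accepted on the protected branch (constructed placeholders).
ALLOWED_KEYS="${ALLOWED_KEYS:-AAAA1111BBBB2222 CCCC3333DDDD4444}"

# Reads "<commit> <status> <key>" lines on stdin, as produced by
#   git log --format='%H %G? %GK' <base>..<branch>
# Prints one line per commit that must block the merge and returns
# non-zero if any commit was rejected.
reject_commits() {
    rc=0
    while read -r commit status key; do
        [ -n "$commit" ] || continue
        case "$status" in
            G) ;;  # good signature with trusted validity
            *)     # N none, B bad, U unknown validity, X/Y expired, R revoked, E unverifiable
               echo "$commit rejected: signature status=$status"
               rc=1
               continue ;;
        esac
        case " $ALLOWED_KEYS " in
            *" $key "*) ;;
            *) echo "$commit rejected: signer key=$key is not allowed"
               rc=1 ;;
        esac
    done
    return $rc
}

# Verify every commit in base..branch, then create the signed merge commit
# (the full attestation). --no-ff is added here so that a merge commit
# always exists to carry the -S signature, even when a fast-forward is possible.
attested_merge() {
    base="$1"
    branch="$2"
    git log --format='%H %G? %GK' "$base..$branch" | reject_commits || return 1
    git merge -S --verify-signatures --no-ff "$branch"
}
```

Run `attested_merge main feature-branch` from a checkout of the protected branch; the same `reject_commits` check can run in CI as a required status check so that branch protection enforces it.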

Securing the Materials
Hardening the “raw materials” of second and third party code.

| Area | Control | Description |
|---|---|---|
| Verification | Verify third party artefacts and open source libraries | |
| Verification | Require SBOM from third party supplier | |
| Verification | Track dependencies between open source components | |
| Verification | Define and prioritize trusted package managers and repositories | |
| Verification | Generate an immutable SBOM of the code | |
| Automation | Scan software for vulnerabilities | |
| Automation | Scan software for license implications | |
| Automation | Run software composition analysis on ingested software | |

Securing the Build Pipelines
Securing the build and infrastructure.

| Area | Control | Description |
|---|---|---|
| Verification | Cryptographically guarantee policy adherence | |
| Verification | Validate environments and dependencies before usage | |
| Verification | Validate runtime security of build workers | |
| Verification | Validate Build artefacts through verifiably reproducible builds | |
| Automation | Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code | |
| Automation | Standardize pipelines across projects | |
| Automation | Provision a secured orchestration platform to host software factory (e.g., Kubernetes with GitOps) | |
| Automation | Build Workers Should be Single Use | |
| Controlled Environments | Ensure Software Factory has minimal network connectivity | |
| Controlled Environments | Segregate the Duties of Each Build Worker | |
| Controlled Environments | Pass in Build Worker Environment and Commands | |
| Controlled Environments | Write Output to a Separate Secured Storage Repo | |
| Secure Authentication | Only allow pipeline modifications through “pipeline as code” | |
| Secure Authentication | Define user roles | |
| Secure Authentication | Follow established practices for establishing a root of trust from an offline source | |
| Secure Authentication | Use short-lived Workload Certificates (SPIFFE/SPIRE) | |

Securing the Artefacts
Attesting the security and trustworthiness of artefacts produced by the build pipelines.

| Area | Control | Description |
|---|---|---|
| Verification | Sign Every Step in the Build Process (in-toto, TUF) | |
| Verification | Validate the Signatures Generated at Each Step | |
| Automation | Use TUF/Notary to manage signing of artefacts | |
| Automation | Use a store to manage metadata from in-toto | |
| Controlled Environments | Limit which artefacts any given party is authorized to certify | |
| Controlled Environments | Build in a system for rotating and revoking private keys | |
| Controlled Environments | Use a container registry that supports OCI image-spec images | |
| Controlled Environments | Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities | |

Securing Deployments
Verifying the attestations during the deployment stage.

| Area | Control | Description |
|---|---|---|
| Verification | Ensure clients can perform Verification of Artefacts and associated metadata | |
| Verification | Ensure clients can verify the “freshness” of files | |
| Automation | Use The Update Framework | |