Supply Chain Security
Phases¶
Summary
- This is a summary of the Software Supply Chain Security Best Practices Paper
Securing the Source Code¶
securing code produced by software producers
| Area | Control | Description |
|---|---|---|
| Verification | Require signed commits | |
| Enforce full attestation and Verification for protected branches | Full attestation is the signature of the final commit once all signatures are verified (git merge -S --verify-signatures) |
|
| Automation | Prevent committing secrets to the source code repository | |
Define individuals/teams that are responsible for code in a repository and associated coding conventions (CODEOWNERS) |
||
| Automate software security scanning and testing (SAST, DAST) |
|
|
| Controlled Environments | Define roles aligned to functional responsibilities (Developer, Maintainer, Owner, Reviewer, Approver, and Guest) | |
| Enforce an independent four-eyes principle |
|
|
| Use branch protection rules |
|
|
| Secure Authentication | Enforce MFA for accessing source code repositories | |
| Use SSH keys to provide developers access to source code repositories | ||
| Have a Key Rotation Policy | ||
| Use short-lived/ephemeral credentials for machine/service access (OAuth 2.0, OpenID Connect) |
Securing the Materials¶
hardening the “raw materials” of second and third party code
| Area | Control | Description |
|---|---|---|
| Verification | Verify third party artefacts and open source libraries |
|
| Require SBOM from third party supplier | ||
| Track dependencies between open source components |
|
|
| Define and prioritize trusted package managers and repositories | ||
| Generate an immutable SBOM of the code | ||
| Automation | Scan software for vulnerabilities | |
| Scan software for license implications | ||
| Run software composition analysis on ingested software |
Securing the Build Pipelines¶
securing the build and infrastructure
| Area | Control | Description |
|---|---|---|
| Verification | Cryptographically guarantee policy adherence |
|
| Validate environments and dependencies before usage |
|
|
| Validate runtime security of build workers |
|
|
| Validate Build artefacts through verifiably reproducible builds |
|
|
| Automation | Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code | |
| Standardize pipelines across projects | ||
| Provision a secured orchestration platform to host software factory (e.g., Kubernetes with GitOps) | ||
| Build Workers Should be Single Use | ||
| Controlled Environments | Ensure Software Factory has minimal network connectivity | |
| Segregate the Duties of Each Build Worker |
|
|
| Pass in Build Worker Environment and Commands |
|
|
| Write Output to a Separate Secured Storage Repo | ||
| Secure Authentication | Only allow pipeline modifications through “pipeline as code” | |
| Define user roles | ||
| Follow established practices for establishing a root of trust from an offline source | ||
| Use short-lived Workload Certificates (SPIFFE/SPIRE) |
Securing the Artefacts¶
attesting the security and trustworthiness of artefacts produced by the build pipelines
| Area | Control | Description |
|---|---|---|
| Verification | Sign Every Step in the Build Process (in-toto, TUF) | |
| Validate the Signatures Generated at Each Step | ||
| Automation | Use TUF/Notary to manage signing of artefacts | |
| Use a store to manage metadata from in-toto | ||
| Controlled Environments | Limit which artefacts any given party is authorized to certify | |
| ​​Build in a system for rotating and revoking private keys | ||
| Use a container registry that supports OCI image-spec images | ||
| Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities |
Securing Deployments¶
verifying the attestations during the deployment stage
| Area | Control |
|---|---|
| Verification | Ensure clients can perform Verification of Artefacts and associated metadata |
| Ensure clients can verify the “freshness” of files | |
| Automation | Use The Update Framework |
Other Resources¶
| Link | Notes |
|---|---|
| An Overview of Software Supply Chain Security | A breakdown of what constitutes the software supply chain and how to secure each stage |
| Software Supply Chain Vendor Landscape | An analysis of over 20 supply chain security vendors |
| supply-chain-firewall |
|