Importance of Provenance Verification for Software
Introduction
How much do you know about the components, artifacts, libraries, and other assets you use in your daily development work? Where did these components come from? Who approved their use? Who changed them? And most importantly: Which of your applications use which components?
The SolarWinds Hack: A Wake-Up Call
The hugely destructive impact of the SolarWinds hack (for background, see "SolarWinds hack explained: Everything you need to know") made it evident how dangerous it is to neglect the safety and security of your software supply chain. Indeed, for some industries such as federal, finance, healthcare, aerospace, and pharmaceutical, attention to supply chain security is mandated by regulations and law.
Provenance Verification in Software Development
One of the key challenges in software development is verifying the provenance of the software components we rely on. Provenance refers to the origin and history of a software component, including its author, version, and any modifications it has undergone. Provenance verification involves validating that the software components used in a project are authentic, unaltered, and come from trusted sources.
The Importance of Provenance Verification
Security
Provenance verification helps protect against malicious attacks and vulnerabilities. By ensuring that software components come from trusted sources, software organizations can reduce the risk of introducing malicious code or backdoors into their applications. This is particularly crucial when using open-source libraries or third-party dependencies, as these components may have been tampered with or compromised.
Compliance
Many industries, such as healthcare and finance, have strict regulatory requirements for software development. Provenance verification helps demonstrate compliance with these regulations by providing a clear audit trail of the software components used in a project. This can be especially important when dealing with sensitive data or critical infrastructure.
Quality Assurance
Provenance verification is essential for maintaining the quality and reliability of software. By ensuring that software components are authentic and unaltered, developers can have confidence in the stability and performance of their applications. This is particularly important when working on large-scale projects with multiple contributors, where the risk of introducing bugs or compatibility issues is higher. Furthermore, the modern DevOps pipeline should indeed use provenance verification as a way to enforce assurance.
Ensuring Provenance Verification in Modern Software Development
1. Dependency Management
Use a robust dependency management system like Codenotary’s Trustcenter, which tracks and verifies the provenance of software components. Dependency management should, of course, be transparent to developers.
2. Code Signing
Digitally sign software components to ensure their authenticity and integrity. These signatures need to be stored in a tamperproof way to avoid signature forgery. Codenotary’s Trustcenter uses our leading immutable database immudb (see here: immudb.io) as a zero-trust repository for digital signatures. These signatures are SHA256 hashes of each digital artifact signed with Trustcenter. In turn, these Trustcenter signatures can be used to verify that the code has not been altered since it was signed by the original author or publisher.
3. Continuous Monitoring
Implement continuous monitoring and vulnerability scanning to detect any changes or vulnerabilities in software components. Regularly update and patch dependencies to mitigate any known security risks. Trustcenter monitors on an ongoing basis and tracks the trust level of components used in the development organization.
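The mechanism from the code signing step above, recording a SHA256 hash per artifact in a tamper-evident store and checking artifacts against it before use, sketched as an added example (not Codenotary's code, and not the Trustcenter or immudb API). The `Ledger` class, its verdict strings, and the out-of-band `pinned_head` are assumptions made for illustration.

```python
# Added illustration: a toy hash-chained log, not Trustcenter or immudb.
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry
FIELDS = ("name", "digest", "signer", "prev")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    body = {k: entry[k] for k in FIELDS}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class Ledger:
    """Hypothetical append-only log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def notarize(self, name: str, data: bytes, signer: str) -> str:
        entry = {"name": name, "digest": sha256_hex(data), "signer": signer, "prev": self.head()}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["digest"]

    def chain_intact(self, pinned_head: str) -> bool:
        # Recompute every link, then compare with a head kept outside the log;
        # without that pin, someone who rewrites the whole log could re-hash it.
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["entry_hash"] != entry_hash(e):
                return False
            prev = e["entry_hash"]
        return prev == pinned_head

    def verify(self, name: str, data: bytes, trusted: set, pinned_head: str) -> str:
        if not self.chain_intact(pinned_head):
            return "ledger-tampered"
        for e in reversed(self.entries):  # newest record for this name wins
            if e["name"] == name:
                if e["digest"] != sha256_hex(data):
                    return "altered"
                return "trusted" if e["signer"] in trusted else "untrusted-signer"
        return "unknown"
```

A build step would call `verify` on each dependency and fail on anything other than `"trusted"`; the pinned head has to live somewhere the log's writer cannot change.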
Conclusion: A Secure Software Supply Chain
Provenance verification is a critical aspect of modern software development. Digital signatures based on digital certificates are a weak solution because (a) certificates are easy to fake and (b) certificates need to be attached to the digital asset and therefore change the workflow. By contrast, Trustcenter signatures are cryptographically strong and stored in a tamperproof, immutable database.
Only the combination of dependency tracking, code signing, and automating the use of these tools across the software development organization can ensure an end-to-end secure software supply chain.