Secure your software supply chain with Trustcenter
Introduction
If you wonder how to secure your organization and its CI/CD software supply chains from unwanted software changes, you are in the right place. In this series of posts, I will describe how you can include notarization and authentication of artifacts using the Codenotary products: vcn tool working together with Trustcenter/Enterprise. It's time to take control of your CI/CD pipelines with notarization and authentication!
Welcome to the first part of our series of posts that explores the topic of automatically securing builds in various CICD tools. In this initial post, we will delve into the fundamental concepts that underpin the world of CICD, such as what constitutes a CICD pipeline, the significance of notarization and authentication, and how Codenotary tools play a vital role in enhancing software security. Our subsequent post will focus on GitHub Actions, which is currently the most popular platform for code repositories and boasts a diverse range of automation tools.
What is CICD and who needs it?
CICD, or Continuous Integration and Continuous Delivery/Deployment, is a software development approach that aims to streamline and automate the software delivery process.
In a traditional software development process, developers write code and then manually merge their changes with the main codebase. After that, testers perform testing on the code, and then the code is deployed to production. This process is time-consuming and prone to errors.
CICD, on the other hand, is an automated process that achieves these things in minimum time, reliably, and with high quality. By automating the entire software delivery process, CICD reduces manual errors, accelerates time-to-market, and provides visibility into the software development pipeline. Additionally, CICD helps teams to identify and fix bugs early in the development process, reducing the time and effort required for bug fixing later on.
Who benefits from CICD?
- Organizations, business stakeholders, and teams release new and upgraded products consistently and often, bringing more value to their business and customers,
- Development teams make sure their changes don’t break existing functionality,
- Operations teams are so much more efficient thanks to automation,
- Quality assurance teams test software more thoroughly and catch bugs earlier,
- Security teams reduce risks inherent in release processes. Security teams can work more closely with development teams and ensure that security concerns are addressed at every stage of the software development lifecycle.
What are notarization and authentication?
Notarization of assets means recording their hashes and metadata in an immutable ledger, along with the status of the asset, by a verifiable identity. The identity that performs this action is either a person that you can identify by name or a machine, such as a CI/CD process. By default, notarization sets the status of an asset to trusted; however, it is also possible to set the status of an asset to unsupported or untrusted.
In simple terms, authentication of assets means verifying that a particular asset is the same as the one that was previously notarized and getting its status from an unchangeable record. This verification is done against an identity, or against the opinions of multiple identities about the asset. The outcome of the authentication process can be one of these: trusted, untrusted, unsupported, or unknown.
What do you gain by consistently notarizing and authenticating your software?
- You gain one place where you can track all ingredients of your software. This is either thanks to notarizing all source code files or notarizing your applications (binaries, images, and others) with SBOM (software bill of materials),
- Once you have the lists of ingredients you can start making use of them: scan for vulnerabilities, compare the lists, understand licenses, control what can be deployed and what cannot, track and guarantee the provenance of every artifact, and find and eliminate/prohibit unwanted artifacts.
What is the importance of ensuring that software builds are secure and trustworthy? The aim of a reliable process of notarization and authentication is to ensure that no unwanted components of the software or final assets are released in the final product deployed to the customer.
The key elements needed to secure the CICD are presented in the following diagram:
Diagram 1: The basic flow of authentication and notarization
The actions presented in this diagram are:
- Authentication of sources - verifying if all the components and dependencies used in the environment have been previously trusted.
- Notarization of packages - the outcome of the integration pipeline may be a binary, an image, or another form of software product. Provided that all the dependencies have just been authenticated, the pipeline automatically notarizes the build. Also at this stage, the pipeline author may generate and attach additional documentation of the build: SBOM, vulnerability scanning results, in-toto attestation, and others.
- Authentication of packages during deployment serves as a control point to check that only a trusted final product reaches the customers.
The basic idea is to provide security by allowing the integration pipeline to finish without an error only if all the sources received from the software repository are trusted. Accordingly, the deployment pipeline will be allowed to finish without error only if the packages it deploys were built earlier in the same manner and have thus been trusted.
It is worth noting that the setup of pipelines described above is only the basic one and there are many variations imaginable and implementable. In the next parts of this series, I will show how all these variations are achievable with GitHub Actions and other platforms.
Authorization chain
The example described in the previous chapter can be expanded to create an authorization chain. The idea presented in diagram 2 is that every software supply chain can be secured by a chain of roles/identities. This concerns any software supply chain, even one consisting of multiple workflows and jobs running at different moments.
Diagram 2: Supply chain security using authorization chain.
At key moments of the process (such as source code checkout, binary build, etc.) there is an identity responsible for this step. This identity authenticates the results of the previous step against the identity responsible for the previous step. Next, it produces its own results and notarizes them, attaching the necessary logs (such as an SBOM, vulnerability scanning results, and in-toto metadata).
The whole process can be overseen by one or many external auditors that can intervene in Trustcenter/Enterprise by untrusting unwanted assets or dependencies. This way, instead of intervening in the operation of (possibly hundreds of) CI/CD supply chains, they can globally exclude these unwanted assets from further use. Moreover, using the extended search capabilities provided by Trustcenter/Enterprise, they can find all the builds that have used this asset or dependency.
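The notarize/authenticate semantics, the pipeline gate and the auditor override described above, as an added conceptual model in Python. It is not Codenotary's code and does not call vcn or the Trustcenter API; the Ledger class, the build_gate function, the hash-chained record layout, the signer names and the rule that the strictest opinion wins are assumptions made for illustration.

```python
import hashlib
ZERO = "0" * 64
SOURCES = {"app.py": b"print('hi')\n", "dep.tar": b"dep-1.0"}  # constructed sample inputs

def digest(data):
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Toy append-only ledger: each record carries the link hash of the previous one."""
    def __init__(self):
        self.records = []

    def _link(self, rec):
        return digest(repr([rec[k] for k in ("hash", "signer", "status", "prev")]).encode())

    def notarize(self, data, signer, status="trusted"):
        if status not in ("trusted", "untrusted", "unsupported"):
            raise ValueError(status)
        prev = self.records[-1]["link"] if self.records else ZERO
        rec = {"hash": digest(data), "signer": signer, "status": status, "prev": prev}
        rec["link"] = self._link(rec)
        self.records.append(rec)

    def verify_chain(self):
        prev = ZERO
        for rec in self.records:
            if rec["prev"] != prev or rec["link"] != self._link(rec):
                return False  # a record was altered, removed or reordered
            prev = rec["link"]
        return True

    def authenticate(self, data, signers):
        h, latest = digest(data), {}
        for rec in self.records:  # a signer's later record overrides its earlier one
            if rec["hash"] == h and rec["signer"] in signers:
                latest[rec["signer"]] = rec["status"]
        for verdict in ("untrusted", "unsupported", "trusted"):  # assumed: strictest wins
            if verdict in latest.values():
                return verdict
        return "unknown"  # these exact bytes were never notarized by the given signers

def build_gate(ledger, sources, trusted_signers, build_signer, build):
    """Notarize the build output only if every input authenticates as trusted."""
    verdicts = {n: ledger.authenticate(b, trusted_signers) for n, b in sources.items()}
    bad = {n: v for n, v in verdicts.items() if v != "trusted"}
    if bad:
        raise PermissionError(f"inputs not trusted: {bad}")
    artifact = build(sources)
    ledger.notarize(artifact, build_signer)
    return artifact
```

Once an auditor identity records untrusted for a dependency, build_gate raises for every pipeline that lists that auditor among its trusted signers, with no change to the pipelines themselves.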
What are vcn and Trustcenter/Enterprise?
You can perform all the actions of notarization, authentication, SBOM generation, vulnerability scanning, and more using Codenotary products: vcn and Trustcenter. These actions can be performed not only manually but also automated with command line scripts or via the API and implemented in CICD pipelines. We recommend Trustcenter/Teams for smaller customers and Trustcenter/Enterprise for larger organizations.
vcn is a command line interface (CLI) tool that allows you to interact with the Trustcenter service. It is a cross-platform tool that can be used on Windows, Linux, and macOS. Using the command line tool vcn, these actions are performed with commands like vcn notarize, vcn authenticate, and vcn bom. To blacklist components, you can use vcn unsupport or vcn untrust.
What else can vcn do?
- Notarize and authenticate assets of many types: images, containers, git repositories, binaries, files, directories, etc.,
- Scan and generate SBOMs for assets in many languages: Java, Python, Go, JavaScript, Rust, .NET, Node.js, PHP, etc.,
- Scan OS package managers: apk, dpkg, rpm,
- SBOM formats supported include SPDX and CycloneDX (both JSON and XML),
- Import SBOMs from other sources into Trustcenter,
- Send attachments to Trustcenter along with notarizations, for example, to store SBOMs, vulnerability scan results, or other documents in file format,
- Work with labels and custom attributes (metadata) to authenticate and notarize assets,
- Run vulnerability scanning along with authentication and notarization,
- Connect to any image registries, including Docker Hub, Quay, ECR, GCR, ACR, etc.,
- Run cosign notarization and authentication. Cosign is a tool for signing and verification, maintained by the Cloud Native Computing Foundation (CNCF).
You can find more information on vcn and its basic syntax in the cheatsheet file posted on the vcn-github-action wiki page.
Trustcenter/Enterprise is a portal that communicates with vcn and provides you with:
- Easy way to store components of your projects and applications,
- User and credentials management (API Keys, Signer IDs, personal access tokens),
- Very versatile artifact search built for very large projects and codebases,
- A way to explore dependency trees,
- A rich OpenAPI model to automate your work with vcn and all TC functionalities.
Trustcenter/Enterprise is backed by immudb, the immutable database, so you have the guarantee that no changes have been made to the data read by vcn.
To start notarization and authentication using vcn and Trustcenter/Enterprise, you need to sign up for a free evaluation. To do this, contact sales@codenotary.com. Once you have your tenant in tc.codenotary.com, log in, create your first ledger, and set up your signer id to create your API key.
Summary
In this part of the blog post, you learned the notions of notarization and authentication and how those actions could help secure your software supply chain. I have also introduced Codenotary tools that help achieve this.
In the next parts of this series, I will be discussing how to implement it all in practice in various CICD platforms. We will start with GitHub Actions. So once you are ready to take control of your CI/CD pipelines with notarization and authentication, don't wait any longer. Start your evaluation period of Trustcenter/Enterprise today and see for yourself how it can enhance the security of your software supply chains.
With Trustcenter/Enterprise and the vcn tool from Codenotary, you can track all ingredients of your software, scan for vulnerabilities, control what can be deployed, and guarantee the provenance of every artifact. Say goodbye to manual errors and hello to reliable, automated processes.
Take the first step towards a more secure software delivery process by starting your trial of Trustcenter/Enterprise now.