If you wonder how to secure your organization and its CI/CD software supply chains from unwanted software changes, you are in the right place. In this series of posts, I will describe how you can include notarization and authentication of artifacts using Codenotary products: the vcn tool working together with Trustcenter/Enterprise. It's time to take control of your CI/CD pipelines with notarization and authentication!
Welcome to the first part of our series of posts that explores the topic of automatically securing builds in various CICD tools. In this initial post, we will delve into the fundamental concepts that underpin the world of CICD, such as what constitutes a CICD pipeline, the significance of notarization and authentication, and how Codenotary tools play a vital role in enhancing software security. Our subsequent post will focus on GitHub Actions, which is currently the most popular platform for code repositories and boasts a diverse range of automation tools.
CICD, or Continuous Integration and Continuous Delivery/Deployment, is a software development approach that aims to streamline and automate the software delivery process.
In a traditional software development process, developers write code and then manually merge their changes with the main codebase. After that, testers perform testing on the code, and then the code is deployed to production. This process is time-consuming and prone to errors.
CICD, on the other hand, is an automated process that achieves these things in minimum time, reliably, and with high quality. By automating the entire software delivery process, CICD reduces manual errors, accelerates time-to-market, and provides visibility into the software development pipeline. Additionally, CICD helps teams to identify and fix bugs early in the development process, reducing the time and effort required for bug fixing later on.
Who benefits from CICD?
Notarization of assets means that a verifiable identity records their hashes and metadata, along with the status of the asset, in an immutable ledger. The identity that performs this action is either a person that you can identify by name or a machine, such as a CI/CD process. By default, notarization sets the status of an asset to trusted; however, it is also possible to set the status of an asset to unsupported or untrusted.
In simple terms, authentication of assets means verifying that a particular asset is the same as the one that was previously notarized and getting its status from an unchangeable record. This verification is done against an identity, which could be one or multiple opinions of different identities about the asset. The outcome of the authentication process can be one of these: trusted, untrusted, unsupported, or unknown.
What do you gain by consistently notarizing and authenticating your software?
What is the importance of ensuring that software builds are secure and trustworthy? The aim of a reliable process of notarization and authentication is to ensure that no unwanted components of the software or final assets are released in the final product deployed to the customer.
The key elements needed to secure the CICD are presented in the following diagram:
Diagram 1: The basic flow of authentication and notarization
The actions presented in this diagram are:
The basic idea is to provide security by allowing the integration pipeline to finish without an error only if all the sources received from the software repository are trusted. Accordingly, the deployment pipeline will be allowed to finish without error only if the packages built as a result have already been built before in the same manner and have been thus trusted.
It is worth noting that the setup of pipelines described above is only the basic one, and many variations are imaginable and implementable. In the next parts of this series, I will show how all these variations are achievable with GitHub Actions and other platforms.
The example described in the previous chapter can be expanded to create an authorization chain. The idea presented in diagram 2 is that every software supply chain can be secured by a chain of roles/identities. This concerns any software supply chain, even one consisting of multiple workflows and jobs running at different moments.
Diagram 2: Supply chain security using authorization chain.
At key moments of the process (such as source code checkout, binary build, etc.) there is an identity responsible for the step. This identity authenticates the results of the previous step against the identity responsible for that previous step. Next, it produces its own results and notarizes them, attaching the necessary logs (such as an SBOM, vulnerability scanning results, and in-toto metadata).
The whole process can be overseen by one or many external auditors who can intervene in Trustcenter/Enterprise by untrusting unwanted assets or dependencies. This way, instead of intervening in the operation of (possibly hundreds of) CI/CD supply chains, they can globally exclude these unwanted assets from further use. Moreover, using the extended search capabilities provided by Trustcenter/Enterprise, they can find all the builds that have used this asset or dependency.
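The notarize/authenticate semantics and the authorization chain described above can be modelled in a few lines. This is an added example, not Codenotary code and not how vcn or Trustcenter are implemented: the `Ledger` class, `run_step`, the identity names and the rule that any negative opinion outweighs a trusted one are all assumptions made for illustration.

```python
import hashlib

class Ledger:
    """Append-only, in-memory stand-in for the immutable ledger (toy model)."""
    def __init__(self):
        self._entries = []  # (sha256 hex, signer, status); never edited or deleted

    def record(self, data, signer, status="trusted"):  # notarization; trusted by default
        self._entries.append((hashlib.sha256(data).hexdigest(), signer, status))

    def authenticate(self, data, signers):
        """Status of `data` in the opinion of the identities in `signers`."""
        digest = hashlib.sha256(data).hexdigest()
        latest = {}
        for entry_hash, signer, status in self._entries:
            if entry_hash == digest and signer in signers:
                latest[signer] = status  # a signer's newest entry supersedes older ones
        if not latest:
            return "unknown"  # never notarized by these identities, or bytes changed
        for negative in ("untrusted", "unsupported"):
            if negative in latest.values():  # assumption: a negative opinion wins
                return negative
        return "trusted"

def run_step(ledger, identity, inputs, upstream, build):
    """One link of the chain: authenticate inputs, build, notarize the output."""
    for item in inputs:
        status = ledger.authenticate(item, upstream)
        if status != "trusted":
            raise RuntimeError(f"{identity}: input is {status}, failing the pipeline")
    output = build(inputs)
    ledger.record(output, identity)
    return output

def demo():
    ledger = Ledger()
    source = b"print('hello')\n"  # constructed sample source file
    build = lambda files: b"PKG:" + b"".join(files)
    ledger.record(source, "developer")
    package = run_step(ledger, "ci-build", [source], {"developer", "auditor"}, build)
    results = [ledger.authenticate(package, {"ci-build"}),
               ledger.authenticate(package + b"\x00", {"ci-build"})]  # tampered copy
    ledger.record(source, "auditor", "untrusted")  # auditor excludes the source globally
    try:
        run_step(ledger, "ci-build", [source], {"developer", "auditor"}, build)
        results.append("built")
    except RuntimeError:
        results.append("blocked")
    return results
```

Calling `demo()` shows the three outcomes in order: the notarized package authenticates as trusted, a modified copy is unknown, and the rebuild is blocked once the auditor untrusts the source.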
You can perform all the actions of notarization, authentication, SBOM generation, vulnerability scanning, and more using Codenotary products: vcn and Trustcenter. These actions can be performed not only manually but also automated with command line scripts or via the API and implemented in CICD pipelines. We recommend Trustcenter/Teams for smaller customers and Trustcenter/Enterprise for larger organizations.
vcn is a command line interface (CLI) tool that allows you to interact with the Trustcenter service. It is a cross-platform tool that can be used on Windows, Linux, and macOS. Using the command line tool vcn, these actions are performed with commands like vcn notarize, vcn authenticate, and vcn bom. To blacklist components, you can use vcn unsupport or vcn untrust.
What else can vcn do?
You can find more information on vcn and its basic syntax in the cheatsheet file posted on the vcn-github-action wiki page.
Trustcenter/Enterprise is a portal that communicates with vcn and provides you with:
Trustcenter/Enterprise is backed by immudb, the immutable database, so you have the guarantee that no changes have been made to the data read by vcn.
To start notarization and authentication using vcn and Trustcenter/Enterprise, you need to sign up for a free evaluation. To do this, contact sales@codenotary.com. Once you have your tenant in tc.codenotary.com, log in, create your first ledger, and set up your signer id to create your API key.
In this part of the blog post, you learned the notions of notarization and authentication and how those actions could help secure your software supply chain. I have also introduced Codenotary tools that help achieve this.
In the next parts of this series, I will be discussing how to implement it all in practice in various CICD platforms. We will start with GitHub Actions. So once you are ready to take control of your CI/CD pipelines with notarization and authentication, don't wait any longer. Start your evaluation period of Trustcenter/Enterprise today and see for yourself how it can enhance the security of your software supply chains.
With Trustcenter/Enterprise and the vcn tool from Codenotary, you can track all ingredients of your software, scan for vulnerabilities, control what can be deployed, and guarantee the provenance of every artifact. Say goodbye to manual errors and hello to reliable, automated processes.
Take the first step towards a more secure software delivery process by starting your trial of Trustcenter/Enterprise now.