Cybersecurity involves protecting computer systems, networks, and devices from attacks, theft, and damage. An important aspect of cybersecurity is securing the software supply chain, as this helps to ensure that the software we use is trustworthy and free from vulnerabilities that could be exploited by attackers. There are multiple frameworks that explain how to achieve it such as NIST SSDF as well as tools like Trustcenter.
Security of the software supply chain can be enhanced with:
- code signing and continuous integration and delivery (CI/CD), as well as
- verifying the integrity of software, and
- ensuring transparency and accountability throughout the software development process.
By securing the software supply chain, organizations can improve their cybersecurity and build trust with their users and customers. The issue is important as one can notice a significant rise in such attacks. The SolarWinds attack is just one example.
There are many frameworks and recommendations published recently in this field. One example is UK’s National Cyber Security Centre (NCSC) guidance on how to assess the organization’s security in this field. It also sets out practical steps for identifying and mitigating supply chain risks. However, it has been criticized for its focus on supplier relationships and communication rather than technical information. Moreover the US Cybersecurity and Infrastructure Security Agency (CISA) with NSA published the three-part series of guidelines for developers, suppliers, and customers on ensuring software integrity and security during development, procurement, and deployment.
In February 2022 NIST published Secure Software Development Framework (SSDF) version 1.1 which is downloadable from here. In the words of the authors, this document recommends “a core set of high-level secure software development practices that can be integrated into each Software Development Life Cycle (SDLC) implementation”. The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. It is responsible for promoting innovation and industrial competitiveness by advancing measurement science, standards, and technology.
Biden’s Executive Order mentions SSDF so that it is no longer just a recommendation but also a regulation that all contractors of the US government have to self-certify. Some consider it to be one of the biggest topics moving into 2023. This development has however received pushback from the industry. The Information Technology Industry Council (ITI) has written a letter to the White House’s Office of Management and Budget expressing their concerns and recommending clarification of the regulation, standardization, and adjustment of the implementation timeline.
A deeper look into SSDF
The SSDF has 4 main areas:
- Prepare the Organization (PO): Ensure that people, processes, and technology are prepared for secure software development at the organization level.
- Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
- Produce Well-Secured Software (PW): Produce software with minimal security vulnerabilities in its releases.
- Respond to Vulnerabilities (RV): Identify and respond to residual vulnerabilities in software releases.
While all the above areas are equally important, we will focus on one of them. Recommendations in the “Protect the software” area include the following:
- conduct software integrity verification; for example posting hashes of release files in a well-secured location
- collect and maintain provenance data for all components of each software release:
- e.g. software bill of materials (SBOM)
- archive each release in a tamper-proof manner
- store all forms of code: source code, executable code, configurations-as a code in a version control system such as a code repository with restricted access
Archiving releases means storing the SBOMs, provenance, and integrity checks in a separate repository so that it is possible to inspect and track down any gaps in integrity.
Trustcenter provides a comprehensive solution for securing the software supply chain. It is a system where you can:
- generate SBOMs,
- conduct an attestation, which means checking if the piece of software is at the moment exactly the same as it was in an earlier stage of the software life cycle,
- safely upload artifacts and their metadata,
- easily search among artifacts and export search results,
- perform all of the above in a multiple identity environment and
- automatically perform those actions in your CI/CD pipelines such as GitHub, GitLab, or Jenkins.
According to SSDF, an artifact is a “piece of evidence”, which provides “grounds for belief or disbelief”. It is important to know that Trustcenter doesn’t download the pieces of software, it only stores artifacts which are documents summarizing the software such as hash, name, size, and so on.
Trustcenter uses immudb, an immutable database, which stores all notarized artifacts in such a way that nobody can change data, remove them or otherwise tamper with them without notice. Moreover, immudb has implemented algorithms for checking for the internal integrity of the data. Therefore storing there the hashes of any notarized files fulfills the requirement of “posting hashes in a well-secured location” and “archiving in a tamper-proof manner”.
Moreover, Trustcenter cooperates with vcn, a command-line tool (CLI) that is a highly configurable and programmable resource. It parses every kind of binary, image, and source code written in the most popular languages. Trustcenter exposes an API that makes it easy to integrate with any environment, solution or automation. Also, Trustcenter helps protect your Kubernetes cluster on deployment using the admission controller and in runtime using eBPF.
Securing the software supply chain is an important aspect of cybersecurity and it helps to ensure the trustworthiness of the software we use. It also helps prevent the exploitation of any vulnerabilities by hostile attackers. There are several frameworks and tools available to help organizations achieve this goal, such as the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) and Codenotary Trustcenter. To enhance the security of the software supply chain, organizations can use code signing and continuous integration and delivery, verify the integrity of software, and ensure transparency and accountability throughout the software development process. By securing the software supply chain, organizations can improve their cybersecurity and build trust with their users and customers.