Best Practices for Software Supply Chain Security

The Secure Software Factory


The software factory creates multiple pipelines configured to build a software artefact. Each pipeline is composed of individual build stages chained together to retrieve the source code and dependencies, then scan, test, build and deploy the final artefact. The software factory relies heavily upon infrastructure-as-code and security-as-code to allow automated instantiation of pipelines, leading to the creation of multiple immutable pipelines. To eliminate the chance of error or misconfiguration, there should be no manual configuration in place. This also leads to a system that is capable of performing a high level of automated security testing to validate its configuration and verify its products.

Software Supply Chain Best Practices White Paper

Securing a software supply chain in five stages

  1. Securing the Source Code: securing code produced by software producers (the internal or first-party code)
  2. Securing the Materials: hardening the “raw materials” of second- and third-party code incorporated in builds
  3. Securing the Build Pipelines: securing the build and infrastructure
  4. Securing the Artefacts: attesting the security and trustworthiness of artefacts produced by these build pipelines
  5. Securing Deployments: verifying the attestations during the deployment stage

Themes

Verification - Confidence in the software production process should result in verification at each stage in that process. Metadata from each stage of the build process should be attested. During the deployment or distribution stage of the process, the build metadata must be verified.

Automation - Leveraging automation helps to ensure that processes are deterministic. Infrastructure and its security controls should be defined as Infrastructure as Code (IaC) and deployed in an automated fashion. IaC allows system changes to be governed by source code management tools that integrate into enterprise identity management solutions. This further reduces the likelihood of varying configurations across environments through “write once, deploy many”. 

Authorization in Controlled Environments - To reduce the impact of compromise, the entities (human or software) and environments involved in the software production lifecycle should be clearly defined and limited in scope. Permissions for human or software operators should be granted on a “least privilege” basis to ensure that roles have the minimum permissions required and are periodically re-evaluated. 

Secure Authentication - Identities are to be determined with certainty. For interacting at any stage of the supply chain, entities should mutually authenticate their identities prior to interaction. After authentication, the activities of entities should be monitored to detect suspicious or unauthorized activities.
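To make the Verification theme concrete, the following is an added example (not code from the white paper or this blog) of a deploy-time gate that checks attested metadata from the source, materials and build stages before accepting an artefact. It assumes hypothetical stage names and constructed keys, and uses HMAC from the standard library as a stand-in for the asymmetric signatures a real pipeline would use.

```python
import hashlib, hmac, json

# Constructed per-stage keys. HMAC is a stdlib stand-in for asymmetric
# signatures; the stage names are hypothetical labels for this example.
STAGE_KEYS = {"source": b"k-source", "materials": b"k-materials", "build": b"k-build"}
STAGE_ORDER = ["source", "materials", "build"]

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _mac(stage, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(STAGE_KEYS[stage], payload, hashlib.sha256).hexdigest()

def attest(stage, input_digest, output_digest):
    """Produce signed metadata for one stage of the pipeline."""
    body = {"stage": stage, "input": input_digest, "output": output_digest}
    return {"body": body, "sig": _mac(stage, body)}

def verify_chain(attestations, artefact: bytes):
    """Deploy-time gate: returns (ok, reason)."""
    # Every expected stage must be present, in order, with nothing extra.
    if [a["body"].get("stage") for a in attestations] != STAGE_ORDER:
        return False, "missing or out-of-order stage"
    prev_output = None
    for a in attestations:
        body = a["body"]
        if not hmac.compare_digest(a["sig"], _mac(body["stage"], body)):
            return False, f"bad signature on {body['stage']}"
        # Each stage must consume exactly what the previous stage produced.
        if prev_output is not None and body["input"] != prev_output:
            return False, f"{body['stage']} input does not match previous output"
        prev_output = body["output"]
    # The artefact being deployed must be the one the build stage attested.
    if prev_output != digest(artefact):
        return False, "artefact digest does not match build attestation"
    return True, "verified"

def demo():
    """Build a constructed three-stage attestation chain and its artefact."""
    src, deps, artefact = b"print('hi')", b"libfoo==1.2", b"compiled-artefact"
    chain = [
        attest("source", digest(b"commit"), digest(src)),
        attest("materials", digest(src), digest(src + deps)),
        attest("build", digest(src + deps), digest(artefact)),
    ]
    return chain, artefact
```

The gate rejects a deployment when a stage is missing, when any attestation's signature fails, when one stage's input is not the previous stage's output, or when the artefact differs from what the build stage attested.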
