4/12/2023

TestifySec Witness and Archivista: Supply Chain Security and SSDF Compliance for Federal Market

Author: Cole Kennedy

Produce Well-Secured Software

TestifySec Witness and Archivista for the Federal Market and SSDF Compliance

TestifySec offers comprehensive solutions for the federal market by ensuring supply chain security and compliance with the NIST Secure Software Development Framework (SSDF) through its products Witness and Archivista.

Witness: Pluggable Framework for Supply Chain Security

Witness is a pluggable framework that creates an evidence trail of the entire Software Development Life Cycle (SDLC), ensuring the integrity of your software from source to target [^1^]. It supports most major CI and infrastructure providers and uses a secure PKI distribution system to enhance security and mitigate software supply chain attack vectors.

Key features of Witness include:

  • Creating an evidence trail of the entire SDLC for policy compliance evaluation and detection of potential tampering or malicious activity
  • Supporting most major CI and infrastructure providers for versatile and flexible supply chain security
  • Running in both containerized and non-containerized environments without requiring elevated privileges
  • Implementing the in-toto specification, with an embedded engine for build policy enforcement
  • Supporting keyless signing with Sigstore and SPIFFE/SPIRE
  • Uploading attestation evidence to the Archivista server
  • Verifying file integrity between CI steps and across air gaps
  • Supporting Darwin, Windows, and ARM architectures

Archivista: Graph and Storage Service for In-toto Attestations

Archivista is a graph and storage service for in-toto attestations, enabling the discovery and retrieval of attestations for software artifacts. This feature facilitates the management of software supply chain security by providing a centralized and accessible record of attestations.

SSDF Compliance

TestifySec's Witness and Archivista help organizations adhere to the NIST SSDF by:

  • Protecting code from tampering throughout the SDLC
  • Continuously monitoring the software pipeline
  • Continuously enforcing policy across the software pipeline
  • Providing a mechanism for verifying software release integrity via digital signatures
  • Ensuring compliance with security requirements and mitigating security risks in software design
  • Verifying third-party software compliance with security requirements
  • Configuring compilation and build processes to improve executable security
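The two lists above describe the same underlying mechanism: each CI step records the digests of what it consumed and produced, signs that record, and a verifier later checks both the signatures and that every step's inputs are exactly the previous step's outputs. The following Go program is an added illustration of that idea and is not Witness or Archivista code; its `Attestation` and `Envelope` types are a deliberately simplified, hypothetical stand-in for an in-toto attestation (the real in-toto and Witness schemas differ), the Ed25519 key and the source and binary bytes are constructed inline, and the `tamper` flag swaps the binary between the build and package steps to show how the chain check catches it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is a simplified, hypothetical stand-in for an in-toto step
// record: what a step consumed (materials) and produced (products), each
// identified by a SHA-256 digest. It is not Witness's real schema.
type Attestation struct {
	Step      string            `json:"step"`
	Materials map[string]string `json:"materials"`
	Products  map[string]string `json:"products"`
}

// Envelope carries the serialized attestation and an Ed25519 signature over
// it, so a verifier can detect both payload tampering and forged evidence.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// digests maps every file name to the hex SHA-256 of its content.
func digests(files map[string][]byte) map[string]string {
	out := make(map[string]string, len(files))
	for name, content := range files {
		out[name] = digest(content)
	}
	return out
}

// Attest records one step and signs the record with the step's private key.
func Attest(step string, materials, products map[string][]byte, priv ed25519.PrivateKey) (Envelope, error) {
	att := Attestation{Step: step, Materials: digests(materials), Products: digests(products)}
	payload, err := json.Marshal(att)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Open verifies the envelope signature before decoding the attestation.
func Open(env Envelope, pub ed25519.PublicKey) (Attestation, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Attestation{}, fmt.Errorf("signature verification failed")
	}
	var att Attestation
	if err := json.Unmarshal(env.Payload, &att); err != nil {
		return Attestation{}, err
	}
	return att, nil
}

// VerifyChain checks every step's signature and that each step's materials
// carry the digests the previous step reported as products, so a file swapped
// between CI steps (or while crossing an air gap) is detected.
func VerifyChain(chain []Envelope, pub ed25519.PublicKey) error {
	var prev *Attestation
	for i, env := range chain {
		att, err := Open(env, pub)
		if err != nil {
			return fmt.Errorf("step %d: %w", i, err)
		}
		if prev != nil {
			for name, want := range prev.Products {
				got, ok := att.Materials[name]
				if !ok {
					return fmt.Errorf("step %q: material %q missing", att.Step, name)
				}
				if got != want {
					return fmt.Errorf("step %q: material %q has digest %s, but step %q produced %s",
						att.Step, name, got, prev.Step, want)
				}
			}
		}
		prev = &att
	}
	return nil
}

// BuildAndVerify runs a constructed two-step pipeline (build, then package)
// and verifies the resulting chain. With tamper set, the binary handed to the
// package step is not the one the build step attested to.
func BuildAndVerify(tamper bool) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	source := map[string][]byte{"main.go": []byte("package main\n")} // constructed input
	binary := []byte("constructed-build-output")                    // constructed artifact
	buildEnv, err := Attest("build", source, map[string][]byte{"app": binary}, priv)
	if err != nil {
		return err
	}
	if tamper {
		binary = []byte("constructed-binary-replaced-after-build")
	}
	packageEnv, err := Attest("package", map[string][]byte{"app": binary},
		map[string][]byte{"app.tar.gz": append([]byte("tar:"), binary...)}, priv)
	if err != nil {
		return err
	}
	return VerifyChain([]Envelope{buildEnv, packageEnv}, pub)
}

func main() {
	fmt.Println("clean pipeline error:", BuildAndVerify(false))
	fmt.Println("tampered pipeline error:", BuildAndVerify(true))
}
```

Running it prints a nil error for the clean pipeline and a digest-mismatch error naming the `package` step for the tampered one. The design choice worth noting is that the verifier never trusts file names: the link between steps is the digest, and the link to the signer is the signature, which is what lets the same check run at a later stage, on another machine, or on the far side of an air gap.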

Conclusion

TestifySec's Witness and Archivista offer a powerful combination of supply chain security and compliance with the NIST SSDF. By providing a detailed and verifiable record of the SDLC, these tools help federal market organizations ensure the integrity of their software supply chain while aligning with the SSDF's security standards.