
TestifySec Recruits Chris Hughes as Advisor
Today we welcome cloud cybersecurity expert Chris Hughes to TestifySec in the role of Board Advisor. Chris brings over a …
The following is the third of three blog posts about IT supply chain security:
You can also view my presentation on these topics from the CMS CISO Cybersecurity Forum 2021:
It is our position that the supply chain, like most aspects of enterprise software, can benefit greatly from employing the mindset and the architecture of Zero Trust.
Gilman and Barth, in their “Zero Trust Networks: Building Secure Systems in Untrusted Networks”, call out five attributes of a Zero Trust Architecture:
In our practice, these high-level assumptions or axioms imply a focus on three areas that exist in tension with one another, in what is known as the “Kautz Triangle”: the vertices of this (iron) triangle are Identity, Policy and Control.
Identity is the most important component of ZTA. In ZTA, all users must be strongly authenticated, via traditional identity tokens (username, hardware dongles, etc.) plus MFA. Your risk environment will determine authentication strength.
But workload identity is the meat of the issue for supply chain security. Workloads are “born” (created) with an identity that follows them throughout their life cycle, from source through product deployment. Their identity is summed up in a strongly attested SBOM (Software Bill of Materials). One way to establish identity for a workload (an executable or a container) is to create a hash from the bytes that comprise the workload, compare that hash to the attested metadata for the workload, and check that the result falls within organizational policy. Strong workload identity is essential to policy automation.
To summarize:
Organizational policy must be defined as data or code. Policy defines the limits of what network and compute resources can be granted to a user or workload. In other words, use code to define the “right” and “left” limits of the system, what users can and can’t do.
All requests to system or network resources should be controlled by evaluating the cryptographic identity of the workload or user making that request and comparing it to the organizational policy.
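The three vertices above can be exercised together in a small control point: the identity of a workload is derived from its bytes, the organizational policy is written as data, and the control decision is the comparison of the two. The following is an added example, not TestifySec's code; the SPIFFE ID, repository name and metadata record are constructed, and the signature over the metadata is assumed to have been verified before it reaches this check.

```python
import hashlib

# Constructed example input: the bytes that comprise a workload (an executable)
WORKLOAD_BYTES = b"#!/bin/sh\necho 'example-service build 42'\n"


def workload_identity(blob: bytes) -> str:
    """Derive the workload's identity from the bytes that comprise it."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


# Constructed metadata standing in for a signed SBOM/attestation. The signature
# over this record is assumed to have been verified before it reaches this check.
ATTESTED_METADATA = {
    "name": "example-service",
    "digest": workload_identity(WORKLOAD_BYTES),
    "builder": "spiffe://example.org/ci/build-worker",  # hypothetical SPIFFE ID
    "source_repo": "git.example.org/example-service",   # hypothetical repo
    "slsa_level": 4,
}

# Organizational policy as data: the "left" and "right" limits of what may run.
POLICY = {
    "allowed_builders": {"spiffe://example.org/ci/build-worker"},
    "allowed_source_repos": {"git.example.org/example-service"},
    "min_slsa_level": 4,
}


def evaluate(blob: bytes, metadata: dict, policy: dict) -> list:
    """Return the list of policy violations; an empty list means 'admit'."""
    violations = []
    # Identity: the bytes must be the bytes the attestation describes.
    if workload_identity(blob) != metadata.get("digest"):
        violations.append("digest mismatch: bytes do not match attested metadata")
    # Policy: who built it, from where, and at what assurance level.
    if metadata.get("builder") not in policy["allowed_builders"]:
        violations.append("builder %r is not an allowed builder" % metadata.get("builder"))
    if metadata.get("source_repo") not in policy["allowed_source_repos"]:
        violations.append("source repo %r is not allowed" % metadata.get("source_repo"))
    if metadata.get("slsa_level", 0) < policy["min_slsa_level"]:
        violations.append("SLSA level below the required minimum")
    return violations


def admit(blob: bytes, metadata: dict, policy: dict = POLICY) -> bool:
    """Control point: grant the request only when identity and policy agree."""
    return not evaluate(blob, metadata, policy)


if __name__ == "__main__":
    print("genuine workload admitted:", admit(WORKLOAD_BYTES, ATTESTED_METADATA))
    tampered = WORKLOAD_BYTES + b"echo 'extra'\n"
    print("tampered workload admitted:", admit(tampered, ATTESTED_METADATA))
```

Because the policy is plain data, changing the minimum SLSA level or the set of permitted builders is a reviewed change to a file rather than a change to the controller; the controller itself only ever compares.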
Examples
So what are the actual tasks and attributes involved in CI/CD verification?
SLSA is the new standard for CI/CD systems. SLSA 4 is the most secure.
The following table outlines common risks and the associated mitigation needed to achieve SLSA level 4. The open source tools referenced in the table (e.g., in-toto and SPIRE) are described below.
Risks | Mitigation
---|---
Submit bad code to the source repo | Sign commits
Compromise source control platform | Use in-toto to record and sign build metadata
Build from code not matching source control | Use in-toto to record and sign build metadata
Compromise build platform | Use in-toto to record and sign build metadata; use SPIRE to attest workers
Use bad dependency (i.e., A-H, recursively) | Limit access to internal package repositories with verified assets only
Upload an artifact that was not built by the CI/CD system | Use in-toto to record and sign build metadata
Compromise package repository | Use in-toto to record and sign build metadata
Trick consumer into using bad package | Verify metadata and signatures at admission control with cosign/Rekor
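Several rows of the table share one mitigation, recording and signing build metadata, because the same chain-of-custody check catches them: a build whose inputs do not match what was committed, and an artifact that no recorded build produced. The following added example (not in-toto's own code or TestifySec's) sketches that verification with in-toto's vocabulary of steps, materials, products and a layout naming the expected signer per step. The functionary keys, source tree and artifact bytes are constructed, and HMAC stands in for the asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed functionary keys. HMAC is used here as a stand-in for the
# asymmetric signatures an in-toto deployment would use.
KEYS = {"developer": b"constructed-dev-key", "ci-builder": b"constructed-ci-key"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_link(link: dict, keyid: str) -> dict:
    """Record a step's metadata and sign it as the named functionary."""
    payload = json.dumps(link, sort_keys=True).encode()
    sig = hmac.new(KEYS[keyid], payload, "sha256").hexdigest()
    return {"signed": link, "keyid": keyid, "sig": sig}


def signature_ok(envelope: dict) -> bool:
    key = KEYS.get(envelope["keyid"])
    if key is None:
        return False
    payload = json.dumps(envelope["signed"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, envelope["sig"])


# Layout: which functionary may sign each step and how steps chain together.
LAYOUT = {
    "commit": {"signer": "developer"},
    "build": {"signer": "ci-builder", "materials_from": "commit"},
}

# Constructed source tree and the artifact the CI system produces from it.
SOURCE = {"src/main.c": b"int main(void) { return 0; }\n"}
ARTIFACT = b"\x7fELF constructed-binary-bytes"


def record_commit(source: dict, keyid: str = "developer") -> dict:
    link = {"step": "commit", "materials": {},
            "products": {p: digest(b) for p, b in source.items()}}
    return sign_link(link, keyid)


def record_build(source_seen: dict, artifact: bytes, keyid: str = "ci-builder") -> dict:
    link = {"step": "build",
            "materials": {p: digest(b) for p, b in source_seen.items()},
            "products": {"app": digest(artifact)}}
    return sign_link(link, keyid)


def verify_chain(layout: dict, links: dict, artifact: bytes) -> list:
    """Return verification failures; an empty list means provenance checks out."""
    problems = []
    for step, rule in layout.items():
        env = links.get(step)
        if env is None:
            problems.append(f"{step}: no link metadata recorded")
            continue
        # The link must be signed by the functionary the layout names for it.
        if env["keyid"] != rule["signer"] or not signature_ok(env):
            problems.append(f"{step}: not validly signed by {rule['signer']}")
        # What this step consumed must be exactly what the upstream step produced.
        upstream = rule.get("materials_from")
        if upstream and upstream in links:
            produced = links[upstream]["signed"]["products"]
            for path, d in env["signed"]["materials"].items():
                if produced.get(path) != d:
                    problems.append(f"{step}: material {path} does not match {upstream} products")
    # The delivered artifact must be one the recorded build actually produced.
    build = links.get("build")
    if build and digest(artifact) not in build["signed"]["products"].values():
        problems.append("artifact digest does not match any build product")
    return problems


if __name__ == "__main__":
    honest = {"commit": record_commit(SOURCE), "build": record_build(SOURCE, ARTIFACT)}
    print("honest chain:", verify_chain(LAYOUT, honest, ARTIFACT))
    altered = {"src/main.c": b"int main(void) { return 1; }\n"}
    drifted = {"commit": record_commit(SOURCE), "build": record_build(altered, ARTIFACT)}
    print("build from code not matching source control:", verify_chain(LAYOUT, drifted, ARTIFACT))
```

The same `verify_chain` call flags a hand-uploaded artifact (its digest is not among the build's products) and a build link signed with the wrong functionary key, which is what attesting build workers with SPIRE and verifying at admission control are meant to make routine.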
Relatively few commercial/proprietary tools support this paradigm. Instead, we look to open source projects for software components to support verification in CI/CD systems.
Sigstore - Service and software that allows developers and administrators to:
in-toto - Attestation standard to secure the integrity of software supply chains
SPIFFE / SPIRE - a universal identity control plane for distributed systems
Tekton Chains - Kube Native CI/CD Solution with security baked in
Creating zero-trust supply chains requires policy as code, automated controllers, and attestable metadata. We are hard at work at TestifySec, working on products to help with the implementation of zero-trust supply chains for any environment from embedded to multi-cloud. Contact us if you would like to see what we are working on and how we can help your organization be compliant, agile, and secure.