2. What Is Software Supply Chain Security?
“Software supply chain attacks occur when the materials or processes of producing software are themselves compromised, resulting in vulnerabilities targeting downstream consumers of the software produced”
3. Limited Visibility Into Our Dependencies
Your dependencies likely have CRITICAL CVEs (Source: deps.dev)
4. Limited Visibility Into Source and Build Requirements
“There’s currently no guarantee that a package on npm is built from the same source code that’s published”
- Justin Hutchings, GitHub Director of Product Management
Can the source code history be verified?
Can the build system be verifiably linked back to source control?
6. Generate A Supply Chain Data Layer
Foundation for Supply Chain Transparency
Attestations
Signed metadata (typically how artifact was produced)
List of ingredients that make up the software components
Standard for signing and verifying software integrity
7. sigstore
Making sure your software’s what it claims to be
A new standard for signing, verifying and protecting software.
Great UX is fundamental to adoption.
Modern ‘keyless’ signing removes painful key management.
8. Sigstore, a new standard for signing, verifying and protecting software
● Key Pieces:
○ Cosign: sign things
○ Fulcio: sign things using short-lived certs
○ Rekor: verify & monitor (transparency log)
● All cryptographically verifiable, auditable, community operated
● Sigstore community hosts a free shared public-good instance
12. What do signatures guarantee?
● Signatures give you evidence that:
○ What you signed hasn’t changed
○ It came from the producer that signed it
● We want to sign our software
○ Artifacts (.jars, container images)
○ Git Commits
● We want to sign our supporting docs
○ SBOMs
○ Attestations
13. Software Bill of Materials (and friends)
[Diagram: "My Product" with an SBOM listing Component 1, Component 2, Component 3 and License 1, alongside Vulnerability Exploitability eXchange statuses: AFFECTED, NOT AFFECTED, FIXED, UNDER INVESTIGATION]
14. Attestations
A software attestation is a signed statement (metadata) about a software artifact
● Makes it possible to write automated policies that take advantage of structured metadata
● Fits into the SLSA Framework
EVIDENCE
15. Common Attestations
How it was Built (Provenance)
ko attests to the fact that it built a container image with digest "sha256:87f7fe…" from git commit "f0c93d…"
How it was Tested
GitHub Actions attests to the fact that the npm tests passed on git commit "f0c93d…".
What Security Scans it Passed
GitHub Actions attests to the fact that no vulnerabilities were found in container image "sha256:87f7fe…" at a particular time using a scanning tool
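An added example (not from the original slides) of the kind of automated policy slide 14 describes, applied to a provenance attestation like the one on slide 15: it decodes an in-toto statement carrying a SLSA v0.2 provenance predicate and checks the subject digest, builder and source commit. The builder ID, repository URI, artifact bytes and commit are constructed values, and the envelope signature is assumed to have been verified already (for example with cosign).

```python
import base64
import hashlib
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
# Hypothetical policy for this example: who may build, and from which repo.
POLICY = {
    "trusted_builders": {"https://example.com/builders/ko-ci"},
    "source_repo": "git+https://example.com/acme/app",
}

def make_envelope(artifact: bytes, builder: str, repo: str, commit: str) -> dict:
    """Build a constructed DSSE-style envelope wrapping an in-toto statement."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        "subject": [{"name": "app", "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder},
            "materials": [{"uri": repo, "digest": {"sha1": commit}}],
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload}

def evaluate(envelope: dict, artifact: bytes, expected_commit: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means admit."""
    # Assumption: the envelope signature was verified before this point.
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("predicateType") != SLSA_V02:
        return ["unexpected predicate type"]
    violations = []
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        violations.append("artifact digest is not a subject of this attestation")
    pred = stmt.get("predicate", {})
    if pred.get("builder", {}).get("id") not in policy["trusted_builders"]:
        violations.append("builder is not trusted")
    sources = [m for m in pred.get("materials", []) if m.get("uri") == policy["source_repo"]]
    if not any(m.get("digest", {}).get("sha1") == expected_commit for m in sources):
        violations.append("not built from the expected repo and commit")
    return violations

if __name__ == "__main__":
    commit = hashlib.sha1(b"constructed commit").hexdigest()  # constructed commit id
    env = make_envelope(b"constructed image", "https://example.com/builders/ko-ci",
                        POLICY["source_repo"], commit)
    print(evaluate(env, b"constructed image", commit) or "admit")
```

Checking the digest of the artifact in hand against the attestation's subject is what binds the policy decision to that exact artifact; a valid signature on an attestation for some other digest must not admit it.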
22. CIS Benchmarks Supply Chain Security Guide
❏ Ensure verification of signed commits for new changes before merging
❏ Ensure all artifacts on all releases are signed
❏ Ensure pipeline steps sign the SBOM produced
❏ Ensure signed metadata of the build process is required and verified
❏ Ensure a signed SBOM of the code is supplied
❏ Ensure all artifacts are signed by the build pipeline itself
❏ Ensure all signed artifacts are validated upon uploading to the package registry
❏ Ensure all versions of an existing artifact have their signatures validated
23. Secure Software Development Framework NIST SSDF
❏ Evaluate tools’ signing capabilities to create immutable logs for auditability
❏ Use commit signing for code repositories
❏ Use code signing to help protect the integrity of executables
❏ Confirm the integrity through digital signatures
❏ Post cryptographic hashes for release files on a well-secured website
❏ Protect the integrity of provenance data
❏ Provide a way for recipients to verify provenance data integrity
❏ Automatically review provenance and software composition data
❏ Make the provenance data available to the organization’s operations and response teams
24. Gitsign
“Keyless” git commit signing with Sigstore
● Sign with git commit -S
● Sign every commit by default (optional)
Meet SLSA Verified-History & Two-Person Review Reqs
github.com/sigstore/gitsign
26. Let’s Make Informed Risk Management Decisions
Supply chain metadata lets you drive policy decisions, events, alerts, etc. based on your security posture