More Related Content
Similar to Oh The Places You'll Sign.pdf
Similar to Oh The Places You'll Sign.pdf (20)
More from LibbySchulze
More from LibbySchulze (20)
Recently uploaded
Recently uploaded (20)
Oh The Places You'll Sign.pdf
- 1. John Osborne josborne@chainguard.dev @CloudLvlMidnite How Sigstore Accelerates a Software Supply Chain Journey https://chainguard.dev Oh The Places You’ll Sign
- 2. What Is Software Supply Chain Security? “Software supply chain attacks occur when the materials or processes of producing software are themselves compromised, resulting in vulnerabilities targeting downstream consumers of the software produced”
- 3. Limited Visibility Into Our Dependencies App Your dependencies likely have CRITICAL CVEs (Source: deps.dev)
- 4. Limited Visibility Into Source and Build Requirements “There’s currently no guarantee that a package on npm is built from the same source code that’s published” - Justin Hutchings, GitHub Director of Product Management Can the source code history be verified? Can the build system be verifiably linked back to source control?
- 5. Building Transparency In The Software Supply Chain
- 6. Generate A Supply Chain Data Layer Foundation for Supply Chain Transparency Attestations Signed metadata (typically how artifact was produced) List of ingredients that make up the software components Standard for signing and verifying software integrity
- 7. sigstore Making sure your software’s what it claims to be A new standard for signing, verifying and protecting software. Great UX is fundamental to adoption. Modern ‘keyless’ signing removes painful key management.
- 8. Sigstore, a new standard for signing, verifying and protecting software ● Key Pieces: ○ Cosign: sign things ○ Fulcio: sign things using short lived certs ● Rekor: verify & monitor (transparency log) ● All cryptographically verifiable, auditable, community operated ● Sigstore community hosts a free shared public-good instance
- 10. Signing and Verifying (also git commits - more later) Images $ cosign sign josborne/myimage Blobs $ cosign sign-blob ./myblob Attestations $ cosign attest josborne/myimage --predicate ./att.json SBOMs $ cosign attest josborne/myimage --predicate ./sbom Images $ cosign verify josborne/myimage Blobs $ cosign verify-blob ./myblob Attestations $ cosign verify-attestation josborne/myimage SBOMs $ cosign verify-attestation josborne/myimage
- 11. cosign demo
- 12. What do signatures guarantee? ● Signatures give you evidence that: ○ What you signed hasn’t changed ○ It came from the producer that signed it ● We want to sign our software ○ Artifacts (.jars, container images) ○ Git Commits ● We want to sign our supporting docs ○ SBOMs ○ Attestations
- 13. Software Bill of Materials (and friends) Component 1 Component 2 Component 3 License 1 AFFECTED NOT AFFECTED FIXED UNDER INVESTIGATION My Product Vulnerability Exploitability eXchange
- 14. DENCE Attestations A software attestation is a signed statement (metadata) about a software artifact ● Makes it possible to write automated policies that take advantage of structured metadata ● Fits into the SLSA Framework EVIDENCE
- 15. Common Attestations How it was Built (Provenance) ko attests to the fact that it built a container image with digest "sha256:87f7fe…" from git commit "f0c93d…" How it was Tested GitHub Actions attests to the fact that the npm tests passed on git commit "f0c93d…". What Security Scans it Passed GitHub Actions attests to the fact that no vulnerabilities were found in container image "sha256:87f7fe…" at a particular time using a scanning tool
- 16. Sigstore Provides Integrity for Attestations sign sign & verify continuous verification SLSA NIST SSDF CIS Benchmarks
- 17. SLSA Level 1 SLSA SLSA Level 1 ● Scripted Builds ● Provenance Available SLSA Level 1 Attestation Example
- 18. SLSA Level 2 SLSA SLSA Level 2 Attestation Example Verify SLSA Level 2 ● Use a Build Service ● Sign & Verify Provenance Sign Verify Signature
- 19. Verify Attestation SLSA Level 3 SLSA SLSA Level 3 Attestation Example Verify SLSA Level 3 ● Build As Code ● Non-Falsifiable Provenance ● External KMS Sign
- 20. Verify SLSA Level 4 SLSA SLSA Level 4 Attestation Example Verify SLSA Level 4 ● Reproducible Build ● Provenance of Transitive Deps Sign
- 21. Verify Kim SLSA Level 4 Code Review SLSA Verify Dan Signs Kim Signs Verify Dan
- 22. ❏ Ensure verification of signed commits for new changes before merging ❏ Ensure all artifacts on all releases are signed ❏ Ensure pipeline steps sign the SBOM produced ❏ Ensure signed metadata of the build process is required and verified ❏ Ensure a signed SBOM of the code is supplied ❏ Ensure all artifacts are signed by the build pipeline itself ❏ Ensure all signed artifacts are validated upon uploading the package registry ❏ Ensure all versions of an existing artifact have their signatures validated Supply Chain Security Guide CIS Benchmarks
- 23. Secure Software Development Framework NIST SSDF ❏ Evaluate tools’ signing capabilities to create immutable logs for auditability ❏ Use commit signing for code repositories ❏ Use code signing to help protect the integrity of executables ❏ Confirm the integrity through digital signatures ❏ Post cryptographic hashes for release files on a well-secured website ❏ Protect the integrity of provenance data ❏ Provide a way for recipients to verify provenance data integrity ❏ Automatically review provenance and software composition data ❏ Make the provenance data available to the organization’s operations and response teams
- 24. Gitsign “Keyless” git commit signing with Sigstore ● Sign with git commit -S ● Sign every commit by default (optional) Meet SLSA Verified-History & Two-Person Review Reqs github.com/sigstore/gitsign
- 25. gitsign demo
- 26. Let’s Make Informed Risk Management Decisions Supply chain metadata allows you to make policy decisions, events, alerts, etc based on your security posture