Skip to content

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Secure Software Supply Chain Lifecycle in Cybersecurity.

License

Notifications You must be signed in to change notification settings

paulveillard/cybersecurity-secure-software-supplychain-lifecyle

Repository files navigation

Cybersecurity - Secure Software Supply Chain Lifecycle: Theory, Techniques, and Tools

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Secure Software Supply Chain Lifecycle in Cybersecurity.

Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

Theory

Theory - Table of Contents

Techniques - Table of Contents

Tools - Table of Contents

Introduction

Why software security and secure supply chains matter even more today:

image

Digital Transformation continues at a relentless pace, putting even greater responsiblity on business executives to meet new demands of a fully customer experience. With every organization now a software-driven company, technology leaders are expected to enable business outcomes like flexibility and scale from moving to the cloud. However, many struggle to maintain consisten security and performance in their complex, hybrid IT environment, stalling transformation efforts in their software factory.

Organizations need integrated security tooling and processes that support DevSecOps Practices, driven in part by the following

- Elevated complexity for secure development
- The growing use of open source components
- New attack vectors discovered each day
- Stricter regulatory requirements

Elevated complexity for secure development

The growing use of open source components

New attack vectors discovered each day

Stricter regulatory requirements

Software Supply Chain DevSecOps Challenge

The overall market is growing toward application platforms that can provide for the fast, secure, continuous deployment of great software experiences that companies compete by. But the reality is that enterprises often struggle with running these parallel tasks. Their challenges include the following:

image-2

  • Maintaining and Improving legacy applications and infrastructure is complicated and places strain on already limited IT Resources
  • Building and running brand new applications using modern frameworks and cloud-native application architectures increases cognitive load for dev teams
  • Security is often an afterthought that's handled by security and IT operations teams at the end of the application development life cycle, with little to no collaboration with app development and other teams.
  • Disparate application security and DevOps tools, practices and disjointed processes result in tool sprawl; this impedes collaboration, visibility, and productivity and increases the change of human error.

DevSecOps Best Practices for Developers:

  • Implement Security Early and Often
  • Automate Security Wherever Possible
  • Emphasize Collaboration between development, security, and operations teams
  • Use secure coding practices
  • Conduct regular security assessments
  • Continuously monitor and improve security

Enabling a Successful DevSecOps Practice

Successfully implementing DevSecOps begins well before the application pipeline. As a first step, organizations will want to ensure their underlying infrastructure and application services are running on an enterprise open source foundation prehardened with built-in security tools and features.

Developers need security scanning and guidance across all aspects of cloud-based applications. Beyond just the software packages, they need security coverage on tooling, application configurations, and the entire solution architecture, including infrastructure.

Developers also need flexibility to move workloads to any footprint that works best with consumption options to match the organization’s needs for an open hybrid cloud. Building on trusted, industry-proven container orchestration platforms adds the advantages of standards and consistency to continue their investments in, for example, a Kubernetes-native Java framework like Quarkus.

1) Get trusted images and libraries out-of-the-box

  • Stay on top of the latest vulnerabilities and security risks by making use of trusted content in the form of libraries from popular application frameworks available including Java, Node.js, Python, Go, and packages from Red Hat Enterprise Linux (RHEL).

2) Maintain a highly available container registry from which to securely access and incorporate attested, curated packages

  • Restrict access to the container registry and the images stored within using granular role-based access controls (RBAC) to reduce risk of unauthorized entry.
  • Securely store and manage images that are used to deploy applications and services, ensuring that only trusted images are used in production.
  • Run rootless container images to install packages and run services safely within the container without impacting the host.
  • Increase transparency and visibility across software factories to build trust between security teams and DevOps teams.
  • Allow image signing for verification and authentication, which helps prevent malicious code from being added to the registry.
  • Verify the authenticity of the software build of materials and prevent tampering to ensure code integrity.
  • Support the use of digital signatures and certificates that attests to the origin of software components as coming from a trusted source.

3) Protect source code and dependencies in code management with security best practices

  • Analyze and detect potential vulnerabilities, malware, or other malicious code before they are consumed across software factories.
  • Make use of automated code analysis to scan for potential security vulnerabilities in images and for other security issues before they’re committed to the code repository.
  • You need to carefully manage dependencies, and any libraries or components used in the build process should be regularly audited for vulnerabilities.
  • Component analysis helps organizations identify and assess the risk of third-party components in their software supply chain.

4) Strengthen the CI/CD pipeline with an automated chain of trust and approval gates

  • Control the flow of software dependencies and ensure that only trusted packages are used in builds and deployments to prevent poisoned pipeline execution in the software factory.
  • Manage and secure the use of various software components that make up the build by first auto-generating software bill of materials (SBOMs) with metadata on how each artifact was built.
  • Authenticate provenance to industry standards through version control, auditing, and traceability of all software components used in the development process.
  • Automate CI/CD pipelines with regular security checks integrated throughout the build process to ensure all inputs and outputs are secure as teams compile code, build images, and run tests.
  • Institute strong protections against tampering through cross-build contamination.
  • Immediately detect and alert on any changes or unauthorized modifications to the source code and OSS dependencies that are impacting build artifacts stored in the repository.
  • Determine which versions of what components were used in any given application and understand the impact of that change to mitigate risks in the SDLC.

5) Monitor applications at runtime with contextual insights into vulnerabilities and threats to deployed workloads

  • Ensure that deployment environments are secure at runtime by implementing proper access controls, threat prevention and anomaly detection, network segmentation, and runtime vulnerability detection.
  • Provide complete end-to-end visibility into all components and their respective sources to continuously monitor and proactively identify changes in the risk profile caused by malicious components.
  • Implement monitoring and logging systems that instantly detect, alert, and direct on potential security incidents.

Tools

Software Supply Chain Security - Tools

Introduction - What this is all about

There is no prescribed taxonomy for this domain. This list will necessarily have some overlap with disciplines and categories such as DevSecOps, SAST, SCA and more.

The supply-chain-synthesis repo offers a long-form read on why that's the case, plus helpful pointers to understand and navigate it as it evolves.

For awesome-software-supply-chain-security we take the following high-level approach: different actors in the supply chain contribute attestations to the elements represented in the chain.

In this process-centric view, attestations are emitted, augmented (e.g., during composition) and verified.

Another way to look at this was described here by Josh Bressers, and here's a narrative example in the wild from Spotify

Using this lens we can identify a large group of "subjects" (dependencies), distinct categories of "facts" (licenses or vulnerabilities) and the specific role of identity, provenance and build systems. This is the rationale behind the current headings, which are expected to evolve with the domain.

Other examples of the ongoing process to define the domain include Add Bad Design as a supply chain scenario · Issue #249 · slsa-framework/slsa and How does SLSA fit into broader supply chain security? · Issue #276 · slsa-framework/slsa. Check out this tweet from Aeva Black with Dan Lorenc for another in-a-pinch view of a couple key projects.

Dependency intelligence

This section includes: package management, library management, dependency management, vendored dependency management, by-hash searches, package, library and dependency naming, library behavior labeling, library publishing, registries and repositories, publishing gates and scans, dependency lifecycle.

Also read:

SCA and SBOM

This section includes: package/library scanners and detectors, SBOM formats, standards, authoring and validation, and a few applications. Will likely include SCA.

The most complete reference is awesomeSBOM/awesome-sbom. Another helpful repo focusing on generators is cybeats/sbomgen: List of SBOM Generation Tools.

More interesting resources:

A few open source projects are documenting, in public, how they acquire dependencies. This intentional, human-parsable, long-form examples can be illustrative:

Vulnerability information exchange

A dedicated section on VEX reads:

Also see:

Point-of-use validations

This section includes: admission and ingestion policies, pull-time verification and end-user verifications.

Also see:

Supply chain beyond libraries

And a few things to watch beyond libraries and software dependencies:

Identity, signing and provenance

This section includes: projects and discussions specifics to developer identity, OIDC, keyrings and related topics.

Frameworks and best practice references

This section includes: reference architectures and authoritative compilations of supply chain attacks and the emerging categories.

Also see:

Build techniques

This section includes: reproducible builds, hermetic builds, bootstrappable builds, special considerations for CI/CD systems, best practices building artifacts such as OCI containers, etc.

Also see:

Talks, articles, media coverage and other reading

Getting started and staying fresh

And a collection of reads and listens, ranging from insightful blog posts, explainers/all-rounders and some long-form analysis (we've tried to keep deep dive reads scoped to other sections)

License

MIT License & cc license

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.

About

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Secure Software Supply Chain Lifecycle in Cybersecurity.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published