Unpacking the CNCF Software Supply Chain Security Best Practices Whitepaper

by Cole Kennedy, James Bohrman | Tuesday, Aug 3, 2021 | Security Supply Chain Security CNCF

Introduction

The increasing frequency of software supply chain attacks over the past few years has seen a lot of attention directed at the open source software that secures the software build process. Although the number of successful exploits is relatively small, the ramifications of these successful exploits are often far-reaching and catastrophic, and they have the potential to entice further attacks.

Despite the increasing importance of addressing these vulnerabilities, there is still somewhat of a blind spot when it comes to processes and mitigation strategies for addressing supply chain vulnerabilities. Hence, the Cloud Native Computing Foundation (CNCF) developed the Supply Chain Best Practices Paper to bridge this documentation gap by providing a holistic approach to architecting a secure supply chain.

This paper draws recommendations and insights from top security practitioners in the industry, state of the art academic research, and the work of the United States Air Force. It also provides a reference guide for securing software supply chains, and provides insight into the commonly used practices.

What is the CNCF?

The CNCF is a non-profit Linux foundation subsidiary created to encourage organizations to build and run scalable applications in cloud-native environments.

The CNCF was created in 2015 and is supported by over 500 members, including the world’s biggest computing and software companies, as well as over 200 innovative startups. For more information about CNCF, please visit www.cncf.io.

What is the goal of the Software Supply Chain Security Whitepaper?

The Software Supply Chain Security Best Practices (SSCSP) whitepaper was developed to provide the software community with a series of recommended practices, tooling options, and design considerations that reduces the likelihood and impact of a successful supply chain attack.

The paper defines four key principles that are crucial for securing the steps of a supply chain:

1. Trust: Every step in a supply chain should be “trustworthy” due to a combination of cryptographic attestation and verification.
2. Automation: Automation is critical to supply chain security and can significantly reduce the possibility of human error and configuration drift.
3. Clarity: The build environments used in a supply chain should be clearly defined, with limited scope.
4. Mutual Authentication: All entities operating in the supply chain environment must be required to mutually authenticate using hardened authentication mechanisms with regular key rotation.

The SSCSP whitepaper also operationalizes the four key principles in several stages. First, internal code repositories and associated entities are protected with processes like commit signing, vulnerability scanning, contribution rules, policy enforcement. Then, ingested second party and third-party materials are scanned and examined to ensure trustworthiness and immutability.

There should be a “separation of concerns” between each build step and workers to ensure a secured build pipeline, and all artifacts produced by the supply chain must carry signed metadata attesting to its contents. The artifacts will be independently verified and revalidated during the deployment stages. Each of the stages involves different considerations and guiding principles, and they complement one another for a comprehensive and holistic approach.

Who developed this whitepaper?

The SSCSP whitepaper was published by the CNCF Security Technical Advisory Group (STAG) which aims to discover and produce resources that will enable secure access, quality control, and safety for operators, administrators, developers, and end-users across the cloud-native ecosystem.

The STAG maintains a detailed catalog of known supply chain attacks going back to as far as 2003. For more information about STAG, please visit the STAG GitHub page.

How does BoxBoat help organizations adopt these best practices?

At BoxBoat, we understand the importance of supply chain security. One of our major commitments is towards increasing the security of DevOps processes of which a major part is addressing software supply chain security.

As mentioned in our Supply Chain Security by Verification blog post, we have been working with the CNCF STAG group on implementing an evidence-based trust system for secure software delivery that mitigates key and root credential loss.

We also consult with security-conscious enterprise organizations and the DOD to implement frameworks such as in-toto for verification and the SPIFFE/SPIRE framework for universal service identity.

BoxBoat is also heavily active in educating the next generation of contributors and leaders in the cloud-native industry. We offer training and assessments to a variety of private and federal organizations that are both just starting their cloud-native transformation and those that have been leveraging cloud-native technology for a while and want to keep their skills sharp.

Conclusion

The recent executive order on cybersecurity has made it more important than ever to make the security of your software supply chain a top priority. With the release of this whitepaper, organizations now have a roadmap to enhance their software supply chain security. If you would like to read the entire whitepaper, you can check it out here.