software supply chain musings
starting point for thinking about software supply chain security
SEAN K.H. LIAO
software supply chain
attacker end goals:
- use compute resources: cryptominers
- extract data: keys, wallets, user/application data
- persistent access
chain
assuming trusted local dev environment
- code
  - permissions to modify access control
  - written by project developers
    - developers hold trusted commit keys
  - block unauthorized code
    - transport layer: https / ssh
    - commit level: signed
  - dependencies, imported
    - pinned, audited versions
    - content addressed or vendored
- continuous integration
  - permissions to modify the pipeline
  - security scans
    - source code level
    - dependency versions
    - built artifacts scan
  - compiler / packaging
    - trusted not to insert backdoors?
    - reproducible builds
    - also signed?
  - verify the artifacts came through trusted pipeline
  - ci system holds trusted keys for pushing artifacts
- continuous deployment
  - permissions to modify the pipeline
  - only deploy trusted artifacts, signed?
  - push trigger vs pull:
    - push from ci / same system as ci: ci compromise == cd compromise, but faster
    - watch and pull from artifact store: safer, slower
  - cd system holds trusted keys for deploying to production
- execution environment
  - permissions to access the environment
  - permissions to modify access control
  - environment needs to be kept up to date
  - only run artifacts with a clean audit trail, signed?
  - execution environment holds trusted keys for accessing application data
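
an added example, not code from the original page: a pull-style cd gate that admits an artifact only if its content matches its address and the ci key signed that digest. the names `Entry`, `Publish`, `Admit` and `Demo`, the in-memory store and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is a record in a hypothetical content-addressed artifact store.
type Entry struct {
	Name      string // content address: hex sha256 of Blob
	Blob, Sig []byte // Sig is the CI signature over the digest
}

// Publish is the CI side: the only holder of the private signing key.
func Publish(ciKey ed25519.PrivateKey, blob []byte) Entry {
	sum := sha256.Sum256(blob)
	return Entry{Name: hex.EncodeToString(sum[:]), Blob: blob, Sig: ed25519.Sign(ciKey, sum[:])}
}

// Admit is the CD side: it pulls an entry and holds only the CI public key.
func Admit(ciPub ed25519.PublicKey, e Entry) error {
	sum := sha256.Sum256(e.Blob)
	if hex.EncodeToString(sum[:]) != e.Name {
		return errors.New("content does not match its address")
	}
	if !ed25519.Verify(ciPub, sum[:], e.Sig) {
		return errors.New("not signed by the trusted pipeline")
	}
	return nil
}

// Demo admits three constructed entries: untouched, blob swapped in the
// store, and a correctly addressed entry signed by a key that is not CI's.
func Demo() [3]error {
	ci := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize)) // fixed seeds: demo only
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	pub := ci.Public().(ed25519.PublicKey)
	good := Publish(ci, []byte("app v1"))
	swapped := good
	swapped.Blob = []byte("app v1 modified in store")
	foreign := Publish(other, swapped.Blob)
	return [3]error{Admit(pub, good), Admit(pub, swapped), Admit(pub, foreign)}
}

func main() { fmt.Println(Demo()) }
```
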
other
- trusted environment
  - for dev and prod
  - root of trust in hardware
    - secure boot + ...