Chief Information Security Officers (CISOs) and their federal government equivalents (authorizing officials) likely often find themselves repeating a corporate version of the “serenity prayer:”
…grant me the serenity to accept the things I cannot change, courage to change the things I can, and wisdom to know the difference.
It’s because these leaders have to manage security risks with limited budget and time while most workers in modern companies want more software, faster, and the other executives are eager for the associated productivity and innovation gains. In short, CISOs manage strategic risk by trying to prevent and mitigate common and severe security breaches, a difficult task since software security generally appears as a digital appendage bolted on rather than as lifeblood baked in.
Sigstore, an open source software signature project available free for use, answers this CISO serenity prayer by offering three key benefits to CISOs:
- Software Integrity: Sigstore helps CISOs meet the digital signature requirements of software security frameworks such as NIST’s secure software development framework and Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”). Sigstore also provides authenticity and non-repudiation, creating chain-of-custody records for software artifacts.
- Ease and Convenience for Software Teams: Sigstore provides a developer-friendly method for signing and verifying software artifacts. This smooth developer experience makes it easier for CISOs to enforce software security policies.
- Risk-Informed Software Consumption: Sigstore enables organizations and individuals to sign and verify useful claims about software (“attestations”) such as SBOMs and provenance, creating evidence about otherwise opaque software. This evidence enables security audits.
Protecting Software Integrity as Required by NIST SSDF and SLSA
Companies and governments have been learning the hard way that tampering with software is an increasingly common means of breaking into computer networks. Information security frameworks such as the National Institute of Standards and Technology’s (NIST) secure software development framework (SSDF) have consequently explicitly embraced anti-tampering techniques such as code signing, commit signing, and software release integrity. The goal of these frameworks is source-to-system integrity. The SLSA framework goes a step further by making integrity its core principle and providing users with an incremental path to increasing software assurance, one level at a time.
This inability of many organizations to verify the integrity of the software they produce and consume is a problem that the digital signatures provided by Sigstore help address. Digital signatures are the equivalent of a tamper-proof seal, a cryptographic means to ensure that no 3rd party tampered with a software in between the producer and the consumer. Sigstore helps software teams create digital signatures for software artifacts like containers and git commits. Sigstore also ensures that software consumers can verify that no seal has been broken, meeting the security goals of a CISO and satisfying the requirements of modern software supply chain security frameworks.
A Developer-Friendly Method for Signing and Verifying Software Artifacts
Importantly, Sigstore enables these integrity measures without erecting high barriers to use so that software supply chain security practices can fit within existing organizational processes.
Signing tools associated with PGP have a history of making unrealistic assumptions about the ability of users to correctly use cryptographic signing tools. One in-depth user study of PGP found that a majority of participants, despite being allotted 90 minutes, were unable to sign and encrypt an email message and a quarter of participants actually exposed the secret keys they were supposed to protect.
Sigstore makes signing and verifying software artifacts easy. Sigstore enables “keyless” signing in which the software developer signing the artifact does not need to create and store long-lived credentials specific to signing an artifact. This removes a major headache for developers and a security risk for the company. Instead, Sigstore allows developers to use their digital identity associated with GitHub, Google or other similar online services to sign artifacts.
Risk-Informed Software Consumption: Using Signed SBOMs and Provenance
Sigstore also enables software consumers to make risk-informed decisions about what software to consume based on signed software metadata, or “attestations.” Users of Sigstore can not only attest who authored an artifact, the traditional use of signing, but attest where and how a software artifact was built (“provenance”) or what components are in a software artifact (a software bill of materials or SBOM). Companies can then determine policies about what software artifacts to consume and use these signed metadata documents to enact these policies. The evidence that Sigstore allows a company to create then enables software supply chain security audits.
In other words, Sigstore is for CISOs too. If you’re interested in protecting the integrity of your organization’s software supply chain, then Sigstore is for you.