Securing the software supply chain is of paramount importance to the tech industry today. However, it remains a big challenge as several best practices need to be implemented in order to successfully secure it. To give you an idea of the scale of the challenges, this whitepaper from the Cloud Native Computing Foundation (CNCF) outlines best practices for supply chain security. It breaks the problem space into 5 key areas (source code, dependencies, build pipelines, artifacts and deployments) and altogether documents a set of 54 best practices.
These set of practices can be very overwhelming to organizations starting out on this journey and have to ask themselves:
- Where do you start?
- Is there tooling that can help?
- How do I pick the right path to go down?
The bad news is that you do need to figure out which of these practices matter for your particular organization and how you might approach tackling them. The good news is that there are some incredible open source tools emerging to help and folks from Citi have launched an amazing initiative to help put these all together.
The team at Citi has created a prototype implementation for a secure software supply chain. It is based on the upcoming CNCF's Secure Software Factory Reference Architecture and the Software Supply Chain Best Practices White Paper. The purpose of the project is to provide a set of tools, patterns, and policies in order to build artifacts with increased confidence around their authenticity and integrity, and with traceable provenance.
The Secure Software Factory uses best-in-class open source projects including Sigstore and Tekton. It was built with three key goals in mind:
- Secure by default - the design and configuration were carefully crafted to provide a secure platform
- SLSA ready - the platform implements SLSA guidelines to ensure software security and supply chain integrity
- Simple & Fast - it takes one single command to deploy it all
Sigstore is a new standard for signing, verifying and protecting software. It is an OpenSSF project that dramatically simplifies signing through better automation and user-friendly tools for a safer chain of custody tracing software back to source. Tekton is a powerful and flexible open source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems. Tekton is a Continuous Delivery Foundation project that is one of the first CI/CD systems to be secure-native.
The table below outlines some of the key open source software projects used and what purpose they serve in the reference architecture:
|Secure Supply Chain Component||Reference Architecture Project|
|Automated Signing||Sigstore Cosign|
|Pipeline Framework (CI/CD pipelines)||Tekton Pipelines|
|Pipeline Observer||Tekton Chains|
|Scheduling and Orchestration platform||Kubernetes|
Michael Lieberman and Brad Beck from Citi showcased the project at a recent meeting of the OpenSSF’s Supply Chain Integrity working group.
The demo was well received by the community, and Citi's plan is to contribute this project to the OpenSSF Supply Chain Integrity working group. They will also be welcoming contributions and feedback from the wider community. It’s a well needed initiative and we encourage folks to check out the resources and get involved.
- The Secure Software Factory Documentation
- The Secure Software Factory GitHub Repo
- CNCF Software Supply Chain Best Practices White Paper