《阿联酋创新技术研究院(TII):2024供应链安全白皮书:安全漏洞修复策略研究(英文版)(21页).pdf》由会员分享,可在线阅读,更多相关《阿联酋创新技术研究院(TII):2024供应链安全白皮书:安全漏洞修复策略研究(英文版)(21页).pdf(21页珍藏版)》请在三个皮匠报告上搜索。
1、SUPPLY CHAIN SECURITY 1Technology Innovation InstituteABSTRACTDespite billions of dollars of investment in software supply-chain security tools,enterprises and governments continue to be hacked.At the Security Systems Research Center of the Technology Innovation Institute(TII SSRC,Abu Dhabi,UAE,tii.
2、ae/secure-systems),researchers are working on new solutions to seal up the security gaps that make these breaches possible.This white paper delves into SSRCs work to bolster supply-chain security(SCS)security across efforts like Supply-Chain Levels for Software Artifacts(SLSA,slsa.dev),the open-sour
3、ce Nix package manager(nixos.org),and Identity and Access Management(IAM)infrastructures,all to automate a secure build pipeline.Key enhancements include new Software Bill of Materials(SBOM)generation tools,vulnerability-management automation,a flexible public key infrastructure,an automated Zero Tr
4、ust development-and-build pipeline,and creation of scalable and ephemeral build environments.2Technology Innovation Institute3INTRORecent years have seen a marked increase in attacks on the software supply-chainwith notable impacts on such security-conscious organizations as SolarWinds,Microsoft,OKT
5、A,Kaseya,and British Airways.These attacks typically involve malicious or vulnerable code inserted into legitimate products at almost any stage of the products lifecycle.Perhaps most alarmingly,at the end of March 2024,a Microsoft developer reported that someone(just who is still unknown)had planted
6、 a back door in the XZ compression tool slated for inclusion in coming Linux updates.1 Had they succeeded,this vulnerability could have given the perpetrators remote access to Linux systems underpinning much of the modern economy.This vulnerability was not discovered by a security researcher,but rat
7、her by a performance engineer who wondered why the compression utility seemed to be running so slowly.These threats have prompted significant regulatory and industry-led responses,notably U.S.Executive Order 14028:Improving the Nations Cybersecurity.2 The order mandates Software Bills of Materials(S
8、BOMs)for all software delivered to the American government.Concurrently,industry-led initiatives such as the Supply-Chain Levels for Software Artifacts(SLSA)framework seek to standardize verification methods and terminology in software delivery.An added challenge is that sometimes new vulnerabilitie
9、s(such as the Log4shell vulnerability in the Log4J logging tool 3)are discovered in open-source libraries long after development teams have adopted them.Once these weaknesses are found,development teams face a race against time to patch them,which takes them away from regular development activities.
10、Sonatypes 2023 State of Software Supply Chain report found that 245,000 malicious packages had been discovered during the previous yeartwice the number discovered in all previous years combinedand that one-eighth of all downloaded open-source code contains known risks4.In the interconnected modern b
11、usiness ecosystems,amplified by the proliferating Internet of Things(IoT),business opportunities and heightened risks of cyberattacks seem to go hand-in-hand.The industry advisory firm Cybersecurity Ventures predicts that the cost of cybercrime will rise from$3 trillion in 2015 to$10.5 trillion by 2
12、025.Enterprises spent about$150 billion on cybersecurity tools in 2021,up about 12.8%from the previous year.However,McKinsey researchers have argued that the scope and cost of security threats suggest a$2 trillion market opportunity.6.1 Goddin,Dan.“What we know about the XZ Utils backdoor that almos
13、t infected the world,”Ars Technica,Apr.1,2024.https:/ Order 14028:Improving the Nations Cybersecurity,”issued by U.S.President Joseph R.Biden,Jr.on May 21,2021.https:/www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/3“Log4j vulne
14、rability-what everyone needs to know,”National Cyber Security Center,Dec.15,2024.https:/www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know 4“Understanding Open-Source Adoption:Insights from the 9th State of the Software Supply Chain Report.”Accessed:Apr.05,2024.Online.Availa
15、ble:https:/ 5“2023 Official Cybercrime Report,”eSentire.Accessed:Apr.05,2024.Online.Available:https:/ 6“New survey reveals$2 trillion market opportunity for cybersecurity technology and service providers|McKinsey.”Accessed:Apr.05,2024.Online.Available:https:/ Innovation Institute4Technology Innovati
16、on InstituteWhen malefactors breach front-line security tools and infrastructure,the situation becomes critical,and the computing establishment quickly focuses on the issues.But securing the back-end software supply chain,the structure that delivers the applications,demands just as much attention.Ke
17、eping software clean requires considering in detail the complex ecosystem of development tools,code libraries,compilers,and hosting infrastructure.The security research community has thus been exploring many ways of hardening and enforcing a chain of trust around the tools for developing,building,an
18、d deploying code.Its important to note that modern software supply chains span wide ranges of processes,tools,and artifactsincluding code libraries,code management,development practices,and provisioning infrastructures.A weakness in any part of this chain can allow hackers to insert malicious code i
19、nto applications and infrastructure.Protecting software components throughout their lifecycles,from design to delivery,is critical for maintaining business reputation,safeguarding intellectual property,and ensuring customer safety.Clearly,development organizations must cultivate appropriate combinat
20、ions of tools,infrastructure,and workflows to protect their software and its infrastructure.The TIIs SSRC has explored best practices for building a Secure Software Supply Chain as part of its work on the Ghaf framework for building a highly secure virtual OS and ecosystem that covers phones,worksta
21、tions,drones,and embedded systems using a Zero Trust architecture(ZTA).The Ghaf platform is an essential tool in research and development for implementing Zero Trust frameworks,necessitating a secure development process.1 Goddin,Dan.“What we know about the XZ Utils backdoor that almost infected the
22、world,”Ars Technica,Apr.1,2024.https:/ Order 14028:Improving the Nations Cybersecurity,”issued by U.S.President Joseph R.Biden,Jr.on May 21,2021.https:/www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/3“Log4j vulnerability-what e
23、veryone needs to know,”National Cyber Security Center,Dec.15,2024.https:/www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know 4“Understanding Open-Source Adoption:Insights from the 9th State of the Software Supply Chain Report.”Accessed:Apr.05,2024.Online.Available:https:/ 5“2
24、023 Official Cybercrime Report,”eSentire.Accessed:Apr.05,2024.Online.Available:https:/ 6“New survey reveals$2 trillion market opportunity for cybersecurity technology and service providers|McKinsey.”Accessed:Apr.05,2024.Online.Available:https:/ Innovation Institute5HOW SOFTWARE SUPPLY CHAINS GET COM
25、PROMISEDInfrastructure as Code:The complexity of Infrastructure as Code(IaC)tools for automating provisioning,combined with human error,can sometimes overlook misconfigurations.These can replicate across running infrastructure to turn simple coding errors into significant vulnerabilities.Leaked secr
26、ets:Secrets such as passwords and tokens are sometimes embedded in code,either accidentally or for the coders convenience.Hackers who discover these keys gain direct access to critical systems to steal data or plant malware.CI/CD pipeline:Continuous Integration/Continuous Deployment pipelines automa
27、tically provision and deploy of new code.When CI/CD systems are compromised,hackers can introduce malicious code into production systems.Over-provisioning of access:Poor security policies may result in overprovisioning access(giving a set of credentials wider rights than strictly necessary)to develo
28、pment environments.Hackers who access these credentials or malicious insiders introduce malicious code,steal data,or install backdoors for further exploitation.Open source and third-party components:Malicious actors sometimes plant malware or backdoors in software components incorporated into new so
29、ftware or the tools and systems used to build software.In other cases,new vulnerabilities are discovered in existing libraries;these must be patched and deployed into releases.Compromised development tools and accounts:Hackers who compromise a developer account can introduce malware and vulnerabilit
30、ies into software build systems,compilers,and code management services like GitHub.Update infrastructure:Hackers sometimes find ways to access the infrastructure responsible for software updates to inject malware.(SIDEBAR)Modern software supply chains are built across complex ecosystems of tools,ser
31、vices,and processes.Each element may have potential vulnerabilities,and these may sometimes be compromised.Here are some examples:Technology Innovation Institute6SUPPLY CHAIN SECURITY LIFECYCLESecurity vendors and the open-source community have developed various security tools to help protect multip
32、le aspects of the software supply chain.For example,software composition analysis helps inventory code in production and under development,to check it against vulnerability reporting databases.Application security tools(AppSec)apply various security-testing approaches to identify security issues.Sec
33、ure code management tools help protect code repositories from malicious changes.1“Understanding Open Source Adoption:Insights from the 9th State of the Software Supply Chain Report.”Accessed:Apr.05,2024.Online.Available:https:/ Innovation Institute7BRIEF WALKTHROUGH OF SCS LIFECYCLE(SIDEBAR)ActorCod
34、e ReviewPull Request ApprovedBuildMessage ServiceActorCode Changes Pull RequestHardware TestsGenerate ProvenanceVulnerability AnalysisPull Request BuildSmoke TestTest ResultsBinaryVA ResultsProvenance/SBOMWeb ServerFigure 1:SCS lifecycle required to amalgamate binaries,SBOM,test results,and vulnerab
35、ility data.Essential efforts that stand out in hardening this chain of trust are Nix for packages,SLSA for practices,SBOMs for components,and public key infrastructure for signing software artifacts:Software Composition Analysis(SCA):Plays a crucial role in identifying and monitoring software compon
36、ents and their dependencies.Its implementation provides real-time visibility into the software supply chain,enhancing security measures.TSupply-Chain Levels for Software Artifacts(SLSA):The OpenSSF specifies a framework for safe development practices for hardening development processes.Nix:Package m
37、anager helps build tamper-evident seals in containers that help transform raw ingredients into application binaries.Software Bill of Materials(SBOM):Helps track the components that go into the final product,making it easier to identify and remediate vulnerable components across infrastructure and en
38、suring that they do not find a way into future software builds.Public Key Infrastructure(PKI):Helps automate Identity and Access Management(IAM)to ensure that only authorized users and applications can add,change,delete or execute software artifacts.Technology Innovation InstituteThese efforts are a
39、ll making meaningful progress and are still early in their maturity and adoption.So,the Technology Innovation Institutes Secure Software Research Center has led research to help understand some of the current challenges,add new capabilities where required,and improve workflow flexibility,hardening o
40、verall software supply chain security.This work parallels SSRCs broader Ghaf program to develop Zero Trust secure virtual operating systems for workstations,phones,drones,and other embedded systems.8Technology Innovation Institute9KEY TII ADVANCES(SIDEBAR)SLSA:The Supply-Chain Levels for Software Ar
41、tifacts(SLSA)framework offers a set of standards for ensuring software artifact integrity.The TII created a framework for combining the SLSA provenance record and the SBOM,furnishing them alongside each binary.This helps software consumers authenticate and comprehend the composition of software arti
42、facts.The provenance record is vital in tracing and addressing potential security issues,providing an extensive background of the artifacts journey.Meticulously documenting the genesis and evolution of software artifacts enhances security and transparencyfostering trust and confidence in the integri
43、ty of a software solution.Nix tooling:The TII created sbomnix,a utility for generating SBOM from Nix paths that provides a comprehensive list of all components used in the build process,thereby enhancing the traceability and transparency of the software supply chain.This includes tools for querying
44、dependency graphs(nixgraph),summarizing package attributes(nixmeta),improving vulnerability analysis(vulnxscan),tracking package versions and associating vulnerabilities(repology_cli and repology_cve),and identifying outdated packages(nix_outdated).CVE Management:Developed tooling to help developers
45、 and users efficiently track potential issues in upstream packages using CVEs(Common Vulnerabilities and Exposures)to proactively address security vulnerabilities and ensure the integrity of their software solutions.PKI Workflow:The TII adopted a three-tier public key infrastructure(PKI)workflow roo
46、ted in a hardware key that supports multiple clouds and scalability.The method automates the chain of trust for developers,applications,and the provisioning of cloud infrastructure to support specific requirements.CI/CD:SSRC developed an advanced continuous-integration-and-deployment software signin
47、g process.This mechanism guarantees software integrity during transitions between stages of the build process while ensuring that cryptographic keys never leave the secure environment.Ephemeral and hermetic build environments:Pioneering research spins up temporary and isolated build environments,whi
48、ch guard against advanced persistent threats.Isolation prevents cross-contamination between automated builds inside the build system.Hermetic builds reduce the risk of introducing vulnerabilities through dependencies.Technology Innovation Institute10SLSAEach level builds upon its predecessor,culmina
49、ting in Level 3,which adopts the most stringent security measures.These levels define specific protocols that uphold software artifact integrity,ranging from digital signatures and vulnerability checks to advanced security practices.The SLSA framework v1.0,released under the Open SSF and part of the
50、 Linux Foundation,offers a standardized language for discussing and enhancing software supply chain security per the SLSA standard.7 It is characterized by flexibility and adaptability,aligned with modern software development principles and security assurance.Some specific Supply-Chain Security(SCS)
51、suite provisions include alignment with SLSA standards,code reviews,automated vulnerability scanning,build environment monitoring,and automated SBOM generation.The shift towards reproducible builds in the forthcoming platform iteration is a significant stride towards this goal.The Supply-Chain Level
52、s for Software Artifacts(SLSA)method is a comprehensive framework to enhance software artifacts integrity across supply chains.Developed collaboratively by Google and industry leaders,SLSA version 1.0(released in April 2023),categorizes security measures in four distinct levels:LEVEL 0Incorporates n
53、o SLSA requirements.LEVEL 1Encompasses basic SLSA requirements.LEVEL 2Incorporates recommended SLSA guidelines.LEVEL 3Meets comprehensive SLSA requirements.7“SLSA specification,”SLSA.Accessed:Apr.05,2024.Online.Available:https:/slsa.dev/spec/v1.0/Technology Innovation Institute11ALIGNING NIX AND SLS
54、ATII SSRC created the Ghaf Framework and the Ghaf Platform to support a secure,scalable,Zero Trust environment for creating,deploying,and maintaining robust and reliable edge applications.8In the context of software supply chain security,the Ghaf platform leverages a robust build system to embed SLS
55、A provenance at the build stage,ensuring high reproducibility and reliability.This system captures essential details such as source code,build environment,and parameters,forming a comprehensive SLSA provenance record.This record provides an exhaustive history of the software artifact from inception
56、to distribution.The system concurrently generates a Software Bill of Materials(SBOM),listing all components,versions,and dependencies.As part of our SCS suite,sbomnix helps developers comprehensively understand the runtime and build-time dependencies of every artifact within an image.This SBOM,provi
57、ded by sbomnix,can now produce both CycloneDX9 and SPDX10 formats without any need for conversion,enabling broader compatibility and enhanced transparency across the software supply chain.The amalgamation of the SLSA provenance record and SBOM,furnished alongside each binary,lets consumers comprehen
58、d and authenticate the composition of software artifacts.The provenance record is vital in tracing and addressing potential security issues,providing an extensive background of the artifacts journey.The SLSA framework and its integration into Ghafs processes represent a significant stride in securin
59、g software supply chains.By meticulously documenting each bit of softwares genesis and evolution,Ghaf enhances security and transparency,ultimately fostering consumer trust and confidence in the integrity of their software.Using CVEs(Common Vulnerabilities and Exposures)to proactively address securi
60、ty vulnerabilities,the new tooling helps consumers efficiently track potential issues arising from upstream packages.This comprehensive approach fosters consumer trust and strengthens confidence in the reliability of Ghafs software offerings.A pivotal premise of the Ghaf approach to software supply
61、chain security is transparency and trust in the components used to construct the software.And central to this is the Software Bill of Materials(SBOMs)like the familiar industrial bill of materials,a detailed list of every component,its origin,specifications,nature,and function.9“OWASP CycloneDX Soft
62、ware Bill of Materials(SBOM)Standard.”Accessed:Apr.05,2024.Online.Available:https:/cyclonedx.org/10“SPDX Linux Foundation Projects Site.”Accessed:Apr.05,2024.Online.Available:https:/spdx.dev/Technology Innovation Institute12Using SBOMs bolsters software security in many ways.Primarily(and as already
63、 noted),SBOMs facilitate comprehensive assessments of software components,their interdependencies,and their known vulnerabilities and interactions.In the face of complex,fast-evolving cyber threats,good SBOMs allow indispensable rapid reactions.Furthermore,SBOMs significantly help to manage licenses
64、,increasing compliance while reducing bookkeeping overheads.By providing explicit details on component licenses,SBOMs preempt the legal and financial complications of violating licenses.Additionally,SBOMs are instrumental in managing software-component lifecycles,ensuring timely replacement of unsup
65、ported or obsolete elements to avert the hazards of outdated code.Understanding the critical importance of SBOMs,the Ghaf team developed sbomnix as an innovative in-house SBOM generation tool,which they then shared with the community.They conceived sbomnix as a much-needed,community-maintained SBOM
66、generator capable of analyzing Nix artifacts to produce SBOMs to meet rigorous quality standards.Sbomnix is seamlessly integrated into the TII SSRCs software supply chain and is operational during the software-artifact-testing phase(coordinated by the Jenkins Project,jenkins.io).After the SBOMs are
67、generated,they are converted into CycloneDX and SPDX formats to facilitate accessibility and usability by diverse stakeholders in the software supply chain.While SBOMs,as defined by standards such as CycloneDX and SPDX,primarily document software components,the TII approach uniquely integrates these
68、 SBOMs with additional provenance data and direct links to binaries.This extended integration goes beyond current standards to enhance transparency and trust across the supply chain.This initiative reflects more than the TII SSRC commitment to software supply chain security:it is a testament to our
69、dedication to providing stakeholders with high-quality,transparent,and accountable software components by reliably creating high-quality SBOMs.9“OWASP CycloneDX Software Bill of Materials(SBOM)Standard.”Accessed:Apr.05,2024.Online.Available:https:/cyclonedx.org/10“SPDX Linux Foundation Projects Site
70、.”Accessed:Apr.05,2024.Online.Available:https:/spdx.dev/Technology Innovation Institute13Nix(available at nixos.org and tools for provisioning a reproducible,declarative,and reliable build pipeline that hardens the process of turning software code into binary packages.Nix builds packages in isolatio
71、n from each other to ensure the process is reproducible and has no undeclared dependencies.Nix also provides a framework for sharing software development and build environments in a way that reduces configuration and library installation requirements for developers.The Nix infrastructure ensures tha
72、t updating one package doesnt break others.It helps create tamper-proof packages for managing,and collaborating on,the various tools for developing,building,and running apps.Nix also makes it easier to ensure that a particular app incorporates an exact version of a specific library.It also creates a
73、n audit trail for identifying where that library is used if a problem is discovered later.Analyzing a system requires a thorough listing of all the applications and all of their dependencies.This can be done during the build phase or the runtime phase.An end user does this analysis at runtime to see
74、 all the versions of applications,libraries,and configurations on the system.An IT department may also want to check what will be sent to the users in new updates or review what users are currently running.These checks can be done offline,on a users system,or in some build environment.TII SSRC is al
75、so working on tools that work with the Nix package manager and flakes,an experimental feature that enables precise version pinning of packages and source codes.This approach advances the pursuit of fully reproducible builds.The Nix ecosystem further supports automated vulnerability scanning(vulnxsca
76、n)and continuous integration,which further reinforce the security infrastructure.Shortcomings of previous automated SBOM generators have long troubled the Nix community.The SSRC evaluated many packages that purported to support Nix.We still needed help finding a SBOM generators that could scan Nix a
77、rtifacts and reliably produce an SBOM of acceptable quality.Although a few tools did exist,they were either not maintained or were part of another individuals project.NIXTechnology Innovation Institute14A workable SBOM-generator utility should meet the following performance standards:It must produce
78、 valid SBOM in standard format(CycloneDX or SPDX),which should be importable to other tools such as Dependency-Track.It must produce the most complete possible SBOMs(for instance,the tool should include the license information)It must clearly show which dependencies are included.Given a target artif
79、act,does the tool include only runtime dependencies,or does it also include build-time dependencies?It should include the dependencies of a static build binary,or clearly indicate that this information is omitted.It should explain how patches are handled.A vulnerability might not impact a vendor-spe
80、cific product version because it is forked,or the patch is backported.TTo address these shortcomings,the SSRC developed a suite of tools,each adding a bit of functionality to the overall goal of automating the SBOM.When pieced together,they help build the foundation for a secure supply chain securit
81、y process.The ghafscan repository( vulnerability scans for the Ghaf Framework.The repository also includes Ghaf vulnerability reports that can be incorporated into an automated vulnerability scan workflow.It builds on the set of tools that SSRC has created as part of the sbomnix repository.These inc
82、lude the following(expanding on the earlier descriptions):Sbomnix:generates Software Bill of Materials(SBOMs)from Nix derivations or output paths.Nixgraph facilitates querying and visualizing dependency graphs for Nix derivations or output paths.This tool aids in understanding the intricate dependen
83、cies among software components,which is essential for identifying potential security vulnerabilities and managing risks preemptively.Nixmeta:summarizes nixpkgs meta-attributes from the given nixpkgs version,further streamlining the software development process and ensuring consistency across package
84、sTechnology Innovation Institute15Vulnxscan:represents a significant advancement in vulnerability analysis,demonstrating the usage of SBOMs in running vulnerability scans.Drawing data from extensive databases such as the National Vulnerability Database(NVD)and the Distributed Vulnerability Database
85、for Open Source(OSV)this tool scrutinizes software components against known vulnerabilities,alerting developers to any new vulnerabilities introduced in subsequent builds.This proactive approach is instrumental in identifying and addressing potential security threats before they can be exploited.rep
86、ology_cli and repology_cve:command-line clients to repology.org to enable efficient tracking of package versions and vulnerabilities across repositories.nix_outdated:finds outdated Nix dependencies for a given output path,listing the outdated packages in priority order based on how many others depen
87、d on the given outdated package.Synthesizing these in-house tools with Nix-provided tools has markedly elevated the security and integrity of software artifacts throughout the supply chain at Ghaf.The vulnerability analysis tool,in particular,emerges as a pivotal innovation in preemptive security ma
88、nagement.The contribution of these tools to the Nix community reflects an intention to benefit the broader industry,underscoring the importance of collaborative development and shared advancements in software security.Ghafs ultimate goal extends beyond providing trusted images or binary caches.It en
89、compasses establishing a reproducible build environment that enables independent verification,building,and sharing of build results.This initiative marks a crucial step toward fortifying the security and reliability of software supply chains,ensuring robust defenses against emerging threats.This eff
90、ort must,however,be coupled with a robust SCS to achieve the goals.Technology Innovation Institute16PKI IN ENHANCING SOFTWARE SUPPLY CHAIN SECURITYPublic Key Infrastructure(PKI)provides a foundation for ensuring the security and integrity of the software supply chain.It helps establish and manage se
91、cure digital identities for authentication,encryption,and digital signatures across diverse digital platforms.PKI is vital for automating the security and governance processes required to set up Zero Trust boundaries across the myriad levels of the software development and deployment lifecycle.COMPO
92、NENTS OF PKI1Certificate Authority(CA):The CA functions as the pivotal trust entity within PKI,responsible for issuing and managing digital certificates.It validates entities identities,ensuring the legitimacy and integrity of their public keys.2Digital Certificates:These certificates function as di
93、gital credentials,linking public keys with entities respective identities.They comprise essential data,including the entitys name,its public key,the issuing CAs signature,and the certificates validity period.3Certificate Revocation Systems:PKI includes mechanisms for invalidating digital certificate
94、s,primarily through Certificate Revocation Lists(CRLs)and the Online Certificate Status Protocol(OCSP).4Certificate Chains:This hierarchical structure of certificates enables the establishment of trust.Each certificate in the chain is authenticated by the preceding certificate,culminating in a root
95、CA.Technology Innovation Institute17Root CA Secured in Physical HSM:The Root CA,the cornerstone of trust in the PKI hierarchy,securely stores its private key in a physical Hardware Security Module(HSM).This ensures maximal security for the key,which is pivotal to the entire PKI framework.PKI IMPLEME
96、NTATION IN GHAFS SOFTWARE SUPPLY CHAINThree-Tier CA Structure:The PKI architecture consists of three tiers:the Root CA,Intermediate CA,and Leaf(or Signing)Certificate.This hierarchy facilitates efficient distribution and management of trust.The Root CA is the apex authority,providing the foundation
97、of trust.The Intermediate CA is a mediator,issuing certificates assigned to various functions,such as signing build artifacts or websites.The signing or Leaf Certificate is directly responsible for signing the artifacts.BENEFITS OF GHAFS PKI STRATEGY1Enhanced Security Measures:Utilizing a physical H
98、SM for the Root CAs private key significantly mitigates risks of unauthorized access,thereby fortifying the security of the PKI system.2Flexibility in Vendor Choice:Storing the Root CA in a physical HSM instead of a cloud-based private certificate authority(PCA)empowers the organization with vendor-
99、independent control.This autonomy in managing the Root CA key facilitates potential transitions between cloud service providers.3Scalability and Management through trusted key vault:Leveraging Azure Key Vault for managing Intermediate and ephemeral signing certificates combines the benefits of cloud
100、 scalability with robust security,enabling efficient key management.4Establishment of Trust and Reliability:The three-tier CA structure,underpinned by the physical HSM and Azure Key Vault,engenders a reliable trust chain from the root to the end-users,augmenting the security fabric of the software s
101、upply chain.Ghafs integration of a physical HSM with a trusted key vault within its three-tier PKI architecture exemplifies a strategic amalgamation of security,flexibility,and manageability.This approach both elevates software supply chain security and ensures adaptability and trustworthiness,align
102、ing with contemporary digital security exigencies.Technology Innovation Institute18IMPROVING CI/CD WORKFLOWGhafs CI/CD(Continuous Integration/Continuous Deployment)system has been meticulously architected to ensure the security and integrity of software artifacts.Central to this architecture is an a
103、dvanced software signing process underpinned by the robust three-tier Certificate Authority(CA)structure,with its apex,the Root Certificate securely stored on a physical Hardware Security Module(HSM).At the same time,the Intermediate and ephemeral signing certificates are securely managed within Azu
104、re Key Vault.The process begins when the build-controller triggers a remote builder,compiling the binary and generating a corresponding provenance file.The signer service then signs this dual output using a leaf certificate unique to the builders identity,ensuring traceability and integrity.The Amaz
105、on Web Services Azure SDK facilitates direct signature verification with Key Vault,allowing secure cryptographic operations without exposing sensitive material.As the binary and provenance record move through the pipeline,their signatures are verified at each stage,reinforcing the security at every
106、step.Finally,the signed artifacts and their signatures are published to a web server.This enables end-users to independently verify the integrity of their downloaded files,using the published certificates.SECURITY BENEFITSEnhanced Security:Ghaf CI/CD significantly mitigates the risks of compromised
107、keys and unauthorized access by storing the Root CA on a physical HSM and utilizing a trusted key vault for other certificates.Moreover,this setup enables us to set up multiple build environments efficiently.We can issue an intermediate certificate for each instance,requiring the HSM to enroll in a
108、new build environment only once;the administrator also needs only a single operation to revoke an intermediate certificate,simultaneously enhancing security and scalability.Traceability and Accountability:A unique certificate for each builder provide a clear audit trail from binary creation to deplo
109、yment.Secure Signature Verification:By verifying signatures with Key Vault,the system ensures that cryptographic materials never leave the secure environment.Ghafs CI/CD software signing process represents a strategic balance between robust security measures and operational efficiency.Integrating ph
110、ysical and cloud-based security practices ensures that software artifacts are authenticated,verifiable,and secured throughout their lifecycles.Technology Innovation Institute19SCALABLE,EPHEMERAL,AND HERMETIC BUILD ENVIRONMENTSMoreover,ephemeral build environments inherently exist in a state of const
111、ant vigilance.With a fresh configuration for each build,these environments mandate continuous security assessments and updates,integral to a culture of perpetual security enhancement.This approach does have its challenges,particularly the robust orchestration and monitoring systems needed to manage
112、the lifecycles of these transient environments.However,security dividendsmitigating long-term vulnerabilities and ensuring the integrity of each releaseoutweigh the complexities introduced.Incorporating isolated,hermetic,and ephemeral builds into Ghafs CI/CD pipeline is a strategic initiative that b
113、olsters our systems security architecture.Isolated builds are executed in environments separated from the developers local environment and from other builds,reducing the risk of cross-contamination.This isolation ensures that external variables do not influence the build process,producing more consi
114、stent and secure outcomes.Furthermore,leveraging Infrastructure as a Service(IaaS)alongside Nix for the build environments themselves ensures traceability even in the construction of the builder,reinforcing our commitment to transparency and accountability throughout the software development lifecyc
115、le.Hermetic builds take this concept further;they ensure that all dependencies are explicitly defined and included within the build environment.They are impervious to changes in the external environment,which significantly reduces the chance of introducing vulnerabilities through dependencies.Given
116、the same source code and dependencies,these builds are reproducible,leading to the same binary output every time:this is a cornerstone of software supply chain security.To summarize,the security benefits of isolated and hermetic builds include:Minimized Security Risks:Minimized Security Risks:By iso
117、lating and making the build process hermetic,we reduce the risk of incorporating vulnerabilities from the build environment or external dependencies.Enhanced Reproducibility:This approach ensures that the builds can be reproduced identically,facilitating easier debugging and validation.Predictabilit
118、y and Reliability:Hermetic builds enhance the predictability and reliability of the CI/CD process,which is essential for maintaining high-security standards.Technology Innovation Institute20Ghafs future integration of ephemeral build environments alongside adherence to SLSA Level 3 standards exempli
119、fies TII SSRCs unwavering commitment to security.This evolution of our CI/CD pipeline,including the planned adoption of isolated and hermetic builds,signifies a strategic move to bolster our defenses against complex software supply-chain risks.Our dedication to security propels us to continually ele
120、vate the reliability and integrity of our software,thereby assuring the highest levels of trust and safety for our software products.Technology Innovation InstituteCONCLUSIONThe path forward is one of vigilance,innovation,and adaptability.Ghafs integration of cutting-edge technologies,adherence to s
121、tringent SLSA Level 3 standards,and proactive steps towards ephemeral and hermetic builds reflect our dedication to the strongest software integrity.The commitment to isolated build processes and the implementation of Azure-integrated ephemeral environments underscores an unwavering resolve:minimize
122、 the risks associated with the software supply chain.Ghaf strives to mitigate potential vulnerabilities through these multifaceted security measures,to foster a trust-centered paradigm in its relationship with stakeholders.The journey towards a more secure digital ecosystem is ongoing.Ghafs pioneering strategies serve as a beacon for the industry,guiding the development of secure,reliable,and trustworthy software products for a safer cyber world.21