3/14/2023

An attestation based approach to Software Risk Managment

Author: Cole Kennedy

An attestation based approach
As the landscape of software security evolves, organizations continually grapple with the challenge of ensuring the integrity and trustworthiness of their software supply chain. Traditional scanning methods, while valuable for identifying vulnerabilities and misconfigurations, may not adequately address emerging threats. A fresh approach is needed, one that focuses on securing the entire software supply chain through attestations, automation, and secure signatures.

Opting for Attestation-Based Security Over Scanning

API discovery and scanning tools assess the security of software products by relying on data obtained from remote APIs (like GitHub's GraphQL API) or through the inspection of artifacts. This method, however, might not be sufficient to guarantee the integrity of the software supply chain. The information gathered from APIs may not accurately depict the events that transpired during the software development process, and integrating this data with other systems, such as third-party risk management, can be challenging. This is primarily because there are no cryptographic guarantees or established chains of trust to validate the information.
Additionally, APIs come with inherent limitations such as added latency and rate limits, which can restrict their usefulness for big data problems. These limitations may hinder comprehensive security analysis, especially in situations where large-scale software supply chain management is required.
To better understand the shortcomings of API discovery and scanning tools, consider the analogy of asking a baker about the ingredients and preparation of a cake. While the baker may provide an accurate account, there's still room for error or omission. You're essentially relying on the baker's word, which may not be enough to guarantee the cake's quality and safety.
Attestation-based security, on the other hand, is akin to hiring a trusted observer to watch and record everything that goes into the cake and how it's prepared. This observer creates a detailed report (or attestation) of the entire process, from sourcing ingredients to the final presentation, allowing for independent verification and greater confidence in the cake's quality, safety, and adherence to established standards.
API discovery and scanning tools can be compared to asking a baker about a cake's ingredients and preparation, which may not ensure its quality and safety. Attestation-based security, however, is like having a trusted observer document the entire process, offering independent verification and increased confidence in the cake's quality, safety, and compliance with standards.
Similarly, attestation-based security introduces a reliable chain of trust throughout the software supply chain. By creating signed attestations, trusted parties provide cryptographic guarantees that the software development process adhered to security standards and best practices. This approach offers a more proactive and dependable method for ensuring software integrity while overcoming the limitations of APIs.
By relying on attestations rather than the information provided by APIs or artifact inspection, attestation-based security establishes a clear chain of trust for software products. This approach increases confidence in the security of the software supply chain, promotes a higher level of transparency and traceability for all stakeholders involved, and overcomes the challenges posed by API limitations. In doing so, attestation-based security ensures a more secure and reliable software supply chain by focusing on preventing issues rather than just detecting them.

Attestation-Based Security

Attestation-based security focuses on ensuring the integrity and security of software products by validating the processes, procedures, and provenance of software artifacts at every stage of the software supply chain. Unlike traditional security scanning methods, this approach emphasizes the importance of trust and transparency by requiring the creation of attestations that confirm compliance with security standards.
Essential Attestations for Strengthening Software Supply Chain Security:
  1. Static Application Security Testing (SAST) attestation: This attestation verifies that a SAST tool, such as SonarQube or Veracode, has been employed to analyze the source code and pinpoint potential security vulnerabilities before the code is compiled and deployed.
  2. Third-Party Risk Management (TPRM) attestation: This attestation ensures that the artifact has undergone the organization's TPRM process, evaluating the risks associated with using third-party software components and approving their use based on defined criteria.
  3. Dynamic Application Security Testing (DAST) attestation: This attestation confirms that a DAST tool, like OWASP ZAP or Burp Suite, has been utilized to examine the running application for security vulnerabilities and misconfigurations.
  4. Container security attestation: This attestation certifies that a container security tool, such as Aqua Security or Sysdig, has been employed to scan and secure container images for vulnerabilities and misconfigurations, guaranteeing the security of deployed containers.
  5. Software Composition Analysis (SCA) attestation: This attestation asserts that an SCA tool, like WhiteSource or Snyk, has been used to scrutinize the software's dependencies for known vulnerabilities, license compliance issues, and outdated components.
  6. Infrastructure as Code (IaC) security attestation: This attestation verifies that an IaC security tool, such as Checkov or Terrascan, has been utilized to analyze infrastructure configuration files, including Terraform or CloudFormation templates, to identify potential security risks and misconfigurations.
  7. Continuous Integration/Continuous Deployment (CI/CD) attestation: This attestation endorses that a CI/CD tool, like Jenkins or GitLab CI/CD, has been employed to automate the software development, testing, and deployment process, ensuring that security checks and best practices are consistently applied throughout the pipeline.
  8. Code review attestation: This attestation confirms that a formal code review process, which may involve collaboration tools like GitHub or GitLab, has been followed to detect and address potential security, performance, or maintainability issues within the codebase.
By requiring these attestations to be signed by trusted parties, such as developers, security experts, or automated tools, attestation-based security adds a layer of trust and validation to the software supply chain. This approach fosters confidence in the security and reliability of the software being produced, as it ensures that all parties involved are accountable for their actions and have met the necessary security requirements.
Attestation-based security not only offers a more robust security solution but also promotes a culture of collaboration and shared responsibility. By involving all stakeholders in the software supply chain and requiring them to attest to the security and integrity of their work, organizations can create a more transparent and trustworthy software development process. This, in turn, leads to improved overall security and a reduced risk of supply chain attacks.
Attestation software development process

Automating Attestations:

Implementing attestation-based security requires a shift in mindset, with organizations focusing on continuous validation of the software supply chain. Automation plays a crucial role in ensuring that attestations are created and collected consistently and accurately throughout the process. By using standardized templates and predefined rules, organizations can streamline the creation and collection of attestations, reducing the likelihood of human error and increasing efficiency.
For example, integrating a SAST scanner into the CI/CD pipeline can automatically generate an attestation each time the code is scanned
For example, integrating a SAST scanner into the CI/CD pipeline can automatically generate an attestation each time the code is scanned, ensuring that security vulnerabilities are identified and addressed promptly. Similarly, automating code review attestations can provide a standardized way of recording the outcome of each review, ensuring consistency and traceability.

Secure Signatures:

Attestation-based security is an effective approach to securing the software supply chain, as it relies on trusted parties to provide signed attestations that confirm adherence to security standards throughout the development process. One crucial aspect of attestation-based security is the management of cryptographic keys used for signing these attestations.
Long-lived keys, which are often stored on disk, can be complex and time-consuming to manage. The risk of key compromise increases with the duration of key storage, potentially enabling unauthorized access to sensitive information or manipulation of the attestations. In contrast, short-lived, ephemeral keys that are generated on-the-fly for each signature operation offer a more secure and efficient alternative.
Using short-lived keys for signing attestations provides several advantages. First, it ensures that the attestations themselves are more secure, as the keys are generated only when needed and are not stored long-term. This approach makes it harder for attackers to gain access to these keys and use them for malicious purposes.
Second, the use of short-lived keys encourages a more agile and flexible approach to attestation management. Organizations can quickly generate and sign attestations as needed, without the overhead of managing long-lived keys. This flexibility can lead to more efficient and streamlined security processes, enabling organizations to adapt and respond to changing threats more effectively.

Benefits of Attestation-Based Security:

  1. Comprehensive approach: Securing every step in the software supply chain, reducing the likelihood of security risks or breaches.
  2. Proactive security: Reducing the chances of vulnerabilities being introduced in the first place.
  3. Continuous validation: Providing a higher level of assurance that the software is secure and trustworthy.
  4. Tamper-evident: Ensuring the integrity of the information and preventing bad actors from introducing malicious code or manipulating the software supply chain.
  5. Scalability: Maintaining a consistent level of effort regardless of the number of software artifacts.

Considerations:

Embracing attestation-based security, bolstered by automation and secure signatures, provides a transformative approach to software security. By placing trust and validation at the center of the software supply chain, organizations can achieve higher assurance against evolving threats and ensure a secure and trustworthy software supply chain, protecting stakeholders from potential risks and vulnerabilities.
However, it is essential to address additional factors for a comprehensive approach. Implementing this strategy may involve increased costs, learning curves, and challenges in managing ephemeral keys. The potential for compromised trusted parties must be tackled through rigorous vetting and monitoring processes. Combining attestation-based security with traditional scanning methods is crucial for a more robust, multi-layered defense. Customizing attestations to specific industries ensures relevant security requirements are met, and seamless integration of open-source solutions like Witness and Archivista with existing tools and processes is vital for a smooth transition. By considering these factors, organizations can optimize their software supply chain security and minimize potential risks and vulnerabilities.
Ready to take the leap into attestation-based security and protect your software supply chain? Start today by checking out Witness and Archivista, two powerful open-source solutions designed to streamline and secure your software development process. Witness simplifies the creation and verification of attestations, while Archivista serves as a centralized database for storing and managing these essential security artifacts. Together, these tools provide an end-to-end solution that can be easily integrated into your existing processes. Don't leave your software supply chain security to chance. Explore the potential of Witness and Archivista now and begin building a safer, more reliable software ecosystem for your organization and its users. Visit the Witness and Archivista project pages to learn more and get started on your journey towards a secure and trustworthy software supply chain.