Software supply chain security is becoming a critical element of an organization’s overall security strategy, and attackers are increasingly using the software supply chain as a vector for malicious attacks. For example, according to Sonatype, the cumulative number of open source packages found to contain malicious code tripled in the last year. In other words, the last year alone produced twice as many malicious packages as all previous years combined.
One way to address attacks against the supply chain is to implement rigorous security controls throughout the DevSecOps lifecycle. Implementing the recommendations of the Supply Chain Levels for Software Artifacts (SLSA) framework helps identify and address integrity risks in how your code is built and delivered.
SLSA is a security framework that helps ensure the integrity of software artifacts: a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure.
SLSA was developed to help organizations and Independent Software Vendors (ISVs) improve their software supply chains. SLSA focuses on protecting software from source through deployment. It lets consumers make automated decisions about the integrity of the artifacts they use.
SLSA is organized into tracks, each with a series of levels that provide increasing supply chain security guarantees. The levels of the Build track are defined here: https://slsa.dev/spec/v1.0/levels
DevSecOps on IBM Cloud now supports SLSA Build Level 3 (L3)
SLSA Build L3 provides much stronger protection against tampering than earlier levels by preventing specific classes of threats, such as cross-build contamination. To reach it, the build platform itself must be hardened: each build runs in an isolated environment, the provenance is generated by the platform rather than by the build's own steps, and the signing material that makes the provenance unforgeable is not reachable from user-defined build steps. The DevSecOps toolchain templates and Deployable Architecture in IBM Cloud Continuous Delivery (CD) now fully support SLSA Build L3.
The Level 3 controls include verifying the build process and providing evidence that each task in a delivery pipeline completed successfully. One way IBM Cloud Continuous Delivery pipelines enable this is by using Tekton Chains to observe each Tekton pipeline execution and automatically produce SLSA attestations (provenance) for the artifacts it built.
When used with the DevSecOps toolchains, these SLSA attestations are collected automatically during Continuous Integration (CI) and retained for future audit, alongside the other kinds of security evidence used to automate regulated change deployments.
Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller that lets software development teams manage supply chain security in Tekton, an open source framework for building CI/CD systems that lets developers build, test, and deploy across cloud providers and on-premises systems. Chains watches for TaskRuns and PipelineRuns to complete, captures what they produced, signs that record, and stores the signature and attestation, for example alongside the image in its OCI registry.
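The attestations Tekton Chains produces are in-toto statements wrapped in a DSSE envelope, and Build L3 only pays off if something checks them before deployment. The following Go code is an added example, not code from IBM Cloud Continuous Delivery or from Tekton Chains: it signs a minimal SLSA v1.0 provenance statement the way a build platform would, then applies the deploy-side checks a gate should make, in this order: a signature by a trusted build-platform key over the DSSE pre-authentication encoding (PAE), the in-toto and SLSA predicate types, the builder identity, and finally that the artifact about to be deployed is a subject of the provenance. The Statement and Envelope types model only the fields checked here; the builder id https://example.com/build-platform, the key id builder-key-1 and the artifact bytes used when calling it are assumptions for illustration. A real gate would load the envelope from wherever Chains stored it and the trusted public key from its key management service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const InTotoPayloadType = "application/vnd.in-toto+json"
const InTotoStatementV1 = "https://in-toto.io/Statement/v1"
const SLSAProvenanceV1 = "https://slsa.dev/provenance/v1"
// Envelope is the DSSE envelope Tekton Chains emits; only the fields checked here are modelled.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 in-toto statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64 signature over the PAE, not over the bare payload
}
// Statement is a minimal in-toto statement with a SLSA v1.0 provenance predicate.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Predicate struct{ RunDetails RunDetails `json:"runDetails"` }
type RunDetails struct{ Builder Builder `json:"builder"` }
type Builder struct{ ID string `json:"id"` }
// pae is the DSSE pre-authentication encoding: these bytes, not the bare payload, get signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewStatement binds an artifact's digest to the platform that built it.
func NewStatement(name string, artifact []byte, builderID string) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          InTotoStatementV1,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: SLSAProvenanceV1,
		Predicate:     Predicate{RunDetails: RunDetails{Builder: Builder{ID: builderID}}},
	}
}

// Sign plays the build platform, whose key is unreachable from tenant build steps at Build L3.
func Sign(priv ed25519.PrivateKey, keyID string, st Statement) Envelope {
	body, _ := json.Marshal(st) // cannot fail for Statement
	sig := ed25519.Sign(priv, pae(InTotoPayloadType, body))
	return Envelope{
		PayloadType: InTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify is the deploy gate: trusted signature over the PAE, SLSA v1 types, expected builder, artifact is a subject.
func Verify(env Envelope, artifact []byte, builderID string, keys map[string]ed25519.PublicKey) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != InTotoPayloadType {
		return nil, fmt.Errorf("malformed envelope (payloadType %q)", env.PayloadType)
	}
	msg, verified := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		if pub, ok := keys[s.KeyID]; ok && derr == nil && ed25519.Verify(pub, msg, raw) {
			verified = true // unknown keyids never count, whatever they claim to be
		}
	}
	if !verified {
		return nil, fmt.Errorf("no valid signature from a trusted build-platform key")
	}
	var st Statement // parse untrusted JSON only after the signature holds
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	if st.Type != InTotoStatementV1 || st.PredicateType != SLSAProvenanceV1 {
		return nil, fmt.Errorf("not SLSA v1 provenance: %s / %s", st.Type, st.PredicateType)
	}
	if got := st.Predicate.RunDetails.Builder.ID; got != builderID {
		return nil, fmt.Errorf("untrusted builder %q", got)
	}
	sum := sha256.Sum256(artifact)
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == hex.EncodeToString(sum[:]) {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("artifact digest is not a subject of the provenance")
}
```

To exercise it, generate an Ed25519 key pair for the platform, call Sign with a NewStatement over the artifact bytes, and pass the resulting envelope, the same bytes, the expected builder id and a keyid-to-public-key map to Verify. Signature verification runs before the payload is parsed, so an attacker who can only edit the payload, who signs with a key the policy does not trust, or who reuses the platform's keyid with their own key is rejected before any of their JSON is interpreted. Because the signature covers the PAE, which includes the payload type, changing the payload type to make a different verifier misread the bytes also invalidates the signature.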
Benefits of using DevSecOps on IBM Cloud
IBM offers a complete secure software supply chain on IBM Cloud, configurable in a few clicks, that meets regulatory industry controls and is designed to stop software security problems and supply chain attacks from reaching production systems while streamlining compliance audits.
The IBM Cloud DevSecOps solution provides a set of opinionated, predefined toolchains for continuous integration (CI), continuous deployment (CD), and continuous compliance (CC). They can manage application code, infrastructure as code, ZDevOps, hybrid deployments, and more, and can be configured to orchestrate a wide set of cloud and on-premises IBM, third-party, and open source tools.
This solution is curated by IBM and constantly enhanced at no additional charge, allowing organizations to standardize and secure the entire development process: streamlining compliance audits, orchestrating security scans, signing artifacts, creating Software Bills of Materials (SBOMs), generating change requests, tracking deviations, reporting on compliance, remediating code, and much more. Evidence is collected to demonstrate to auditors that every change in the process meets the necessary regulatory controls.
IBM Cloud DevSecOps implements the following industry standards out of the box: NIST SP 800-53 configuration management and vulnerability management controls, the NIST SP 800-218 Secure Software Development Framework (SSDF), Supply-chain Levels for Software Artifacts (SLSA), Software Bill of Materials (SBOM) generation, and more.
It is available as a cloud-native, hosted, regional solution on IBM Cloud with 99.99% availability and disaster recovery, built on services certified for ISO 27K, GDPR, SOC 2, EU-Managed, and IBM Cloud for Financial Services, including DevOps capabilities, identity and access management, secrets management, auditable storage, compliance monitoring, eventing, private pipeline workers, and more.
Next steps
You can begin using the capabilities of Tekton Chains in the DevSecOps toolchain templates today. For information on how to configure the collection of SLSA attestations, see the documentation.
If you’d like to share any feedback with us or suggest additional capabilities you’d like to see, you can reach out to the IBM Cloud Continuous Delivery development team by joining us on Slack.
Additional resources