Commit Virtual 2021: Securing the Software Supply Chain with SBOM and Attestation

Introduction

During the recent Commit Virtual 2021 session, the importance of securing the software supply chain using Software Bills of Materials (SBOM) and attestation was thoroughly discussed. The session featured Cole Kennedy from BoxBoat Technologies and Nicole Schwartz from GitLab, who explored the challenges customers face in software supply chain security and the solutions being developed to address these issues.

Understanding SBOM

An SBOM is a blueprint that lists every component of a software application, including third-party code and dependencies. The need for SBOMs grew out of the realization that operators often had no clear picture of the risk carried by the software running on their systems. Historically, software producers had little incentive to state plainly what their software was made of, which left software consumers unable to assess that risk effectively.

In response to these challenges and the dire need for transparency, regulatory frameworks have emerged. The recent executive order emphasizes that the trust placed in digital infrastructure must correspond with its reliability and transparency. As a result, software producers are now required to generate SBOMs alongside their software artifacts, ensuring consumers have the insights needed to gauge the risk of the software they are utilizing.

Zero Trust Architecture

Central to the conversation was the concept of Zero Trust Architecture (ZTA). ZTA is not just a product; it is a design philosophy built on three pillars: identity, policy, and control. Effective identity systems must utilize cryptographic tokens to verify workloads and user attributes, fostering a high level of trust in the systems deployed.

Kennedy explained that in a traditional CI/CD pipeline, risks can arise if verification is not adequately incorporated. Therefore, leveraging SBOM along with in-depth verification of CI/CD metadata is essential for establishing trust relationships among the software supply chain components.

Demonstration of Solutions

The session transitioned into a practical demonstration of the processes discussed. Utilizing open-source tools like In-Toto and SPIRE, the speakers introduced methods for signing build metadata and enforcing verification in a CI/CD pipeline.

In the demonstration:

  • A build policy was established that was entirely decoupled from actual build steps, enabling verification before artifacts are pushed to the registry.
  • The concept of attestation was introduced, which involves validating that the actions taken in the CI/CD pipeline were executed according to predefined policies.

The presenters also highlighted the central role of metadata in verifying the integrity and authenticity of build artifacts throughout the software development lifecycle. By signing that metadata automatically and enforcing strict controls on it, organizations can significantly strengthen their software supply chain security.
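To make the demonstrated flow concrete, here is an added example (not code from the session, from In-Toto, or from GitLab) of the three pieces described above: a build step emitting link-style metadata that records the hashes of what it produced, a signature over that metadata, and a policy check that is written independently of the build and runs before anything is pushed to the registry. The SBOM, artifact contents, policy and key are all constructed for this example. One simplification is labelled in the code: the signature is an HMAC over the canonical JSON so the example runs with the standard library alone, whereas In-Toto with SPIRE would use a per-workload asymmetric identity.

```python
"""Illustrative in-toto-style link metadata, signing and pre-push policy check."""
import hashlib
import hmac
import json

# --- Constructed sample inputs (not from the session) ---
# A tiny SBOM-like component list naming what the build is expected to produce.
SBOM = {
    "components": [
        {"name": "app-service", "version": "1.4.2"},
        {"name": "libfoo", "version": "2.0.1"},
    ]
}

# Constructed artifact bytes standing in for real build outputs.
ARTIFACTS = {
    "app-service": b"binary of app-service 1.4.2",
    "libfoo": b"library libfoo 2.0.1",
}

# Hypothetical build-step key. A real deployment would use a per-workload
# asymmetric identity (e.g. issued by SPIRE); HMAC is used here only so the
# example has no dependencies beyond the standard library.
BUILD_KEY = b"constructed-build-step-key"

# Policy expressed separately from the build: which step must have run and
# which products, taken from the SBOM, must be attested and match what is
# about to be pushed.
POLICY = {
    "required_step": "build",
    "required_products": [c["name"] for c in SBOM["components"]],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(link: dict) -> bytes:
    """Stable encoding so signer and verifier hash identical bytes."""
    return json.dumps(link, sort_keys=True, separators=(",", ":")).encode()


def make_link(step_name: str, products: dict) -> dict:
    """Link-style metadata: which step ran and the hash of each product."""
    return {
        "step": step_name,
        "products": {name: sha256_hex(blob) for name, blob in products.items()},
    }


def sign_link(link: dict, key: bytes) -> dict:
    """Attach a signature over the canonical encoding of the link."""
    sig = hmac.new(key, canonical(link), hashlib.sha256).hexdigest()
    return {"signed": link, "signature": sig}


def verify_before_push(attestation: dict, policy: dict, key: bytes, artifacts: dict) -> list:
    """Return policy violations; an empty list means the push may proceed."""
    violations = []
    link = attestation["signed"]
    expected = hmac.new(key, canonical(link), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        violations.append("signature does not verify for the build step key")
    if link.get("step") != policy["required_step"]:
        violations.append(f"unexpected step {link.get('step')!r}")
    for name in policy["required_products"]:
        recorded = link.get("products", {}).get(name)
        if recorded is None:
            violations.append(f"product {name!r} listed in SBOM but not attested")
        elif name in artifacts and recorded != sha256_hex(artifacts[name]):
            violations.append(f"product {name!r} hash does not match artifact being pushed")
    return violations


def demo() -> tuple:
    """Run the honest case and a case where an artifact changed after signing."""
    attestation = sign_link(make_link("build", ARTIFACTS), BUILD_KEY)
    ok = verify_before_push(attestation, POLICY, BUILD_KEY, ARTIFACTS)
    # Constructed failure: libfoo was replaced after the build step signed its hash.
    swapped = dict(ARTIFACTS, libfoo=b"libfoo modified after attestation")
    bad = verify_before_push(attestation, POLICY, BUILD_KEY, swapped)
    return ok, bad


if __name__ == "__main__":
    ok, bad = demo()
    print("honest push:", "allowed" if not ok else ok)
    print("swapped artifact:", bad)
```

The point the example carries is that the verifier never reads the build script: it consumes only signed metadata and a policy, so a change to the artifact after signing, a step the policy did not expect, or a product named in the SBOM but missing from the attestation each block the push independently.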

GitLab’s Commitment

Nicole Schwartz shared GitLab's ongoing efforts to integrate SBOM generation and verification tools into its platforms. With increasing customer requests, GitLab is keen on staying informed about developments in the Linux Foundation's Digital Bill of Materials initiative and mapping relevant roadmaps that will enhance compliance and security.

Conclusion

The session offered valuable insights into the crucial role of SBOM and attestation in securing the software supply chain. As the digital landscape continues to evolve in complexity and risk, the steps discussed provide a strong foundation for establishing robust security measures in software development processes.

Keywords

  • Software Bill of Materials (SBOM)
  • Software supply chain
  • Zero Trust Architecture (ZTA)
  • Attestation
  • CI/CD pipeline
  • Metadata verification
  • Regulatory compliance
  • Build policy

FAQ

Q1: What is an SBOM?
A1: An SBOM is a comprehensive list of all components and dependencies that comprise a software application, offering transparency and insight into its risk levels.

Q2: Why are SBOMs required for software producers?
A2: SBOMs are mandated to ensure transparency about the software’s components, enabling consumers to assess the risk level associated with the software they use.

Q3: What is Zero Trust Architecture?
A3: Zero Trust Architecture is a security framework centered on the principle of "never trust, always verify," emphasizing identity, policy, and control to ensure a high level of security.

Q4: How does In-Toto enhance the CI/CD pipeline?
A4: In-Toto enhances the CI/CD pipeline by enabling the signing and verification of metadata at various build stages, ensuring that all actions conform to security policies.

Q5: What is GitLab’s role in SBOM generation?
A5: GitLab is working on integrating SBOM generation and verification into its platform, responding to increased customer demand for tools that enforce software integrity and compliance.