Considerations for building a secure software supply chain

You need to consider the following when building a secure software supply chain solution:

  • Tooling Ecosystem: There are two major tooling ecosystem approaches: Notation and Sigstore/Cosign. Each approach makes design decisions that should be understood, because those decisions affect how security artifacts are stored, how security artifact information can be accessed, and how security artifacts are signed and verified.
  • Signing Infrastructure: A good understanding of certificates, trust chains, and management of certificates is required since one of the core aspects of a secure software supply chain is signing.
  • Component Registry and Inventory: Package managers and SBOM tools are typically aligned well with a set of coding languages and/or ecosystems. A basic understanding of how each of these tools supports the software environment being used is important.
  • Vulnerability Infrastructure: Vulnerability databases are heavily skewed towards support for Linux only in the OSS world. The vulnerability database support for Windows is typically available in commercial offerings. Ensure a basic understanding of the software release's OS requirements and their impact on how and where you can do vulnerability scanning.
  • Attestations: Attestations are non-trivial to work with in the ecosystem at this time. Sigstore has made some progress in simplifying their use for simple cases. Consider what additional information within the secure software supply chain needs to be attested and consider using the knowledge graph to persist the attestation and its relationship to other artifacts.
  • Artifact Repository: Typically in containerized workloads, the container registry is the artifact repository. Depending on Notation or Cosign alignment, there are other considerations as to where the security artifacts and signatures will be present. Depending on the implementation, the software release and its security artifacts could be located in different systems. This is something to be aware of when building out the secure supply chain infrastructure.
  • Policy Infrastructure: A basic understanding of the various policy frameworks, ecosystems, and infrastructure is required. Each has different approaches to policy language and integrations into various stages of the software supply chain. Consider also if there is a requirement around centralized policy management and the projection of those policies into the various stages of the software supply chain.
  • Knowledge Graph: This capability is in the early stages of being solved in the broader ecosystem and is not mature yet.
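
To make the storage point in the Tooling Ecosystem and Artifact Repository items concrete, the following added example (not part of the original page or of either project's code) derives where the default layouts place security artifacts for one image: Cosign's tag-based scheme and the OCI referrers API that Notation relies on, with its tag fallback. It assumes a fully qualified, digest-pinned reference; the function name and the sample registry are hypothetical.

```python
import re

# "<registry>/<repository>[:tag]@<algorithm>:<hex>"; the registry is the first path component.
_REF = re.compile(
    r"^(?P<registry>[^/@]+)/(?P<repo>[^@:]+)(?::[\w.-]+)?"
    r"@(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-f]{32,})$"
)


def security_artifact_locations(image_ref: str) -> dict:
    """Map a digest-pinned image reference to the places its signatures and attestations live."""
    m = _REF.match(image_ref)
    if not m:
        # A tag can be repointed to other content, so both ecosystems key
        # security artifacts on the manifest digest, never on the tag alone.
        raise ValueError(f"not a fully qualified, digest-pinned reference: {image_ref!r}")
    registry, repo, alg, hexd = m.group("registry", "repo", "alg", "hex")
    base = f"{registry}/{repo}"
    digest_tag = f"{alg}-{hexd}"
    return {
        # Cosign default: extra tags in the same repository as the image.
        "cosign_signature": f"{base}:{digest_tag}.sig",
        "cosign_attestation": f"{base}:{digest_tag}.att",
        # Notation: OCI artifacts whose "subject" is the image, listed by the
        # OCI Distribution 1.1 referrers endpoint.
        "referrers_api": f"https://{registry}/v2/{repo}/referrers/{alg}:{hexd}",
        # Referrers tag schema, used when the registry lacks that endpoint.
        "referrers_fallback_tag": f"{base}:{digest_tag}",
    }


if __name__ == "__main__":
    # Constructed sample reference; the digest is not a real image.
    sample = "registry.example.com/team/app:1.0@sha256:" + "ab" * 32
    for name, location in security_artifact_locations(sample).items():
        print(f"{name:24} {location}")
```

Registry replication, retention and access rules need to cover every location listed, otherwise an image can arrive in a target registry without the signatures that admission policy expects.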

For more information