New paper demonstrates an actionable approach to architecting a secure supply chain amidst an increase in cyber attacks

SAN FRANCISCO, Calif. – May 14, 2021 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced a new paper, Software Supply Chain Security Best Practices, designed to provide a holistic approach to supply chain security by highlighting the importance of layered defensive practices. The paper was compiled by members of the CNCF Security Technical Advisory Group (TAG), which produces resources that enable secure access, policy control, and safety for operators, administrators, developers, and end users across the cloud native ecosystem.  

“The Security TAG has been focused on supply chain security for a few years, first with the catalog of supply chain compromises and now the paper,” said Emily Fox, co-chair of the CNCF Security TAG. “It is critical that organizations and open source communities seriously consider not only what their software does but the mechanisms by which it comes to be. As security practitioners, we recognize the difficulty in rapidly pivoting from incident to incident but now is the time to thoughtfully consider a better, more secure end-to-end architecture responsible for our innovations.”

Recent high-profile cyber attacks on government entities worldwide have demonstrated the importance of addressing vulnerabilities in complex software supply chains. The Security TAG has documented instances of such attacks since 2003 and has seen increased frequency since 2017. The paper draws its recommendations and insights from the collective knowledge and experience of active security practitioners in the Security TAG, academic research, and the work of the United States Air Force’s ‘software factory’ approach.

“The recent executive order highlights the ever-growing importance of security in software architectures in a dynamic system,” said Jeyappragash Jeyakeerthi, co-founder and CTO at Tetrate and co-chair of the CNCF Security TAG. “The boundary of security extends all the way from source to runtime, and it is great to see CNCF’s security community contribute towards educating and improving the security posture for modern enterprises.”

The paper fills a gap in documentation of best practices for supply chain security. It evaluates many of the available tools and defines four key principles for supply chain security and steps for each, including:

  1. Trust: Every step in a supply chain should be “trustworthy” due to a combination of cryptographic attestation and verification. 
  2. Automation: Automation is critical to supply chain security and can significantly reduce the possibility of human error and configuration drift.  
  3. Clarity: The build environments used in a supply chain should be clearly defined, with limited scope.  
  4. Mutual Authentication: All entities operating in the supply chain environment must be required to mutually authenticate using hardened authentication mechanisms with regular key rotation.

“With the rise of connected software over the past decades, security practices have not kept pace with changes in infrastructure, despite mature cryptographic algorithms and proven techniques,” said Sarah Allen, co-chair of the CNCF Security TAG. “It’s exciting to see CNCF projects, like in-toto providing a key part of supply chain security.”

“Given the increase in cadence and impact of cyber attacks, this is a critical time for the industry to take action,” Chris Aniszczyk, CTO of the Cloud Native Computing Foundation. “It’s important for software producers and consumers to work together to provide practitioners with the tools and standard procedures necessary to create secure environments and mitigate potential breaches. We invite the whole industry to participate in the CNCF Security TAG to improve the state of cloud native security supply chain practices.”

Read more in a blog post from the Security TAG, which includes an adoption framework for organizations to assess their own architectures and download the full Software Supply Chain Security Best Practices paper.

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry’s top developers, end users, and vendors, and runs the largest open source developer conferences in the world. Supported by more than 500 members, including the world’s largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit www.cncf.io.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Katie Meinders 

The Linux Foundation

PR@CNCF.io