
How the Secure Software Factory Reference Architecture protects the software supply chain


The term “factory” related to software production might seem bizarre. Most still associate it with the collection, manipulation and manufacturing of hard materials such as steel, automobiles or consumer electronics. However, software is produced in a factory construct as well. “Software factory” generally refers to the collection of tools, assets and processes required to produce software in an efficient, repeatable and secure manner.

The software factory concept has taken hold in both the public and private sectors and is recognized by organizations such as MITRE and VMware. The U.S. Department of Defense (DoD) has a robust ecosystem of at least 29 software factories, most notably Kessel Run and Platform One. Given the concern over software vulnerability, particularly in the software supply chain, it’s important to execute the software factory approach in a secure manner.

The Cloud Native Computing Foundation (CNCF) has provided guidance on this with its Secure Software Factory Reference Architecture. Here’s a breakdown of what it covers.

What is the Secure Software Factory Reference Architecture?

CNCF defines a software supply chain as “a series of steps performed when writing, testing, packaging and distributing application software to end consumers.” The software factory is the aggregate logical construct that facilitates that delivery of software. When done correctly, it ensures security is a key component of the application delivery process.

The CNCF Secure Software Factory (SSF) guidance builds on previous CNCF publications such as the Cloud-native Security Best Practices and Software Supply Chain Best Practices. The reference architecture emphasizes existing open-source tooling with a focus on security. It also rallies around four overarching principles from the Software Supply Chain whitepaper, each of which is required to ensure secure software delivery from inception to code to production:

  • Defense in depth
  • Signing and verification
  • Artifact metadata analytics
  • Automation

The SSF Reference Architecture isn’t focused on areas such as code scanning and signing but instead focuses more deeply on code provenance and build activities. The rationale is that downstream activities such as SAST/DAST rely on validating provenance and on confirming that the identity of the party you are receiving something from is a trusted entity. These may be identities tied to a human user or a machine identity. A signature, combined with validation that it comes from a trusted source, is key to assurance of provenance.
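To make the last point concrete, here is an added Go example (not code from CNCF or the reference architecture) in which a consumer accepts an artifact only when the signature verifies against a key taken from its own trust store. The identity names, the payload layout and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUntrusted = errors.New("signer is not a trusted identity")
var ErrSignature = errors.New("signature does not match artifact and signer")

// payload binds the artifact digest to the claimed identity (hypothetical format).
func payload(artifact []byte, signer string) []byte {
	d := sha256.Sum256(artifact)
	return append(d[:], signer...)
}

// Sign is the build side: the human or machine identity signs what it produced.
func Sign(artifact []byte, signer string, key ed25519.PrivateKey) []byte {
	return ed25519.Sign(key, payload(artifact, signer))
}

// Verify is the consumer side. The public key comes from the trust store, never
// from the sender, so a valid signature by an unknown party is still rejected.
func Verify(artifact []byte, signer string, sig []byte, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[signer]
	if !ok {
		return ErrUntrusted
	}
	if !ed25519.Verify(pub, payload(artifact, signer), sig) {
		return ErrSignature
	}
	return nil
}

// Demo (constructed data): trusted build, unknown signer, borrowed identity, tampering.
func Demo() [4]error {
	ciPub, ciKey, _ := ed25519.GenerateKey(nil)
	_, otherKey, _ := ed25519.GenerateKey(nil)
	art, ci := []byte("app-1.0 release contents"), "ci@build.example"
	trusted := map[string]ed25519.PublicKey{ci: ciPub}
	return [4]error{Verify(art, ci, Sign(art, ci, ciKey), trusted),
		Verify(art, "dev@unknown.example", Sign(art, "dev@unknown.example", otherKey), trusted),
		Verify(art, ci, Sign(art, ci, otherKey), trusted),
		Verify([]byte("modified contents"), ci, Sign(art, ci, ciKey), trusted)}
}

func main() { fmt.Println(Demo()) }
```

The second case carries a cryptographically valid signature and is still refused, which is the difference between checking a signature and checking provenance.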

Copyright © 2022 IDG Communications, Inc.
