| Practices | Control |
|---|---|
| SC-CE Establish and adhere to contribution policies | G.1.1 Organizational security requirements |
| AU Scan software for license implications; M-A Managing software licenses | G.1.2 Software license conflict |
| BP-SA Sign every step in the build process; A-A Use a store to manage metadata from in-toto | G.1.3 Produce attestation |
| A-A Distribute in-toto metadata with TUF; D-V Ensure clients can perform verification of artifacts and associated metadata; D-V Ensure clients can verify the freshness of files; D-A Use The Update Framework | G.1.4 Deliver provenance |
| M-V Generate an immutable SBOM of code | G.1.5 Deliver SBOM |
| M-V Require SBOMs and VEX statements from third-party suppliers; M-V Track dependencies between open source components | G.2.5 Asset inventory |
| M-V Require SBOMs and VEX statements from third-party suppliers | G.3.1 Security-related contract terms |
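The G.1.3 and G.1.4 rows (sign every step, distribute the in-toto metadata, let clients verify artifacts and their freshness) describe one mechanism: a chain of signed step attestations that a verifier checks against a layout. The Go program below is an added example written for this page; it is not code from in-toto, TUF or any framework this table maps. It uses a simplified link/layout schema of its own (the field names are assumptions), Ed25519 from the Go standard library, hypothetical key IDs "build-key" and "test-key", and constructed sample digests. VerifyChain rejects an unauthorised signer (the E.3.3 row's "limit which artifacts any given party is authorized to certify"), a tampered link, an expired attestation (the freshness check) and a missing step; main runs the honest case. Real in-toto layouts additionally express signature thresholds, sublayouts and inspections.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Link is a simplified in-toto-like step attestation (assumed schema for this example).
type Link struct {
	Step      string            `json:"step"`
	Materials map[string]string `json:"materials"` // input path -> sha256 hex
	Products  map[string]string `json:"products"`  // output path -> sha256 hex
	Expires   time.Time         `json:"expires"`   // freshness bound, as TUF metadata has
}

// SignedLink binds a Link to the key ID that certified it.
type SignedLink struct {
	Link  Link
	KeyID string
	Sig   []byte
}

// StepRule: keys allowed to certify a step, and optionally the earlier step whose
// products this step's materials must equal (the chain check).
type StepRule struct {
	AuthorizedKeys []string
	MaterialsFrom  string
}

// Layout is the verifier-side policy: ordered steps, per-step rules, trusted keys.
type Layout struct {
	Steps []string
	Rules map[string]StepRule
	Keys  map[string]ed25519.PublicKey
}

// jsonOf is the canonical form that is signed and compared (encoding/json sorts map keys).
func jsonOf(v any) []byte {
	b, _ := json.Marshal(v) // cannot fail for these plain structs and maps
	return b
}

func Sign(l Link, keyID string, priv ed25519.PrivateKey) SignedLink {
	return SignedLink{Link: l, KeyID: keyID, Sig: ed25519.Sign(priv, jsonOf(l))}
}

// VerifyChain enforces the layout: each step attested by an authorised key with a valid,
// unexpired signature, consuming exactly the products of the step it depends on.
func VerifyChain(lay Layout, links []SignedLink, now time.Time) (map[string]string, error) {
	byStep := map[string]SignedLink{}
	for _, sl := range links {
		byStep[sl.Link.Step] = sl
	}
	for _, step := range lay.Steps {
		sl := byStep[step] // a missing step yields a zero link, rejected as unauthorised below
		rule, pub, authorised := lay.Rules[step], lay.Keys[sl.KeyID], false
		for _, k := range rule.AuthorizedKeys {
			authorised = authorised || k == sl.KeyID
		}
		switch {
		case !authorised:
			return nil, fmt.Errorf("step %q: key %q not authorised for this step", step, sl.KeyID)
		case len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, jsonOf(sl.Link), sl.Sig):
			return nil, fmt.Errorf("step %q: signature does not verify", step)
		case !now.Before(sl.Link.Expires):
			return nil, fmt.Errorf("step %q: attestation expired", step)
		case rule.MaterialsFrom != "" && string(jsonOf(sl.Link.Materials)) != string(jsonOf(byStep[rule.MaterialsFrom].Link.Products)):
			return nil, fmt.Errorf("step %q: materials differ from products of %q", step, rule.MaterialsFrom)
		}
	}
	return byStep[lay.Steps[len(lay.Steps)-1]].Link.Products, nil
}

// SampleChain builds a build->test chain from constructed inputs and fresh keys
// ("build-key" and "test-key" are hypothetical key IDs).
func SampleChain() (Layout, []SignedLink) {
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader)
	testPub, testPriv, _ := ed25519.GenerateKey(rand.Reader)
	lay := Layout{
		Steps: []string{"build", "test"},
		Rules: map[string]StepRule{
			"build": {AuthorizedKeys: []string{"build-key"}},
			"test":  {AuthorizedKeys: []string{"test-key"}, MaterialsFrom: "build"},
		},
		Keys: map[string]ed25519.PublicKey{"build-key": buildPub, "test-key": testPub},
	}
	src := fmt.Sprintf("%x", sha256.Sum256([]byte("package main\n"))) // constructed source digest
	bin := fmt.Sprintf("%x", sha256.Sum256([]byte("\x7fELF sample")))  // constructed product digest
	exp := time.Now().Add(24 * time.Hour)
	build := Sign(Link{"build", map[string]string{"main.go": src}, map[string]string{"app": bin}, exp}, "build-key", buildPriv)
	test := Sign(Link{"test", map[string]string{"app": bin}, map[string]string{"app": bin}, exp}, "test-key", testPriv)
	return lay, []SignedLink{build, test}
}

func main() {
	lay, links := SampleChain()
	fmt.Println(VerifyChain(lay, links, time.Now()))
}
```

The materials check is what turns a set of independently signed steps into provenance: the test step is only accepted if it consumed byte-for-byte the artifact the build step produced, so a substituted binary fails even when every signature is valid.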
| Practices | Control |
|---|---|
| A-V Validate the signatures generated at each step; A-A Use TUF to manage signing of artifacts | P.1.2 Software release integrity |
| M-A Scan software for vulnerabilities | P.2.5 In-house components |
| M Second and third-party risk management | P.3.1 Component and container choice |
| M-V Define trusted package managers, repositories, and libraries | P.3.2 Trusted repositories |
| BP-SA Sign every step in the build process; SC-V Require verification attestations / confirmation | P.3.3 Require signed commits |
| A-CE Use a container registry that supports OCI image-spec images; M-V Verify third-party artifacts and open source libraries; M-V Build libraries from source code; M-A Run software composition analysis on ingested software | P.3.4 Vetted third-party component and container repositories |
| C Enforce independent 2-party review | P.4.1 Security code review |
| SC-A Prevent committing secrets to source code repository; SC-A Automate software security scanning; M-A Scan software for vulnerabilities; M-A Run software composition analysis on ingested software; A-V Perform additional checks on the artifact | P.4.3 Automated vulnerability detection |
| BP-SA Deploy monitoring tools to detect malicious behavior; D-A Continuous vulnerability scanning | P.4.5 Regular third-party compliance |
| M-V Require SBOMs and VEX statements from third-party suppliers; M-V Track dependencies between open source components | P.5.1 SBOM consumption |
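For the P.4.3 row "SC-A Prevent committing secrets to source code repository", the usual control is a pre-commit hook that scans the diff about to be committed. The Go program below is an added example for this page, not a project's or tool's code: its rule set is a constructed sample (AWS access key ID, GitHub classic token prefix, PEM private-key header, generic credential assignment), the diff it scans is constructed, and the "pragma: allowlist secret" marker is an assumed convention. It inspects only added lines, which is what keeps the hook from blocking every commit once a value has already leaked; rotating that value is a separate step.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one suspected secret on an added line of a diff.
type Finding struct {
	File string
	Line int
	Rule string
}

// rule is a named pattern. The set below is constructed for this example and is
// deliberately small; it is not any project's real rule set.
type rule struct {
	Name string
	Re   *regexp.Regexp
}

var rules = []rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----`)},
	{"generic-assignment", regexp.MustCompile(`(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']`)},
}

var (
	fileHeader = regexp.MustCompile(`^\+\+\+ b/(.+)$`)
	hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`)
)

// ScanDiff reports secrets on added lines of a unified diff only. A line containing
// "pragma: allowlist secret" (assumed convention) is skipped as a reviewed false positive.
func ScanDiff(diff string) []Finding {
	var out []Finding
	file, lineNo := "", 0
	for _, raw := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(raw, "+++ "):
			if m := fileHeader.FindStringSubmatch(raw); m != nil {
				file = m[1]
			}
		case strings.HasPrefix(raw, "@@"):
			if m := hunkHeader.FindStringSubmatch(raw); m != nil {
				lineNo, _ = strconv.Atoi(m[1])
				lineNo-- // incremented again when the first new-file line is seen
			}
		case strings.HasPrefix(raw, "+"):
			lineNo++
			text := raw[1:]
			if strings.Contains(text, "pragma: allowlist secret") {
				continue
			}
			for _, r := range rules {
				if r.Re.MatchString(text) {
					out = append(out, Finding{file, lineNo, r.Name})
				}
			}
		case strings.HasPrefix(raw, "-"):
			// removed line: exists only in the old file, does not advance lineNo
		default:
			lineNo++ // context line, present in the new file too
		}
	}
	return out
}

// SampleDiff is a constructed diff: it adds an AWS key, a password and an SSH
// private key, plus one allowlisted test fixture that must not be reported.
const SampleDiff = `diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ import os
 DEBUG = False
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer"
 ALLOWED_HOSTS = ["*"]
+TEST_TOKEN = "not-a-real-token-0000"  # pragma: allowlist secret
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQ
`

func main() {
	findings := ScanDiff(SampleDiff)
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Rule)
	}
	if len(findings) > 0 {
		fmt.Println("commit rejected: remove the secrets and rotate any that were real")
	}
}
```

Wired in as a pre-commit hook, the program would read `git diff --cached` on stdin instead of SampleDiff and exit non-zero when findings is non-empty. The same scan should also run server-side (in CI on the pushed range), because a local hook is easily bypassed with `--no-verify`.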
| Practices | Control |
|---|---|
| SC-V Authenticate and monitor repository activity | E.1.1 Safely store release artifacts |
| SC-V Authenticate and monitor repository activity | E.1.2 Version control |
| SC-SA Enforce MFA for accessing source code repositories | E.1.3 Multi-factor authentication (MFA) |
| SC-SA Use SSH keys to provide developers access to upstream source code repositories | E.1.4 Developer SSH key |
| SC-V Declare protected repository namespaces; SC-V Require verification attestations / confirmation; SC-CE Establish and adhere to contribution policies | E.1.5 Branch protection |
| BP-V Enforcing policy; SC-V Require verification attestations / confirmation; A-V Policy | E.2.1 Release policy verification |
| M-V Verify third-party artifacts and open source artifacts; BP-V Validate environments and dependencies before usage; D-V Admission controller/deployment gate | E.2.2 Verify dependencies and environment |
| BP-A Build and related CI/CD should be automated; BP-A Standardize pipeline across projects; BP-A Build workers should be single-use; BP-CE Ensure software factory has minimal network connectivity; BP-CE Pass in build worker environment and commands; BP-SA Only allow pipeline modifications through 'pipeline as code' | E.2.4 CI/CD hosting and automation |
| BP-A Provision a secured orchestration platform | E.2.5 Secured orchestration platform |
| BP-V Validate build artifacts through verifiably reproducible builds; BP-V Recommendations for reproducible builds | E.2.6 Reproducible builds |
| BP-CE Write output to a separate secured storage repo | E.2.7 Build output |
| Build L3 Hardened builds; BP-A Build workers should be single-use; BP-CE Ensure build pipeline has minimal network connectivity; BP-CE Segregate the duties of each build worker; BP-CE Pass in build worker environment and commands | E.2.8 Hardened and isolated builds |
| D-V Air-gapped deployment | E.3.2 Environmental separation |
| A-CE Limit which artifacts any given party is authorized to certify; SC-CE Establish and adhere to contribution policies; SC-CE Define roles aligned to functional responsibilities; BP-SA Define user roles | E.3.3 Role-based access control |
| BP-SA Deploy monitoring tools to detect malicious behavior | E.3.7 Boundary protection |
| A-CE Build in a system for rotating and revoking private keys; SC-SA Have a key rotation policy | E.3.8 Key rotation |
| SC-SA Use short-lived/ephemeral credentials; BP-SA Use short-lived workload certificates | E.3.9 Ephemeral credentials |
| BP-SA Follow best practices for establishing a root of trust from an offline source | E.3.10 Establish a root of trust |
| Practices | Control |
|---|---|
| BP-SA Deploy monitoring tools to detect malicious behavior; D-A Continuous vulnerability scanning | D.2.1 System monitoring |
| BP-V Validate runtime security of build workers; SC-SA Use short-lived/ephemeral credentials for machine/service access; A-CE Use a container registry that supports OCI image-spec images | D.2.2 Build process monitoring |