Securing the software supply chain through automated attestation

Aug 10, 2022 · 4 min read
Sandra Gittlen

Securing the software supply chain is not a one-and-done proposition. Instead, organizations, especially those in the public sector, must level up their protections as governing bodies add to their security frameworks. If you need proof of this, look no further than the sudden emergence of attestation requirements.

Attestation is an authenticated statement (metadata) about a software artifact or collection of software artifacts. Attestation is a key feature of SLSA (Supply chain Levels for Software Artifacts) Certification Level 2, which requires organizations to protect against software tampering and add minimal build integrity guarantees. The concept of attestation, along with presenting a software bill of materials (SBOM), is featured prominently in the NIST Secure Software Development Framework and ISACA's Certified Information Security Auditor training.

“In the past few months and in the wake of high-profile security breaches, the major governing bodies have been laser-focused on attestation and the ability to provide a verified artifact from your continuous integration (CI) pipelines that show you’ve completed all your security scans in a way that would be acceptable and compliant with the standards they set forth,” says Joel Krooswyk, senior manager of solutions architects at GitLab.

“While the government is certainly leading on these requirements, the need for attestation applies to everyone,” says Sam White, principal product manager at GitLab. 

The demand for attestation automation

Organizations might have previously felt comfortable performing periodic self-audits for compliance attestation, but the stakes are now too high and public sector agencies, as well as private sector organizations, must consider automating this critical task, according to Krooswyk.

“Until now, attestation has been a manual undertaking, which has been burdensome, expensive, and error-prone,” he says. “The more automation we can apply to attestation, and the more consistency we can incorporate from standards requirements, the better off software supply chain security will be and the more confidence we will have in development collaboration.”

GitLab introduced automated compliance attestation in Release 15.1. GitLab Runner can generate attestation metadata for all build artifacts. To enable this feature, you must set the RUNNER_GENERATE_ARTIFACTS_METADATA environment variable to "true". This variable can be set globally or for individual jobs. The metadata is then rendered in a plain text .json file that is stored with the artifact.
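Both forms of the setting described above in a .gitlab-ci.yml, as an added example that is not from the original post or from GitLab's own documentation; the job names, build commands and artifact paths are assumptions:

```yaml
# Added example, not from the original post: a minimal .gitlab-ci.yml showing
# the two ways the post describes for enabling artifact attestation metadata
# (GitLab 15.1 or later). Job names, paths and build commands are assumed.

# Option 1: set the variable globally, so every job that publishes artifacts
# gets a metadata file.
variables:
  RUNNER_GENERATE_ARTIFACTS_METADATA: "true"

stages:
  - build

build-app:
  stage: build
  script:
    - make release            # assumed: writes dist/app.tar.gz
  artifacts:
    name: app-release
    paths:
      - dist/app.tar.gz
  # With the variable set, the runner stores a plain-text .json metadata file
  # together with the uploaded artifact archive.

# Option 2: set the variable for one job only (and omit the global block above
# if you want other jobs left unchanged).
build-docs:
  stage: build
  variables:
    RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
  script:
    - make docs               # assumed: writes public/
  artifacts:
    paths:
      - public/
```

Jobs that do not declare artifacts produce no metadata file, so the setting only matters for jobs with an artifacts section.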


Building attestation into the development lifecycle

Software development is a collaborative effort and organizations need to know that upstream dependencies have been built in a secure manner. “Not only do you need to know that the software has been developed without vulnerabilities, but that the machine that software was built on has not been compromised,” White says. “How can you know, without attestation, that the binary itself is authentic and that the risk has been minimized?” By automating attestation, organizations can help protect users of their software from code that has been injected with malware or build servers that have been overtaken.


“If developers don’t have to worry about the setup or ongoing complexity of attestation, it will be a game-changer for the security industry, because you are validating right at the point of software development,” White says.

Next up: Integrated code signing and broader participation

As the public sector wades deeper into compliance, the next logical step is to introduce accountability through code signing. “Next, developers need to cryptographically sign both the build artifact and the attestation file,” White says. “This will add another layer of confidence in the build artifacts and the software supply chain overall.”

Attestation also must become the norm upstream throughout the open source community. “Attestation is very much a network effect where the more people adopt it, the more effective it gets,” Krooswyk says. “Everyone needs to generate their own attestation at the point in time when they build their artifact.” 

Krooswyk adds that in addition to SBOM validation, he would like to see attestations expand to include all vulnerabilities that are known at the time a project is built. “We need a continuous ability to create a birth-to-death artifact history,” he says.

All users on a GitLab 15.1 or later release can get started with generating attestation for their build artifacts by setting RUNNER_GENERATE_ARTIFACTS_METADATA: true in their CI pipeline. For a more comprehensive approach, users can take advantage of security approvals, code scanning, and compliance auditing by using GitLab Ultimate. To test out building a more overarching software supply chain security strategy, try GitLab Ultimate for free with a 30-day trial today.
