In part 2 of the series, we dived into the internals of the provenance document to understand its content and usage.
In this part, we will explore the different SLSA levels for generating provenance and the challenges you might face when adopting SLSA provenance.
Finally, we will review those challenges from the perspective of an enterprise.
Let's explore the three different levels defined for SLSA provenance generation and how each level improves the security of your pipeline.
To comply with SLSA provenance requirements for the second security level, consumers must be able to verify the authenticity and integrity of the provenance.
Ensure integrity: Verify that the digital signature of the provenance attestation is valid and the provenance was not tampered with after the build.
To comply with the SLSA provenance requirements for the third security level, the provenance must be strongly resistant to forgery by specific build jobs.
In practical terms, neither the provenance generation procedure nor the private key used to sign the provenance may be accessible to the build steps of any job.
Generating and signing the provenance at the build platform level ensures that the content of the provenance can be trusted regardless of the specific build it describes; that is, the process is immune to modification by an insider threat or a compromised developer account.
As of now, the only official open-source solution for level 3 provenance generation uses GitHub Actions.
The SLSA project maintains the slsa-github-generator repository, which provides a provenance generation solution to be used by open-source projects.
The generator workflow uploads the signed provenance to the workflow artifacts.
Run the workflow to generate a signed provenance that contains false data.
Combined with branch protection, SLSA provenance level 3 prevents the attacker from deploying their malicious code without approval from a legitimate user.
Generating provenance using the standard SLSA tooling discloses private information, namely the provenance content, to the general public.
A full integration of provenance into the CI/CD pipeline means blocking deployment in case the provenance verification fails.
Integrating provenance generation involves manually modifying your CI/CD workflows to trigger the provenance generation, specifying its inputs, and adjusting it to the different technologies used in your pipelines.
In our next blog post in the SLSA Provenance series, we are going to address these questions and more.
We will introduce Legit's Autonomous Provenance Generation service and see how an enterprise can integrate provenance without effort and without conflicting with the needs for information privacy and service independence.
Legit Security provides a seamless solution for SLSA provenance generation that meets SLSA level 3 requirements: simply integrate your organization to generate provenance documents for your SCM without any extra action.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 28 Dec 2023 00:43:05 +0000