
Leveraging Spinnaker to secure your software supply chain from SUNBURST-style threats

Government employees are reeling from revelations over the weekend that FireEye had discovered an active threat from a trojanized software supply chain. Due to this revelation, CISA has issued an emergency directive to remove SolarWinds from United States Department of Defense IT systems. Compromises in the software supply chain are becoming more frequent, and with this uptick comes a growing need for a Secure Software Supply Chain (SSSC).

Understanding the threat of SUNBURST

A software supply chain attack is when a malicious party injects malicious code straight into the source of a signed and trusted app. This app can then be distributed through legitimate software updates. The motive behind this act is to contaminate the trusted source and gain access to a huge cluster of trusting victims.

In this recent supply chain attack, a malicious party compromised the SolarWinds build stages before making alterations to either:

  • The source code
  • An artifact used during the build process
  • The release process

Despite this tampering, the malware was still signed with SolarWinds' own certificates, indicating mismanagement of certificate keys and a lack of hardware-based signing mechanisms, or worse, an oversight in authenticating their build process.

Next, these compromised binaries were downloaded and installed onto production systems where the malware has been running undetected since at least March 2020. This vulnerability allows attackers to forge SSO tokens that impersonate any of the organization’s existing users and accounts.

At this time, it is unclear how many systems are currently affected. The emergency guidance given by CISA is to shut down all systems running SolarWinds, which will leave many network operators without a network monitoring solution, thereby amplifying the risk.

Spinnaker automates the process of build verification

A secure software supply chain requires signed code commits and trusted build artifacts, so implementing an organizational change management process for code review and sign-off of commits is the most essential part of delivering secure software. Upon every new build, there need to be steps that verify the software’s integrity, just like a physical supply chain.

In an ideal environment, a secure software supply chain would potentially leverage Spinnaker to automate the process of signing release and artifact metadata. A best practice for this would be to implement Notary for running and interacting with trusted collections. With Notary, publishers can sign their content offline using keys that are kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.

If you want to take it a step further, you can leverage Open Policy Agent to implement strict policies for your secure software supply chain. OPA is a declarative framework that allows you to decouple policy from your service’s code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance. You can pair OPA with Notary to implement fine-grained policies that only allow images to be deployed if they have been signed by Notary, taking you one major step towards a secure software supply chain. In fact, here at Armory, we offer some pretty great features in our Policy Engine that allow you to automate Policy Enforcement in your pipelines so you can get the full benefit of a DevSecOps workflow. Check out a short demo below!
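The rule described above, allowing a deployment only when the image appears in a signed Notary collection, comes down to the check sketched here. This is an added Python illustration, not Armory's Policy Engine or an OPA policy; the collection layout, the registry name and the `evaluate` and `split_ref` functions are constructed for the example, and signature verification of the collection is assumed to have been done already.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a trusted collection's signed targets (tag -> sha256).
# Assumption: its signatures were already verified by the Notary client.
COLLECTION = {
    "expires": "2031-01-01T00:00:00+00:00",
    "targets": {"1.4.2": hashlib.sha256(b"constructed manifest 1.4.2").hexdigest()},
}

def split_ref(image_ref):
    """Split an image reference into (repository, tag, digest)."""
    if "@sha256:" in image_ref:
        repo, digest = image_ref.split("@sha256:", 1)
        return repo, None, digest
    head, _, last = image_ref.rpartition("/")  # keeps a registry port out of the tag
    name, sep, tag = last.partition(":")
    return (f"{head}/{name}" if head else name), (tag if sep else None), None

def evaluate(image_ref, collection, now):
    """Return (allowed, detail): a digest-pinned reference, or the denial reason."""
    if now >= datetime.fromisoformat(collection["expires"]):
        return False, "trusted collection has expired"
    repo, tag, digest = split_ref(image_ref)
    signed = collection["targets"]
    if digest is not None:
        if digest in signed.values():
            return True, f"{repo}@sha256:{digest}"
        return False, "digest is not in the signed collection"
    if tag is None:
        return False, "no tag or digest given"
    if tag not in signed:
        return False, f"tag {tag} has no signed target"
    # Deploy by digest so a later re-tag in the registry cannot change the image.
    return True, f"{repo}@sha256:{signed[tag]}"

if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for ref in ("registry.example:5000/app:1.4.2", "registry.example:5000/app:latest"):
        print(ref, "->", evaluate(ref, COLLECTION, now))
```

Returning the digest-pinned reference matters as much as the allow/deny decision: a tag is mutable, so a gate that approves a tag and then deploys by tag has not bound the deployment to what was signed.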

Lastly, there is the option of using a tool such as in-toto to ensure the integrity of your entire software supply chain. In-toto is an open metadata standard that is designed to make it transparent to the user what steps were performed, by whom and in what order during the build and release process. As a result, in-toto allows the user to verify if a step in the supply chain was intended to be performed and if the step was performed by the right actor.
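To make the "what steps, by whom, in what order" check concrete, here is an added Python example that models it; it is not the in-toto reference implementation or its metadata format. The layout, key ids, file names and the `verify` function are constructed for illustration, and the signature on each link record is assumed to have been verified already against the signer's public key.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

SRC = b"print('hello')\n"           # constructed source file
PKG = b"constructed package bytes"  # constructed build output

# Constructed layout: the ordered steps and the key ids allowed to perform each.
LAYOUT = [
    {"name": "checkout", "authorized": {"key-dev"}},
    {"name": "build", "authorized": {"key-ci"}},
]

def make_links(build_input=SRC, build_signer="key-ci"):
    """Constructed link metadata, one record per performed step."""
    return {
        "checkout": {"signer": "key-dev", "materials": {},
                     "products": {"app.py": sha256(SRC)}},
        "build": {"signer": build_signer,
                  "materials": {"app.py": sha256(build_input)},
                  "products": {"app.pkg": sha256(PKG)}},
    }

def verify(layout, links, final_name, final_bytes):
    """Return a list of violations; an empty list means the chain verifies."""
    problems, previous = [], None
    for step in layout:
        link = links.get(step["name"])
        if link is None:
            problems.append(f"{step['name']}: step was not performed")
            previous = None
            continue
        if link["signer"] not in step["authorized"]:
            problems.append(f"{step['name']}: signer {link['signer']} is not authorized")
        if previous is not None:
            # Every input of this step must be byte-identical to what the
            # previous step produced, or something changed in between.
            for path, digest in link["materials"].items():
                if previous["products"].get(path) != digest:
                    problems.append(f"{step['name']}: material {path} differs from previous product")
        previous = link
    if previous is None or previous["products"].get(final_name) != sha256(final_bytes):
        problems.append("final artifact does not match the last step's product")
    return problems

if __name__ == "__main__":
    print(verify(LAYOUT, make_links(), "app.pkg", PKG))
    print(verify(LAYOUT, make_links(build_input=b"altered after checkout"), "app.pkg", PKG))
```

The second call models a source file changed between checkout and build: the build step is signed by the right key and produces the expected package, yet verification still fails because its recorded input no longer matches what checkout produced.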

If you’re a Jenkins shop, there is a very helpful plugin called the in-toto provenance agent, which allows for some very nice automation ability. We’ve discussed a bit about the benefits of leveraging Jenkins as a continuous integration tool paired with Spinnaker to manage continuous delivery in this webinar.

Spinnaker integrates with your favorite DevSecOps tools

Spinnaker was built from the ground up to be a modular platform that enables the extensible addition of new features. Here at Armory, we have recently launched our Plugin Framework to the public to enable Spinnaker users to add their own new features and extend Spinnaker without the commitment of contributing lengthy code to the entire Spinnaker project. Historically, building a Spinnaker Plugin required approval from the community to be added to the core project. With the Plugin Framework, Armory has made it easy for you to integrate your favorite tools into Spinnaker, in turn keeping your environment more secure. Check out our CEO describing the Plugin Framework in this interview:

Conclusion

Implementing a proper change management process for activities such as code review and build verification is fundamental to maintaining a secure software supply chain. By using tools such as Spinnaker to leverage the full benefits of DevSecOps, you and your team can automate tedious and repeatable processes such as commit signing, repository scanning, and policy enforcement.

It is impossible to become perfectly secure, but by enforcing strict rulesets and managing proper change management procedures, you can protect yourself and your organization from risks such as SUNBURST. Don’t be the next news headline.