[ISM] Secure modification:

Unauthorised modification of the authoritative source for software is prevented.

[SSDF] Ensure integrity of software releases (SSS-01-05-01)

Ensure the integrity of software releases by making verification information available to authorized software acquirers. For example, publish cryptographic hashes of each release on a protected website, sign releases with a code-signing certificate issued by a trusted certificate authority, and regularly review and improve the code-signing process. These measures let acquirers verify the authenticity and integrity of the software they receive and so help prevent unauthorized modifications of the authoritative source. Note that a hash published alongside the download only detects accidental corruption if an attacker who can alter the artifact can also alter the hash; a signature made with a key the distribution server does not hold is what lets acquirers detect that case.

[SAMM] Verify the integrity of deployment artifacts (SSS-01-05-01-01)

Verify the integrity of deployment artifacts using cryptographic signatures generated at build time. Ensure that every artifact, including in-house binaries and third-party components, has its signature validated against trusted certificates before deployment. Reject any artifact whose signature is missing or invalid, or whose signing certificate is expired or not in the trusted set. Periodically review and update the list of trusted certificates, particularly those of third-party suppliers, so that it stays aligned with the organization's governance and security standards. For critical deployments, include at least one manual approval step in the otherwise automated pipeline, especially where human review is materially more reliable than automated checks. This layered approach establishes the authenticity and integrity of software releases, protecting the authoritative source while maintaining trust across the software supply chain.

Operations

ID | Operation | Description | Phase | Agent
SSS-01-05-01-01-01 | Sign binaries at build time | Implement automated signing of binaries during the build process using trusted certificates. Ensure that both in-house and third-party binaries are signed. | Development | DevOps team, Security team
SSS-01-05-01-01-02 | Verify artifact signatures before deployment | Automate the verification of binary signatures during the deployment process. Reject any artifact with an invalid, missing, or expired signature. | Deployment | DevOps team, Security team
SSS-01-05-01-01-03 | Manage and audit trusted certificates | Maintain an up-to-date list of trusted certificates, including third-party ones. Periodically review the list and align it with organizational governance policies. | Deployment | Security team, Vendor management team
SSS-01-05-01-01-04 | Require manual approval in key deployments | For critical or sensitive deployments, include a manual review step to verify artifact integrity or configuration where human review is more reliable than automated checks. | Deployment | DevOps team
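The build-time signing and deployment-time verification described above (operations SSS-01-05-01-01-01 to -03), as an added example that is not part of the original page or of any framework's tooling. It uses Go's standard-library Ed25519 rather than CA-issued certificates, so the trust store here is an assumed in-memory map of key IDs to public keys with validity windows; the envelope format, key names, and sample artifact bytes are all constructed for the example. The verifier fails closed: a missing signature, an untrusted or expired key, a digest that does not match the bytes being deployed, or a signature that does not verify each produce a distinct error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Signature is the envelope the build pipeline attaches to an artifact.
// The layout is an assumption for this example; a real pipeline would use a
// standard container such as a CMS/PKCS#7 signature or a Sigstore bundle.
type Signature struct {
	KeyID  string // names the trusted signing key to check against
	Digest string // hex SHA-256 of the artifact bytes
	Sig    []byte // Ed25519 signature over the digest string
}

// TrustedKey is one entry in the organisation's list of trusted signing keys.
// The validity window stands in for a certificate's NotBefore/NotAfter.
type TrustedKey struct {
	Public    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// TrustStore maps key IDs to trusted keys; it is the list that operation
// SSS-01-05-01-01-03 says must be maintained and audited.
type TrustStore map[string]TrustedKey

var (
	ErrMissingSignature = errors.New("artifact has no signature")
	ErrUntrustedKey     = errors.New("signing key is not in the trust store")
	ErrExpiredKey       = errors.New("signing key is outside its validity window")
	ErrDigestMismatch   = errors.New("artifact digest does not match signed digest")
	ErrBadSignature     = errors.New("signature does not verify")
)

func digestOf(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// SignArtifact is the build-time step: hash the artifact and sign the digest.
func SignArtifact(keyID string, priv ed25519.PrivateKey, artifact []byte) *Signature {
	d := digestOf(artifact)
	return &Signature{KeyID: keyID, Digest: d, Sig: ed25519.Sign(priv, []byte(d))}
}

// VerifyArtifact is the deployment-time gate. Every check fails closed.
func VerifyArtifact(store TrustStore, now time.Time, artifact []byte, sig *Signature) error {
	if sig == nil {
		return ErrMissingSignature
	}
	key, ok := store[sig.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if now.Before(key.NotBefore) || now.After(key.NotAfter) {
		return ErrExpiredKey
	}
	// Recompute the digest from the bytes about to be deployed instead of
	// trusting the digest carried in the envelope.
	if digestOf(artifact) != sig.Digest {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(key.Public, []byte(sig.Digest), sig.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	store := TrustStore{
		"build-key-2024": {Public: pub, NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0)},
	}
	artifact := []byte("constructed sample build output") // constructed sample
	sig := SignArtifact("build-key-2024", priv, artifact)

	fmt.Println("genuine: ", VerifyArtifact(store, now, artifact, sig))
	fmt.Println("tampered:", VerifyArtifact(store, now, []byte("constructed sample build output!"), sig))
	fmt.Println("unsigned:", VerifyArtifact(store, now, artifact, nil))
	fmt.Println("expired: ", VerifyArtifact(store, now.AddDate(2, 0, 0), artifact, sig))
}
```

The digest is recomputed from the bytes actually being deployed and compared before the signature is checked; verifying only the envelope's own digest would let an attacker ship a genuine signature alongside a different binary. Rotating a key is a trust-store edit (shrink its NotAfter), which is what makes the periodic review in SSS-01-05-01-01-03 enforceable rather than advisory.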

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1816)
NIST Secure Software Development Framework (PS.2.1)
OWASP SAMM: Software Assurance Maturity Model (I-SD-3-A)

[S2C2F] Digitally sign all open-source software (OSS) components (SSS-01-05-01-02)

Digitally sign all open-source software (OSS) components that you rebuild or modify post-build to ensure their integrity. Use trusted cryptographic methods to generate signatures that validate the authenticity of the software and protect it from unauthorized changes. This process enables acquirers and users to verify the integrity of the OSS, ensuring that it meets security and reliability standards while safeguarding the authoritative source.

Operations

ID | Operation | Description | Phase | Agent
SSS-01-05-01-02-01 | Digitally sign rebuilt OSS artifacts | Apply digital signatures to any open-source software (OSS) components you rebuild internally so that their integrity and authenticity can be verified in subsequent use. | Development | DevOps team, Security team
SSS-01-05-01-02-02 | Verify OSS integrity before use | Automatically validate the integrity of OSS components during the build process by checking their signatures against trusted certificates or their digests against approved hash values. | Development | DevOps team, Security team
SSS-01-05-01-02-03 | Maintain and audit trusted OSS sources | Use a centralized repository for OSS components and maintain an approved list of trusted sources. Periodically audit sources to ensure no unauthorized changes. | Deployment | Security team, Procurement team
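The hash-value and approved-source checks in operations SSS-01-05-01-02-02 and -03, as an added example that is not part of the original page or of S2C2F's own tooling. It parses a constructed, lockfile-style approved list (name, version, source, SHA-256; the format is an assumption for this example) and gates a fetched OSS component on both the source it came from and its digest, so a component that is on the list but was pulled from a mirror not on the list is rejected just like one whose bytes changed. The sample component bytes are constructed; its digest is the well-known SHA-256 of the string "hello world".

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Component is one entry in the organisation's approved list of OSS
// components: the only source it may be fetched from and the digest it must have.
type Component struct {
	Name, Version, Source, SHA256 string
}

// Allowlist is keyed by "name@version".
type Allowlist map[string]Component

var (
	ErrNotApproved      = errors.New("component is not on the approved list")
	ErrWrongSource      = errors.New("component fetched from an unapproved source")
	ErrUnexpectedDigest = errors.New("component digest does not match the approved digest")
)

// LoadAllowlist parses a constructed, whitespace-separated listing with one
// component per line: name version source sha256. Malformed lines are an error
// rather than being skipped, so a truncated list cannot silently approve less.
func LoadAllowlist(text string) (Allowlist, error) {
	al := Allowlist{}
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		if _, err := hex.DecodeString(f[3]); err != nil || len(f[3]) != 64 {
			return nil, fmt.Errorf("line %d: sha256 must be 64 hex characters", n+1)
		}
		al[f[0]+"@"+f[1]] = Component{Name: f[0], Version: f[1], Source: f[2], SHA256: strings.ToLower(f[3])}
	}
	return al, nil
}

// CheckComponent is the build-time gate for a fetched OSS artifact.
func CheckComponent(al Allowlist, name, version, fetchedFrom string, data []byte) error {
	c, ok := al[name+"@"+version]
	if !ok {
		return ErrNotApproved
	}
	if fetchedFrom != c.Source {
		return ErrWrongSource
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != c.SHA256 {
		return ErrUnexpectedDigest
	}
	return nil
}

// SampleAllowlist is a constructed listing; the host names are placeholders.
const SampleAllowlist = `
# name      version  source                         sha256
examplelib  1.2.0    https://artifacts.example.internal  b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
`

func main() {
	al, err := LoadAllowlist(SampleAllowlist)
	if err != nil {
		panic(err)
	}
	good := []byte("hello world") // constructed stand-in for the component bytes
	fmt.Println("approved:     ", CheckComponent(al, "examplelib", "1.2.0", "https://artifacts.example.internal", good))
	fmt.Println("wrong source: ", CheckComponent(al, "examplelib", "1.2.0", "https://mirror.example.org", good))
	fmt.Println("modified:     ", CheckComponent(al, "examplelib", "1.2.0", "https://artifacts.example.internal", []byte("hello world\n")))
	fmt.Println("not approved: ", CheckComponent(al, "examplelib", "1.3.0", "https://artifacts.example.internal", good))
}
```

Pinning a digest covers the case where the upstream has no signature or its signing key is not one the organisation trusts, which is why SSS-01-05-01-02-02 allows either check; a digest pin is only as good as the review that put it on the list, so changes to the allowlist itself should go through the same approval path as a trusted-certificate change.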

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1816)
NIST Secure Software Development Framework (PS.2.1)
S2C2F: Secure Supply Chain Consumption Framework (REB-2)