Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development.
Ensure that all compilers, interpreters, and build tools used in the application development process support features that enhance the security of executables. Use the latest versions of these tools, manage updates through a formal change management process, and verify the authenticity and integrity of each tool before use. By doing so, the development environment minimizes the risk of introducing vulnerabilities, and each executable file can be reliably signed, ensuring it originates from a secure and trusted build process. It emphasizes the importance of maintaining secure and trusted development tools to support the digital signing of executables.
To ensure secure and trustworthy software updates, the update system must perform integrity and authenticity checks on downloaded files. These checks verify that the files are not tampered with during download and confirm their source's legitimacy. By validating both the update metadata and the update files, the system can prevent malicious or unauthorized updates from compromising the software.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-08-01-01-01 | Verify metadata for updates | Before downloading update files, validate the metadata to ensure it accurately identifies whether updates exist and includes correct information about the required files. | Development | DevOps Teams |
SSS-02-08-01-01-02 | Perform integrity checks on downloaded files | Use cryptographic techniques, such as hashing, to verify the integrity of downloaded files. Ensure the computed hash matches the hash provided in the update metadata to confirm that the files have not been tampered with. | Deployment | Security Teams |
SSS-02-08-01-01-03 | Validate authenticity with digital signatures | Use digital signatures to authenticate the source of the downloaded files. Verify that the files are signed by a trusted authority to prevent unauthorized or malicious updates from being applied. | Deployment | Security Teams |
SSS-02-08-01-01-04 | Implement secure download protocols | Use secure communication protocols, such as HTTPS, for downloading update files to protect against man-in-the-middle attacks and ensure the confidentiality of the downloaded content. | Deployment | IT Operations |
SSS-02-08-01-01-05 | Log and monitor update processes | Maintain detailed logs of update activities, including integrity and authenticity checks. Monitor the logs for anomalies to quickly detect and respond to potential issues in the update process. | Post-deployment | Compliance Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (SM-1797) NIST Secure Software Development Framework (PW.6.1) TUF The Update Framework (1.2. Software update system integrity and authenticity checks) |
Define and integrate comprehensive security checks during the build process to validate the integrity of compiled executables. Tailor these checks to the risk profiles of applications, ensuring that only builds meeting predefined security thresholds are allowed to proceed. Establish systems to log and monitor warnings for issues below the threshold and centralize their tracking for action. Introduce exception handling mechanisms to bypass build enforcement only under documented approvals, ensuring rationales for such cases are logged and reviewed. For environments where automatic enforcement is not feasible, substitute with clear policies and periodic audits to maintain equivalent levels of assurance. Centralize code-signing operations on a dedicated server to protect certificates from exposure during the build. Adopt deterministic build methods where possible, ensuring consistent, byte-for-byte reproducible artifacts that minimize risks of tampering or unintended variations. These measures emphasize the importance of trusted tools and processes, supporting secure development environments and the integrity of deliverables.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-08-01-02-01 | Define security baseline for builds | Set build criteria such as no high-severity vulnerabilities in dependencies for high-risk applications, using tools like OWASP Dependency-Check. | Preparation | Security team, Development leads |
SSS-02-08-01-02-02 | Integrate security checks into build pipeline | Use tools like SonarQube for static analysis or Snyk for dependency scanning during builds in Jenkins or GitHub Actions. | Development | DevOps team, Security team |
SSS-02-08-01-02-03 | Enforce build failures for non-compliance | Fail builds with critical vulnerabilities but log warnings for medium-severity issues in tools like JIRA for future tracking. | Development | DevOps team, Security team |
SSS-02-08-01-02-04 | Implement an exception approval mechanism | Use a sign-off process in the defect tracking system for temporarily bypassing build failures due to known vulnerabilities. | Deployment | Security team, Product managers |
SSS-02-08-01-02-05 | Handle centralized code signing securely | Use Sigstore or a similar tool to ensure code signing keys are securely managed and artifacts are byte-for-byte reproducible. | Deployment | Security team, DevOps team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (SM-1797) NIST Secure Software Development Framework (PW.6.1) OWASP SAMM: Software Assurance Maturity Model (I-SB-3-A) |
Ensure all provenance attestations are verifiably authentic so consumers can trust their integrity and origin. The build platform’s control plane must generate the provenance and apply a digital signature using a private key only it can access. Consumers must be able to validate this signature to confirm that the provenance was not tampered with and to identify the trusted build platform. Use signing methods that enable rapid detection and remediation of key compromises (e.g., transparency logs or time-stamping). The build platform must prevent tenant tampering, though non-critical fields (e.g., artifact names, optional fields) may be tenant-provided.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-08-01-03-01 | Validate Provenance Authenticity | Ensure provenance attestations are digitally signed using private keys accessible only to the build platform. Verify signatures to confirm the attestation has not been tampered with post-build. Use this process to validate the identity of the build platform. | Post-deployment | Security Teams |
SSS-02-08-01-03-02 | Implement Secure Signing Methodologies | Use signing methods that enhance security, such as transparency logs or time-stamping services, to detect and remediate key compromise effectively. Ensure signing keys are securely managed and access is restricted to the control plane of the build platform. | Development | Build Platform Engineers |
SSS-02-08-01-03-03 | Generate Provenance in the Control Plane | Configure provenance generation within the build platform’s trust boundary. Ensure all critical provenance data is obtained directly from the build platform, preventing tenant-generated tampering or inaccuracies in provenance attestations. | Development | DevOps Teams |
SSS-02-08-01-03-04 | Prevent Tenant Tampering with Provenance | Implement security controls on the build platform to deter tenants from altering provenance data. Ensure these controls are robust enough to reduce adversarial risks while maintaining compliance with trust and legal requirements. | Deployment | Build Platform Engineers |
SSS-02-08-01-03-05 | Review and Secure Exceptions | For exceptions, such as artifact names or cryptographic digests, ensure they are generated securely and align with defined guidelines. Regularly review and validate these exceptions to maintain overall provenance trustworthiness. | Post-deployment | Quality Assurance Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (SM-1797) NIST Secure Software Development Framework (PW.6.1) SLSA Supply-chain Levels for Software Artifacts (Level 2,3. Build platform-Provenance generation-Authentic) |