Security by Default: How Verizon New Business Incubation Uses Sigstore to Demonstrate Provenance and Improve Customer Confidence

This is a Sigstore case study contributed by Aaron Bacchi of Verizon

When people think of 5G networks, they typically think solely of the speed and bandwidth that distinguishes the 5G network from its predecessors. However, the real story is the innumerable applications and use cases that 5G makes possible. 5G technology can help entrepreneurs and enterprises create a host of new possibilities in the form of smart spaces — cities, buildings, and homes — where high-speed wireless connectivity, combined with robotics and automation tools, can transform the world we live in and the way we live in it.

At Verizon New Business Incubation (NBI), we work to support and facilitate Industry 4.0 and IoT initiatives to create autonomous ecosystems using Verizon’s 5G infrastructure as a foundation. Our team sets our sights to help build the future — and this vision recently led us to take some pretty big steps to improve our software supply chain.

It Takes Two to SLSA

A slew of high-profile cyber attacks on the software supply chain in 2020 put a spotlight on one of the Open Source Security Foundation’s (OpenSSF) groups, the Supply chain Levels for Software Artifacts framework (SLSA). SLSA is an open source, multi-stakeholder security framework comprising standards and controls used to prevent tampering, improve software integrity, and secure packages and project infrastructure.

One of SLSA’s key requirements is the generation of provenance, which is a fancy way of answering the question: “Where does this artifact originate? Who created this code? Can I trust it and safely use it as part of our ecosystem?” It’s a new way of thinking. Customers and end users used to implicitly trust the software they received, but recent cyber attacks have changed that. SLSA gives developers the ability to trace the provenance, or origin, of most artifacts in an application’s supply chain. It builds trust in a product and leaves breadcrumbs if something goes wrong.

With SLSA’s provenance requirement, producers can now directly link metadata, like scan results, to specific artifacts. When an artifact’s provenance is missing or has unexpected values, it’s a sign to other users that something is wrong and further investigation is needed.

SLSA Is Only the Beginning

SLSA provides a robust supply chain security framework, but that’s just the start. The open source community has come together to create new tools that are adjacent to and supplement the SLSA requirements.

Sigstore, an open source project under the OpenSSF, is a group of applications that work together to handle digital signing, verification, and checks of an artifact’s provenance. Cosign is part of Sigstore and can be used to authenticate the SLSA provenance generated by the build system. Automating this locks out bad actors who could otherwise write up and edit hand-coded provenance documents.

Fraudulent provenance attestations are a big problem. If a malicious actor can create or edit that provenance document and send it to the consumer, trust goes out the window. Cosign offers a way to issue digital signatures that conclusively demonstrate the source and authenticity of artifacts. These signatures create the digital equivalent of a tamper-proof seal, ensuring the contents of the provenance document are safe and have not been altered in any way.

Automating Artifact Provenance in Verizon New Business Incubation’s CI/CD Pipeline

Verizon NBI is at the forefront of using DevOps pipelines to automate the deployment of applications. This practice makes it easy to add a DevSecOps layer with SLSA provenance authentication. This extra step bolsters the security of the code without significantly increasing workloads or lengthening development cycles.

The general industry is in the first phase of a broader movement. Traditionally, securing software is a static operation that mostly involves scanning code for vulnerabilities. However, adversaries are shifting their focus onto the development pipeline infrastructure to abuse less hardened portions of the delivery system. This requires securing the software supply chain at every level.

The software supply chain typically works by bringing in third-party components, packaging them with in-house code, and distributing the application to internal users or external customers. This method of producing software requires you to authenticate and secure components, containers, and artifacts — whether you created them or not. But to adequately protect your customers and users from malicious code, you have to go a step further and incorporate security into build systems across your entire software supply chain.

Many open source projects and organizations have started to generate provenance. The next phase is getting consumers to embrace evaluating the provenance. This technology is so new that people might not know how it works or why they need it. That’s why it’s important to work with the open source community — including the people behind SLSA and Sigstore — to push the adoption of provenance authentication in the software supply chain into the mainstream.

Open Source Solutions in an Enterprise Environment

SLSA is a maturing framework that is working towards its 1.0 release. Sigstore, and specifically Cosign are powerful tools that automate artifact signing and authentication. These tools are geared toward the open source community but can easily be adopted by large enterprises.

Significant cyberattacks continue to ramp up in intensity year over year. One example was in 2021 when attackers tampered with a software testing company’s bash uploader which lets customers interact with their platform. This was a major threat because the malicious modification gathered build environment variables like credentials and tokens, then exfiltrated them to a third-party server. Through an error in the company’s image creation process, the attacker obtained a key that allowed them to switch the artifact offered to customers for download and use. This could have been mitigated by providing authenticated provenance to the customers who could then detect that the artifact was not built with the expected steps.

This example is just one of many, and the stakes continue to get higher. Proving provenance and authenticating artifacts with SLSA and Sigstore Cosign is helpful for mitigating these types of attacks. It is also good business because Verizon can reassure our customers that our software artifacts are traceable to their source, and therefore more secure.