SBOM & SLSA: Securing Software Supply

Introduction

Supply chain attacks that compromise build systems and third-party components rather than the finished product have made the integrity of software artifacts, from source to deployment, a first-order security concern. This case study describes how a large Swiss insurance company strengthened its software supply chain by integrating the Supply-chain Levels for Software Artifacts (SLSA) framework at Level 2 into its Continuous Integration and Continuous Deployment (CI/CD) pipelines. At that level every artifact is built on a hosted build platform that emits signed provenance, so a consumer can verify where, from which source and by which builder an artifact was produced. The company deliberately chose a fully automated approach so that the standard is enforced by the pipeline itself rather than by manual review, giving consistent protection against tampering along the software supply chain.

The Challenge

The company set out to raise its security posture and improve traceability in response to the rapid growth of supply chain attacks that target build pipelines and dependencies. Beyond defending against those threats, the initiative had to satisfy strict data and privacy protection obligations. Concretely, this meant keeping a detailed record of how each software artifact was produced, including the libraries and third-party software it contains. Such records are what make rapid response possible: when a widely used component is compromised again, the company must be able to identify quickly which of its artifacts contain it and mitigate the exposure.

The Solution

The solution was built on the company's CI/CD stack: GitLab runner infrastructure for hosted builds, Docker registries for artifact storage, and SLSA tooling with Sigstore for signing artifacts and their provenance. Key components of the solution included:

  • Cultural Adaptation: Developers and third-party suppliers were required to adhere to the new software security standards.
  • Onboarding Process: Strict compliance checks for packages during the QA process, so that non-conforming components are caught before they are promoted.
  • Monitoring and Compliance: Security & Compliance dashboards, with every component accompanied by a Software Bill of Materials (SBOM) for complete traceability.
  • Enforcement of Signed Software: Only signed Docker images are admitted, so that image integrity and origin can be verified before deployment.
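Enforcing signed images involves a policy decision as well as a signature check. As an added example, not code from the original page or from the customer's pipeline, the following Python models the gate a deployment job applies after `cosign verify` and `cosign verify-attestation` have validated the signatures on an image and on its SLSA provenance attestation: the attestation must name this image's digest, the builder must be an allowed hosted build platform (what SLSA Level 2 requires), and the source must be a commit-pinned repository in the company's own namespace. The manifest, statement, builder ID, registry and repository URLs are constructed placeholders, not the customer's values.

```python
"""Policy gate applied to a container image before deployment.

Added example, not the customer's code. It models the decision the pipeline
makes once cosign has confirmed the signatures on the image and on its SLSA
provenance attestation. The manifest, statement, builder ID and repository
URL are constructed placeholders.
"""
import hashlib
import json
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed OCI image manifest. A registry identifies the image by the
# sha256 of these exact bytes, and that is the digest the attestation names.
MANIFEST_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"digest": "sha256:" + "22" * 32, "size": 5678}],
}, separators=(",", ":")).encode()


def image_digest(manifest: bytes) -> str:
    """Hex sha256 of the manifest bytes (the part after 'sha256:')."""
    return hashlib.sha256(manifest).hexdigest()


# Constructed in-toto statement with a SLSA v1 provenance predicate, as a
# hosted build platform would emit it for the image above.
PROVENANCE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "registry.example.com/claims/api",
                 "digest": {"sha256": image_digest(MANIFEST_BYTES)}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://gitlab.example.com/ci/build@v1",  # placeholder
            "resolvedDependencies": [{
                "uri": "git+https://gitlab.example.com/insurance/claims-api",
                "digest": {"gitCommit": "a" * 40},
            }],
        },
        "runDetails": {"builder": {"id": "https://gitlab.example.com/ci/runner"}},  # placeholder
    },
}

# Deployment policy: only the hosted builder may produce provenance, and the
# source must come from the company's own namespace, pinned to a commit.
POLICY = {
    "allowed_builders": {"https://gitlab.example.com/ci/runner"},
    "source_repo": re.compile(r"^git\+https://gitlab\.example\.com/insurance/"),
}


def gate(statement: dict, digest: str, policy: dict) -> list:
    """Return policy violations for deploying the image with this digest;
    an empty list admits the image."""
    violations = []
    if statement.get("_type") != STATEMENT_TYPE:
        violations.append(f"statement type {statement.get('_type')!r} is not {STATEMENT_TYPE}")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        violations.append(f"predicate type {statement.get('predicateType')!r} is not SLSA v1 provenance")
    # The attestation must be about *this* image: the digest, not a tag, binds them.
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        violations.append(f"image digest {digest[:12]} is not a subject of the attestation")
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["allowed_builders"]:
        violations.append(f"builder {builder!r} is not an allowed hosted build platform")
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri", "").startswith("git+")]
    if not sources:
        violations.append("no git source recorded in resolvedDependencies")
    for src in sources:
        if not policy["source_repo"].match(src["uri"]):
            violations.append(f"source {src['uri']} is outside the allowed namespace")
        if not re.fullmatch(r"[0-9a-f]{40}", src.get("digest", {}).get("gitCommit", "")):
            violations.append(f"source {src['uri']} is not pinned to a commit")
    return violations


def run_scenarios() -> dict:
    """Evaluate the genuine provenance and two tampered cases; returns
    scenario name -> violations."""
    forged = json.loads(json.dumps(PROVENANCE))  # deep copy
    forged["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example.com/dev"
    return {
        "built_by_hosted_builder": gate(PROVENANCE, image_digest(MANIFEST_BYTES), POLICY),
        "manifest_tampered": gate(PROVENANCE, image_digest(MANIFEST_BYTES + b"\n"), POLICY),
        "provenance_from_dev_laptop": gate(forged, image_digest(MANIFEST_BYTES), POLICY),
    }


if __name__ == "__main__":
    for name, found in run_scenarios().items():
        print(f"{name}: {'ADMIT' if not found else found}")
```

Running the block evaluates three scenarios: the genuine provenance is admitted; a manifest altered by a single byte produces a different image digest, so the attestation no longer covers the image; and provenance whose builder ID is a developer workstation is rejected even though the statement is otherwise well-formed. In a real pipeline these rules are usually expressed in an admission policy rather than hand-written code, but the decision logic is the same.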

Implementation Process

  • Requirements Gathering: Collaboratively assess and document specific customer needs, existing technologies, and desired security maturity levels.
  • Architectural Planning: Customize the architectural framework to integrate essential security protocols, processes and compliance measures within the CI/CD pipeline.
  • Process Integration: Implement changes to the CI/CD processes including:
    • Automated compliance checks.
    • Quality gate pipelines.
    • Proactive monitoring and notification systems.
  • Deployment and Monitoring: Roll out the updated CI/CD infrastructure across the organization, with ongoing monitoring to manage and mitigate any arising issues effectively.

Results Achieved

  • Secure Deployments: Only signed and verified components reach production.
  • Traceability: Every artifact in production has been checked and can be traced back to its source, its build and the components it contains.
  • Rapid Response Capability: SBOMs and provenance make it possible to determine quickly whether, and where, the company is affected by a newly disclosed supply chain compromise.
  • Compliance Achievement: All compliance requirements were met.
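The rapid-response capability above depends on being able to query the SBOMs of all production images at once. As an added example that is not part of the original page, the following Python builds an index over the CycloneDX SBOMs attached to each image and answers the first question an incident responder asks: which images contain a given package in an affected version range? It matches on package URLs (purl) rather than display names and descends into nested components, where bundled libraries hide from a flat scan. The SBOMs, image references, package names and the vulnerable range are all constructed for the example.

```python
"""Cross-image SBOM index for incident response.

Added example, not the customer's code. Given the CycloneDX SBOMs attached
to every production image, answer "which images contain package P in a
vulnerable version range?" SBOMs, image references, package names and the
range are constructed for the example.
"""
import re
from urllib.parse import unquote

# Constructed CycloneDX-style SBOMs keyed by the image reference they are
# attached to. The batch image bundles the library inside a nested component.
SBOMS = {
    "registry.example.com/claims/api@sha256:1111": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "acme-http-client", "version": "4.1.0",
             "purl": "pkg:npm/acme-http-client@4.1.0"},
            {"type": "library", "name": "left-pad", "version": "1.3.0",
             "purl": "pkg:npm/left-pad@1.3.0"},
        ],
    },
    "registry.example.com/customer/portal@sha256:2222": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "acme-http-client", "version": "4.2.0",
             "purl": "pkg:npm/acme-http-client@4.2.0"},
        ],
    },
    "registry.example.com/claims/batch@sha256:3333": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "xml-parser", "version": "2.3.1",
             "purl": "pkg:maven/com.example.lib/xml-parser@2.3.1?type=jar"},
            {"type": "application", "name": "report-bundle", "version": "7.0",
             "purl": "pkg:generic/report-bundle@7.0",
             "components": [
                 {"type": "library", "name": "acme-http-client", "version": "3.9.5",
                  "purl": "pkg:npm/acme-http-client@3.9.5"},
             ]},
        ],
    },
}


def parse_purl(purl: str) -> tuple:
    """Split a package URL into (type, namespace, name, version).
    Qualifiers and subpath are dropped; percent-encoding is decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    body, version = body.rsplit("@", 1) if "@" in body else (body, "")
    ptype, _, rest = body.partition("/")
    parts = [unquote(p) for p in rest.strip("/").split("/") if p]
    return ptype, "/".join(parts[:-1]), parts[-1], unquote(version)


def iter_components(components: list):
    """Walk components depth-first, including nested (bundled) components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def build_index(sboms: dict) -> dict:
    """(type, namespace, name) -> list of (version, image) across all SBOMs."""
    index = {}
    for image, bom in sboms.items():
        for comp in iter_components(bom.get("components", [])):
            purl = comp.get("purl")
            if not purl:
                continue  # components without a purl cannot be matched reliably
            ptype, namespace, name, version = parse_purl(purl)
            index.setdefault((ptype, namespace, name), []).append((version, image))
    return index


def version_key(version: str) -> tuple:
    """Numeric dotted-version key. Simplification: pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_affected(sboms: dict, ptype: str, namespace: str, name: str,
                  fixed_in: str, introduced: str = "0") -> list:
    """Images whose SBOM records the package at a version in [introduced, fixed_in)."""
    low, high = version_key(introduced), version_key(fixed_in)
    hits = {image for version, image in build_index(sboms).get((ptype, namespace, name), [])
            if low <= version_key(version) < high}
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical advisory: acme-http-client before 4.2.0 is affected.
    for image in find_affected(SBOMS, "npm", "", "acme-http-client", fixed_in="4.2.0"):
        print("affected:", image)
```

With the constructed data the query returns the api image (4.1.0) and the batch image (3.9.5, found inside the bundled component) but not the portal image, which already runs the fixed 4.2.0. The version comparison is deliberately simple; production use should apply the ecosystem's own version semantics, since npm, Maven and Debian versions do not order the same way.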

Lessons Learned

  • Incremental and Adaptable Implementation: Adopting the SLSA levels one step at a time, in an agile fashion, allowed continuous improvement and progressively stronger security measures while keeping progress sustainable.
  • Early Stakeholder Involvement: Involving all relevant stakeholders (delivery, platform, development and security teams) early in the project proved essential for alignment.
  • Process Automation: Streamlining and automating processes improved efficiency and reduced human error.
  • Continual Development of Tooling: Tooling for frameworks such as SLSA is still evolving, so some in-house development work remains necessary to meet the requirements.

Peak Scale
Countries

Switzerland

Services

CI/CD, Supply Chain Security

Technologies

GitLab, SLSA, Sigstore

Customer Vertical

Insurance

Project Date

May 2024

Size of the company

5500+

Rocket Engineers