{"id":46153,"date":"2022-04-11T22:31:15","date_gmt":"2022-04-11T22:31:15","guid":{"rendered":"https:\/\/www.darkreading.com\/dr-tech\/google-github-collaboration-focuses-on-securing-code-build-processes"},"modified":"2022-04-11T22:31:15","modified_gmt":"2022-04-11T22:31:15","slug":"google-github-collaboration-focuses-on-securing-code-build-processes","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/google-github-collaboration-focuses-on-securing-code-build-processes\/","title":{"rendered":"Google, GitHub Collaboration Focuses on Securing Code Build Processes"},"content":{"rendered":"
<\/div>\n

Google and GitHub have been collaborating on a forgery-proof method for signing source code as part of their efforts to secure the software supply chain.<\/p>\n

Software supply chain security depends on developers and organizations being able to detect that artifacts \u2014 the software components, frameworks, and build tools being used \u2014 are authentic and have not been tampered with. That is the thinking behind Supply chain Levels for Software Artifacts<\/a> (SLSA), a framework for maintaining end-to-end integrity of a software supply chain.<\/p>\n

SLSA’s goal is to generate information that described where, when, and how the artifacts were produced, and give developers and organizations a way to identify where the artifacts diverged from the original. The project, originally built by Google last June in response to National Institute of Standards and Technology’s (NIST) framework for software development<\/a>, is managed by the Open Source Security Foundation<\/a>.<\/p>\n

Knowing a project’s SLSA level can provide developers and organizations with some insights into the project’s security posture.<\/p>\n

Looking at the Build Tools<\/strong>
Google and GitHub’s recent collaboration focuses on build provenance<\/a>, or verifying the authenticity of the entity behind the release processes and whether the build artifacts are protected against tampering. As the attack against SolarWinds<\/a> and Codecov<\/a> showed, threat actors can hijack build tools to disseminate malicious components.<\/p>\n

“[These] attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software,” writes Google Open Source Security Team’s Asra Ali and Laurent Simon.<\/p>\n

Google and GitHub announced a prototype tool, written in the Go programming language, that uses GitHub Actions workflows<\/a> and Sigstore<\/a>‘s signing tools to create “tamperless evidence of the build and allow consumer verification.”<\/p>\n

Using those workflows and tools allows “users to not only verify that the software they receive is authentic, but also to verify where it was built and with which software,” writes Jose Palafox<\/a>, GitHub’s director of business development.<\/p>\n

The new workflow, which is available in the Actions tab in any GitHub repository, creates runners, or fresh virtual machine instances, for each job. Different VMs compile the project and generate and sign the SLSA provenance. Projects using GitHub-hosted runners have the guarantee that the code has not been modified.<\/p>\n

“To protect against the possibility of one job (e.g. the build step) tampering with the other artifacts used by another job (the provenance step), this approach uses a trusted channel to protect the integrity of the data,” Ali and Simon write.<\/p>\n

A unique token contains verifiable information about the workflow such as the caller repository, commit hash, trigger, and current workflow path and reference. Users can rely on the signing certificates to verify provenance, and developer don’t need to manage or distribute cryptographic keys for signing.<\/p>\n

GitOps in Security<\/strong>
With cloud-native development, developers are working as quickly and efficiently as possible with their CI\/CD pipelines using Git repos, says Melinda Marks, a senior analyst with ESG. If security is to match the speed of modern software development, security tools need to be integrated into the developer workflow in order to reduce the risk of deploying faulty code. Google and GitHub’s collaboration “illustrate how GitOps is good for security,” Marks says.<\/p>\n

The use of GitHub Actions workflows to automatically generate build provenance and using Sigstore information to track the code is giving developers ways to create reusable trusted workflows, mechanisms to prevent tampering, and records when code is altered, Marks says. <\/p>\n

“These GitHub features and frameworks keep track of the code, where it’s from, who had access, what changes were made, etc., so if there are problems, they can use security tools, testing tools, configuration\/posture management tools, etc., and use the metadata from the repos to fix issues efficiently because they have the data on the code origin, any modifications, access, etc,” she says.<\/p>\n

A Graduated Approach<\/strong>
Recent high-profile breaches highlight how the software supply chain is vulnerable and what kind of damage attacks can cause. Gartner predicts<\/a> that “by 2025, 45% of organizations will have experienced attacks on their software supply chains, a threefold increase from 2021.”<\/p>\n

The SLSA framework recognizes that adopting supply chain security for software builds is not a quick process and that an incremental approach is necessary<\/a>. The framework considers how provenance \u2014 metadata about how an artifact was built, including the build process, top-level source, and dependencies \u2014 is generated and verified. There are four levels:<\/p>\n