In-toto and SLSA (Supply-chain Levels for Software Artifacts) can indeed be used together to enhance the security and integrity of the software supply chain. They are not mutually exclusive and can complement each other in the following ways:
Complementary Usage
End-to-End Verification with In-toto:
In-toto provides detailed, step-by-step tracking and verification of each phase in the software supply chain. By generating link metadata at each step and verifying it against a signed layout, it lets a verifier detect steps that were skipped, run by an unauthorized party, or whose inputs and outputs were tampered with.
Implementation: Use In-toto to define the steps involved in your software development lifecycle (SDLC), generate link metadata, and verify that each step was executed as expected.
Incremental Security Levels with SLSA:
SLSA offers a framework for achieving varying levels of supply chain security. By following SLSA’s levels, you can gradually improve the security posture of your software supply chain.
Implementation: Focus on aligning your practices with SLSA’s levels, starting from the basic requirements (Level 1) and progressing toward the higher levels (Level 4), which include rigorous controls such as two-person reviews and hermetic builds.
How They Work Together
1. Initial Setup and Baseline Security:
We start by implementing SLSA Level 1 requirements to ensure our build processes are scripted and automated. This sets a strong foundation for security.
We use In-toto to define and track each specific step in our build and deployment processes, generating metadata along the way.
2. Improving Provenance and Metadata:
As we progress to SLSA Level 2 and beyond, our focus shifts to generating provenance data for our builds.
We integrate In-toto’s link metadata with SLSA’s provenance requirements, providing comprehensive verification for each step and the final artifact.
3. Advanced Security Controls:
At higher SLSA levels (3 and 4), we implement stronger source controls and review processes.
In-toto continues to play a key role, ensuring that each step, including these advanced controls, is verifiable and meets our defined security policies.
Example Workflow Integration
Step Definition:
We use In-toto to define every step in our SDLC, such as code commit, build, test, and deploy.
Provenance Generation:
Each step generates In-toto link metadata, and the build step additionally produces the provenance data that SLSA requires.
Verification and Compliance:
We regularly verify the integrity of the supply chain using In-toto’s metadata checks and ensure compliance with SLSA levels.
Continuous Improvement:
As we advance through the SLSA levels, we enhance our In-toto configurations to incorporate new security controls and verification mechanisms.
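The following Python script is an added illustration of the workflow described in the sections above ("How They Work Together" and "Example Workflow Integration"); it is not code from the in-toto or SLSA projects and does not use the real in-toto library API. It models three SDLC steps (commit, build, test), records a simplified in-toto link for each, checks the chain against a minimal layout (the materials of one step must match the products of the step before it), and wraps the build link in an in-toto attestation Statement carrying a SLSA v1 provenance predicate. The builder id, build type URL and file contents are constructed sample values.

```python
"""Simplified model of in-toto link metadata chained with a SLSA provenance statement.

Added example only: it mimics the shape of in-toto links and of the in-toto
attestation Statement / SLSA provenance predicate, not the in-toto library itself.
"""
import hashlib
import json
from typing import Dict, List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_hashes(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Record artifacts the way an in-toto link does: path -> {"sha256": digest}."""
    return {path: {"sha256": sha256(content)} for path, content in files.items()}


def make_link(step: str, materials: Dict[str, bytes], products: Dict[str, bytes],
              command: List[str]) -> dict:
    """One in-toto link: what the step consumed, what it produced, and what it ran."""
    return {"_type": "link", "name": step, "command": command,
            "materials": artifact_hashes(materials), "products": artifact_hashes(products)}


# Minimal layout: ordered steps, the command each is allowed to run, and which earlier
# step must have produced its materials (a simplified form of in-toto's MATCH rule).
LAYOUT = {
    "steps": [
        {"name": "commit", "expected_command": ["git", "commit"], "materials_from": None},
        {"name": "build", "expected_command": ["make", "release"], "materials_from": "commit"},
        {"name": "test", "expected_command": ["make", "test"], "materials_from": "build"},
    ]
}


def verify_chain(layout: dict, links: Dict[str, dict]) -> List[str]:
    """Return a list of violations; an empty list means every step verified."""
    problems: List[str] = []
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            problems.append(f"missing link for step {step['name']}")
            continue
        if link["command"] != step["expected_command"]:
            problems.append(f"{step['name']}: unexpected command {link['command']}")
        src: Optional[str] = step["materials_from"]
        if src and src in links:
            produced = links[src]["products"]
            for path, digest in link["materials"].items():
                if produced.get(path) != digest:
                    problems.append(f"{step['name']}: material {path} does not match product of {src}")
    return problems


def slsa_provenance(links: Dict[str, dict], builder_id: str, subject_files: Dict[str, bytes]) -> dict:
    """Wrap the build link in an in-toto Statement with a SLSA v1 provenance predicate."""
    build = links["build"]
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": p, "digest": d} for p, d in artifact_hashes(subject_files).items()],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/make-release",  # placeholder build type
                "resolvedDependencies": [{"name": p, "digest": d} for p, d in build["materials"].items()],
            },
            "runDetails": {"builder": {"id": builder_id}},  # builder id is a constructed sample
        },
    }


# Constructed sample artifacts standing in for a source tree and a built binary.
SOURCE = {"src/main.c": b"int main(void) { return 0; }\n"}
BINARY = {"dist/app": b"\x7fELF-constructed-sample"}


def demo_chain(tampered: bool = False):
    """Run the three-step chain; with tampered=True the test step sees a swapped binary."""
    links = {
        "commit": make_link("commit", {}, SOURCE, ["git", "commit"]),
        "build": make_link("build", SOURCE, BINARY, ["make", "release"]),
    }
    tested = {"dist/app": b"\x7fELF-swapped"} if tampered else BINARY
    links["test"] = make_link("test", tested, {}, ["make", "test"])
    return verify_chain(LAYOUT, links), slsa_provenance(links, "https://example.invalid/ci", BINARY)


if __name__ == "__main__":
    violations, statement = demo_chain()
    print("violations:", violations)
    print(json.dumps(statement, indent=2))
    print("tampered run:", demo_chain(tampered=True)[0])
```

The chain check is what In-toto adds: the test step's input must be byte-identical to the build step's output, so a binary substituted between build and test is reported. The provenance statement is what the SLSA levels require: it names the builder and the resolved source inputs for the subject artifact, which the layout can in turn reference as the authorised build step. In a real deployment the links and the statement would be signed by per-step keys and verified against a signed layout.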
Summary
Using In-toto and SLSA together allows us to leverage the detailed, end-to-end verification capabilities of In-toto, along with the structured, incremental security improvements that SLSA provides. This integrated approach ensures a robust and secure software supply chain by combining the strengths of both frameworks.