Recently, there’s been a lot of attention paid to software supply chain security. In particular, here’s a quote from the May 2021 presidential executive order on improving the nation’s cybersecurity: “The Federal government must … advance toward zero trust architecture; accelerate movement to secure cloud services, including … platform as a service (PaaS).”
There are two parts necessary to create a truly trusted software supply chain; securing the non-technical areas and securing the technical areas.
Non-technical aspects of any secure software supply chain involve having individuals or teams focused on security and audit compliance. Internal company policies that act as a regulatory system and set standards for developers are a must, as are efforts to enforce compliance with security best practices. While this can bode well for large organizations, small software engineering teams and startups do not have the bandwidth, budget or culture to make this a reality.
Envisioning Robust Security Best Practices
Tools that are open source, governed strictly and enable automation of secure build and deployment are the components that form the technical aspects of the solution. Engineering teams must find a way to envision robust security best practices and find a way to apply them without unduly affecting the developer workflow. This is a founding principle of the DevSecOps efforts within the larger community of software development professionals.
Ergo, advocating a technology stack that:
- Is composed of open components
- Provides automated builds
- Reduces the dependency on developers
- Allows security operators to extend control
- and is actively supported by the community is an ideal choice upon which to build a platform for use by development teams.
The focus of this article is to describe a robust stack that will sit above compute resources and power applications. The stack will consist of fully customizable open source components that put reliability and security at the forefront.
Application source code is the single source of truth when working with this stack. The use of Git, a popular version control system that is free and open source will allow developers to work with a source code management system from which all the downstream steps will be triggered.
Kubernetes is an open source container orchestration tool developed under the auspices of the Cloud Native Computing Foundation (CNCF). It serves as an abstraction over the infrastructure and compute layers to power the system from underneath. Kubernetes has managed to gather a large community following—second only to the Linux OS itself. Using Kubernetes will bring homogeneity above the infrastructure layer and will simplify further operations.
Cloud Foundry is an open-source PaaS tool. The use of Kubernetes introduces complexity that introduces a bit of overhead for developers who work with the platform. Cloud Foundry provides a countermeasure that simplifies the developer experience and greatly eases the pain points commonly associated with Kubernetes adoption. The Cloud Foundry platform does the job of deploying all the applications to the Kubernetes infrastructure. The cf push command triggers the export of a container image from the application source code.
When building these containers to deploy to the runtime within Kubernetes, Cloud Foundry uses Paketo buildpacks internally. Paketo buildpacks are an implementation of the cloud-native buildpacks specification which aims to provide a unified means to generate OCI-compatible container images for all languages and frameworks that are commonly used to build applications. Paketo buildpacks are also open source and fully customizable according to the needs of software development teams.
A Trusted Architecture
Together, this platform, built on open tools, supported actively by the community and facilitating the exact needs of software developers helps promote a trusted architecture upon which to stage applications. Using these tools would enable an organization to build a software development ecosystem that satisfies all the requirements implied and enumerated in the various recommendations for improving software security.