In the first part of our interview with OpenCredo, I discussed Venafi-Vault Wizard with Trent Rosenbaum, lead consultant at OpenCredo, and how this plugin simplifies developers’ ability to access machine identities from HashiCorp Vault directly through Venafi, while improving visibility of these identities for InfoSec teams.
In this post, I discuss Secure Software Pipeline Verifier, OpenCredo’s other new solution, in a conversation with Hieu Doan, DevOps consultant at OpenCredo. Secure Software Pipeline Verifier is a utility that automates secure control policy checks across GitHub and GitLab repositories through policy-as-code. It currently focuses on the first four controls described in the Secure Software Pipeline Blueprint that Venafi and Veracode authored with contributions and support from Sophos and CloudBees, which are:
- Restrict administrative access to CI/CD (Continuous Integration/Continuous Development)
- Only accept commits signed with a developer GPG key
- Automation access controls expire automatically
- Reduce automation access to read-only
Secure Software Pipeline Verifier
What are some of the primary challenges most organizations face in securing the software development pipeline?
Hieu: Everybody is building software. All businesses are software organizations now, and whether they are using software internally or exposing it to their customers, you need to be sure that the pipeline to build that software is secure and the users can trust what’s been published. The bad news is there isn’t an easy way to get visibility into the entire signing process and set up notifications that can be configured to alert administrators when there are divergences from patterns or malicious activity, let alone the ability to block them.
What does Secure Software Pipeline Verifier do to help alleviate the problem?
Hieu: Secure Software Pipeline Verifier is a tool that helps warn when any of the first four controls of the Blueprint have been compromised within the CI/CD pipeline. It can be configured to send alerts to InfoSec teams whenever this happens.
We based the tool specifically on the Venafi Blueprint because the Blueprint offers the clearest delineation of what needs to happen to secure software supply chains. It understands that ultimately, everything is based on trust. If a piece of code uses dependencies and that data dependency is somehow tampered with, how do we trust the vendor if the vendor has no way of maintaining that trust? There must be a way to warn us that a dependency is compromised.
I feel like every organization needs to implement a standard that can prevent tampering of their dependencies because their dependency might be using other dependencies.
Can you give an example of how Secure Software Pipeline Verifier works?
Hieu: In Control 1, we focus on GitHub and GitLab because they’re the most popular repositories. Let’s say a user tries to make changes to a CI/CD config file within a GitHub workflow. Secure Software Pipeline Verifier is immediately triggered. It checks whether the user is allowed to modify the config by not only checking whether the username is in that file, but also it checks against the database where the user is listed. If the user is in the database, the tool doesn’t send an alert because it knows that the user is authorized to modify that file.
In Control 2, we check to make sure the commits are signed, so we check the authorship of the commits to ensure they’re valid. In Control 3, we check whether the key is expired, and by default, the tool sends an alert if the key is older than one month. Then, in Control 4, we check to make sure the deployment key is read-only.
Why are these first four controls so important?
Hieu: Those first four controls are quite intimate to a developer’s initial engagement on a project. And we wanted to make sure our tool didn’t inadvertently block developers from doing their jobs, yet provide that baseline security the organization needs. And we felt that with our tool we could address these controls without impacting speed of development. We stay out of the way of developers, letting them continue to use their normal processes, while at the same time, warning when anything happens that doesn’t conform to enterprise security policy.
This is important because we want it to be easy to set up and implement—because we need everyone to accept and appreciate it in order to adopt it. We want all stakeholders to see Secure Software Pipeline Verifier as an asset, not a hindrance.
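To make the four checks Hieu walks through above concrete, here is an added policy-as-code sketch (example code, not OpenCredo's Verifier). The event schema (actor, author, changed_paths, signature, deploy_keys), the CI_ADMINS allow-list standing in for the "database" of authorized users, and the sample events are all constructed for the example.

```python
"""Policy-as-code sketch of the first four Blueprint controls (added example)."""
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=30)  # Control 3: the "older than one month" default
CI_CONFIG_PREFIXES = (".github/workflows/", ".gitlab-ci.yml")
CI_ADMINS = {"alice"}  # constructed stand-in for the authorized-user database


def check_event(event, today):
    """Return the control violations for one constructed push event."""
    violations = []
    # Control 1: only listed administrators may modify CI/CD configuration.
    touches_ci = any(p.startswith(CI_CONFIG_PREFIXES) for p in event["changed_paths"])
    if touches_ci and event["actor"] not in CI_ADMINS:
        violations.append("control1: %s modified CI/CD config" % event["actor"])
    # Control 2: the commit must carry a verified GPG signature from its author.
    sig = event["signature"]
    if not sig["verified"] or sig["signer"] != event["author"]:
        violations.append("control2: commit not signed by its author")
    # Control 3: the signing key must not be older than the configured age.
    if today - sig["key_created"] > MAX_KEY_AGE:
        violations.append("control3: signing key older than %d days" % MAX_KEY_AGE.days)
    # Control 4: every deploy key on the repository must be read-only.
    for key in event["deploy_keys"]:
        if not key["read_only"]:
            violations.append("control4: deploy key %s is writable" % key["title"])
    return violations


TODAY = date(2021, 6, 15)  # constructed evaluation date
SAMPLE_EVENTS = {  # constructed events: one compliant, one violating all four controls
    "clean": {
        "actor": "alice", "author": "alice", "changed_paths": [".github/workflows/ci.yml"],
        "signature": {"verified": True, "signer": "alice", "key_created": date(2021, 6, 1)},
        "deploy_keys": [{"title": "reader", "read_only": True}],
    },
    "bad": {
        "actor": "bob", "author": "bob", "changed_paths": [".gitlab-ci.yml", "src/app.py"],
        "signature": {"verified": False, "signer": "", "key_created": date(2021, 4, 1)},
        "deploy_keys": [{"title": "deployer", "read_only": False}],
    },
}


def run_samples():
    """Evaluate every constructed event; an InfoSec alert would go out per violation."""
    return {name: check_event(ev, TODAY) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(name, found or "compliant")
```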
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Ecosystem is evolving above and beyond just technical integrations.