In-toto: A framework to secure the integrity of software supply chains.
What is in-toto?
in-toto is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor.
Check here for the github repository.
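The checks described above, as an added illustration that is not in-toto's own code: a layout lists the intended steps, their order and the functionary allowed to perform each, and every performed step yields a signed "link" record that the verifier checks against the layout. Keys, step names and hashes are constructed, and HMAC stands in for the asymmetric signatures in-toto actually uses.

```python
import hashlib
import hmac
import json

# Constructed functionary keys (in-toto uses public/private key pairs; HMAC is a stand-in).
KEYS = {"alice": b"alice-key", "bob": b"bob-key"}

# Layout: the intended steps in order, each with the functionary authorised to perform it.
LAYOUT = [("clone", "alice"), ("build", "bob"), ("package", "bob")]


def sign_link(step, functionary, materials, products):
    """Record one performed step (its inputs and outputs) and sign it as that functionary."""
    body = {"step": step, "by": functionary, "materials": materials, "products": products}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[functionary], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_chain(layout, links):
    """Return (ok, reason). Checks step order, authorised actor, signature, and that each
    step's materials are exactly the products of the previous step."""
    if len(links) != len(layout):
        return False, "step count mismatch"
    prev_products = None
    for (step, actor), link in zip(layout, links):
        body = link["body"]
        if body["step"] != step:
            return False, f"unexpected step {body['step']!r}, expected {step!r}"
        if body["by"] != actor:
            return False, f"step {step!r} performed by {body['by']!r}, not {actor!r}"
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(KEYS[actor], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"bad signature on step {step!r}"
        if prev_products is not None and body["materials"] != prev_products:
            return False, f"materials of {step!r} do not match products of previous step"
        prev_products = body["products"]
    return True, "ok"
```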
NIST Security framework#
Whenever you feel the need to draw a process diagram for security or risk processes: resist the temptation! The US-based NIST is a well-known governmental organization that offers excellent publications on every conceivable subject regarding security.
One of the simplest, yet most frequently used, models is displayed below.
On the NIST site (see references) you can find in-depth information on all sub-functions of this security framework. Experience shows that it is far better to check which parts need special attention in your use case. If you ever feel the need to create your own security framework, think again: in essence, all of them come down to the high-level framework described by NIST. Using a widely adopted security framework has a number of advantages:
Easier communication with stakeholders;
Easier transfer of knowledge and experience between security experts of different organizations;
Saves time, which you can use to solve the real context-specific issues in the practical use and implementation of the security functions.
NIST Risk Management Framework RMF#
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA).
Risk management overview:
Search for RMF controls (checklist):
Good overview of all controls:
Open Software Supply Chain Attack Reference (OSC&R)#
A great framework for Releasing Secure Products.
Open Software Supply Chain Attack Reference (OSC&R)
Make security a part of product development.
The Update Framework#
The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
TUF is hosted by the Linux Foundation as part of the Cloud Native Computing Foundation (CNCF) and is used in production by various tech companies and open source organizations.
This project is a Linux Foundation project under the Cloud Native Computing Foundation.
Supply-chain Levels for Software Artifacts (SLSA)#
Supply-chain Levels for Software Artifacts, or SLSA (“salsa”), is a security framework: a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from “safe enough” to being as resilient as possible, at any link in the chain.
More information: Check the SLSA security framework