SLSA Provenance Blog Series, Part 4: Implementation Challenges for SLSA Provenance for Enterprises

Challenge #1 - Cross-platform support

Although SLSA provides an open-source of-the-shelf solution for GitHub.com, many organizations use different Source Code Management and CI/CD systems, often multiple ones at the same time. Imagine an organization using many pipelines made of different business units (sometimes acquired through M&As). 

Provenance capabilities must be designed to integrate with all different CI/CD vendors beyond Github, such as GitLab, Jenkins, Azure Pipelines, and many more.

Challenge #2 - Keeping your information private

The transparency built into the SigStore model is crucial for the open-source community, but enterprises simply have different needs. To recap - SigStore creates a transparency log that makes build information public. 

Enterprise software is closed-source and built for self-use, and disclosing its build information to the general public cannot be tolerated. To satisfy that need, a solution will need to enable verification, but without relying on a public log. The verification data must reside on-premise or in a private system. Therefore, SigStore is not a plug-and-play solution for provenance verification.

Challenge #3 - Service Availability

When it comes to production pipelines, service availability is a key metric for business improvement. It is crucial to realize that a verification service is going to be a production-grade process that must run successfully to allow software changes.

Using SigStore relies on two components to provide authority during both provenance generation and verification: Fulcio (CA) and Rekor (Transparency log). Whilst many open-source projects may often tolerate downtimes and delays, enterprises have much stricter availability requirements.

Understanding the significance of the independency for enterprise software, a new security model is needed which can be highly available, including backup scenarios when some problem occurs, so there’s nearly 24/7 availability for integrity verification.

Challenge #4 - Simplicity

Implementing provenance and verifying integrity is complex and may seem like a hard and intrusive task.

To make provenance adoption simple, a solution is needed to let application owners, such as security, engineering, and DevOps leaders, be able to quickly generate provenance, store it and be able to build verification gates.

There are a lot of different use cases, which means that the simplicity of the user interface must be accompanied by great flexibility.

Below is a sneak peek into Legit’s solution aimed to simplify and bring provenance generation a click (or CLI command) away:

Provenance Generation

• A RESTful API that supports all the actions you need to generate a provenance.

• A simple CLI that supports:

  • Artifacts listing.

  • Docker containers (parsing, pushing, etc.)

  • Generating the provenance.

  • Uploading the provenance to your preferred registry, as well as to Legit’s storage.

• Templates for specific CIs, such as GitHub Action and GitLab jobs, that automate all that process

Verification

• A RESTful API for online provenance verification and preparation for offline verification.

• A CLI that simplifies:

  • Verifying based on common policies, such as limiting to specific organizations/repositories, forcing main branches, and specific tags.

  • Verifying using custom OPA policies.

• CI-specific customization for pre-deployment checks, such as a GitHub Action.

• A Kuberenetes Admission Controller to bring verification and policy enforcement to the front.

 A sneak preview - Seamless Generation

Whilst these generation tools are simple and handy, integrating provenance using standard tools still means that your DevOps teams will go over hundreds or thousands of jobs and modify them manually.

This kind of effort is not only costly but also drives organizations away from adopting provenance and prioritizing the resources towards easier targets.

To overcome this barrier, Legit is designing a proprietary provenance solution that takes all the effort away. To do that, Legit Platform leverages:

1. Code-to-Cloud correlation: the ability to analyze the SDLC automatically, detect published containers, and correlate them to the specific CI/CD jobs and repositories.

2. Deep Integrations: Integrations with a variety of SCMs and CI/CD systems to interact directly with their APIs and automate the above-mentioned actions with a click

The result is simply an effortless solution: Legit can automatically generate level 3 SLSA Provenance documents for your images!

Conclusion

We discussed 4 main challenges facing an enterprise organization from adoption the provenance generation and verification solution in SLSA:

• Cross-platform

• Privacy

• High availability

• Simplicity

These still require engineering a custom solution and are not solved by out-of-the-box available tools. Legit security is a pioneer in software supply chain security, and we present a sneak preview into a comprehensive, simple toolset we aim to provide, helping organizations to implement integrity almost with a click. Legit leverages unparalleled deep analysis of the SDLC, connecting code with artifacts and build actions, which helps Legit capture relevant data that can be used to enforce integrity with high confidence.

If you’d like to learn more, contact us today!

Up Next

Thank you for reading and finishing the SLSA Provenance Blog Series. Stay tuned for more from Legit Security. If you're new to this four-part blog series and would like to start at the beginning go to SLSA Provenance Blog Series, Part 1: What Is Software Attestation.