Closing the Validation Gap in a Continuous Deployment Software Supply Chain

Supervisor(s): Florian Wendland, Immanuel Kunz
Status: finished
Topic: Others
Author: Robert Haimerl
Submission: 2022-11-15
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Cloud-based services provide modern infrastructure to users on any kind of device. This form of distributing software is gaining popularity, not least because it makes investment in costly hardware unnecessary. Since this approach also takes the software out of the hands of the user, trust is generally established through certifications of cloud service providers. Such certifications also cover the DevOps process, including a specified CI/CD pipeline. However, attesting the correct execution of such a pipeline still leaves open the task of linking those attestations to the software that is actually executed. While single pipeline steps can be certified, their linkage to the deployed release has not yet been fully resolved.

Here we show a way of both generating provenance for a development pipeline and using it to dynamically verify software running in the cloud. The approach stores the attestations created by the CI/CD pipeline and makes them available for lookup. As a result, it allows the verification steps a software release went through during development to be confirmed retroactively for deployed cloud services. Furthermore, by continuously monitoring the state of the cloud environment, deployments of insecure releases are automatically detected and responded to. The implementation presented here combines concepts from software supply chain security with existing authenticity control methods in order to increase the transparency of cloud software services. By implementing this approach, a stronger trust relationship can be formed between cloud service providers and their users.
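The following is an added illustration of the architecture the abstract describes, not code from the thesis or from Fraunhofer AISEC: pipeline steps emit attestations bound to the artifact digest, a store indexes them by that digest, and a verifier looks up the attestations for the digest of a running image to confirm which steps it passed, with a monitoring pass that flags deployments that fail. The step names, the required-step policy, the HMAC-based signing (a stand-in for the asymmetric signatures a real pipeline would use) and the sample releases are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed policy: a release must carry a passing attestation from each of these steps.
REQUIRED_STEPS = ("build", "sast", "test")
# Assumed per-step signing keys. HMAC-SHA256 stands in for asymmetric signatures
# so the example runs offline with the standard library only.
STEP_KEYS = {"build": b"k-build", "sast": b"k-sast", "test": b"k-test"}


def artifact_digest(artifact: bytes) -> str:
    """The link between pipeline and runtime: the digest of the deployed image."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def _canonical(statement: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def attest(step: str, subject: str, result: str) -> dict:
    """Emitted by a pipeline step: binds its verdict to the artifact digest."""
    statement = {"step": step, "subject": subject, "result": result}
    sig = hmac.new(STEP_KEYS[step], _canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


class AttestationStore:
    """Lookup service keyed by artifact digest."""

    def __init__(self) -> None:
        self._by_subject: dict[str, list[dict]] = {}

    def put(self, attestation: dict) -> None:
        subject = attestation["statement"]["subject"]
        self._by_subject.setdefault(subject, []).append(attestation)

    def lookup(self, subject: str) -> list[dict]:
        return list(self._by_subject.get(subject, []))


def verify_deployment(store: AttestationStore, running_digest: str) -> tuple[bool, list[str]]:
    """Retroactively confirm the pipeline steps a running release went through."""
    reasons: list[str] = []
    passed: set[str] = set()
    for att in store.lookup(running_digest):
        st = att["statement"]
        key = STEP_KEYS.get(st.get("step"))
        if key is None:
            reasons.append(f"unknown step {st.get('step')!r}")
            continue
        expected = hmac.new(key, _canonical(st), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att["signature"]):
            reasons.append(f"invalid signature on {st['step']} attestation")
            continue
        if st["subject"] != running_digest:
            reasons.append(f"{st['step']} attestation is for a different artifact")
            continue
        if st["result"] != "pass":
            reasons.append(f"{st['step']} did not pass")
            continue
        passed.add(st["step"])
    missing = [s for s in REQUIRED_STEPS if s not in passed]
    if missing:
        reasons.append("no passing attestation for: " + ", ".join(missing))
    return (not reasons, reasons)


def monitor(store: AttestationStore, observed: dict[str, str]) -> dict[str, list[str]]:
    """One pass of the monitoring loop over {service: digest of its running image}.
    Returns the services whose release fails verification, with the reasons."""
    findings: dict[str, list[str]] = {}
    for service, digest in observed.items():
        ok, reasons = verify_deployment(store, digest)
        if not ok:
            findings[service] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean release, one that skipped SAST, one tampered."""
    store = AttestationStore()
    good = artifact_digest(b"image-v1.0.0")
    skipped = artifact_digest(b"image-v1.1.0-hotfix")
    tampered = artifact_digest(b"image-v1.2.0")

    for step in REQUIRED_STEPS:
        store.put(attest(step, good, "pass"))
    store.put(attest("build", skipped, "pass"))
    store.put(attest("test", skipped, "pass"))  # SAST never ran for the hotfix
    store.put(attest("build", tampered, "pass"))
    store.put(attest("test", tampered, "pass"))
    forged = attest("sast", tampered, "fail")
    forged["statement"]["result"] = "pass"  # verdict edited after signing
    store.put(forged)

    observed = {"api": good, "worker": skipped, "frontend": tampered}
    return monitor(store, observed)


if __name__ == "__main__":
    for service, reasons in demo().items():
        print(service, "->", "; ".join(reasons))
```

The point of keying the store by the image digest is that the same value is observable at both ends: the pipeline knows it when it produces the artifact, and the monitor reads it from the running container, so no trust in tags or version strings is needed to connect the two.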