7 Trust Foundation

This chapter covers

  • Determining who the key actors within your network are
  • Defining the roles and responsibilities for the key actors
  • Establishing a root of trust
  • Delegating authority to the actors within your network
  • Auditing your trust foundation
  • Ensuring compliance with standards

Establishing a solid foundation of trust in your IT environment is crucial to the security and integrity of your software supply chain. This chapter focuses on identifying the key actors within your organization and establishing a root of trust through hardware keys, certificate management, and processes run by critical stakeholders known as root key signing ceremonies. With these practices in place, you can safely delegate authority for actions such as attesting to the output of builds and signing software bills of materials (SBOMs). The result is a secure, well-managed IT environment that is safer from supply chain compromise.
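As an added example, not taken from this book, the delegation described above in Go: a root key that is held offline and used only at the ceremony signs a statement granting the "sbom" role to an online key, and a verifier that pins only the root public key accepts an SBOM signature only when it chains back through a matching delegation. The delegation format, role names and sample SBOM are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
)

// Delegation (format constructed for this example): the root key vouches that Key may sign artifacts of Role.
type Delegation struct {
	Role    string            // e.g. "sbom" or "build-attestation"
	Key     ed25519.PublicKey // the delegated, online signing key
	RootSig []byte            // root signature over delegationMessage(Role, Key)
}

// Binding the role into the signed bytes stops a key delegated for one purpose being reused for another.
func delegationMessage(role string, key ed25519.PublicKey) []byte {
	return []byte("delegation/v1:" + role + ":" + hex.EncodeToString(key))
}

// Delegate is the only operation that needs the offline root private key.
func Delegate(root ed25519.PrivateKey, role string, key ed25519.PublicKey) Delegation {
	return Delegation{role, key, ed25519.Sign(root, delegationMessage(role, key))}
}

// VerifyArtifact walks root -> delegation -> artifact; verifiers pin only rootPub.
func VerifyArtifact(rootPub ed25519.PublicKey, d Delegation, role string, artifact, sig []byte) bool {
	if d.Role != role {
		return false // key was delegated for a different purpose
	}
	if !ed25519.Verify(rootPub, delegationMessage(d.Role, d.Key), d.RootSig) {
		return false // delegation was not issued by the root of trust
	}
	return ed25519.Verify(d.Key, artifact, sig)
}

// newKey stands in for a key generated inside a hardware token.
func newKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return k
}

// Scenario: a properly delegated SBOM signature, a root-trusted build key used outside its role, and a self-delegated rogue key. Only the first should verify.
func Scenario() (validSBOM, wrongRole, rogueKey bool) {
	root, sbomKey, buildKey, rogue := newKey(), newKey(), newKey(), newKey()
	rootPub := root.Public().(ed25519.PublicKey)
	sbomDel := Delegate(root, "sbom", sbomKey.Public().(ed25519.PublicKey))
	buildDel := Delegate(root, "build-attestation", buildKey.Public().(ed25519.PublicKey))
	selfDel := Delegate(rogue, "sbom", rogue.Public().(ed25519.PublicKey))
	sbom := []byte(`{"bomFormat":"CycloneDX","components":[]}`) // constructed sample SBOM
	validSBOM = VerifyArtifact(rootPub, sbomDel, "sbom", sbom, ed25519.Sign(sbomKey, sbom))
	wrongRole = VerifyArtifact(rootPub, buildDel, "sbom", sbom, ed25519.Sign(buildKey, sbom))
	rogueKey = VerifyArtifact(rootPub, selfDel, "sbom", sbom, ed25519.Sign(rogue, sbom))
	return
}
```

In practice the delegation record would also carry an expiry and be published alongside the artifact, so consumers can rotate the online key without re-running the ceremony.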

7.1 Overview

Imagine we are working at the bank again, and its software supply chain has been compromised. This leads us to follow the practices from the previous chapters: we threat model the phases of our SDLC from planning through to maintenance, and we design systems and processes that follow standards and best practices for securing the bank’s supply chain. Where do we get started with implementing a more secure SDLC?

7.2 Establishing Roots of Trust

7.2.1 Key Signing Ceremonies

7.2.2 Providing Secure Updates with TUF

7.2.3 Codifying the SDLC with in-toto

7.3 Summary

7.3.1 Answer Key