From 380dea26fcfd0ae55027a68f14f3845f6ea1bfa7 Mon Sep 17 00:00:00 2001 From: Emmanuel Ferdman Date: Tue, 29 Oct 2024 03:52:16 -0700 Subject: [PATCH] Update CNCF SSCP PDF reference Signed-off-by: Emmanuel Ferdman --- .../projects/flatcar/joint-assessment.md | 2 +- .../fluentd/fluentd/self-assessment.md | 2 +- .../v1/secure-software-factory.md | 4 ++-- ...ive-security-whitepaper-cn-Sept2023-v2.pdf | Bin 1382756 -> 1382806 bytes .../v2/cloud-native-security-whitepaper-it.md | 4 ++-- .../v2/cloud-native-security-whitepaper-ja.md | 4 ++-- ...-security-whitepaper-simplified-chinese.md | 4 ++-- .../v2/cloud-native-security-whitepaper.md | 4 ++-- .../Secure_Software_Factory_Whitepaper.pdf | Bin 5713959 -> 5714034 bytes .../secure-software-factory.md | 4 ++-- .../supply-chain-security-paper/README.md | 2 +- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/community/assessments/projects/flatcar/joint-assessment.md b/community/assessments/projects/flatcar/joint-assessment.md index 03c0f8e4d..9223a9aff 100644 --- a/community/assessments/projects/flatcar/joint-assessment.md +++ b/community/assessments/projects/flatcar/joint-assessment.md @@ -44,7 +44,7 @@ Compromising the update server would allow an attacker to “un-publish” a new
2. Maintainers: That's a good catch, I've added 1.c. to discuss repository settings. 11. SSH credential password enforcement 12. 2FA for code repositories, build infrastructure, and VPN access -13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) 14. Consider preventing any outbound internet access to the build infrastructure, to avoid command and control for hostile actors diff --git a/community/assessments/projects/fluentd/fluentd/self-assessment.md b/community/assessments/projects/fluentd/fluentd/self-assessment.md index 6dcef073f..5588ff51c 100644 --- a/community/assessments/projects/fluentd/fluentd/self-assessment.md +++ b/community/assessments/projects/fluentd/fluentd/self-assessment.md @@ -172,7 +172,7 @@ Fluentd is the default standard to solve Logging in containerized environments, - Security vulnerabilites are to be reported at https://github.com/fluent/fluentd/security/advisories, as stated in their [security policy](https://github.com/fluent/fluentd/blob/master/SECURITY.md) * Incident Response. - Fluentd is trying to follow supply chain security using [DCO](https://probot.github.io/apps/dco/) - [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) + [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) - Because Fluentd is built on top of the Ruby Ecosystems, they must also check the licenses of dependent gems. ## Appendix 
diff --git a/community/resources/security-whitepaper/v1/secure-software-factory.md b/community/resources/security-whitepaper/v1/secure-software-factory.md index 100bf985a..564140ee5 100644 --- a/community/resources/security-whitepaper/v1/secure-software-factory.md +++ b/community/resources/security-whitepaper/v1/secure-software-factory.md 
@@ -1,6 +1,6 @@ ## Introduction -A software supply chain is the series of steps performed when writing, testing, packaging, and distributing application software to end consumers. Given the increased prominence of software supply chain exploits and attacks, the [Cloud Native Computing Foundation (CNCF) Technical Advisory Group for Security](https://github.com/cncf/tag-security) published a whitepaper titled [“Software Supply Chain Best Practices”](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)[^1], which captures over 50 recommended practices to secure the software supply chain. That document is considered a prerequisite for the content described in this reference architecture. +A software supply chain is the series of steps performed when writing, testing, packaging, and distributing application software to end consumers. Given the increased prominence of software supply chain exploits and attacks, the [Cloud Native Computing Foundation (CNCF) Technical Advisory Group for Security](https://github.com/cncf/tag-security) published a whitepaper titled [“Software Supply Chain Best Practices”](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)[^1], which captures over 50 recommended practices to secure the software supply chain. That document is considered a prerequisite for the content described in this reference architecture. This publication is a follow-up to that paper, targeted at system architects, developers, operators, and engineers in the areas of software development, security, and compliance. This reference architecture adopts the “Software Factory” model[^2] for designing a secure software supply chain. 
@@ -1554,7 +1554,7 @@ Software Factory: [https://en.wikipedia.org/wiki/Software_factory](https://en.wi CNCF TAG-Security: [https://github.com/cncf/tag-security](https://github.com/cncf/tag-security) -CNCF Supply Chain Security Paper: [https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +CNCF Supply Chain Security Paper: [https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) CNCF Cloud Native Security Whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf](https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf) diff --git a/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf b/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf index b78f2501862af194c9135e0a70b7077ce56a8ccc..c829608d7039cd6aa106fb6b7f526e73486413a3 100644 GIT binary patch delta 134 zcmaE|DP-E_kcJk<7N!>F7M2#)7Pc1l7LFFq7OpMatAr$y^K)}c^D;{+^~>{%vNQA2 zb<>OTOACspKitP1w*9{l_v6(#)wBcE05J~`^8zs+5c31E01yiTu@DdoZ-2N?q&W%z DfMGlG delta 84 zcmbQXIpoQvkcJk<7N!>F7M2#)7Pc1l7LFFq7OpMatAwVD?B@>ME+NeQcy&9F3B)`= b%nQVPK+F%s0zfPX#6mzUyj^6!NK+I56xJS6 diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md index 9d7a3e4ee..63ef172d0 100644 --- a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md 
+++ b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-it.md @@ -686,7 +686,7 @@ Gli amministratori e i team di sicurezza dovrebbero archiviare tutte le informaz Un programma SBOM, CVE e VEX maturo e automatizzato può fornire informazioni rilevanti ad altri controlli di sicurezza e conformità. Ad esempio, l'infrastruttura può segnalare automaticamente i sistemi non conformi a una piattaforma di osservabilità o negare di fornire l'identità crittografica di un workload, mettendola effettivamente in quarantena da sistemi conformi in ambienti Zero-Trust. -La CNCF ha pubblicato il [Whitepaper sulle Best Practice nella Supply Chain](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) per fornire un supporto nella progettazione di un processo sicuro all’interno della supply chain. Questo whitepaper fornisce maggiori dettagli sulla protezione della supply chain del software e discute i progetti CNCF rilevanti che sviluppatori e operatori possono utilizzare per proteggerne le varie fasi. +La CNCF ha pubblicato il [Whitepaper sulle Best Practice nella Supply Chain](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) per fornire un supporto nella progettazione di un processo sicuro all’interno della supply chain. Questo whitepaper fornisce maggiori dettagli sulla protezione della supply chain del software e discute i progetti CNCF rilevanti che sviluppatori e operatori possono utilizzare per proteggerne le varie fasi. ##### GitOps (novità nella v2) 
@@ -1106,7 +1106,7 @@ Runtime 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) -27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app) diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md index 2b5469d25..d2f95b5bf 100644 --- a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md +++ b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-ja.md @@ -653,7 +653,7 @@ SBOMには何千もの依存関係が含まれていることがあり、それ 成熟し自動化されたSBOMやCVEおよびVEXプログラムは、他のセキュリティおよびコンプライアンス管理に関連情報を提供する可能性があります。例えば、インフラストラクチャは、非準拠のシステムを観測可能性プラットフォームに自動的に報告したり、必要な暗号化ワークロードのID提供を拒否したりして、ゼロトラスト環境において準拠システムから効果的に隔離することができます。 -CNCFは、安全なサプライチェーンプロセスの設計を支援するために、[ソフトウェアサプライチェーンのベストプラクティス白書](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)を作成しました。この白書は、ソフトウェアサプライチェーンのセキュリティ確保に関する詳細を提供し、開発者とオペレータがサプライチェーンの様々な段階でのセキュリティ確保に利用できるCNCFの関連プロジェクトについて説明しています。 +CNCFは、安全なサプライチェーンプロセスの設計を支援するために、[ソフトウェアサプライチェーンのベストプラクティス白書](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)を作成しました。この白書は、ソフトウェアサプライチェーンのセキュリティ確保に関する詳細を提供し、開発者とオペレータがサプライチェーンの様々な段階でのセキュリティ確保に利用できるCNCFの関連プロジェクトについて説明しています。 ##### GitOps(v2で追記) 
@@ -1037,7 +1037,7 @@ RV.3.2 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1) 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) -27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app) 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/) 30. [OpenSCAP](https://www.open-scap.org/) diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md index 4280e54c7..c68f0b399 100644 --- a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md +++ b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper-simplified-chinese.md 
@@ -638,7 +638,7 @@ ATT&CK 的威胁矩阵由行和列组成,行表示技术,列表示战术。 成熟和自动化的 SBOM、CVE 和 VEX 程序可为其他安全和合规控制提供相关信息。例如,基础设施可能会自动向可观察平台报告不符合要求的系统,或拒绝提供必要的加密工作负载身份,从而在零信任环境中有效地将其与符合要求的系统隔离开来。 -CNCF 制作了[软件供应链最佳实践白皮书](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf),以帮助您设计安全的供应链流程。本白皮书提供了有关保护软件供应链的更多详细信息,并讨论了开发人员和运营商可用于保护供应链各个阶段的相关 CNCF 项目。 +CNCF 制作了[软件供应链最佳实践白皮书](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf),以帮助您设计安全的供应链流程。本白皮书提供了有关保护软件供应链的更多详细信息,并讨论了开发人员和运营商可用于保护供应链各个阶段的相关 CNCF 项目。 ##### GitOps(v2 新增) @@ -898,7 +898,7 @@ GitOps 流程负责向生产环境提供更改,如果该流程受到危害, 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1) 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) -27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app) 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/) 30. [OpenSCAP](https://www.open-scap.org/) diff --git a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md index bbb3761bc..2bc3d79cb 100644 --- a/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md 
+++ b/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md @@ -1306,7 +1306,7 @@ deny providing a necessary cryptographic workload identity, effectively quaranti Zero-Trust environments. The CNCF has produced -the [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +the [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) to assist you with designing a secure supply chain process. This whitepaper provides more details about securing the software supply chain and discusses relevant CNCF projects that developers and operators can use to secure various stages of the supply chain. @@ -1815,7 +1815,7 @@ Runtime 24. [ATT&CK’s Threat matrix for containers](https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1) 25. [NIST Incident Response Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) 26. [Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) -27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +27. [Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) 28. Cloud Native Security Map - [https://cnsmap.netlify.app](https://cnsmap.netlify.app) 29. [Center for Internet Security (CIS)](https://www.cisecurity.org/) 30. [OpenSCAP](https://www.open-scap.org/) 
diff --git a/community/working-groups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf b/community/working-groups/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf index a6ca03245fe5626cca52fb7d327dee32bd664b46..c3c6b99f8444fa1d78fef15ace5baba12d37d1bf 100644 GIT binary patch delta 331 zcmaLRxlRHB0EFR)_l-B=fhgW0ilVNH2i|xsUN2xlh`<_@7&?nT*_uYOm8CCW!pm6r z3>Mao51_@@O=jlp^TYKe&s5-|k}9gHp_V%8X`qoNnrWdGH*K`jK_^{w(}Razy!6q} z0E74#!p|@x1Q=zEaVD5#ifLvDGE0a#<_WXFA`zBYW(9*))>wa!`W(-#mC59@smDU- z$;#cOvdLgFXXWo7N<|}aW~ZH~Y{;f;$+pB~M|NdT_T@kh=2&0VQW}FEonPQq5W-;(E$2 -This reference architecture focuses specifically on the critical concern of provenance and primarily on the activity stage of the “build.” There are numerous other publications and guides which address issues around trustworthiness, including practices like SAST/DAST scanning, code signing, etc, including the [CNCF Software Supply Chain Best Practices Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf). We direct readers to these documents for more information on those facets of supply chain security. +This reference architecture focuses specifically on the critical concern of provenance and primarily on the activity stage of the “build.” There are numerous other publications and guides which address issues around trustworthiness, including practices like SAST/DAST scanning, code signing, etc, including the [CNCF Software Supply Chain Best Practices Paper](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf). We direct readers to these documents for more information on those facets of supply chain security. Our decision to emphasize provenance and the build pipeline in this paper is based on the foundational role provenance verification plays in other supply chain security concerns. 
Provenance provides the evidence, for example, that SAST/DAST scanning was completed as claimed. If you are relying on the results of SAST/DAST scans of a software artefact to inform your decision on its trustworthiness, you need to know that those claims are accurate. Provenance provides that assurance. It also provides assurance that an artefact which claims to be the product of a specific codebase and a specific build process is in fact the product it claims to be or that the artefact downloaded from a remote source is the same one you expected to receive. All of these claims are foundational to being able to make informed decisions about an artefact's trustworthiness: you must be able to trust the evidence presented about an artefact’s trustworthiness is valid evidence before you can trust the claims that evidence makes about the artefact. diff --git a/community/working-groups/supply-chain-security/supply-chain-security-paper/README.md b/community/working-groups/supply-chain-security/supply-chain-security-paper/README.md index 363848536..18b8f7a8c 100644 --- a/community/working-groups/supply-chain-security/supply-chain-security-paper/README.md +++ b/community/working-groups/supply-chain-security/supply-chain-security-paper/README.md @@ -64,4 +64,4 @@ approval on the PR. At which point the markdown state will be changed to Links: * [Managed version in Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md) -* [Final PDF](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) +* [Final PDF](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
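Review bot: in the `supply-chain-security-paper/README.md` hunk (`@@ -64,4 +64,4 @@`), the `[Final PDF]` link is moved to `community/working-groups/supply-chain-security/...`, but the unchanged context line directly above it, `* [Managed version in Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md)`, still uses the old `main/supply-chain-security/` prefix. Since this README itself now lives under `community/working-groups/supply-chain-security/supply-chain-security-paper/`, that link will be broken for the same reason the PDF link was; please update it in the same hunk, or better, make both links repository-relative (`./sscsp.md`, `./CNCF_SSCP_v1.pdf`) so the next directory move does not break them again.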
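Review bot: the `v1/secure-software-factory.md` references hunk (`@@ -1554,7 +1554,7 @@`) fixes the SSCP link but leaves the neighbouring context line `CNCF Cloud Native Security Whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf]` on the old `main/security-whitepaper/` prefix, even though this same patch shows the whitepaper tree now living under `community/resources/security-whitepaper/`. The same pattern appears in the `v2/cloud-native-security-whitepaper.md` reference list hunk (`@@ -1815,7 +1815,7 @@`) and its it/ja/zh translations, where item 26 `[Secure Defaults: Cloud Native 8](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)` keeps the old path. Suggest running a link checker over the repository and fixing the `main/security-whitepaper/` links in this pass rather than one reference at a time.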
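Review bot: the two binary hunks (`CNCF_cloud-native-security-whitepaper-cn-Sept2023-v2.pdf`, `1382756 -> 1382806 bytes`, and `Secure_Software_Factory_Whitepaper.pdf`, `5713959 -> 5714034 bytes`) cannot be reviewed from the diff, and the commit message `Update CNCF SSCP PDF reference` does not say how they were produced. Please state in the commit body which source and tool regenerated each PDF and confirm that only the link text changed. Note also that `Secure_Software_Factory_Whitepaper.pdf` and the v2 whitepaper PDF are the published artifacts other documents point readers to, so this change alters their checksums; anyone who pinned a hash of the earlier PDF will now see a mismatch, which is worth calling out explicitly in the PR description or by bumping the file's version suffix.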