Software Supply Chain Security Series, #4
Overview
The article discusses how Palantir implemented in-toto to enhance their software supply chain security, detailing the challenges faced and lessons learned throughout the process. It covers the complexities of their deployment model, the design of their supply chain security, and the verification processes established to ensure software authenticity and integrity.
What You'll Learn
How to implement in-toto for software supply chain security
Why understanding deployment complexity is crucial for security
When to apply verification processes in software releases
How to manage trust distribution in software attestations
Prerequisites & Requirements
- Understanding of software supply chain security concepts
- Familiarity with the in-toto framework (optional)
- Experience with software development lifecycle (SDLC)
Key Questions Answered
How did Palantir address software authenticity and tampering?
What challenges did Palantir face while implementing in-toto?
What lessons did Palantir learn from their in-toto implementation?
How does Palantir verify software releases in Apollo?
Key Actionable Insights
1. Implement a controlled signing ceremony for layout files to enhance security. By having select individuals sign layout files using GPG keys stored on YubiKeys, organizations can ensure that only authorized personnel can approve changes, thereby reducing the risk of unauthorized modifications.
2. Utilize a soft enforcement model during the rollout of new security tools. This approach allows teams to gradually integrate security measures without blocking critical services, facilitating smoother transitions and minimizing operational disruptions.
3. Incorporate multiple verification points throughout the software release process. By verifying software at both the build and install stages, organizations can catch potential tampering earlier and ensure that only verified software reaches production environments.
4. Leverage existing infrastructure for storing attestations to streamline processes. Using established systems like Artifactory for attestation storage can simplify the implementation and management of software artifacts, making it easier to locate and verify them.
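The following is an added example, written for this summary and not code from Palantir or from the in-toto project. It models two of the controls above in a minimal verifier: a layout that counts as approved only when a threshold of layout owners (the signing ceremony) have signed it, and per-step link metadata for a build step and an install step, where the install step must be attested by a threshold of authorized functionaries and its input artifact must hash-match what the build step produced. All key ids, step names, thresholds and artifact bytes are constructed; signatures are an HMAC-SHA256 stand-in so the block runs with the standard library only (a real deployment uses GPG or Ed25519 public keys and in-toto's own metadata format; only the checking logic is the point here).

```python
"""Minimal in-toto-style verification (added example; not in-toto's or Palantir's code)."""
import hashlib
import hmac
import json

# Constructed key registry. With the HMAC stand-in the verifier needs the secrets;
# with real asymmetric keys it would hold public keys only.
KEYS = {
    "owner-1": b"owner-1-secret", "owner-2": b"owner-2-secret", "owner-3": b"owner-3-secret",
    "build-bot": b"build-bot-secret",
    "deployer-a": b"deployer-a-secret", "deployer-b": b"deployer-b-secret",
}
OWNERS = ["owner-1", "owner-2", "owner-3"]   # layout owners who take part in the signing ceremony
ARTIFACT = b"constructed release tarball bytes"  # stands in for the built app.tar.gz


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, keyid):
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(payload), hashlib.sha256).hexdigest()}


def valid_signers(envelope, allowed):
    """Key ids in `allowed` whose signature over envelope['signed'] verifies."""
    payload, ok = canonical(envelope["signed"]), set()
    for s in envelope["signatures"]:
        kid = s["keyid"]
        if kid in allowed and kid in KEYS:
            expect = hmac.new(KEYS[kid], payload, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expect, s["sig"]):
                ok.add(kid)
    return ok


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(layout_env, links, owners, owner_threshold):
    """Return a list of failure strings; an empty list means the supply chain verifies."""
    failures = []
    if len(valid_signers(layout_env, set(owners))) < owner_threshold:
        failures.append(f"layout: fewer than {owner_threshold} valid owner signatures")
        return failures  # an unapproved layout makes every later check meaningless
    prev_products = None
    for step in layout_env["signed"]["steps"]:
        name, allowed = step["name"], set(step["pubkeys"])
        good = [l for l in links if l["signed"]["step"] == name and valid_signers(l, allowed)]
        # threshold counts distinct authorized signers, not the number of link files
        signers = set().union(*(valid_signers(l, allowed) for l in good))
        if len(signers) < step["threshold"]:
            failures.append(f"{name}: {len(signers)} of {step['threshold']} required authorized signers")
            prev_products = None
            continue
        records = {canonical({"m": l["signed"]["materials"], "p": l["signed"]["products"]}) for l in good}
        if len(records) != 1:
            failures.append(f"{name}: functionaries disagree on materials/products")
            prev_products = None
            continue
        materials, products = good[0]["signed"]["materials"], good[0]["signed"]["products"]
        # simplified stand-in for in-toto's MATCH rule: what install consumes must be what build produced
        if prev_products is not None and materials != prev_products:
            failures.append(f"{name}: materials do not match products of previous step")
        missing = set(step["expected_products"]) - set(products)
        if missing:
            failures.append(f"{name}: expected products missing: {sorted(missing)}")
        prev_products = products
    return failures


def make_layout(signing_owners):
    layout = {"steps": [
        {"name": "build", "threshold": 1, "pubkeys": ["build-bot"], "expected_products": ["app.tar.gz"]},
        {"name": "install", "threshold": 2, "pubkeys": ["deployer-a", "deployer-b"],
         "expected_products": ["app.tar.gz"]},
    ]}
    return {"signed": layout, "signatures": [sign(layout, o) for o in signing_owners]}


def make_links(install_bytes=ARTIFACT, install_signers=("deployer-a", "deployer-b")):
    build = {"step": "build", "materials": {}, "products": {"app.tar.gz": sha256(ARTIFACT)}}
    install = {"step": "install", "materials": {"app.tar.gz": sha256(install_bytes)},
               "products": {"app.tar.gz": sha256(install_bytes)}}
    return [{"signed": build, "signatures": [sign(build, "build-bot")]}] + \
           [{"signed": install, "signatures": [sign(install, k)]} for k in install_signers]


def run_scenarios():
    return {
        "clean": verify(make_layout(["owner-1", "owner-2"]), make_links(), OWNERS, 2),
        "swapped_artifact": verify(make_layout(["owner-1", "owner-2"]),
                                   make_links(b"substituted tarball bytes"), OWNERS, 2),
        "one_owner_only": verify(make_layout(["owner-1"]), make_links(), OWNERS, 2),
        "unauthorized_signer": verify(make_layout(["owner-1", "owner-2"]),
                                      make_links(install_signers=("deployer-a", "build-bot")), OWNERS, 2),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(scenario, "->", "PASS" if not result else result)
```

The four scenarios map to the insights: `one_owner_only` fails because the layout did not clear the ceremony threshold, `unauthorized_signer` fails because a build key cannot attest the install step, and `swapped_artifact` fails at the install verification point because the artifact being installed is not the one the build step attested, which is the class of tampering a second verification point is meant to catch.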