How Palantir Mastered In-Toto

Software Supply Chain Security Series, #4

Palantir
27 min readadvanced
--
View Original

Overview

The article discusses how Palantir implemented in-toto to enhance their software supply chain security, detailing the challenges faced and lessons learned throughout the process. It covers the complexities of their deployment model, the design of their supply chain security, and the verification processes established to ensure software authenticity and integrity.

What You'll Learn

1

How to implement in-toto for software supply chain security

2

Why understanding deployment complexity is crucial for security

3

When to apply verification processes in software releases

4

How to manage trust distribution in software attestations

Prerequisites & Requirements

  • Understanding of software supply chain security concepts
  • Familiarity with in-toto framework(optional)
  • Experience with software development lifecycle (SDLC)

Key Questions Answered

How did Palantir address software authenticity and tampering?
Palantir addressed software authenticity and tampering by implementing in-toto, which allows for the validation of software through attestations at various stages of the software development lifecycle. This framework ensures that the software deployed is genuine, untampered, and has passed through all required controls.
What challenges did Palantir face while implementing in-toto?
Palantir faced challenges such as the lack of a mature standard for software supply chain security, the need to support multiple build systems, and ambiguities in the in-toto framework. These complexities required them to make opinionated decisions in their implementation.
What lessons did Palantir learn from their in-toto implementation?
Palantir learned the importance of adapting the in-toto specification to their specific needs, managing the complexity of their deployment environments, and the necessity of gradual enforcement of verification processes to avoid blocking critical services. They also recognized the need for a robust key management strategy.
How does Palantir verify software releases in Apollo?
Palantir verifies software releases in Apollo by using a webhook to trigger in-toto verification services whenever a new release is published. This process checks the attestations and the corresponding artifacts in Artifactory to ensure they have not been tampered with.

Key Statistics & Figures

P99 verification times
Less than fifteen minutes
This significant reduction in verification time was achieved by moving to SHA of the HEAD commit and tag signatures as the basis for attestations.
Attestation size
From 50MBs to KBs
The change in attestation generation methodology led to a drastic reduction in the size of attestations, improving efficiency.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Framework
In-toto
Used for securing the software supply chain through attestations.
Tool
Gpg
Used for signing layout files to ensure authenticity.
Storage
Artifactory
Used for storing software artifacts and attestations.
Platform
Apollo
Used for software distribution and monitoring.
Infrastructure
Rubix
Custom Kubernetes distribution used for deployments.

Key Actionable Insights

1
Implement a controlled signing ceremony for layout files to enhance security.
By having select individuals sign layout files using GPG keys stored on Yubikeys, organizations can ensure that only authorized personnel can approve changes, thereby reducing the risk of unauthorized modifications.
2
Utilize a soft enforcement model during the rollout of new security tools.
This approach allows teams to gradually integrate security measures without blocking critical services, facilitating smoother transitions and minimizing operational disruptions.
3
Incorporate multiple verification points throughout the software release process.
By verifying software at both the build and install stages, organizations can catch potential tampering earlier and ensure that only verified software reaches production environments.
4
Leverage existing infrastructure for storing attestations to streamline processes.
Using established systems like Artifactory for attestation storage can simplify the implementation and management of software artifacts, making it easier to locate and verify them.

Common Pitfalls

1
Failing to account for the complexities of heterogeneous build environments can lead to ineffective security measures.
Many organizations attempt to implement a one-size-fits-all solution, which often results in gaps in security coverage. It's crucial to tailor security implementations to the specific needs and structures of the organization.
2
Overloading attestations with excessive data can lead to performance issues and false positives.
Including every individual file in attestations can cause verification failures due to discrepancies in repository states. A more streamlined approach focusing on key identifiers can mitigate these issues.

Related Concepts

Software Supply Chain Security
Attestation Frameworks
Key Management Strategies
Verification Processes In Software Development