The Center for Internet Security (CIS) has recently released the Software Supply Chain Security Guide, a set of practical, community-developed best practices for securing software delivery pipelines. As an initiator and one of the main contributors to this comprehensive and much-needed guidance, we at Aqua aim to help DevOps teams and the broader cloud native community adopt it. That’s why we’ve built Chain-bench, the first open source tool that audits your software supply chain for compliance with the CIS recommendations — making it easier to meet them and establish a secure configuration posture.
The CIS Software Supply Chain Guide: A brief overview
To get a better look at what Chain-bench helps you quickly, efficiently achieve, let’s take a look at what the CIS Software Supply Chain Guide defines as best practices, the standards on which Aqua’s open source tool has been modeled. Divided into five sections, these security recommendations span each aspect of the software supply chain:
1. Source code – Recommendations to manage and secure uncompromised source code.
The first phase of the software supply chain, source code is the de facto source of truth for the rest of the process. Undetected vulnerabilities, bad configurations, and exposed data inherent in your supply chain can create a scenario where it may need to be protected from its own source code.
2. Build pipelines – Recommendations to manage and secure the build components
The second phase of the software supply chain, build pipelines are increasingly targeted in supply chain attacks. A set of instructions dedicated to running a series of tasks on raw source code to generate a final artifact, build pipelines need to be vetted to make recommendations for the security of the build components. This includes the environment they are running on, their management, execution, and more.
3. Dependencies – Recommendations to manage and secure dependencies used in the organization.
Considered the third phase, dependencies are intrinsic through nearly all phases of software supply chain development. Often written by third-party developers, unvetted dependencies may leave you vulnerable to attacks. The ubiquitous log4j attack is a textbook example of how dependencies can leave even the most prestigious products compromised.
4. Artifacts – Recommendations to manage and secure artifacts produced by build pipelines including ones used by the application in the build process itself.
The fourth phase focuses on artifacts produced by build pipelines. They too need to be secure from the moment they are generated to prevent compromised iterations from becoming a part of the supply chain’s ecosystem. This spans from the build phase to when they are stored in the registry to their promotion and progress through CI/CD pipelines.
5. Deployment – Recommendations to manage and secure the application deployment process, the configurations, and the files that come with it.
In the fifth and final phase, the client already uses the application, and it is running in production. It is important to secure all of these to deliver the software to the client safely.
How to get started with Chain-bench
One of the advantages Chain-bench offers is visibility into remediation recommendations, offering an array of do’s and don’ts based on one hundred checks that will strengthen your software supply chain. Each check provides a description, rationale, and method to remediate newly discovered security issues. In cases where you fail a check, Chain-bench provides deeper information based on CIS guidelines, including the best ways to remediate the issue.
Chain-bench is available via your favorite installation method:
- Github Action
- Docker image at aquasec/chain-bench
- Executable from Chain-bench releases
- NixOS package
For more details, see the installation section in the documentation.
As seen above, Chain-bench runs on a sample repository where it fetches relevant information and then runs the CIS controls against it. From there, it presents a detailed security posture status of this repository that includes best practices.
For example, it monitors and analyzes control 1.3.5, which enforces multi-factor authentication for members, control 1.1.3, which enforces any code change approved by two strongly authenticated users, and build phases like 2.3.8, which ensures your pipeline is scanned for exposed sensitive data. There are even more controls that focus on dependencies, artifacts, and deployments that can help discover further risks.
The tool’s power lies in that it updates its benchmark criteria based on Chain-bench metadata.json files which are continually being revised. To get an idea, view the very latest implemented checks at AVD – Software Supply Chain CIS – 1.0, part of the Aqua Vulnerability Database, or AVD, a living knowledge base tracking the most current vulnerabilities and weaknesses in open source applications and cloud native infrastructure.
Summary
By applying the CIS recommendations, DevOps teams have the power to simplify compliance with security regulations, standards, and internal policies. With this practical guide, teams can ensure they are meeting the highest standards in software security controls and best practices, from the instant a developer adds code to the moment the client is using it.
With Chain-bench, Aqua’s open source tool, you’re not only meeting CIS’s highest security standards but also automating the process.
Because Chain-bench is an open source project, contributions are welcome and we’d love for you to try it out and get involved! You can join the CIS community to help shape the evolution of Chain-bench by raising issues and evaluating tests.
As Chain-bench matures and its coverage widens, we plan to add support for a larger variety of platforms. To learn more about the CIS Software Supply Chain benchmark and Aqua Security’s work in the advancement of open source security, go to the project’s GitHub page