On the heels of a Presidential Executive Order mandating improvements to software supply chain security, the Department of Defense is expanding its collaboration with private-sector IT vendors to advance DevSecOps.
Since the Department of Defense (DOD) first established its DevSecOps initiative last year, it has launched multiple open source projects meant to improve cybersecurity, not just for the department's internal operations, but for the IT industry in general. It has also released two versions of guidance documents on enterprise DevSecOps fundamentals.
DOD DevSecOps open source projects include the Iron Bank, a repository of DOD-vetted hardened container images, and Platform One, the DevSecOps platform design the department created for internal software deployments.
Platform One is based on the concept of continuous authority to operate, which updated the DOD's procurement process to accommodate the speed and frequency of modern continuous software deployments. Under a project called Platform One Big Bang, the DOD can install an instance of Platform One, called the Customer DevSecOps Platform, on behalf of other organizations and train them to run it.
Now, the DOD is working to turn this Platform One installation, hosting and training process over to private-sector companies.
"It's really becoming a product and an ecosystem," said Nicolas Chaillan, chief software officer at the U.S. Air Force and co-lead for the DOD's Enterprise DevSecOps Initiative. "People are hearing about Platform One and they want to start using it, but they don't know how, and we don't have the bandwidth to help [all] companies."
Over the past six months, the DOD began to offer private-sector companies an 11-day training workshop on Platform One Big Bang. In exchange, the companies agreed to contribute to the project's open source code.
The department has done this most notably so far with Lockheed Martin, which said in February it had signed on with the Air Force to use Platform One in its internal software factory. In that statement, Lockheed Martin also announced a Basic Ordering Agreement with the Air Force that will authorize the defense contractor to help build and support the platform for other companies and defense agencies.
Engineers from Cisco also took the workshop training earlier this year, Chaillan said. Cisco has DevOps engineers working with the Platform One environment, and plans on contributing infrastructure as code, model-driven DevOps pipelines via open source, and IT automation playbooks into the DevSecOps 2.0 initiative, according to a Cisco spokesperson.
However, while Cisco would be open to a public/private partnership on Platform One, it has not been engaged in any specific discussions to finalize such a deal, the spokesperson said.
Overall, the DOD has seen interest from dozens of companies in Platform One Big Bang training, Chaillan said, including Deloitte, General Dynamics IT and Northrop Grumman.
"We have dozens of companies working on bidding to become a reseller," he said but declined to name the bidders.
DOD spearheads software supply chain security effort
Elsewhere, the DOD is working with an emerging IT vendor, BoxBoat Technologies, on a multi-party digital signing mechanism to shore up software supply chain security. The project is part of a response to a Presidential Executive Order prompted by last year's massive SolarWinds breach and a ransomware attack this year on Colonial Pipeline, an oil and gas distributor.
In the SolarWinds attack, malicious actors injected code into SolarWinds' Orion IT monitoring product, which eventually gave them access to SolarWinds customer environments. Reports in The New York Times and Wall Street Journal in January said the breach occurred in a continuous integration (CI) server used to develop SolarWinds' Orion software. JetBrains, makers of the TeamCity CI software named in those reports, publicly denied its system played any role in the breach.
Still, the SolarWinds attack pointed to a cybersecurity frontier the industry must develop better answers for, according to Chaillan: locking down access to CI/CD tools and infrastructure to more effectively detect and prevent similar attacks.
"That's the final risk -- how do we know that these tools are secure?" Chaillan said. "Well, you mostly don't, because you don't have access to the source code, and quite honestly, none of these [code] scanners are capable of finding malicious code ... they're going to find crappy code and messy code, but they're never going to find good code that's malicious in nature."
The DOD signed a Phase I Small Business Innovation Research agreement with BoxBoat, a digital transformation consultancy and systems integrator in Bethesda, Md., which contributed to a Cloud Native Computing Foundation (CNCF) white paper published last month on supply chain security. That process began last year and was delayed by the COVID-19 pandemic, according to BoxBoat officials, but it has resumed in recent weeks, Chaillan said.
"What we're starting to look into for Platform One is [to have] every phase of the pipeline get signed with a key, and you cannot bypass each phase without having the key of the phase before," Chaillan said. "The final phase is a trusted artifact that demonstrates the full supply chain was followed and wasn't bypassed."
BoxBoat creates multi-party signing proof of concept
BoxBoat's work on multi-party signing so far involves several open source identity management and verification projects, including the Secure Production Identity Framework for Everyone (SPIFFE) governed by CNCF. SPIFFE assigns cloud-native workloads a secure identity certificate, while the associated SPIFFE Runtime Environment (SPIRE) manages platform and workload attestation.
The BoxBoat project also uses in-toto, a utility "designed to ensure the integrity of a software product from initiation to end-user installation," according to the project's website.
BoxBoat created a fork of the Go version of in-toto that supports certificate authority-based identity verification and signing, which fits into existing enterprise public key infrastructure policies, according to a company blog post published last month.
The initial proof of concept also integrated the in-toto fork with SPIRE to automate workload identity distribution and make the system more resilient to key loss or compromise. SPIRE assumes the use of short-lived keys, which will take further work to integrate into the multi-party signing system, according to the post.
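The chained signing that Chaillan describes, where each phase can only start after verifying the signed record of the phase before it and the final artifact carries proof that no phase was bypassed, together with the in-toto-style link and layout model that BoxBoat's proof of concept builds on, is sketched below as an added example. It is not code from Platform One, BoxBoat, in-toto or SPIRE: the `Link`, `SignedLink` and `Layout` types, the `RunPhase`, `VerifyChain` and `BuildDemo` functions, the three step names and the ed25519 key pairs generated in place of SPIFFE workload identities are all assumptions of this example. Each phase signs a link that embeds the hash of the previous signed link, so the consumer can check the whole chain against the layout with only the layout's public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link is the record one phase emits (loosely modelled on an in-toto link; the fields are this example's own).
type Link struct {
	Step     string `json:"step"`
	PrevHash string `json:"prev_hash"` // sha256 of the previous signed link; empty for the first phase
	Product  string `json:"product"`   // sha256 of what this phase produced
}

// SignedLink is a Link plus the signature of the phase that produced it.
type SignedLink struct {
	Link Link
	Sig  []byte
}

// Layout fixes which phases run, in what order, and which key may sign each (an in-toto layout's role; here the keys stand in for SPIFFE identities).
type Layout struct {
	Steps []string
	Keys  map[string]ed25519.PublicKey
}

func hexSHA(b []byte) string        { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func linkBytes(l Link) []byte       { b, _ := json.Marshal(l); return b }
func hashLink(sl SignedLink) string { b, _ := json.Marshal(sl); return hexSHA(b) }

// verifyLink accepts a link only if the layout names a key for its step and that key verifies the signature.
func verifyLink(lay Layout, sl SignedLink) bool {
	key, ok := lay.Keys[sl.Link.Step]
	return ok && ed25519.Verify(key, linkBytes(sl.Link), sl.Sig)
}

// RunPhase is one pipeline phase: it refuses to start unless the previous phase's link verifies under that phase's layout key, then signs its own link, bound to the previous one by hash.
func RunPhase(lay Layout, idx int, sofar []SignedLink, priv ed25519.PrivateKey, output []byte) (SignedLink, error) {
	step, prevHash := lay.Steps[idx], ""
	if idx > 0 {
		if len(sofar) < idx || sofar[idx-1].Link.Step != lay.Steps[idx-1] || !verifyLink(lay, sofar[idx-1]) {
			return SignedLink{}, fmt.Errorf("%s: no verifiable link from phase %s", step, lay.Steps[idx-1])
		}
		prevHash = hashLink(sofar[idx-1])
	}
	l := Link{Step: step, PrevHash: prevHash, Product: hexSHA(output)}
	return SignedLink{Link: l, Sig: ed25519.Sign(priv, linkBytes(l))}, nil
}

// VerifyChain is the consumer-side check on the final artifact: every layout step is present, in order,
// signed by its own key and bound to its predecessor, so no phase was skipped, reordered or altered.
func VerifyChain(lay Layout, chain []SignedLink) error {
	if len(chain) != len(lay.Steps) {
		return fmt.Errorf("chain has %d links, layout expects %d", len(chain), len(lay.Steps))
	}
	prevHash := ""
	for i, sl := range chain {
		switch {
		case sl.Link.Step != lay.Steps[i]:
			return fmt.Errorf("step %d: expected %s, got %s", i, lay.Steps[i], sl.Link.Step)
		case !verifyLink(lay, sl):
			return fmt.Errorf("step %s: signature does not verify", sl.Link.Step)
		case sl.Link.PrevHash != prevHash:
			return fmt.Errorf("step %s: not bound to the previous phase", sl.Link.Step)
		}
		prevHash = hashLink(sl)
	}
	return nil
}

// BuildDemo runs a three-phase pipeline on constructed keys and outputs and reports whether the honest chain
// verifies, whether a chain whose build output was swapped after signing verifies, and whether the package phase is refused when the build link is missing.
func BuildDemo() (honestOK, tamperedOK, skipRefused bool) {
	lay := Layout{Steps: []string{"source", "build", "package"}, Keys: map[string]ed25519.PublicKey{}}
	privs := map[string]ed25519.PrivateKey{}
	for _, s := range lay.Steps {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed: one key pair per phase
		lay.Keys[s], privs[s] = pub, priv
	}
	var chain []SignedLink
	for i, s := range lay.Steps {
		sl, err := RunPhase(lay, i, chain, privs[s], []byte("constructed output of "+s))
		if err != nil {
			return false, false, false
		}
		chain = append(chain, sl)
	}
	tampered := append([]SignedLink(nil), chain...)
	tampered[1].Link.Product = "deadbeef" // build output replaced after the build phase signed
	_, err := RunPhase(lay, 2, chain[:1], privs["package"], []byte("x")) // package phase, build link absent
	return VerifyChain(lay, chain) == nil, VerifyChain(lay, tampered) == nil, err != nil
}

func main() { fmt.Println(BuildDemo()) }
```

Running the program prints `true false true`: the honest chain verifies, the chain with a post-signing change to the build output does not, and a phase that cannot present its predecessor's verifiable link is refused before it runs. In a real deployment the per-phase keys would be the short-lived SPIFFE identities the post mentions, which is exactly why key rotation has to be reconciled with a layout that pins a key per step.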
"There's still a lot of work to do," said Cole Kennedy, director of defense initiatives at BoxBoat in an interview this month. "We pushed forward a lot of ideas in the [CNCF] paper, and there's just not the software out there to do that. We need to look more into implementation details around signing artifacts."
BoxBoat is working with the in-toto and SPIFFE/SPIRE teams to bring the two technologies closer together, Kennedy said. The ultimate goal is to be able to prove that software was built within the United States, by a specific compiler, that no privilege escalation or malicious code injection was done during the compilation of that software, and encode that proof into a software bill of materials as required by the Executive Order.
Another requirement to secure the software supply chain lies in feeding information generated by a process such as in-toto into a zero-trust architecture and using it to inform security decisions in production environments, Kennedy said. The Executive Order also requires federal agencies to develop a zero-trust architecture plan within 60 days of its issuance.
"The timeline is very, very aggressive ... but I think we can get there," Kennedy said. "It'll require quite a bit of effort."
Linux Foundation project tackles secure signing
The Linux Foundation launched its own software supply chain security project in March with sigstore, a project led by contributors from Red Hat, Google and Purdue University with the goal of making a free, standardized, open source means of cryptographic signing available to individual application developers. The sigstore project would also specify the design of a secure public log to store signing materials.
BoxBoat's Kennedy said he was familiar with the project but hadn't made contributions to it yet.
"We would use something like sigstore to distribute proof of attestation," Kennedy said.
DOD's Chaillan said he had heard of sigstore, but he was under the impression in initial discussions that it was available only as a hosted service. However, sigstore maintainers said this week the software can be used on-premises. Chaillan said he may look at the project again.
Because it is so new, sigstore is still considered in beta while other projects such as Kubernetes are adapted to send signing materials to it, said Chris Aniszczyk, vice president of developer relations at The Linux Foundation and CTO at CNCF.
"In my opinion, the DOD will eventually get involved, but it's literally been only a few months," Aniszczyk said in an email. "You usually don't see the DOD there at Day 1."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.