Enhancing Validation Through Attestations

Validating software involves a variety of tests and processes that make it a robust product, and each step is essential to building a release. Attestations provide proof that the process was followed and that no unauthorized changes were made while the build artifacts were being created. These attestations can be shipped alongside the software release package. Providing the attestations, together with the layout that describes the expected steps, gives customers confidence that your organization produced exactly what they received: the layout supplies several checks and balances, and it can replace the manual comparison of checksums. An open-source project such as in-toto can help make your product's supply chain more secure, and its steps can be added to your build pipeline to streamline the whole process. This paper demonstrates how attestations can enforce policy and give consumers confidence that they have received the correct product.

Readers should take away the following from this paper:

  1. A basic understanding of attestations
  2. What checks are performed when attestations are used
  3. How attackers are stifled, with example attacks
  4. A few reasons why this matters for business
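
The checks in objective 2 and the stifled attacks in objective 3 are easiest to see in code. The following is an added example, not code from this paper or from the in-toto project: it mirrors in-toto's per-step link metadata (digests of each step's materials and products) and the layout's MATCH rule, but the step names, file contents, keys and the use of HMAC-SHA256 under a per-functionary shared key (a stand-in for the asymmetric signatures real in-toto uses) are all constructed for illustration.

```python
"""Minimal in-toto-style supply-chain verification (stdlib only).

Added example, not code from the paper or from the in-toto project.  It mirrors
in-toto's per-step link metadata (digests of the step's materials and products)
and the layout's MATCH rule, but signs with HMAC-SHA256 under a per-functionary
shared key as a stand-in for the asymmetric signatures real in-toto uses.
"""
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Canonical encoding so signer and verifier MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> dict:
    return {"payload": payload,
            "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


def verify_sig(key: bytes, signed: dict) -> bool:
    expected = hmac.new(key, _canonical(signed["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def make_link(step: str, key: bytes, materials: dict, products: dict, command: list) -> dict:
    """Record what a step consumed and produced, signed by that step's functionary."""
    return sign(key, {
        "_type": "link", "name": step, "command": command,
        "materials": {p: digest(b) for p, b in materials.items()},
        "products": {p: digest(b) for p, b in products.items()},
    })


# Constructed layout: which key may sign each step, and which inputs must MATCH
# the products of an earlier step.  Keys are constructed for the example.
LAYOUT = {
    "steps": [
        {"name": "build", "key": "builder", "match": {}},
        {"name": "package", "key": "packager", "match": {"app.bin": "build"}},
    ],
    "final_step": "package",
}
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}


def verify_chain(layout: dict, keys: dict, links: dict, delivered: dict):
    """Return (ok, reason).  `links` maps step name -> signed link, `delivered`
    maps product path -> bytes the consumer actually received."""
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        if not verify_sig(keys[step["key"]], link):
            return False, f"bad signature on step {step['name']}"
        if link["payload"]["name"] != step["name"]:
            return False, f"link for {step['name']} names a different step"
        # MATCH rule: what this step consumed must be exactly what the named
        # earlier step produced, so nothing was swapped in between.
        for path, src in step["match"].items():
            produced = links[src]["payload"]["products"].get(path)
            consumed = link["payload"]["materials"].get(path)
            if produced is None or produced != consumed:
                return False, f"{path} consumed by {step['name']} does not match {src} output"
    # The delivered artifact must match the attested product of the final step.
    final = links[layout["final_step"]]["payload"]["products"]
    for path, data in delivered.items():
        if final.get(path) != digest(data):
            return False, f"delivered {path} does not match attested product"
    return True, "ok"


def demo(scenario: str = "honest"):
    """Run a constructed two-step chain, optionally with an attack in the middle."""
    src = {"main.c": b"int main(void){return 0;}"}
    app = b"\x7fELF-constructed-binary"
    build = make_link("build", KEYS["builder"], src, {"app.bin": app},
                      ["cc", "-o", "app.bin", "main.c"])
    staged = app
    if scenario in ("swap_binary", "forge_link"):
        staged = app + b"+backdoor"       # attacker replaces the binary before packaging
    if scenario == "forge_link":
        # Attacker also edits the build link to cover the swap, but lacks the builder key.
        build["payload"]["products"]["app.bin"] = digest(staged)
    tarball = b"TAR:" + staged
    package = make_link("package", KEYS["packager"], {"app.bin": staged},
                        {"app.tar": tarball}, ["tar", "cf", "app.tar", "app.bin"])
    return verify_chain(LAYOUT, KEYS, {"build": build, "package": package},
                        {"app.tar": tarball})


if __name__ == "__main__":
    for s in ("honest", "swap_binary", "forge_link"):
        print(s, demo(s))
```

Running the three scenarios shows the two places an attacker is caught: swapping the binary between steps fails the MATCH rule because the packager's recorded material no longer equals the builder's recorded product, and rewriting the build link to hide the swap fails signature verification because the attacker does not hold the builder's key. The consumer never compares checksums by hand; the layout states which digests must agree, and the verifier enforces it.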

Brent Clausner

Brent Clausner is a DevOps Engineer at The Software Engineering Institute. His background is rooted in software development, having worked as a Software Engineer, Quality Assurance Engineer, and DevOps Engineer. He is a proponent of having projects adhere to best practices and advocates for implementing robust, secure code.