Use this skill when:
Prerequisite: The secure-code-review skill must already be applied. Code review is the foundational mitigation — it is the multi-party authorization control that increases the cost of introducing malicious changes before they reach the pipeline. All pipeline controls assume reviewed code enters the source control system.
Before mapping threats to mitigations, identify which adversary types apply to your organization. The threat model has three types:
| Adversary | Definition | Example |
|---|---|---|
| ----------- | ----------- | --------- |
| Benign insider | Engineer who makes mistakes | Accidentally builds from locally modified code with unreviewed changes |
| Malicious insider | Insider who tries to exceed authorized access | Deploys a modified binary that exfiltrates customer credentials |
| External attacker | Compromises machine or account of one or more insiders | Uses a compromised engineer account to push a backdoored build script |
Why this matters: Mitigations have different effectiveness profiles against each adversary type. Code review deters malicious insiders but does not protect against collusion or external attackers who compromise multiple accounts simultaneously. Automation eliminates benign-insider build mistakes but introduces its own attack surface if not locked down. Knowing your adversary scope lets you prioritize controls and document known limitations honestly.
Output: A written adversary scope statement: which adversary types are in scope, which are out of scope and why, and any known limitations.
Walk through each threat category and record: the threat, your current mitigation, and the limitation of that mitigation.
Threat-mitigation mapping (Table 14-1 — basic best practices):
| Threat | Mitigation | Known Limitation |
|---|---|---|
| -------- | ----------- | ----------------- |
| Engineer accidentally introduces a vulnerability | Code review + automated testing | Does not catch all vulnerabilities |
| Malicious insider submits a change with a backdoor | Code review (increases cost; adversary must craft change to pass review) | Does not protect against collusion or external attackers compromising multiple accounts |
| Engineer accidentally builds from locally modified unreviewed code | Automated CI/CD system always pulls from the correct source repository | None if CI/CD is properly locked down |
| Engineer deploys a harmful configuration (e.g., debug features enabled in production) | Treat configuration as code: require configuration changes to be checked in, reviewed, and tested like any code change | Not all configuration can be treated as code |
| Malicious insider deploys a modified binary that exfiltrates data | Production environment requires proof that the CI/CD system built the binary; CI/CD pulls only from the correct source repository | Adversary may exploit breakglass procedures; mitigated by logging and auditing |
| Malicious insider modifies cloud bucket ACLs to exfiltrate data | Treat resource ACLs as configuration; restrict changes to the deployment process only | Does not protect against collusion |
| Malicious insider steals the integrity signing key | Store signing key in a key management system accessible only to the CI/CD system; require key rotation | See "Advanced Mitigation Strategies" for build-specific hardening |
For each row, fill in your current state. Threats with no mitigation or with significant limitations are your highest-priority gaps.
Why configuration-as-code is non-negotiable: Engineers understand they should not build a production binary from a locally modified source copy. But many do not apply the same discipline to configuration. Treating configuration as code — version-controlled, peer-reviewed, tested before deployment — reuses all existing supply chain controls at no additional architectural cost.
The key principle: deployment environments should verify what is being deployed, not only who initiated the deployment. An actor can make a mistake or may be intentionally deploying a malicious change regardless of authorization level.
Implementation:
Two choke point architectures:
Every build stage must produce binary provenance: a cryptographically authenticated record of exactly how the artifact was built — inputs, transformation, and the entity that performed the build.
Why provenance is required beyond auditing: Without provenance, you cannot know what source code a deployed binary came from. During a security incident, reverse engineering a binary is prohibitively expensive; inspecting version-controlled source is fast. Provenance is also the prerequisite for provenance-based deployment policies (Step 5).
Binary provenance schema — required fields:
| Field | Required | Description |
|---|---|---|
| ------- | ---------- | ------------- |
| Authenticity | Yes | Cryptographic signature covering all other fields. Verifies which system produced the provenance and establishes integrity. Usually a signing key accessible only to the CI/CD system. |
| Outputs | Yes | The output artifacts this provenance applies to, each identified by a cryptographic hash of the artifact content (SHA-256). |
| Inputs: Sources | Recommended | The top-level input artifacts — e.g., "Git commit 270f...ce6d from https://github.com/org/repo" or "file foo.tar.gz with SHA-256 78c5...6649". Each input should have both an identifier (URI) and a version (cryptographic hash). |
| Inputs: Dependencies | Recommended | All other artifacts needed for the build — libraries, build tools, compilers — that are not fully specified in sources. Each can affect build integrity. |
| Command | Recommended | The command used to initiate the build, structured for automated analysis. Example: {"bazel": {"command": "build", "target": "//main:hello-world"}} |
| Environment | Optional | Architecture details, environment variables, and any other information needed to reproduce the build. |
| Input metadata | Optional | Metadata about inputs that downstream systems will find useful (e.g., source commit timestamp used by a policy evaluation system). |
| Debug info | Optional | Information useful for debugging but not required for security (e.g., machine on which the build ran). |
| Versioning | Recommended | Build timestamp and provenance format version number, enabling format changes without rollback attack susceptibility. |
Attack surface awareness: Any input not checked by the build system (and therefore not implied by the signature) and not included in the sources (and therefore not peer reviewed) is a vector. If users can specify arbitrary compiler flags, the verifier must validate those flags explicitly.
Propagation guidance: Strongly prefer propagating provenance inline with the artifact (e.g., as a Kubernetes annotation passed to the Admission Controller webhook) rather than storing in a separate database keyed by artifact hash. Database-keyed lookup causes ambiguity when the same artifact hash appears in multiple provenance records, produces unactionable error messages, and introduces latency that may exceed deployment SLOs.
A deployment policy describes the intended properties of each deployment environment. The deployment environment matches this policy against the binary provenance of each artifact at deployment time.
Why provenance-based policies outperform pure code signing:
Example policy rules to implement (tailor to your threat model):
Three-step policy implementation:
Design rules:
Four threats remain unaddressed by basic best practices alone. Apply these advanced mitigations for high-security or large organizations:
Threat-mitigation mapping (Table 14-2 — advanced):
| Threat | Advanced Mitigation |
|---|---|
| -------- | ------------------- |
| Engineer deploys an old version of code with a known vulnerability | Deployment policy requires the code to have undergone a security vulnerability scan within the last N days |
| CI system misconfigured to allow builds from arbitrary source repositories; malicious adversary builds from a repo containing malicious code | CI system generates binary provenance recording which source repository it pulled from; production deployment policy requires provenance proving the artifact originated from an approved repository |
| Malicious adversary uploads a custom build script that exfiltrates the signing key, then signs and deploys a malicious binary | Verifiable build system uses privilege separation: the component that runs custom build scripts (the worker) has no access to the signing key. Only the trusted orchestrator process holds the key. |
| Malicious adversary tricks the CD system into using a backdoored compiler or build tool | Hermetic builds require developers to explicitly specify the compiler and build tool in the source code (fully pinned, peer-reviewed like any other code change). The orchestrator fetches these tools; the worker has no ability to substitute them. |
Verifiable build architecture — three options:
| Architecture | How it works | Best for |
|---|---|---|
| ------------- | ------------- | --------- |
| Trusted build service | A central service the verifier trusts signs provenance with a key only it holds. Build once; no reproducibility required. | Most organizations; used by Google internally |
| Rebuild service | Verifier reproduces the build and checks bit-for-bit identical output. Requires full reproducibility. | Not scalable (builds take minutes; deployments need milliseconds) |
| Rebuilding service | A quorum of independent rebuilders attest to provenance. Hybrid of the two above. | Open source projects (Debian model) where central authority is infeasible |
Hermetic build requirements (prerequisite for the advanced mitigations above):
In emergencies (e.g., an outage requiring an immediate configuration change that would take too long through the normal pipeline), engineers may need to bypass the deployment policy.
Breakglass design requirements:
Post-deployment verification (required even with enforcement):
Even when deployment policies are enforced at the choke point, run post-deployment verification because:
Implementing the full supply chain security model requires many changes. Attempting all of them simultaneously risks disrupting engineering productivity and causing outages. Secure one aspect of the supply chain at a time.
Recommended sequence:
| Phase | Focus | Key Actions |
|---|---|---|
| ------- | ------- | ------------ |
| Phase 1: Foundational | Eliminate human-in-the-loop build steps | Automate all build, test, and deploy steps; script everything so humans and automation execute identical steps; establish code review as mandatory (depends on secure-code-review) |
| Phase 2: Configuration control | Extend supply chain discipline to configuration | Treat all configuration as code: check in, review, and test before deployment; restrict direct configuration changes to the deployment process only |
| Phase 3: Artifact verification | Verify what is deployed, not just who deploys | Add binary provenance to CI/CD output; configure deployment choke points to require provenance; implement basic deployment policies |
| Phase 4: Advanced hardening | Address insider and sophisticated external threats | Implement privilege separation in build system (orchestrator + isolated worker); require hermetic builds; add provenance-based policies covering source repository, scan recency, and version recency |
| Phase 5: Breakglass and monitoring | Close the auditability gap | Implement breakglass with immediate alerting; enable post-deployment verification; run dry-run mode before enforcing new policies |
Lock down the automated system itself: For each path where an administrator can make a change without review — configuring the CI/CD pipeline directly, using SSH to run commands on the build machine — implement a mitigation that requires peer review for that path. This is the hardest step and the one most commonly skipped.
Produce a deployment pipeline security assessment with these sections:
This skill is licensed under CC-BY-SA-4.0.
Source: BookForge — Building Secure and Reliable Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield.
Install related skills from ClawhHub:
clawhub install bookforge-secure-code-reviewOr install the full book set from GitHub: bookforge-skills
共 1 个版本
暂无安全检测报告