Profile Applicability:
Level 1

Description:
The authority to certify or sign software artifacts must be strictly limited to a small, trusted group of authorized personnel. These individuals are responsible for validating the authenticity and integrity of artifacts before release or deployment, ensuring only verified software is distributed.

Rationale:
Limiting certification authority reduces the risk of unauthorized or fraudulent artifact signing, which could lead to the distribution of malicious or compromised software. It enforces accountability and supports secure software supply chain practices and compliance with regulatory standards.

Impact:
Pros:

  • Enhances trust in the software supply chain.

  • Prevents unauthorized artifact certification and distribution.

  • Supports accountability and traceability of certifications.

  • Aligns with security best practices and compliance requirements.

Cons:

  • May create operational bottlenecks if certification authority is too narrowly assigned.

  • Requires strong governance and key management processes.

Default value:
By default, artifact certification authority may be broadly assigned without strict controls.

Audit:
Review lists of personnel authorized to certify artifacts. Verify processes for certification and associated access controls. Audit cryptographic key usage and signing logs.
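
One way to make the signing-log review above mechanical, as an added example that is not part of this recommendation or any CIS tooling: compare each logged signature against an allowlist of authorized certifiers and the keys registered to them. The log format, field names, identities and key IDs below are constructed assumptions.

```python
import json
from collections import namedtuple

# Authorized certifiers (constructed): identity -> key IDs registered to them.
AUTHORIZED_SIGNERS = {
    "release-eng@example.com": {"SHA256:aa11"},
    "security-lead@example.com": {"SHA256:bb22"},
}

# Constructed signing-log lines, one JSON object per line (format is assumed).
SIGNING_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "signer": "release-eng@example.com", "key_id": "SHA256:aa11", "artifact": "app-1.4.2.tar.gz"}
{"ts": "2024-05-01T10:05:00Z", "signer": "contractor@example.com", "key_id": "SHA256:cc33", "artifact": "app-1.4.2.tar.gz"}
{"ts": "2024-05-02T09:30:00Z", "signer": "release-eng@example.com", "key_id": "SHA256:dd44", "artifact": "app-1.4.3.tar.gz"}
"""

Finding = namedtuple("Finding", "artifact signer key_id reason")

def parse_log(log_text):
    """Return one record per non-empty log line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def check_signature(rec, authorized):
    """Return why this signature violates the policy, or None if it is acceptable."""
    if rec["signer"] not in authorized:
        return "signer not on authorized list"
    if rec["key_id"] not in authorized[rec["signer"]]:
        return "key not registered to signer"
    return None

def audit_signing_log(log_text, authorized=AUTHORIZED_SIGNERS):
    """One Finding per signature that breaks the restricted-authority policy."""
    findings = []
    for rec in parse_log(log_text):
        reason = check_signature(rec, authorized)
        if reason:
            findings.append(Finding(rec["artifact"], rec["signer"], rec["key_id"], reason))
    return findings

def artifacts_without_valid_signature(log_text, authorized=AUTHORIZED_SIGNERS):
    """Artifacts that were signed, but never by an authorized signer with a registered key."""
    valid, seen = set(), set()
    for rec in parse_log(log_text):
        seen.add(rec["artifact"])
        if check_signature(rec, authorized) is None:
            valid.add(rec["artifact"])
    return sorted(seen - valid)
```

The second check matters because a release can carry both a legitimate signature and an unauthorized one; only artifacts with no acceptable signature should be blocked from distribution, while every unauthorized signature should still be investigated.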

Remediation:
Establish clear policies restricting artifact certification authority. Implement role-based access controls and key management procedures. Conduct regular access reviews and audits. Train authorized personnel on certification responsibilities.

References:

  1. The Update Framework (TUF): https://theupdateframework.io/

  2. Software Supply Chain Security Best Practices: https://www.ncsc.gov.uk/files/Supply%20Chain%20Security%20Guidance.pdf

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/