Profile Applicability:
Level 1
Description:
Build and release pipelines must include steps to digitally sign the Software Bill of Materials (SBOM) generated during the build process. Signing the SBOM ensures its authenticity and integrity, allowing stakeholders to verify that the SBOM has not been tampered with and accurately represents the software components used.
Rationale:
Digitally signing the SBOM protects the software supply chain by enabling verification of the SBOM’s provenance and preventing unauthorized modifications. This strengthens trust in the software delivery process and supports compliance with security and regulatory requirements.
Impact:
Pros:
Ensures integrity and authenticity of the SBOM.
Enhances software supply chain transparency and trust.
Supports audit and compliance activities.
Facilitates incident response through verified component inventories.
Cons:
Adds complexity to build and release processes.
Requires management of signing keys and related infrastructure.
Default value:
Many pipelines generate SBOMs without signing them, which leaves them vulnerable to tampering.
Audit:
Review build pipeline configurations for SBOM signing steps. Verify presence and validity of digital signatures on released SBOMs.
Remediation:
Integrate digital signing tools into CI/CD pipelines for SBOMs. Establish key management policies and train teams on signing processes.
References:
SPDX Digital Signatures: https://spdx.dev/specifications/
The Update Framework (TUF): https://theupdateframework.io/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/