Chain of custody is a concept that originated with the handling of evidence in a legal context, tracking who has interacted with the evidence. In this way, chain of custody can help identify cases where evidence has been mishandled or tampered with.

In software, creating a chain of custody can provide insights into an application’s origin, the components of which it is composed, and the processes used to create it, as well as establishing an auditable trail that helps identify root cause when something goes wrong. Any break in the chain represents an opportunity for malicious activity that may compromise the integrity of the asset.

Open source is a large part of any modern software application, but open source software rarely comes with any security guarantees despite the fact that open source exploits are on the rise as hackers shift their focus from production environments to less protected software supply chains. The meaning is clear: user beware. 

The software supply chain extends from the components, libraries and tools an organization imports through the processes it uses to develop, build, and publish software. Similarly, a chain of custody must extend from imported resources through the build process to the delivery and use of software artifacts. 

But a comprehensive chain of custody requires more than just technology and processes since you’ll also need to be able to prove it. Effectively, a chain of custody creates a certification mechanism that enables organizations to effectively sell their application with a “digital passport” that serves as a verifiable transcript of the product’s lifecycle and journey.

Validating Chain of Custody for Open Source

Open source is ubiquitous in the enterprise, and while many organizations have robust processes around it, time to market concerns mean security and compliance concerns are not always met. Organizations need an automated way to create a chain of custody across their entire software development lifecycle in order to be able to attest to the integrity of all software assets.

But implementing this type of automation at scale is a non-trivial undertaking. And while of paramount importance for security-conscious enterprises, it’s rarely a core competency. After all, generating a software chain of custody must be a highly repeatable process in order to ensure that audit evidence is captured for each and every artifact in the software development process. For example:

  • Provenance – refers to the origin of a software component, along with a history of who made changes to it, and how. The more transparency around a component, the easier it is to establish trust. 
    • Software attestations are currently the best way to generate provenance information based on key metadata, including: 
      • The software vendor/creator’s name.
      • A description of the software the attestation refers to.
      • A statement attesting that the software vendor/creator followed secure development practices when creating the software.
  • Bill of Materials – provides a reference document listing all the components that compose a product. This enables organizations to refer to a single source in order to identify and track all third-party components.
    • Software Bill Of Materials or SBOMs is a machine-readable list of all the third party components and APIs that compose a software product, along with key metadata. As a result, customers can verify licenses and identify vulnerabilities quicker. 

And of course, all of it would need to be retained and versioned in order to produce an auditable record over time for the hundreds or thousands of software components typically found in a software enterprise. 

Rather than creating such a system from scratch, the ActiveState Platform has been designed to provide enterprises with the ability to realize chain of custody for their open source language components. The ActiveState Platform automatically builds open source languages packages from source code, and programmatically generates deterministic, secure runtime environments that feature:

  • Provenance – the ActiveState Platform provides both Provenance Attestations and Verification Summary Attestations (VSAs) for runtime environments.
  • SBOMs – the ActiveState Platform generates both an SPDX and JSON SBOM for each runtime environment built.
  • Audit Trail – each change to the runtime environment generates a Git-like save artifact that can be reverted to at any time, allowing you to:
    • Understand who changed what, when.
    • Retrieve an SBOM or attestation for the environment at any point in time, even if the original software artifacts are no longer publicly available.

 All of this is available for tens of thousands of not only Python, Perl, Ruby and Tcl resources, but also components from which these packages may have been built (e.g., Rust crates and C/C++ libraries, Fortran code, etc). In other words, in order to build the runtime environment for a specific OS from source code, the ActiveState Platform needs to be able to resolve the dependency tree to its lowest level. This provides a unique advantage over similar solutions, which are unable to provide attestations and SBOMs that include a complete list of all transitive and OS dependencies, which is the only way for enterprises to be able to meet regulatory and compliance requirements.

Conclusions – Software Chain of Custody Validation

Chain of custody makes the supply chain more transparent, secure and compliant. Just as in manufacturing, where chain of custody aids consumers in identifying products that are built ethically and sustainably, chain of custody in software can help prove that software is securely built and compliant with their governance criteria. 

While SBOMs are gaining good traction, driven primarily by FDA and US Government regulations and supported by a wide range of established vendors, software attestations are not as readily available. Audit trails are generally manually created as an artifact of the release process, and may be incomplete (if they’re generated at all). 

For all these reasons, creating a chain of custody for your software supply chain can be a complicated process. But without a reliable chain of custody, enterprises may be unaware when a break in the chain exposes them to compromise.

Next Steps:

Starting secure is half the battle. Sign up for a free ActiveState account and see how easy it is to generate a secure runtime environment for your project.