SEC06-BP04: Validate software integrity
Implement mechanisms to validate software integrity throughout the software lifecycle. For example, use code signing for your applications, and validate the signatures before running the software. Use a checksum to validate the integrity of software packages before installation. These mechanisms help you identify unauthorized modifications and ensure that you are running authentic software.
Implementation guidance
Software integrity validation is critical for ensuring that the software running in your environment has not been tampered with or corrupted. By implementing comprehensive integrity validation mechanisms, you can protect against supply chain attacks, unauthorized modifications, and ensure that only authentic, verified software executes in your compute environment.
Key steps for implementing this best practice:
- Implement code signing and verification:
- Sign all application code and executables with digital certificates
- Verify code signatures before execution or deployment
- Use trusted certificate authorities for code signing certificates
- Implement certificate lifecycle management and rotation
- Establish code signing policies and procedures
- Validate package and dependency integrity:
- Verify checksums and hashes for all software packages
- Use package managers with built-in integrity verification
- Implement dependency scanning and validation
- Maintain approved software catalogs and repositories
- Monitor for compromised or malicious packages
- Establish secure software supply chain:
- Implement software bill of materials (SBOM) tracking
- Verify the integrity of third-party components and libraries
- Use trusted software repositories and registries
- Implement provenance tracking for software artifacts
- Establish vendor security assessment processes
- Configure runtime integrity monitoring:
- Implement file integrity monitoring (FIM) systems
- Monitor for unauthorized changes to critical files
- Use host-based intrusion detection systems
- Implement application whitelisting and control
- Configure system call monitoring and filtering
- Implement container and image integrity:
- Sign container images with digital signatures
- Verify image signatures before deployment
- Use content trust and notary services
- Implement image scanning and vulnerability assessment
- Establish secure image build and distribution pipelines
- Establish integrity validation automation:
- Automate integrity checks in CI/CD pipelines
- Implement continuous integrity monitoring
- Create automated responses to integrity violations
- Establish integrity validation reporting and alerting
- Integrate integrity validation with security orchestration
Implementation examples
Example 1: Code signing and verification pipeline
Example 2: Container image signing with Docker Content Trust
Example 3: File integrity monitoring with AIDE
Example 4: Software supply chain security with SBOM
AWS services to consider
Benefits of validating software integrity
- Supply chain security: Protects against compromised or malicious software components in the supply chain
- Tamper detection: Identifies unauthorized modifications to software and configuration files
- Compliance assurance: Helps meet regulatory requirements for software integrity and authenticity
- Incident response: Provides forensic capabilities to investigate security incidents and determine impact
- Trust establishment: Builds confidence in software authenticity through cryptographic verification
- Risk reduction: Minimizes the risk of running compromised or malicious software in production environments
- Automated validation: Enables continuous integrity monitoring without manual intervention