Produce Well-Secured Software (PW)
SBOM Tools and Attestation
A Software Bill of Materials (SBOM) provides visibility into software components, dependencies, and security risks. When combined with attestation mechanisms, SBOMs enhance trust and traceability across the software supply chain.
Open Source Build Signing and Verification
Ensuring software artifacts remain authentic and unmodified is essential for a trusted software supply chain. The following tools provide cryptographic verification to protect against supply chain attacks.
Security-Enhanced Build and Deployment Tooling
Beyond open-source tools, a secure build and deploy pipeline relies on trusted execution environments, deterministic build systems, cryptographic verification, and policy-enforced deployment mechanisms. These technologies provide tamper-proof guarantees, verifiable attestations, and automated security policies to strengthen the software supply chain.
1. Reproducible and Deterministic Build Systems
Ensuring that software builds are reproducible enhances security by allowing independent verification of artifacts. These systems minimize non-determinism and ensure that a given input always produces the same output.
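The following is an added example, not part of the original page or of any tool it names. It shows two common sources of non-determinism (file enumeration order and embedded timestamps) being pinned, so that an independent rebuild reproduces the published digest and a modified source does not. The function names, the sample source tree and the build times are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile

def build_archive(files, build_time, deterministic):
    """Pack {path: bytes} into .tar.gz bytes; build_time models the builder's clock."""
    # Non-determinism sources: file enumeration order and embedded timestamps.
    names = sorted(files) if deterministic else list(files)
    mtime = 0 if deterministic else build_time
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            info.mode = 0o644            # fixed mode, owner and group
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp and file name; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

def rebuild_matches(published, files, build_time, deterministic):
    """Independent verifier: rebuild from source and compare digests."""
    return digest(build_archive(files, build_time, deterministic)) == published

# Constructed sample input: the same source tree as seen by two builders.
SOURCES = {"src/app.py": b"print('hello')\n", "LICENSE": b"MIT\n"}
REORDERED = dict(reversed(list(SOURCES.items())))   # other filesystem order
TAMPERED = {**SOURCES, "src/app.py": b"print('hello')#\n"}

if __name__ == "__main__":
    for mode in (False, True):
        published = digest(build_archive(SOURCES, 1700000000, mode))
        print("deterministic" if mode else "naive",
              "rebuild ok:", rebuild_matches(published, REORDERED, 1700086400, mode),
              "tampered ok:", rebuild_matches(published, TAMPERED, 1700086400, mode))
```

In the naive mode a mismatch says nothing about tampering, because an honest rebuild also fails to match; only the deterministic mode makes the digest comparison meaningful.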
2. Trusted Execution Environments (TEEs) and Confidential Computing
Trusted Execution Environments (TEEs) provide hardware-backed isolation to secure the build process, key management, and code execution. These environments ensure confidentiality and integrity in the build and deploy process and can be found in major cloud providers.
- Intel TDX
- AMD SEV
- Microsoft CCF (Confidential Consortium Framework)
- AWS Nitro Enclaves
- Confidential Containers
3. Cryptographic Signing and Verification
Cryptographic signing and verification ensures authenticity, integrity, and provenance in the software supply chain.
4. Secure Build and Deployment Policies
Automated security policy enforcement in CI/CD pipelines ensures only verifiably secure software is built and deployed.