Software Supply Chain Security Is Our Top Priority
After the President of the United States issued an executive order in May 2021 tasking both public and private entities with improving the nation’s cybersecurity, there has been a significant rise in security awareness. The software development industry, and the CI/CD community in particular, are implementing features that improve software vendors’ ability to comply with the secure software supply chain initiative.
We have outlined below how Travis CI addresses security within our CI/CD tool. To ensure our clients are as protected as possible, we will continue to add new software supply chain security features in the future. Feel free to reach out to our team with any questions on the latest in Travis CI’s security measures.
What Is a Software Supply Chain Attack?
A software supply chain attack is any attempt by malicious actors to uncover confidential information by gaining access to the software supply chain. Continuous integration and deployment (CI/CD) tools such as Travis CI that are used to build, test, and deploy software automatically have become a target for attacks because their builds contain confidential information.
Attackers may exploit vulnerabilities to insert malicious code into the software supply chain, which allows them to steal proprietary data and code, spy on ongoing updates, or disrupt the organization’s software. Some attackers will then hold company information for ransom, threatening to sell the data or release it publicly if they are not paid a significant amount of money. Many of these malicious actors are in states such as Russia, which makes them difficult to catch and charge with a crime.
What Is a Potential Supply Chain Security Risk?
There are potential risks at every level of the software development supply chain. Many vulnerabilities come from human error, which is why it is important for organizations to properly and continuously train their staff on security protocols.
Travis CI has a range of comprehensive software supply chain security tools that work to protect companies, especially those working between the source and build stages of the supply chain. Many of these tools are built to limit access to secret information to only essential personnel. Our tools are also built to help our clients continuously monitor their builds for potential security breaches.
How We Maintain a Secure Software Supply Chain
Travis CI’s team has decades of combined experience in creating and maintaining security protocols in software development. We have worked to provide a reliable and well-priced solution to companies looking for a platform that exceeds security standards. Travis CI is trusted by more than 700,000 active users who have more than 300,000 active projects in development on our platform.
- Two-factor authentication
- User permission documentation
- Privacy Shield certification
- 24/7/365 security monitoring
- Data encryption in geographically diverse areas with redundant facilities
Software Supply Chain Security Tools
Build Job Log Scanning
Our platform censors secrets configured for the build jobs to prevent their plain-text exposure in the build job log. However, if a threat actor were able to gain access to the build logs, it would still be possible to search them for passwords, keys, tokens, and other proprietary information.
That’s why Travis CI also scans every build job log with independent scanners shortly after the build is finished. If the scan discovers a secret in the job log, our tools will censor the entire line of the log and produce a log scan report. The report is available to repository administrators for seven days and provides a detailed breakdown of the raw job file, including potential secret entries. This enables developers to investigate the anomaly and find the source of any potential leaks.
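The log-scanning flow described above, as an added example that is not Travis CI's own code: a two-pass scanner over a constructed job log that first masks configured secret values in place, then censors any whole line that still matches a detector and emits the report an administrator would review. The detector rules, the `[secure]` mask text and the sample log are assumptions made for this example.

```python
import re
from typing import Iterable

# Detector rules constructed for this example; a real scanner carries a far
# larger, tuned rule set. The AWS value in the sample log is AWS's documented
# example key, not a live credential.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "assignment": re.compile(r"(?i)\b(password|secret|token|api_key)\s*[=:]\s*\S{8,}"),
}
MASK = "[secure]"                      # in-place mask for configured secret values
CENSORED_LINE = "[line censored by log scan]"

def scan_job_log(log_text: str, configured_secrets: Iterable[str] = ()):
    """Pass 1 masks known configured secret values in place (what the build
    itself does); pass 2 censors any whole line a detector still flags.
    Returns (censored_lines, findings) with findings = (line_no, detector, raw_line)."""
    censored, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for value in configured_secrets:
            line = line.replace(value, MASK)
        hit = next((name for name, rx in DETECTORS.items() if rx.search(line)), None)
        if hit is None:
            censored.append(line)
        else:
            # raw line goes only into the restricted report, never the public log
            findings.append((line_no, hit, line))
            censored.append(CENSORED_LINE)
    return censored, findings

def scan_report(findings) -> str:
    """Admin-only report: one entry per finding with the raw offending line."""
    rows = [f"  line {n} [{det}]: {raw}" for n, det, raw in findings]
    return "\n".join([f"log scan report: {len(findings)} potential secret(s)", *rows])

# Constructed sample job log; the configured secret value is made up.
SAMPLE_LOG = "\n".join([
    "$ export DEPLOY_TOKEN=[secure]",
    "Deploying with token hunter2-super-secret-value",
    "DEBUG: aws key AKIAIOSFODNN7EXAMPLE loaded",
    "$ curl -H 'Authorization: token ghp_" + "a" * 36 + "'",
    "password=Tr0ub4dor&3",
    "Build succeeded.",
])

if __name__ == "__main__":
    lines, found = scan_job_log(SAMPLE_LOG, configured_secrets={"hunter2-super-secret-value"})
    print("\n".join(lines))
    print(scan_report(found))
```

The second line of the sample shows why both passes matter: the configured value is masked without censoring the line, while the three leaked values the build never declared are caught only by the detectors.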
Hashicorp Vault Integration
Travis CI allows clients to put an encrypted string into their build definition file and use the software’s native engine and stored internal keys to decrypt the secret. However, some of our clients prefer to use a central key management system (KMS) to maintain confidential information due to its ability to rotate secrets quickly.
To facilitate that process, Travis CI now provides an easy way to integrate Hashicorp Vault. While clients could previously use Hashicorp Vault by writing the instructions into their build definitions, they can now do so more easily with dedicated .travis.yml syntax.
Travis CI now allows users to digitally sign their software before release using our cosign tool. The signature lets the receiver verify that the software has not been tampered with before downloading it. Customers can sign on both the client and server sides.
Build Job Log Access
Build job logs often contain supplementary information such as environment variable names and values, as well as custom debug output that may expose sensitive secrets such as credentials and tokens.
To protect this information, Travis CI provides customizable limitations on its access. This helps ensure that only essential personnel can view secret information.
Under Travis CI’s default settings, build job logs older than 365 days are not available to anyone, but administrators can change this setting to allow access to those logs through API authentication. This option lets clients enable or disable access to old build job logs for the group of repository collaborators with write access. Administrators can also restrict access to all build job logs to users with write/push access only.
Retrieving a job log requires an API authentication token for both public and private repositories. In addition, job logs requested through the API are only returned through the API. This helps prevent confidential information from leaking through historical data.
How You Can Strengthen Your Supply Chain Security
No single security measure is bulletproof. While Travis CI works to ensure our clients are as protected as possible, every organization needs to be continuously vigilant with its security practices to prevent potential security breaches.
- Keep environment variables hidden in job logs.
- Encrypt sensitive data used in the build definition.
- Protect keys used for security signatures.
- Provide continuous security training to employees.
- Limit access to sensitive information to essential staff.
- Continuously monitor code and procedures to ensure security protocols are followed.
Trust Travis CI with Your Supply Chain Management Software
Our staff works tirelessly to ensure your secret information is safe on our platform. Make sure to ask our experienced team how Travis CI’s software supply chain security tools can protect your code.