Well-Architected Framework
Validate software integrity
Validating the integrity of the software used in your organization is crucial to the overall security posture of your environment. If you run software that is not obtained from trusted sources, even the most secure environments have the potential to fall victim to breaches.
What is software integrity
Validating software integrity occurs at multiple stages in the software development lifecycle (SDLC), and when operations teams acquire software.
Validating software integrity takes multiple forms:
Verify software bill of materials (SBOM): Request and review the software bill of materials to confirm that every package and dependency it lists is one you expect, comes from its stated source, and has no known vulnerabilities.
Source code scanning: Run static and dynamic application security testing (SAST and DAST) to find vulnerabilities, and scan source code for committed secrets that would give an external attacker access to your systems.
Validate package checksums: Verify that the checksum of each downloaded package matches the vendor-provided checksum before you install or run it.
Use infrastructure as code: Define all systems and artifacts as code so they can be reviewed and scanned the same way as application source.
Self-service workflows: Automate systems and processes so that every team uses a validated workflow that has the required security checks built in.
Why should you validate software integrity?
For development teams, validating software integrity involves scanning all packages and dependencies used in the software for known vulnerabilities and for unauthorized additions introduced by external threats. Development teams also need to scan their source code to confirm it contains no vulnerabilities and behaves as they intended.
Operations teams also need to validate software integrity when deploying and building software. Infrastructure operations, for example, need to validate that the software they install on the servers, virtual machines, and containers does not introduce malicious code into the environment. Development operations (DevOps) teams must ensure that continuous integration and continuous delivery (CI/CD) pipelines only use trusted source code when building and deploying software. DevOps teams can also build automation systems to enable developer self-service using validated workflows.
HCP Vault Radar helps both development and operations teams scan source code for leaked secrets. By ensuring you do not include secrets in your source code, you prevent unauthorized access to systems. HashiCorp partners such as Sonar help with static and dynamic application security testing to ensure your source code is free from known vulnerabilities.
Terraform and Packer let you define systems and deployments as code. As a result, you can review and scan infrastructure as code in the same manner as source code reviews. You can also use infrastructure artifacts from trusted sources, like secure container images from Chainguard.
HCP Waypoint helps operations teams provide other teams with a self-service portal to use validated workflows for deploying infrastructure and software. Using a self-service portal ensures that your organization follows secure processes, rather than bespoke one-off processes that may not adequately secure an environment.
All HashiCorp software downloads ship with a SHA256SUMS file, signed with HashiCorp's GPG key, so you can validate the integrity of each binary before you install it. You can learn how to validate all HashiCorp binaries so you can be confident the tools you introduce into your environment come from a trusted source and were not altered in transit.
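The checksum step in the list above and the HashiCorp download note, as an added example that is not HashiCorp's own tooling: a POSIX shell function that verifies one downloaded archive against a vendor-published SHA256SUMS file, distinguishing a mismatch from a missing entry, and a demo that exercises both the good and the tampered case. The release name example_1.0.0, its file names and the archive contents are constructed for illustration; the vendor-style sums layout (hash, two spaces, file name) is the one HashiCorp publishes.

```shell
#!/bin/sh
# Verify a downloaded release archive against a vendor SHA256SUMS file.
# Added example, not HashiCorp tooling. Release name, file names and
# archive contents below are constructed for illustration.

# Use whichever SHA-256 tool exists on this host (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum ARCHIVE SUMSFILE
# Returns 0 when the archive's SHA-256 matches its line in SUMSFILE,
# 1 on mismatch, 2 when SUMSFILE lists no entry for the archive.
# The file name is matched exactly, so the line for another platform's
# archive can never satisfy the check for this one.
verify_checksum() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Before trusting SUMSFILE at all, check the vendor's detached signature
# on it, e.g. (needs the vendor's public key imported; not run here):
#   gpg --verify example_1.0.0_SHA256SUMS.sig example_1.0.0_SHA256SUMS
# A checksum file that is not signed only proves the download matched
# whatever the server currently serves, not what the vendor released.

# demo: build a constructed release directory, verify a clean download,
# then append bytes to it and verify again. Returns 0 only when the
# clean archive passes (0) and the tampered one is rejected (1).
demo() {
    dir=$(mktemp -d)
    archive="$dir/example_1.0.0_linux_amd64.zip"
    sums="$dir/example_1.0.0_SHA256SUMS"
    printf 'constructed release payload\n' > "$archive"
    {
        printf '%s  example_1.0.0_linux_amd64.zip\n' "$(sha256_of "$archive")"
        printf '%s  example_1.0.0_darwin_arm64.zip\n' \
            0000000000000000000000000000000000000000000000000000000000000000
    } > "$sums"
    good=0
    verify_checksum "$archive" "$sums" || good=$?
    printf 'extra bytes\n' >> "$archive"
    bad=0
    verify_checksum "$archive" "$sums" || bad=$?
    rm -rf "$dir"
    if [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]; then
        return 0
    fi
    return 1
}

demo && echo "clean archive accepted, tampered archive rejected"
```

On a real download you would run the signature check first and then either this function or the equivalent one-liner, `sha256sum -c --ignore-missing example_1.0.0_SHA256SUMS` (or `shasum -a 256 -c --ignore-missing ...`), which checks only the archives present in the current directory. Treat return code 2 (no entry) as a failure, not a pass: an archive the vendor never listed is as untrusted as one whose hash differs.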
HashiCorp resources:
External resources:
- Dark Reading
- IBM Application Security
- IBM Code Risk Analyzer Overview
- IBM Dynamic Application Security Testing
- IBM Software Supply Chain Security Trends
- SonarSource
- Chainguard
- API Security Audit Tools
- CISA SBOM
Next steps
In this section of Secure systems, you learned why it’s important to validate and test software to ensure you use secure software. Learn how to validate HashiCorp software integrity by verifying the checksums of the software you download. Validating software integrity is part of the Secure data pillar.
Refer to the following documents to learn more about secure software processes:
- Define infrastructure as code to understand infrastructure as code principles
- Topics in Automate your workflows
- CI/CD - Implement automation for infrastructure and applications
- Testing - Implement testing for infrastructure and applications
- Deployment - Implement deployment for infrastructure and applications
- Packaging - Package applications for deployment