[Threat Modelling] Verify that our produced container images are signed and only published to trusted container registries #53

Open
tobiscr opened this issue Nov 29, 2023 · 1 comment

Comments

@tobiscr

tobiscr commented Nov 29, 2023

Description

To prevent malicious code from being injected into our productive systems through untrusted container images, we have to verify our build and delivery process and ensure that

  • all container images are built following SAP SLC-29 compliance guidelines (using trusted build infrastructure, signing images)
  • the publishing of container images happens only via trusted container registries
  • consumption/deployment of container images uses only trusted container registries

AC:

  • Ensure that our build pipeline is using an SLC-29 compliant build mechanism to produce container images (the image is also signed by the SAP Signify service)
  • Verify that any produced container image is only published to and consumed from a trusted container registry (review of deployment manifests)

Steps to exploit

An attacker finds a way to inject malicious code into our productive systems because container images were built on untrusted systems, not signed, and published to untrusted container registries.

Risk assessment
Part of the Threat Modelling workshop from 2023-11-29.

Proposed mitigation

Review the build process of our container images and ensure they are built using SLC-29 compliant build pipelines and signed by SAP Signify. Also verify the deployment manifests and ensure that only images from trusted container registries will be deployed.
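As an added illustration of the manifest review in the second acceptance criterion (not code from this project), the script below scans `image:` lines in a deployment manifest, resolves each reference's registry using Docker's default-registry rule, and reports references that point outside an allowlist. The manifest, image names and the allowlist are constructed for the example; the digest-pinning flag is an extra check beyond what the issue asks for.

```python
import re

# Constructed sample manifest (hypothetical image names, not the project's own).
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: europe-docker.pkg.dev/example-project/prod/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        - name: worker
          image: "europe-docker.pkg.dev/example-project/prod/worker:1.4.0"
        - name: sidecar
          image: nginx:1.25
        - name: tool
          image: ghcr.io/someone/tool:latest
"""

# Assumed allowlist; in practice this comes from the team's trusted-registry policy.
TRUSTED_REGISTRIES = {"europe-docker.pkg.dev"}
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")


def registry_of(ref: str) -> str:
    """Registry host of an image reference, using Docker's rule: a first path
    component with no '.' or ':' (and not 'localhost') is a docker.io namespace."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_manifest(text: str, trusted=TRUSTED_REGISTRIES) -> list[dict]:
    """One finding per image line: registry, whether it is on the allowlist,
    and whether the reference is pinned by digest instead of a mutable tag."""
    findings = []
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            ref = m.group(1)
            findings.append({"image": ref, "registry": registry_of(ref),
                             "trusted": registry_of(ref) in trusted,
                             "pinned_by_digest": "@sha256:" in ref})
    return findings


def untrusted_images(text: str, trusted=TRUSTED_REGISTRIES) -> list[str]:
    """Image references that would pull from a registry outside the allowlist."""
    return [f["image"] for f in audit_manifest(text, trusted) if not f["trusted"]]
```

Note that a bare name such as `nginx:1.25` is reported under `docker.io`, since that is where a cluster would pull it from; an unqualified reference is therefore an untrusted-registry finding, not a missing one.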
