Verisign helps enable the security, stability, and resiliency of the internet. We are a trusted provider of internet infrastructure services for the networked world and deliver unmatched performance in domain name system (DNS) services.
We are a mission focused, values driven company where each individual can contribute to building a stronger, more secure internet. We offer a dynamic and flexible work environment with competitive benefits and the ability to grow your career.
Securing the software delivery chain with binary-provenance attestations
Project Description:
Verisign is looking into leveraging attestations to verify and enforce a set of governance criteria that binary artifacts will have to meet before being allowed to execute on its platform. Today, some of the build pipelines for internal artifacts record provenance and SBOM attestations. However, this is not done in a consistent manner for all the builds and types of artifacts (e.g. docker images, RPM packages) that are produced and consumed at Verisign. The signature and key management processes can be improved and ease-of-adoption by application teams should be considered as well. The interface with application teams should be stable and allow integration of additional functionality in a transparent manner. With attestations in place and rolled out consistently, policy frameworks such as OPA Rego or Kyverno may be used to enforce a set of governance criteria that the software running on Verisign platforms must adhere to.
Verisign platforms run a mix of internally developed software, which can be made to adhere to the policy requirements, but also external software that may not have been subject to the same policies. This will prompt the need to identify a solution that applies to external software as well and enforce similar policies on external software.
During this project, the student will acquire theoretical and practical knowledge of a secure SDLC, software attestation, key management and roll out of a new policy and be exposed to industry standard security controls.
Goals
• Review mechanisms to record and sign attestations
• Implement a mechanism for recording and signing provenance and SBOM attestations
• Meet SLSA level 2 or above criteria to ensure the attestations cannot easily be tempered with
• Validate that the attestations document the build steps and static checks the artifacts were assembled with and tested against
• Implement policy enforcement on attestations to prevent execution of binaries that do not comply with attestations
• Ascertain that the process works for both internal software and external software
Skills
During this project the student will have to work with the following technologies and standards:
• Build platforms, such as GitHub Actions, Jenkins or others
• SLSA, in-toto.io formats
• CIS Controls
• OPA Gatekeeper, Rego or Kyverno
• Kubernetes
Verisign is an equal opportunity employer. That means we recruit, hire, compensate, train, promote, transfer, and administer all terms and conditions of employment without regard to their race, color, religion, national origin, sex, sexual orientation, gender identity, age, protected veteran status, disability, or other protected categories under applicable law.
Additional Information:
Our Careers Page
Our Benefits Summary
Verisign in the Community
Our EEO Statement
Our Privacy Notice for Job Applicants/Candidates
Reasonable Accommodations
Staffing agency policy: No fees will be paid for unsolicited resumes submitted to Verisign or our employees by third parties.
Similar Jobs
What We Do
Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.
