APP-012 Software Integrity Verification
Description
Mechanisms are in place to verify the integrity of software, firmware, and configuration artefacts in the build and deployment pipeline. Build artefacts are signed and signatures are verified at deployment. Unexpected changes to deployed software are detected and alerted. The software supply chain is auditable.
Rationale
Supply chain attacks (e.g. compromised build pipelines, tampered dependencies) can result in malicious code reaching production undetected. Integrity verification provides a technical control that detects or prevents such attacks.
Framework Mappings (4)
| Control ID | Control title | Mapping strength |
| --- | --- | --- |
| 8.29 | Security testing in development and acceptance | informative |
| SA-10 | Developer Configuration Management | partial |
| SI-7 | Software, Firmware, and Information Integrity | full |
| CC6.8 | Controls to Prevent or Detect and Act Upon the Introduction of Unauthorized or Malicious Software | partial |
Evidence (2)
Build pipeline and signing configuration showing that build artefacts are signed and that signature verification is enforced at deployment.
Example: CI/CD pipeline configuration (e.g. GitHub Actions workflow) showing a code-signing step using Sigstore/Cosign, Notary, or GPG, and a deployment step that verifies the signature before pushing to production. Container registry policy (e.g. AWS ECR image scanning + signing policy) showing unsigned images are rejected.
Test: Review the CI/CD pipeline signing configuration and deployment policy. Verify: (1) every production build artefact (container image, binary, or package) is signed using an approved mechanism, (2) the deployment pipeline verifies the signature before deployment and fails if verification fails — confirm by reviewing the pipeline failure behaviour, (3) container registry or artefact repository is configured to reject unsigned artefacts.
File integrity monitoring or runtime integrity tool output confirming that deployed software has not been tampered with since the signed build.
Example: AWS Security Hub findings for CodeArtifact integrity checks, Falco runtime security alert log, Wiz or Lacework runtime report, or equivalent tool output showing no integrity violations detected in the deployed production environment over the last 30 days.
Test: Request the most recent integrity monitoring report or alert log for the production environment. Verify: (1) the monitoring tool is active on all production compute resources, (2) no unresolved integrity violation alerts are open, (3) alerts are configured to notify the security team within a defined response time, (4) the last 30 days show no unexplained integrity events.
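The two evidence items above both rest on the same idea: a trusted record of what the build produced, checked again at deployment and continuously at runtime. The following is an added example illustrating that idea; it is not part of the control text and is not taken from Cosign, Notary, Falco or any other tool named above. It assumes a SHA-256 manifest of the build output is the object that the real pipeline would sign (with Cosign or GPG) and that the deployment gate and the runtime monitor both compare the deployed tree against that manifest. The sample file tree and the simulated tampering are constructed inline so the script runs offline.

```python
"""Added example: build-time hash manifest, deployment-time gate, and runtime
drift check for deployed software. Assumption: the manifest produced here is
what the real pipeline signs; signature handling itself is left to the signing
tool and is not shown."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Build step: map every file (relative POSIX path) to its digest.
    In a real pipeline this manifest is the artefact that gets signed."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, manifest: dict) -> dict:
    """Compare the deployed tree to the (trusted) manifest.
    Used twice: as the deployment gate and as the runtime drift check."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def integrity_ok(report: dict) -> bool:
    """Fail closed: any modified, missing or unexpected file is a violation."""
    return not any(report.values())


def alert_lines(report: dict) -> list:
    """Render violations as one alert line each, suitable for forwarding to
    the security team's alerting channel (format is an assumption)."""
    return [f"INTEGRITY_VIOLATION {kind} {path}"
            for kind, paths in report.items() for path in paths]


def demo() -> tuple:
    """Constructed scenario: clean deployment passes, tampered deployment fails."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed sample binary")
        (root / "config.yaml").write_text("log_level: info\n")

        manifest = build_manifest(root)              # build step
        clean = integrity_ok(check_integrity(root, manifest))  # deployment gate

        # Simulated post-deployment tampering: a config edit and a dropped file.
        (root / "config.yaml").write_text("log_level: debug\n")
        (root / "bin" / "backdoor").write_bytes(b"constructed unexpected file")
        report = check_integrity(root, manifest)     # runtime drift check
        return clean, integrity_ok(report), report


if __name__ == "__main__":
    clean, tampered_ok, report = demo()
    print("clean deployment passes gate:", clean)
    print("tampered deployment passes gate:", tampered_ok)
    for line in alert_lines(report):
        print(line)
```

The deployment gate and the runtime monitor deliberately share one comparison function so that the evidence for both items comes from the same trusted manifest; `integrity_ok` fails closed, which is the pipeline failure behaviour the first test asks the reviewer to confirm.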
Questions (2)
Are build artefacts (container images, binaries, packages) cryptographically signed, and are signatures verified before deployment to production?
Signing and verification must both be in place and automated. Signing without verification provides no meaningful protection. Unsigned artefacts should be rejected by the deployment pipeline.
Which software integrity controls are in place in your build and deployment pipeline?
Signing plus deployment-time verification is the baseline. Runtime integrity monitoring and SBOM generation indicate a mature supply chain security posture.