Earlier this year, I explored how important attribution is within critical infrastructure systems, so that we can understand, without a doubt, all actors and their actions within these important environments. We do this by auditing every interaction of an actor in the ecosystem and creating an immutable chain.
A great place to start is the origin of the software, building the immutable chain in the creation of code.
Right now, proper coding practice includes authenticating the author's identity when code is committed to a repository such as GitHub. For those readers who are not using a repository in their organization, stop reading here, go fix that, and come back to the article once you are finished. It really is that critical.
Yet even with the repository of source code, there is little to no attribution while the code is being authored. In most current processes, code is stamped with attribution only when it is committed; if credentials have been stolen, or the user's computer has been compromised, there is no way of verifying what happened between commits.
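As an added illustration of the immutable chain described at the start of the article, and of the gap between commits noted just above, here is a small Python model of a hash-linked audit log. This is example code written for this page, not code from the original article or from any product it mentions. Each entry records an actor and an action, links to the previous entry by hash, and carries a per-actor HMAC; using a per-actor HMAC key is an assumption that stands in for a real per-actor signing key, and the actor names, keys, file names and events are all constructed. The verifier shows what such a chain makes detectable: an action edited after the fact, a deleted entry, or an entry reattributed to an actor the system does not know.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hash that the first entry links to: the chain has no predecessor yet.
GENESIS_HASH = "0" * 64


@dataclass
class Entry:
    seq: int          # position in the chain, starting at 0
    actor: str        # who performed the action
    action: str       # what they did (constructed free-text description)
    prev_hash: str    # entry_hash of the preceding entry (or GENESIS_HASH)
    mac: str          # per-actor HMAC over the entry body: binds the entry to the actor
    entry_hash: str   # SHA-256 over body + mac: what the next entry links to


def _body(seq: int, actor: str, action: str, prev_hash: str) -> bytes:
    """Canonical, byte-stable serialization of the fields covered by the MAC."""
    return json.dumps(
        {"seq": seq, "actor": actor, "action": action, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()


class AuditChain:
    """Append-only, hash-linked record of actor actions.

    actor_keys maps an actor name to a secret key. A per-actor HMAC key is an
    assumption here, standing in for a real signing key; the chaining is the same.
    """

    def __init__(self, actor_keys: Dict[str, bytes]) -> None:
        self.actor_keys = actor_keys
        self.entries: List[Entry] = []

    def append(self, actor: str, action: str) -> Entry:
        key = self.actor_keys[actor]          # unknown actors cannot record anything
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        body = _body(seq, actor, action, prev)
        mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        entry_hash = hashlib.sha256(body + mac.encode()).hexdigest()
        entry = Entry(seq, actor, action, prev, mac, entry_hash)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the start; return (ok, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:       # gap, reorder or deletion
                return False, i
            key = self.actor_keys.get(e.actor)
            if key is None:                              # not attributable to a known actor
                return False, i
            body = _body(e.seq, e.actor, e.action, e.prev_hash)
            expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected_mac, e.mac):   # edited after the fact
                return False, i
            if hashlib.sha256(body + e.mac.encode()).hexdigest() != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a small chain from constructed events and show what verify() catches."""
    # Constructed sample keys; a real deployment would provision these per actor.
    chain = AuditChain({"alice": b"alice-secret", "bob": b"bob-secret"})
    chain.append("alice", "opened src/pump_controller.c in editor")
    chain.append("alice", "edited src/pump_controller.c (+12 -3)")
    chain.append("alice", "git commit 'tighten pressure limit check'")
    chain.append("bob", "reviewed and approved merge request")

    results = {"clean": chain.verify()}

    # Someone rewrites the record of what happened between commits.
    edited = copy.deepcopy(chain)
    edited.entries[1].action = "edited README.md (+1 -0)"
    results["edited"] = edited.verify()

    # Someone removes the editing step entirely.
    deleted = copy.deepcopy(chain)
    del deleted.entries[1]
    results["deleted"] = deleted.verify()

    # Someone reassigns the commit to an actor the system does not know.
    reattributed = copy.deepcopy(chain)
    reattributed.entries[2].actor = "unknown-user"
    results["reattributed"] = reattributed.verify()

    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:14s} ok={ok} first_bad_entry={bad}")
```

The MAC only proves that whoever held the actor's key produced the entry, so key custody on the author's machine is the crux, exactly the stolen-credential case the paragraph above raises. Note also what this in-memory version does not catch: silently dropping the most recent entries leaves a chain that still verifies, which is why a real deployment would anchor the latest entry hash somewhere the log holder cannot rewrite.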