Well-Architected Framework
Validate software integrity across your development lifecycle
Organizations face constant security threats from compromised software and malicious code. Validating software integrity protects your environment by ensuring every package, dependency, and tool comes from a trusted source and contains no vulnerabilities. This guide covers validation methods including SBOM verification, checksum validation, and source code scanning to strengthen your security posture.
Software integrity validation methods
Validating software integrity occurs at multiple stages in the software development lifecycle (SDLC), and when operations teams acquire software.
Validating software integrity takes multiple forms:
- Verify software bill of materials (SBOM): Request and review the software bill of materials to verify all packages and dependencies are secure.
- Source code scanning: Use scanners that check source code for vulnerabilities, such as static and dynamic application security testing, and scan for secrets in source code that can give external threats access to systems.
- Validate package checksums: Verify that the checksum of downloaded packages matches the vendor-provided checksum.
- Use infrastructure as code: Define all systems and artifacts as code.
- Self-service workflows: Build automation for systems and processes so that all teams use validated workflows that follow proper security processes.
Protect development and operations teams with integrity validation
For development teams, validating software integrity involves scanning all packages and dependencies used in the software for vulnerabilities and unauthorized additions introduced by external threats. Development teams also need to scan their source code to ensure there are no vulnerabilities and that they have written the source code as intended.
Operations teams also need to validate software integrity when deploying and building software. Infrastructure operations, for example, need to validate that the software they install on the servers, virtual machines, and containers does not introduce malicious code into the environment. Development operations (DevOps) teams must ensure that continuous integration and continuous delivery (CI/CD) pipelines only use trusted source code when building and deploying software. DevOps teams can also build automation systems to enable developer self-service using validated workflows.
HCP Vault Radar helps both development and operations teams scan source code for leaked secrets. By ensuring you do not include secrets in your source code, you prevent unauthorized access to systems. HashiCorp partners such as Sonar help with static and dynamic application security testing to ensure your source code is free from known vulnerabilities.
Terraform and Packer let you define systems and deployments as code. As a result, you can review and scan infrastructure as code in the same manner as source code reviews. You can also use infrastructure artifacts from trusted sources, like secure container images from Chainguard.
HCP Waypoint helps operations teams provide other teams with a self-service portal to use validated workflows for deploying infrastructure and software. Using a self-service portal ensures that your organization follows secure processes, rather than bespoke one-off processes that may not adequately secure an environment.
All HashiCorp software downloads include valid checksums to validate the integrity of the software. You can learn how to validate all HashiCorp binaries so you can be confident the tools you introduce into your environment come from a trusted source.
HashiCorp resources:
External resources:
- Dark Reading
- IBM Application Security
- IBM Code Risk Analyzer Overview
- IBM Dynamic Application Security Testing
- IBM Software Supply Chain Security Trends
- SonarSource
- Chainguard
- API Security Audit Tools
- CISA SBOM
Next steps
In this section of Secure systems, you learned why it’s important to validate and test software to ensure you use secure software. Learn how to validate HashiCorp software integrity by verifying the checksums of the software you download. Validating software integrity is part of the Secure data pillar.
Refer to the following documents to learn more about secure software processes:
- Define infrastructure as code to understand infrastructure as code principles
- Topics in Automate your workflows
- CI/CD - Implement automation for infrastructure and applications
- Testing - Implement testing for infrastructure and applications
- Deployment - Implement deployment for infrastructure and applications
- Packaging - Package applications for deployment