Binary attestation

Nov 2019

As the usage of containers, deployment of large fleet of services by autonomous teams and increased speed of continuous delivery become common practice for many organizations, the need for automated deploy-time software security controls arise. Binary attestation is a technique to implement deploy-time security control; to cryptographically verify that a binary image is authorized for deployment. Using this technique, an attestor, an automated build process or a security team signs off the binaries that have passed the required quality checks and tests and are authorized to be deployed. Services such as GCP Binary Authorization enabled by Grafeas, and tools such as in-toto and Docker Notary support creating attestations and validating the image signatures before deployment.