Security Baselines & Governance

Document Information

Attribute

Value

Status

Approved

Version

1.0

Last Updated

2024-12-13

Owner

Infrastructure Security Team

Review Cycle

Quarterly

1. SLSA Compliance Target

Overview

The Lithosphere Developer Infrastructure targets SLSA Level 3 compliance for all production artifacts. SLSA (Supply-chain Levels for Software Artifacts) provides a security framework for ensuring the integrity of software artifacts.

SLSA Level Requirements

Level

Requirement

Our Implementation

Level 1

Documentation of build process

GitHub Actions workflows documented

Level 2

Tamper-resistant build service

GitHub-hosted runners, audit logs

Level 3

Hardened build platform

Isolated builds, signed provenance

Level 4

Two-person review

Future target (not Phase 0)

SLSA Level 3 Implementation

1.1 Provenance Generation

All build artifacts MUST include SLSA provenance attestations.

# .github/workflows/build.yaml
- name: Generate SLSA Provenance
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
  with:
    image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    digest: ${{ steps.build.outputs.digest }}

Provenance Contents:

Build timestamp
Builder identity (GitHub Actions)
Source repository and commit
Build instructions (workflow file)
Dependencies (locked versions)

1.2 Artifact Signing

All container images and contract artifacts MUST be signed using Sigstore Cosign.

# Image signing (automated in CI)
cosign sign --yes \
  --key cosign.key \
  --annotations "repo=$GITHUB_REPOSITORY" \
  --annotations "sha=$GITHUB_SHA" \
  ${REGISTRY}/${IMAGE_NAME}@${DIGEST}

# Contract artifact signing
cosign sign-blob --yes \
  --key cosign.key \
  --output-signature contracts.sig \
  artifacts/contracts.tar.gz

Verification (on deployment):

cosign verify \
  --key cosign.pub \
  --annotations "repo=lithosphere/infrastructure" \
  ${REGISTRY}/${IMAGE_NAME}@${DIGEST}

1.3 Build Isolation

Control

Implementation

Ephemeral Runners

GitHub-hosted runners (fresh VM per job)

Minimal Permissions

permissions: {} default, explicit grants only

Network Isolation

No egress except approved registries

Hermetic Builds

Locked dependencies, no network fetches

1.4 SBOM Generation

Software Bill of Materials generated for all artifacts:

- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    image: ${{ env.IMAGE_NAME }}
    format: spdx-json
    output-file: sbom.spdx.json

- name: Attest SBOM
  uses: actions/attest-sbom@v1
  with:
    subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    sbom-path: sbom.spdx.json

2. Security Policies

2.1 Secret Management

Policy

Requirement

Storage

All secrets in HashiCorp Vault

Rotation

API keys: 90 days, Signing keys: Annual

Access

RBAC with least-privilege

Audit

All access logged and monitored

Encryption

At-rest (AES-256) and in-transit (TLS 1.3)

Prohibited Practices:

Secrets in source code
Secrets in environment variables (use Vault injection)
Shared credentials across environments
Long-lived tokens without rotation

2.2 Access Control

Resource

Access Model

Git Repository

GitHub Teams + Branch Protection

Kubernetes

RBAC with namespace isolation

AWS

IAM Roles with OIDC (no static keys)

Vault

Policy-based with AppRole auth

Branch Protection Rules (mainnet):

Require 2 approving reviews
Require signed commits
Require status checks to pass
Require linear history
Restrict force pushes
Restrict deletions

2.3 Network Security

Layer

Control

Ingress

WAF + DDoS protection (CloudFront/Shield)

Cluster

Network Policies (deny-all default)

Service

mTLS via Istio service mesh

Egress

Explicit allowlist only

2.4 Vulnerability Management

Scan Type

Tool

Frequency

Blocking Threshold

Container CVE

Trivy

Every build

CRITICAL, HIGH

Dependency

Dependabot

Daily

CRITICAL

Smart Contract

Slither

Every build

Medium+

IaC

Checkov

Every build

High

Runtime

Falco

Continuous

Anomaly detection

3. RACI Matrix

Overview

RACI defines roles and responsibilities:

Responsible: Does the work
Accountable: Final decision authority (only one per activity)
Consulted: Provides input before decision
Informed: Notified after decision

3.1 Smart Contract Upgrade

Activity

Dev Team

Security

DevOps

Product

Legal

Exec

Identify upgrade need

Develop upgrade code

Security audit

Audit remediation

Testnet deployment

QA sign-off

Legal review

Mainnet deployment

Post-deploy monitoring

Escalation Path:

Developer → Security Lead → Engineering Manager → CTO → CEO

Approval Requirements:

Testnet: 1 Security + 1 DevOps approval
Mainnet: 2 Security + 1 Legal + 1 Executive approval

3.2 Mainnet Deployment

Activity

Dev Team

Security

DevOps

SRE

Product

Exec

Code complete

Code review

CI/CD pipeline pass

Security scan pass

Staging validation

Change request

Deployment window

Execute deployment

Health check

Rollback decision

Post-deploy review

Deployment Windows:

Environment

Allowed Days

Allowed Hours (UTC)

Devnet

Any

Staging

Mon-Thu

09:00-17:00

Mainnet

Tue-Thu

14:00-16:00

Freeze Periods:

No mainnet deployments during major events
Minimum 48h between mainnet deployments
Holiday freeze: Dec 20 - Jan 5

3.3 Key Rotation

Activity

Dev Team

Security

DevOps

SRE

Compliance

Exec

Schedule rotation

Generate new keys

Update Vault

Deploy new secrets

Verify systems

Revoke old keys

Audit trail update

Compliance sign-off

Key Rotation Schedule:

Key Type

Rotation Frequency

Lead Time

Backup Required

API Keys

90 days

7 days

Yes

Database Credentials

90 days

7 days

Yes

TLS Certificates

90 days (auto)

Auto

Yes

Signing Keys (Cosign)

Annual

30 days

Yes (HSM)

SSH Keys

Annual

14 days

Yes

Root CA

5 years

90 days

Yes (offline)

Emergency Rotation Trigger:

Suspected key compromise
Employee with key access departs
Security incident
Compliance requirement

Emergency Rotation SLA:

Severity

Key Revocation

New Key Deployment

Critical

1 hour

4 hours

High

4 hours

24 hours

Medium

24 hours

72 hours

4. Incident Response

Severity Levels

Level

Description

Response Time

Example

Critical - Production down

15 min

Mainnet RPC unavailable

High - Major feature broken

1 hour

Transactions failing

Medium - Minor impact

4 hours

Dashboard slow

Low - Minimal impact

24 hours

Typo in docs

Escalation Matrix

P1: On-call SRE → SRE Lead (15m) → CTO (30m) → CEO (1h)
P2: On-call SRE → SRE Lead (1h) → Engineering Manager (2h)
P3: On-call SRE → Engineering Manager (next business day)
P4: Ticket queue → Sprint planning

5. Compliance Checklist

Pre-Deployment Checklist

Post-Deployment Checklist

6. Document Control

Change History

Version

Date

Author

Changes

1.0

2024-12-13

Infrastructure Team

Initial release

Review Schedule

Review Type

Frequency

Participants

RACI Review

Quarterly

All stakeholders

Security Policy

Semi-annual

Security + Compliance

Full Document

Annual

All stakeholders + Legal

References

Previousgovernance Nextpackages

Last updated 5 hours ago