feat: add provenance page

Author: kahboom

docs/compliance/SLSA.md

@@ -1,3 +1,7 @@
+---
+slug: "/slsa-supply-chain-levels-compliance-for-software"
+---
+
 # SLSA Compliance
 
 **Supply-Chain Levels for Software Artifacts**, or **SLSA** _(pronounced "salsa")_, is a security framework providing guidance on building and delivering software securely.

docs/software-supply-chain-security/index.mdx

@@ -33,6 +33,8 @@ Supply chain attacks are not a new concept. A well-known example is the Trojan h
 
 But hidden within the horse were Greek soldiers, who emerged at night to open the gates for their army, leading to Troy's fall. The Greeks didn't attack directly; they exploited trust in the "supply."
 
+Supply chain attacks have become more sophisticated over time, but are still regular occurrences around the world on a daily basis. Think counterfeit goods, tampered machinery and materials, to name just a few.
+
 In software, supply chain attacks work similarly: attackers corrupt a trusted source or process, leading to widespread compromise. As a consumer, how can you be certain that the software you receive hasn't been tampered with along the way?
 
 ## Shifting Left: Evolution of Attacks
@@ -45,19 +47,21 @@ Over time, attackers have shifted their focus further up the chain. Instead of t
 
 In parallel, they employ broader tactics like ransomware, data breaches, and intellectual property theft, disrupting supply chains and rendering organizations unable to deliver their products or services.
 
+One example of a recent supply chain attack was the SolarWinds hack in 2020. Hackers infiltrated the build process of SolarWinds' Orion software (a popular IP network management tool) and added malware to an update, causing customers who trusted in SolarWinds to install the malware unknowingly.
+
 :::info[Did You Know?]
 
 1 in 5 data breaches is a software supply chain attack.
 
 :::
 
-This raises a critical question: **What if the code you trust the most is what makes your systems vulnerable?**
+These events raise a critical question: **What if the code you trust the most is what makes your systems vulnerable?**
 
-In many cases, there’s no guarantee that the software we run is the same as the software we built. This gap creates opportunities for attackers to exploit.
+In many cases, there is no guarantee that the software we run is the same as the software we built. This gap creates opportunities for attackers to exploit.
 
 ### Who is involved in a supply chain?
 
-If your organization provides products or services to others, your organization is part of the supply chain. Imagine making a pizza:
+If your organization provides products or services to others, your organization is part of the supply chain. Imagine the steps involved in making a pizza:
 
 1.	A farmer grows tomatoes.
 2.	A factory turns tomatoes into sauce.
@@ -66,21 +70,19 @@ If your organization provides products or services to others, your organization
 5.	A pizzeria assembles the ingredients into a pizza.
 6.	The pizza is delivered to your door.
 
-Each step involves different participants, each contributing to the final product. If any part of this process is disrupted or tampered with, the quality and safety of the pizza are at risk.
+Each step involves different participants, each contributing to the final product. If _any_ part of this process is disrupted or tampered with, the quality and safety of the pizza are at risk. Software supply chains don't operate all that differently. Let's take a closer look in the next section.
 
 ### Software Supply Chains
 
-Software supply chains operate similarly to traditional supply chains. Here's a simplified view:
+A **software supply chain** is an interconnected network of people, processes, software libraries, firmware, and technologies used in the creation, development, publication, production, and distribution of digital products. The primary difference to general supply chain security is the software or firmware development and its distribution.
+
+Here is a simplified view of a software supply chain:
 
 ```mermaid
 flowchart LR
     Source-->Build
     Build-->Deploy
     Deploy-->Monitor
-    click Source callback "Tooltip for a callback"
-    click Build "#" "This is a tooltip for a link"
-    click C call callback() "Tooltip for a callback"
-    click D href "#" "This is a tooltip for a link"
 
 ```
 
@@ -89,4 +91,4 @@ flowchart LR
 3. **Deploy**: Delivering software to customers or systems.
 4. **Monitor**: Observing software in production to detect issues.
 
-Traditionally, cybersecurity focused on "Source" and "Monitor." However, incidents like Log4Shell have demonstrated the need to secure the entire chain—especially build and deployment processes.
+Traditionally, the world has focused on "Source" and "Monitor." However, incidents like Log4Shell have demonstrated the need to secure the entire chain—especially build and deployment processes.

docs/software-supply-chain-security/provenance.mdx

@@ -1,5 +1,21 @@
 ---
-draft: true
+slug: "/what-is-software-provenance-and-why-is-it-important-for-security"
 ---
 
 # Provenance
+
+In the context of software, **provenance** refers to the origin or source of the code. It aims to answer questions like, _Where did this code or system come from? Who wrote it? Who built it? Has it been changed over time? Who verified it?_
+
+These kind of questions are tantamount to risk management and ensuring the integrity of our systems, because when you know exactly where a particular piece of software comes from, you are in a much greater position to identify trusted sources and potential risks.
+
+Provenance is an important factor in software supply chain security, and a key element of [compliance](/category/compliance), where regulations (e.g. GDPR, HIPAA) may require organizations to track and document software origins to ensure proper data handling and security.
+
+## How does provenance work?
+
+We can incorporate provenance into our software delivery lifecycle using a variety of approaches, but the most common being a version control system, or VCS, like git or Mercurial. A VCS tracks changes in code and show who made what changes and when.
+
+**Digital signatures** are becoming increasingly relevant in this space, as they provide developers and organizations the ability to sign software releases to prove authenticity (for example, using vendor agnostic tools like <a href="https://sigstore.dev" rel="nofollow" target="_blank">Sigstore</a>).
+
+[SBOMs](/what-is-an-sbom-software-bill-of-materials-and-why-does-it-matter) are detailed lists of all the components and dependencies in a software project, which can also aid in providing the transparency required for provenance.
+
+In addition, there are specific provenance tracking tools available, with two of the most popular being [in-toto](https://in-toto.io/) and [SLSA](/slsa-supply-chain-levels-compliance-for-software).

docs/software-supply-chain-security/sboms.mdx

@@ -1,6 +1,6 @@
 ---
 sidebar_position: 2
-slug: "/sbom-software-bill-of-materials"
+slug: "/what-is-an-sbom-software-bill-of-materials-and-why-does-it-matter"
 ---
 import { Scrollycoding } from "/src/components/scrollycoding";
 

docusaurus.config.ts

@@ -97,24 +97,24 @@ const config: Config = {
 		footer: {
 			style: "dark",
 			links: [
-				{
-					title: "Docs",
-					// items: [
-					// 	{
-					// 		label: "Tutorial",
-					// 		to: "/docs/category/security-fundamentals",
-					// 	},
-					// ],
-				},
-				{
-					title: "Community",
-					items: [
-						{
-							label: "Stack Overflow",
-							href: "https://stackoverflow.com/questions/tagged/supply-chain-security",
-						},
-					],
-				},
+				// {
+				// 	title: "Docs",
+				// items: [
+				// 	{
+				// 		label: "Tutorial",
+				// 		to: "/docs/category/security-fundamentals",
+				// 	},
+				// ],
+				// },
+				// {
+				// 	title: "Community",
+				// 	items: [
+				// 		{
+				// 			label: "Stack Overflow",
+				// 			href: "https://stackoverflow.com/questions/tagged/supply-chain-security",
+				// 		},
+				// 	],
+				// },
 				{
 					title: "More",
 					items: [
@@ -146,16 +146,11 @@ const config: Config = {
 				{
 					type: "docSidebar",
 					sidebarId: "tutorialSidebar",
-					position: "left",
+					position: "right",
 					label: "Learning",
 				},
 				// {to: '/blog', label: 'Blog', position: 'left'},
 				// { href: "/resources", label: "Resources", position: "left" },
-				{
-					href: "https://github.com/securesign/trusted-foundations",
-					label: "GitHub",
-					position: "right",
-				},
 			],
 		},
 		prism: {

src/css/custom.css

@@ -39,7 +39,6 @@ body {
   --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.3);
 }
 
-
 .footer--dark {
   --ifm-footer-background-color: #212427;
 }
@@ -48,7 +47,6 @@ body {
   margin-top: 5em;
 }
 
-
 /* Make the screen narrower for easy reading */
 @media (min-width: 1416px) {
   .main-wrapper {
@@ -63,13 +61,37 @@ body {
   max-width: 1360px;
 }
 
+h1, h2, h3, h4, h5, h6 {
+  font-family: "IBM Plex Mono", serif;
+}
 
-.docusaurus-mermaid-container {
-  text-align: center;
+h1 {
+  font-size: 2rem;
 }
 
-h1, h2, h3, h4, h5, h6 {
-  font-family: "IBM Plex Mono", serif;
+h2 {
+  font-size: 1.8rem;
+}
+
+h3 {
+  font-size: 1.5rem;
+}
+
+h4 {
+  font-size: 1.2rem;
+}
+
+h5 {
+  font-size: 1.1rem;
+}
+
+h6 {
+  font-size: 0.9rem;
+  text-transform: uppercase;
+}
+
+.docusaurus-mermaid-container {
+  text-align: center;
 }
 
 .ibm-plex-mono-thin {

src/pages/index.tsx

@@ -23,7 +23,7 @@ function HomepageHeader() {
 				<div className={styles.buttons}>
 					<Link
 						className="button button--secondary button--lg"
-						to="#"
+						to="/software-supply-chain-security"
 					>
 						Software Supply Chain Security in 5min ⏱️
 					</Link>