Host Integrity Monitoring Using Osiris and Samhain

Configuring and Building Osiris

The first step in deploying Osiris is to create trusted software builds. The best way to do this is to verify the source, build it offline on a trusted host, and then burn the binary installers to read-only media. Having trusted binaries on read-only media is helpful because you can easily distribute the software to new hosts.

This section covers establishing a trusted build environment and creating installation packages for deployment on both UNIX-like platforms and Windows. Dedicating a system specifically to building Osiris is not necessary, but it is helpful: it makes adding a module to the scan agent or deploying a newer version of the software easier. Ideally, the host used to create trusted builds is never connected to a network and is physically secured.

This may seem overly cautious, but it is not. As a software engineer, I have seen many broken production build environments: build hosts on the corporate network, unpatched and unsecured; build hosts where all of the developers have access to the system; and build hosts where the root password is written on sticky notes on the side of the box. As a result, I have seen builds with Trojans and releases containing software viruses. When you consider that this software may be deployed on thousands of hosts, it is a serious concern. When you consider what is at stake, the small burden associated with maintaining an isolated build environment is a worthy investment.
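
One way to script the verify, build and burn checks described in this section, as an added example that is not from the book or the Osiris project. The function names, file names and directory layout are placeholders, and the expected source digest is assumed to come from a channel you already trust.

```shell
#!/bin/sh
# Added example: integrity checks around a trusted build.
# All paths, file names and digests are placeholders, not Osiris values.

# Print the SHA-256 of a file using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 1: refuse to build unless the source archive matches a digest
# obtained out of band (assumed here to be supplied by the operator).
verify_source() {
    tarball=$1; expected=$2
    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 2; }
    actual=$(sha256_of "$tarball")
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch for $tarball" >&2
    return 1
}

# Step 2: after the offline build, record a digest for every installer.
# Keep the manifest outside the directory being hashed.
write_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done ) > "$manifest"
}

# Step 3: after burning, re-hash the mounted media and compare it with the
# manifest kept on the build host. Flags altered, missing and extra files.
verify_media() {
    media=$1; want=$2
    got=$(mktemp) || return 2
    write_manifest "$media" "$got"
    rc=0
    cmp -s "$got" "$want" || { rc=1; diff "$want" "$got" >&2 || :; }
    rm -f "$got"
    return $rc
}
```

Run `verify_media` again on each target host before installing, using a copy of the manifest that did not travel on the same media.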

Getting Osiris

The source...
