Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Australia 2023 - Building Trust Brick by Brick, Dasith Wijesiriwardena, Juan Burckhardt, Jason Goodsell, Microsoft

apidays
PRO
October 24, 2023
Programming
0
8

apidays Australia 2023 - Building Trust Brick by Brick, Dasith Wijesiriwardena, Juan Burckhardt, Jason Goodsell, Microsoft

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools
Dasith Wijesiriwardena, Senior Software Engineer at Microsoft
Juan Burckhardt, Senior Software Engineer at Microsoft
Jason Goodsell, Senior Software Engineer at Microsoft

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

October 24, 2023
Tweet

More Decks by apidays

See All by apidays
apidays Australia 2023 - A programmatic approach to API success including OpenAPI, Paul Bradley, Excelsa
apidays
PRO
0
25
apidays Singapore 2023 - Securing and protecting our digital way of life, Veronica Tan, Cyber Security Agency of Singapore
apidays
PRO
0
30
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays
PRO
0
68
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays
PRO
0
25
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singapore Customs
apidays
PRO
0
18
apidays Singapore 2023 - Business resilience: keeping a finger on the pulse and digitizing for productivity, Jene Lim, Experian Asia Pacific
apidays
PRO
0
29
apidays Singapore 2023 - Changing the culture of building software, Aman Dhamija, Goldman Sachs & Green Software Foundation
apidays
PRO
0
26
apidays Singapore 2023 - Building a digital-first investment management model, Scott Treloar, Noviscient
apidays
PRO
0
14
apidays Singapore 2023 - Digitalising agreements with data, design & technology, Charlie Loo, DocuSign
apidays
PRO
1
19

Other Decks in Programming

See All in Programming
Polars入門
daikikatsuragawa
1
140
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
120
Elm Form Validation
bkuhlmann
0
510
"config" ってなんだ? / What is "config"?
okashoi
0
250
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
420
Ruby Pattern Matching
bkuhlmann
0
930
Fast JSX: Don't clone props object #28768
yossydev
1
150
Goのmultiple errorsについて (2024年4月版)
syumai
4
1.1k
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
840
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
480
2 週間で Twitter Bot を作ってみた
contour_gara
0
720
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
410

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
325
20k
A better future with KSS
kneath
231
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
Thoughts on Productivity
jonyablonski
59
3.8k
4 Signs Your Business is Dying
shpigford
176
21k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
12
8.3k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
21
1.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
[RailsConf 2023] Rails as a piece of cake
palkan
26
4k
The Art of Programming - Codeland 2020
erikaheidi
43
12k

Transcript

  1. Building Trust Brick by Brick Exploring the Landscape of Modern

    Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell
  2. None

  3. HELLO! Jason Dasith Juan @dasiths https://dasith.me @jsburckhardt

  4. Container Registries as artefact stores Introduction to supply chain threats

    Agenda Consumer focused tools Producer focused tools Questions

  5. Software Supply Chain What is it? Software supply chain is

    composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.

  6. Introduction to Supply Chain Threats

  7. Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/

  8. Producer Threats https://slsa.dev/spec/v1.0/threats-overview

  9. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  10. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  11. Example Scenario

  12. Example Scenario

  13. Producer Focused Tools & Workflows

  14. Example Scenario

  15. Example Scenario

  16. Example Scenario

  17. Example Scenario

  18. Example Scenario 2 reviewers required to approve any PR =

    Reduce risk of insider threats

  19. Example Scenario

  20. Example Scenario SBOM at a Glance (ntia.gov) Transparency Security Compliance

  21. Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/

  22. Example Scenario

  23. Example Scenario

  24. Example Scenario Provenance: Describe how an artifact or set of

    artifacts was produced.

  25. Securely Storing And Sharing Supply Chain Artefacts

  26. Example Scenario

  27. Example Scenario

  28. Example Scenario

  29. Example Scenario

  30. Example Scenario

  31. Example Scenario

  32. Example Scenario

  33. Example Scenario

  34. Example Scenario

  35. Example Scenario https://notaryproject.dev/

  36. Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation

  37. Example Scenario Artefact? You mean container image?

  38. Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY

    be packaged using the image manifest. Artefact? You mean container image?

  39. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  40. Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM,

    Signatures, etc = Artefacts

  41. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  42. Tools & Workflows Consumer Focused

  43. Example Scenario

  44. Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other

  45. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT?

  46. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)

  47. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…

  48. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine

  49. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. Microsoft Defender For Cloud And More…

  50. Example Scenario Protecting the last mile using “admission control” Allows

    you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.

  51. Example Scenario Protecting the last mile using “admission control” Ratify

  52. Example Scenario

  53. Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and

    Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control

  54. Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com

  55. Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats:

    https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:

  56. Presentation template designed by powerpointify.com Special thanks to all people

    who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths