Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Australia 2023 - Building Trust Brick b...

apidays
PRO
October 24, 2023
Programming
0
14

apidays Australia 2023 - Building Trust Brick by Brick, Dasith Wijesiriwardena, Juan Burckhardt, Jason Goodsell, Microsoft

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools
Dasith Wijesiriwardena, Senior Software Engineer at Microsoft
Juan Burckhardt, Senior Software Engineer at Microsoft
Jason Goodsell, Senior Software Engineer at Microsoft

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

October 24, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays London 2024 - Securing APIs, Beyond the Basics with Advanced Security Practices, Karanvir Attwal
apidays
PRO
0
20
Apidays London 2024 - From Fragmentation to Federation by Peter Mörsch, Boomi
apidays
PRO
0
15
Apidays London 2024 - Open Standards for Getting your APIs into the Geospatial Ecosystem by Gobe Hobona
apidays
PRO
0
8
Apidays London 2024 - Harmonizing Asynchronous Systems by Artur Ciocanu, Adobe
apidays
PRO
0
8
Apidays London 2024 - Renovate to Innovate 5 by Rashmi Venugopal, Netflix
apidays
PRO
0
7
Apidays London 2024 - Open Standards, AI and Data for Better Decisions by Ravinder Singh
apidays
PRO
0
17
Apidays London 2024 - The Hidden Power Brokers in the EU Data Act Enforcement by David Vazquez Cortizo, apinity
apidays
PRO
0
10
Apidays London 2024 - The Web Sustainability Guidelines by Alexander Dawson, W3C
apidays
PRO
0
11
Apidays London 2024 - Battle-tested APIs_Tech and Business working together by Jean Burellier, Sanofi
apidays
PRO
0
10

Other Decks in Programming

See All in Programming
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
280
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
480
Tauriでネイティブアプリを作りたい
tsucchinoko
0
350
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
5
2k
JavaでLチカしたい! / JJUG CCC 2024 Fall LT
nhayato
0
120
イベント駆動で成長して委員会
happymana
1
270
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
590
CSC509 Lecture 09
javiergs
PRO
0
140
Ethereum_.pdf
nekomatu
0
370
デプロイを任されたので、教わった通りにデプロイしたら障害になった件 ~俺のやらかしを越えてゆけ~
techouse
53
34k
C++でシェーダを書く
fadis
6
3.9k

Featured

See All Featured
A better future with KSS
kneath
238
17k
A Tale of Four Properties
chriscoyier
156
23k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
KATA
mclloyd
29
14k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
How GitHub (no longer) Works
holman
310
140k
Making Projects Easy
brettharned
115
5.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Why Our Code Smells
bkeepers
PRO
334
57k
Documentation Writing (for coders)
carmenintech
65
4.4k

Transcript

  1. Building Trust Brick by Brick Exploring the Landscape of Modern

    Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell
  2. None

  3. HELLO! Jason Dasith Juan @dasiths https://dasith.me @jsburckhardt

  4. Container Registries as artefact stores Introduction to supply chain threats

    Agenda Consumer focused tools Producer focused tools Questions

  5. Software Supply Chain What is it? Software supply chain is

    composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.

  6. Introduction to Supply Chain Threats

  7. Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/

  8. Producer Threats https://slsa.dev/spec/v1.0/threats-overview

  9. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  10. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  11. Example Scenario

  12. Example Scenario

  13. Producer Focused Tools & Workflows

  14. Example Scenario

  15. Example Scenario

  16. Example Scenario

  17. Example Scenario

  18. Example Scenario 2 reviewers required to approve any PR =

    Reduce risk of insider threats

  19. Example Scenario

  20. Example Scenario SBOM at a Glance (ntia.gov) Transparency Security Compliance

  21. Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/

  22. Example Scenario

  23. Example Scenario

  24. Example Scenario Provenance: Describe how an artifact or set of

    artifacts was produced.

  25. Securely Storing And Sharing Supply Chain Artefacts

  26. Example Scenario

  27. Example Scenario

  28. Example Scenario

  29. Example Scenario

  30. Example Scenario

  31. Example Scenario

  32. Example Scenario

  33. Example Scenario

  34. Example Scenario

  35. Example Scenario https://notaryproject.dev/

  36. Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation

  37. Example Scenario Artefact? You mean container image?

  38. Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY

    be packaged using the image manifest. Artefact? You mean container image?

  39. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  40. Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM,

    Signatures, etc = Artefacts

  41. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  42. Tools & Workflows Consumer Focused

  43. Example Scenario

  44. Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other

  45. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT?

  46. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)

  47. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…

  48. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine

  49. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. Microsoft Defender For Cloud And More…

  50. Example Scenario Protecting the last mile using “admission control” Allows

    you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.

  51. Example Scenario Protecting the last mile using “admission control” Ratify

  52. Example Scenario

  53. Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and

    Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control

  54. Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com

  55. Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats:

    https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:

  56. Presentation template designed by powerpointify.com Special thanks to all people

    who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths