Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools

Dasith Wijesiriwardena
October 09, 2023
Technology
0
130

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools

https://youtu.be/n7noS4pLb0U

In the rapidly evolving landscape of software development, open source dependencies have become the building blocks of modern applications, enabling rapid innovation and collaboration. However, this newfound efficiency comes with inherent risks, as the supply chain for software becomes increasingly complex and vulnerable to various threat vectors.

In "Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools," we embark on a captivating journey through the critical importance of secure supply chains in the software development lifecycle. Join us as we delve into the challenges posed by open source dependencies and the innovative tools that have emerged to address them.

We live in a Kubernetes world. As more and more workloads are run on Kubernetes, it becomes essential that every dependency that contributes to compiling, building, and running workloads need to come under the scanner. We will explore tools that allow you to build a chain of trust from source code to running container instances.

During this talk, we will explore how the convergence of software development and secure supply chains has become paramount in instilling confidence and mitigating risks. We will examine the threat vectors that jeopardize the integrity of the software supply chain and highlight the need for comprehensive security measures.

Dasith Wijesiriwardena

October 09, 2023
Tweet

More Decks by Dasith Wijesiriwardena

See All by Dasith Wijesiriwardena
Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022
dasiths
0
260
Propagating context and tracing across your distributed process boundaries using OpenTelemetry
dasiths
1
690
The Shell Game Called Eventual Consistency
dasiths
2
390
Not all “Microservices frameworks” are made the same
dasiths
1
300
Building Distributed Systems On the Shoulders of Giants
dasiths
1
380
Microservices snakes and ladders
dasiths
1
1.6k

Other Decks in Technology

See All in Technology
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
ルーターでプレゼンする
puhitaku
1
3.2k
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
130
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
130
One engineer company with Ruby on Rails
rstankov
2
400
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
4
860
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
1
350
Handling focus in 2024
tahia910
0
200
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
240
require(ESM)とECMAScript仕様
uhyo
4
940
On Your Data を超えていく!
hirotomotaguchi
2
750
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
2
250

Featured

See All Featured
Code Review Best Practice
trishagee
56
15k
Into the Great Unknown - MozCon
thekraken
14
1k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Writing Fast Ruby
sferik
622
60k
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
Thoughts on Productivity
jonyablonski
59
3.8k
Music & Morning Musume
bryan
41
5.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k

Transcript

  1. Building Trust Brick by Brick Exploring the Landscape of Modern

    Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell

  2. HELLO! Jason Dasith Juan @dasiths https://dasith.me @jsburckhardt

  3. Container Registries as artefact stores Introduction to supply chain threats

    Agenda Consumer focused tools Producer focused tools Questions

  4. Software Supply Chain What is it? Software supply chain is

    composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.

  5. Introduction to Supply Chain Threats

  6. Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/

  7. Producer Threats https://slsa.dev/spec/v1.0/threats-overview

  8. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  9. Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

  10. Example Scenario

  11. Example Scenario

  12. Producer Focused Tools & Workflows

  13. Example Scenario

  14. Example Scenario

  15. Example Scenario

  16. Example Scenario

  17. Example Scenario 2 reviewers required to approve any PR =

    Reduce risk of insider threats

  18. Example Scenario

  19. Example Scenario https://www.ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf Transparency Security Compliance

  20. Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/

  21. Example Scenario SBOM - filesystem > trivy fs --format cyclonedx

    <path> > SBOM.cyclonedx.json SBOM – container > trivy image --format cyclonedx <image> > SBOM.cyclonedx.json Container Image – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/container_image/ Filesystem – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/filesystem/

  22. Example Scenario

  23. Example Scenario

  24. Example Scenario Provenance: Describe how an artifact or set of

    artifacts was produced.

  25. Securely Storing And Sharing Supply Chain Artefacts

  26. Example Scenario

  27. Example Scenario

  28. Example Scenario

  29. Example Scenario

  30. Example Scenario

  31. Example Scenario

  32. Example Scenario

  33. Example Scenario

  34. Example Scenario

  35. Example Scenario https://notaryproject.dev/

  36. Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > notation sign --signature-format cose $IMAGE

    > notation ls $IMAGE repo/net-monitor@sha256:073b..555a └── application/vnd.cncf.notary.v2.signature └── sha256:ba3a..38b Signing View Signature

  37. Example Scenario > notation policy import ./trustpolicy.json > notation verify

    $IMAGE Trust Policy Verify Signature https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust- policy.md#trust-policy

  38. Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation

  39. Example Scenario Signing – With Key > cosign sign --key

    cosign.key <IMAGE> Verify – With Key > cosign verify --key cosign.pub <IMAGE> https://github.com/sigstore/cosign/blob/main/doc/cosign_verify.md https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md

  40. Example Scenario Attest – With Key > cosign attest --predicate

    <FILE> --type <TYPE> --key cosign.key <IMAGE> Verify Attestation – With Key > cosign verify-attestation --key cosign.pub --type <PREDICATE_TYPE> <IMAGE> https://github.com/sigstore/cosign/blob/main/doc/cosign_verify- attestation.md https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md

  41. Example Scenario Signing - Keyless > cosign sign $IMAGE Generating

    ephemeral keys... Retrieving signed certificate... Note that there may be personally identifiable information associated with this signed artifact. This may include the email address associated with the account with which you authenticate. This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs. Are you sure you would like to continue? [y/N] y Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore... Successfully verified SCT... tlog entry created with index: 12086900 Pushing signature to: $IMAGE

  42. Signing - Keyless

  43. Example Scenario Verify - Keyless > cosign verify $IMAGE --certificate-identity=$IDENTITY

    --certificate-oidc-issuer=$OIDC_ISSUER

  44. Example Scenario Storage

  45. Example Scenario Artefact? You mean container image?

  46. Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY

    be packaged using the image manifest. Artefact? You mean container image?

  47. Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY

    be packaged using the image manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }

  48. Example Scenario https://github.com/opencontainers/image-spec/blob/main/manifest.md Subject: This value, used by the referrers

    API, indicates a relationship to the specified manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }

  49. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  50. Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM,

    Signatures, etc = Artefacts

  51. Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > oras attach --artifact-type example.sbom.v0 $IMAGE

    sbom.spdx.json ORAS Attach

  52. Example Scenario Image, SBOM, Signatures, etc = Artefacts

  53. Tools & Workflows Consumer Focused

  54. Example Scenario

  55. Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other

  56. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT?

  57. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)

  58. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…

  59. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine

  60. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. Microsoft Defender For Cloud And More…

  61. Example Scenario Scan SBOM > trivy sbom sbom.spdx.json > cat

    sbom.spdx.json | grype

  62. Example Scenario

  63. Example Scenario Protecting the last mile using “admission control” Allows

    you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.

  64. Example Scenario Protecting the last mile using “admission control” Ratify

  65. Example Scenario

  66. Example Scenario

  67. Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and

    Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control

  68. Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com

  69. Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats:

    https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:

  70. Presentation template designed by powerpointify.com Special thanks to all people

    who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths