Fortify & Forget

Minder’s Approach to Simplifying Supply Chain Security: Minder is an open-source project that aims to automate the security hardening of several areas of your supply chain. Today it receives events for repositories and containers and reacts to them: it evaluates the current state, issues alerts when it finds problems, and in some cases fixes them automatically. We’re excited to tell you all about Minder: the reasoning behind it, its use cases, and its future. We’ll even present a demo!

Juan Antonio Osorio

January 19, 2024

Transcript

  1. Who am I? Juan Antonio “Ozz” Osorio, Staff Security Beard. Mexican living in Finland. Talk to me about: • Supply chain security • Vulnerability management • Cloud security • Craft beer • Running • Heavy metal. ©Stacklok, Inc 2024

  2. Who are we? Stacklok, est. May 2023. We're passionate about making open source software safer. We help you • Build safer software • Make safer dependency choices • Keep your software pipelines secure. We aim to simplify supply chain security.

  3. Agenda • Why? • What? • How? • Huh?... Demo time! • What’s next? • How you can help! (Minder)

  4. Supply chain security buzzwords (Section: Why?) • Dependency management • Repository (VCS) security • SBOMs • Attestations • Image signatures

  5. Supply chain security puzzle (Section: Why?) • Scorecards • Sigstore • in-toto • CycloneDX • SLSA • VEX

  6. Minder to the rescue! • Automate repository security settings • Enforce best practices • Track packages from your repositories • Protect against vulnerable dependencies • Automatic remediations/fixes • Multi-tenant

  7. Minder to the rescue! (same list, one more bullet) • It’s open source!

  8. Minder to the rescue! (same list, one more bullet) • Available as a service!
  9. Policies (Section: What?) A profile with a repository rule; `artifact` and `pull_request` were elided on the slide:

     ---
     version: v1
     type: profile
     name: stacklok-github-profile
     context:
       provider: github
     alert: "off"
     remediate: "off"
     repository:
       - type: secret_scanning
         def:
           enabled: true
           skip_private_repos: true
     artifact: ...
     pull_request: ...

  10. Policies (Section: What?) The same profile, this time showing an artifact rule (`repository` and `pull_request` elided on the slide):

     ---
     version: v1
     type: profile
     name: stacklok-github-profile
     context:
       provider: github
     alert: "off"
     remediate: "off"
     repository: ...
     artifact:
       - type: artifact_signature
         params:
           tags: [latest]
           name: minder/server
         def:
           is_signed: true
           is_verified: true
           is_bundle_verified: true
     pull_request: ...
  11. Minder (Section: What?) • Rules are pluggable and extensible. ◦ You can write your own! • We aim to track and map the different aspects of the supply chain, not just repositories.
  12. Internals speedrun (Section: How?) • Learning from k8s: level vs edge triggering ◦ Events and reconciliations • Deploy on k8s but keep state out of it • State is tracked in Postgres, not etcd • Identity is kept outside entirely ◦ OIDC via Keycloak • Package verifications and attestations handled via Sigstore
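The "level vs edge triggering" point on the slide is the one that matters most for a tool that auto-remediates. The following Go program is an added illustration written for this page; it is not Minder's code and its types (RepoState, Event, the "secret_scanning.disabled" action label) are constructed for the example. It models the deck's secret_scanning rule (including skip_private_repos) and contrasts a level-triggered reconciler, which re-reads state on every event regardless of payload, with an edge-triggered handler that trusts the payload. The `remediate` flag plays the role of the profile's `remediate` key: off means evaluate and alert only.

```go
package main

import "fmt"

// RepoState is a toy model of the repository settings a reconciler would read
// back from the provider (constructed for this example; not Minder's types).
type RepoState struct {
	Name           string
	Private        bool
	SecretScanning bool
}

// SecretScanningRule mirrors the shape of the deck's secret_scanning rule:
// the desired value plus the skip_private_repos switch.
type SecretScanningRule struct {
	Enabled          bool
	SkipPrivateRepos bool
}

// Event is a minimal webhook. Action is a constructed label for this example,
// not the provider's real event schema.
type Event struct {
	Repo   string
	Action string
}

// Evaluate is the level-triggered check: it looks only at the current state,
// never at which event woke it up. It returns compliance and, when the repo
// is non-compliant, a description of the fix.
func Evaluate(rule SecretScanningRule, repo RepoState) (bool, string) {
	if rule.SkipPrivateRepos && repo.Private {
		return true, "" // rule does not apply to private repositories
	}
	if repo.SecretScanning == rule.Enabled {
		return true, ""
	}
	return false, fmt.Sprintf("set secret_scanning=%t on %s", rule.Enabled, repo.Name)
}

// Reconcile is the level-triggered loop: any event for a repository (its
// payload is irrelevant) triggers a re-read of state, an evaluation, an alert
// and, when remediation is on, a fix. Re-running it on already-compliant
// state changes nothing, which is what makes lost or duplicated events safe.
func Reconcile(rule SecretScanningRule, remediate bool, repos map[string]RepoState, events []Event) (map[string]RepoState, int, []string) {
	fixes := 0
	alerts := []string{}
	for _, ev := range events {
		repo, found := repos[ev.Repo]
		if !found {
			continue
		}
		compliant, fix := Evaluate(rule, repo)
		if compliant {
			continue
		}
		alerts = append(alerts, fix)
		if remediate {
			repo.SecretScanning = rule.Enabled
			repos[ev.Repo] = repo
			fixes++
		}
	}
	return repos, fixes, alerts
}

// EdgeHandler is the contrasting design: it trusts the event payload and acts
// only on the "disabled" transition. Lose that one event and the drift is
// never corrected; it also cannot honour skip_private_repos because it never
// consults the state it is changing.
func EdgeHandler(rule SecretScanningRule, repos map[string]RepoState, events []Event) (map[string]RepoState, int) {
	fixes := 0
	for _, ev := range events {
		repo, found := repos[ev.Repo]
		if !found || ev.Action != "secret_scanning.disabled" {
			continue
		}
		repo.SecretScanning = rule.Enabled
		repos[ev.Repo] = repo
		fixes++
	}
	return repos, fixes
}

// SampleRepos and SampleEvents are constructed inputs: "app" had secret
// scanning disabled earlier but that webhook was lost, and the only event that
// arrives later is an unrelated push. "lib" is private, so the rule skips it.
func SampleRepos() map[string]RepoState {
	return map[string]RepoState{
		"app": {Name: "app", Private: false, SecretScanning: false},
		"lib": {Name: "lib", Private: true, SecretScanning: false},
	}
}

func SampleEvents() []Event {
	return []Event{
		{Repo: "app", Action: "push"},
		{Repo: "lib", Action: "secret_scanning.disabled"},
	}
}

func main() {
	rule := SecretScanningRule{Enabled: true, SkipPrivateRepos: true}
	level, fixes, alerts := Reconcile(rule, true, SampleRepos(), SampleEvents())
	fmt.Printf("level-triggered: fixes=%d alerts=%v app=%t lib=%t\n",
		fixes, alerts, level["app"].SecretScanning, level["lib"].SecretScanning)
	edge, fixes := EdgeHandler(rule, SampleRepos(), SampleEvents())
	fmt.Printf("edge-triggered:  fixes=%d app=%t lib=%t\n",
		fixes, edge["app"].SecretScanning, edge["lib"].SecretScanning)
}
```

With the constructed inputs the level-triggered reconciler fixes "app" on the unrelated push and leaves private "lib" alone; the edge-triggered handler never touches "app" (its disable event was lost) and wrongly flips "lib". A second reconcile pass is a no-op, which is the property you want before letting a tool remediate automatically.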
  13. Roadmap (Section: What’s next?) • Way more rules! • A shiny UI • Build environment attestations • Workload mapping • Hierarchical multi-tenancy • Revamped authorization engine (OpenFGA-based)

  14. Minder is OSS (Section: How you can help!) • Try it out! ◦ We have a running production instance • Check it out! ◦ https://github.com/stacklok/minder • Give us feedback! ◦ You can file a GitHub issue or even talk to us on Discord • Document or code! ◦ We’re happy to review

  15. Thank you! Minder on GitHub. Join us on Discord! Try out Trusty! We’re hiring!