OpenShift Commons - Automate Security on Openshift with Trusted Application Pipeline

Kevin Dubois

November 12, 2024

Transcript

  1. @kevindubois Kevin Dubois
     ★ Sr. Principal Developer Advocate at Red Hat
     ★ Based in Belgium
     ★ Speaks English, Dutch, French, Italian
     ★ Open Source Contributor (Quarkus, Camel, Knative, ..)
     ★ Java Champion
     youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com @[email protected]
  2. The application
     Push to give energy (windmill): 1. sends the click to a Kafka topic; 2. sends the interaction; 3. updates the UI.
     Dashboard: Green Energy; Nickname; Team; Push to generate energy; Cars that need energy; two teams competing (top 5 players); first wins.
  4. Increased regulations, frameworks, directives
     SEC Cybersecurity Rule [1] requires more governance and management regarding material cybersecurity risks and incidents.
     Government cybersecurity regulations: White House Cyber Executive Order 14028; European Union Cyber Resilience Act.
     Cybersecurity agency frameworks and directives: NSA Cybersecurity Collaboration Center (CCC); National Institute of Standards and Technology (NIST); Cybersecurity and Infrastructure Security Agency (CISA); European Union Agency for Cybersecurity (ENISA).
     [1] SEC Final Rule - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
  5. Software supply chain security considerations for the software development lifecycle
     Safeguard build systems early
     Secure the use of source code and transitive dependencies
     Prevent & identify malicious code
     Continuously monitor security at runtime
  6. A generic development process (Code -> Build -> Deploy -> Monitor)
     Code: <Your code/> plus dependencies (base images, pom.xml, requirements.txt, go.mod) -> git commit -> code repo
     Build: pipeline -> git pull -> (maven) package -> container build -> push to registry -> container registry
     Deploy: pipeline -> K8s deployment definition(s) in the gitops repo -> deploy
     Monitor
  7. A security-augmented development process (Code -> Build -> Deploy -> Monitor)
     Code: <Your code/> plus dependencies (base images, pom.xml, requirements.txt, go.mod), with Red Hat Dependency Analytics and Red Hat Trusted Content -> git commit w/ gitsign -> code repo
     Build: pipeline -> git pull with gitsign verify -> (maven) package -> container build -> cosign sign image, generate SBOM (Red Hat Trusted Profile Analyzer) -> push to registry; the pipeline generates and signs build pipeline provenance and attestation
     Deploy: Red Hat OpenShift GitOps -> K8s deployment definition(s) in the gitops repo -> verify SLSA compliance -> deploy to Red Hat OpenShift
     Monitor: continuous security scans of stored images with Red Hat Advanced Cluster Security
  8. Push to give energy (windmill): Kafka topic; 2. sends the interaction.
     Dashboard: Green Energy; Nickname; Team; SHAKE! to generate energy; Cars that need energy; two teams competing (top 5 players); first team wins. @kevindubois @alexsotob
  9. Shift Security Left in the Software Supply Chain
     Protect the components, processes and practices early in your software factory. Trust and transparency in code management with integrated templates and guardrails for security-focused pipelines.
     RHDH (NEW!) + RHTAS (NEW!) + RHTPA (NEW!) = Red Hat Trusted Application Pipeline
     *Note: Red Hat Trusted Application Pipeline is a single product SKU that includes RHDH, RHTAS, RHTPA.
     developers.redhat.com/products/trusted-software-supply-chain/overview
  10. Get started
     Sign up at developers.redhat.com. Find out more about Red Hat's projects and products, and what they offer developers.
  11. linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat
     Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
     Thank you