Red Hat Summit Connect NL - Red Hat Trusted Software Supply Chain in Action

Transcript

1. featuring Red Hat Developer Hub Red Hat Trusted Software Supply

   Chain Kevin Dubois Senior Principal Developer Advocate @kevindubois 1

2. dn.dev/quarkusmaster Kevin Dubois ★ Sr. Principal Developer Advocate at Red

   Hat ★ Based in Belgium 󰎐 ★ 🗣 Speak English, Dutch, French, Italian ★ Open Source Contributor (Quarkus, Camel, Knative, ..) ★ Java Champion @[email protected] youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com
3. None
4. None

5. 5 Increased regulations, frameworks, directives SEC Cybersecurity Rule 1 requires

   more governance and management regarding material cybersecurity risks, incidents. White House Cyber Executive Order 14028 European Union Cyber Resilience Act Government Cybersecurity Regulations NSA Cybersecurity Collaboration Center (CCC) National Institute of Standards and Technology (NIST) Cybersecurity and Infrastructure Security Agency (CISA) European Union Agency for Cybersecurity (ENISA) Cybersecurity Agency Frameworks and Directives [1] SEC Final Rule - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

6. 6 The Supply Chain Security space is relatively young Recent

   activities have highlighted its importance Evolution of the DevOps movement which also includes a security component where there is increased involvement from security teams and methodologies DevSecOps Movement Recent actions by governments across the world have begun to mandate certain steps be implemented in order to utilize software produced or utilized from external sources Government Regulations Organizations are looking for additional methods for securing the content they produce and use Initiatives to Drive Increased Security

7. 7 Software Security is a Journey

8. SLSA Levels (https://slsa.dev/spec/v1.0/levels) Level 0 Level 1 Level 2 Level

   3 Preventing Mistakes Automated Build Process Generated provenance about source, build process, artifact and dependencies Preventing tampering after the build Generated, signed and verifiable provenance Preventing tampering during the build Prevent runs from influencing one another, prevent secret material used to sign provenance from being accessible by the end-user’s defined steps

9. 9 Domains Assessing the composition of software assets for potential

   vulnerabilities Applying cryptographic signature to software assets Signing Defining and enforcing conditions that a software asset may comply with in order for it to be used Policy Management/Enforcement Tools and processes to better understand the software being produced and its components/dependencies (SBOM’s) Software Composition Scanning

10. 10 Security Begins With the Community Open source security is

    Built Upon Thriving Open Source Communities

11. Open Source Projects and Communities 11 Enterprise Contract You Have

    the Opportunity to Influence the Future!

12. Safeguard build systems early 12 Secure the use of source

    code and transitive dependencies Software supply chain security considerations for the software development lifecycle Prevent & identify malicious code Continuously monitor security at runtime

13. Prevent and identify malicious code

14. 14 Start with Trusted Content Code Build Monitor Deploy Profile

    Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content * GUAC: Graph for Understanding Artifact Composition

15. 15 Give your developers the right tools Code Build Monitor

    Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

16. Safeguard build systems early

17. 17 Augment and secure your build process (CI) Code Build

    Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

18. 18 Augment and secure your deployment process (CD) Code Build

    Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

19. Continuously monitor security at runtime

20. 20 Manage your Security Posture and monitor your platform Code

    Build Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

21. 21 So, What Are Customers Interested In? Applying digital signatures

    to container images and other software artifacts Content Signing Policy Enforcement Forbidding the use of software that does not meet defined compliance levels Image Vulnerabilities Understanding the composition of software content and any vulnerabilities that may be present Patterns have emerged that illustrate which aspects of the supply chain security space customers express the greatest interest

22. Terminology Term Definition SLSA Supply Chain Levels for Software Artifacts

    SLSA is a set of standards and technical controls you can adopt to improve artifact integrity, and build SAST Static Application Security Testing Executed at build time as part of the CI DAST Dynamic Application Security Testing Often executed on staging clusters CVE Common Vulnerability and Exposures Provenance Recording of origin, history and who made the changes Attestation Authenticated statement (metadata) about a software artifact or collection of software artifacts Sigstore Sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log. SBOM Software Bill of Materials

23. From Source to Production SCM Development QA Staging Production Router

    Users Shift Left Developer

24. From git push to production

25. 25 Define the Software Delivery Process • GitHub Actions •

    GitLab CI/CD • Azure DevOps • Jenkins • Tekton • And more It all starts with the Pipeline. Tekton would be great…. but customers already have invested in their pipeline tools What does it take to develop and deliver software successfully and securely

26. 26 Signing Content Most popular concept from Red Hat’s Trusted

    Software Supply Chain tools Key Considerations • What to sign? • How to sign? • When to sign?

27. 27 What to Sign? Any type of binary (blob) data.

    Popular examples include build artifacts, like Java Archives (.jar) and Helm Charts. cosign sign-blob <content> Additional TSSC assets (SBOMs) cosign sign <imageref> Supplementary Artifacts Most popular type of content to sign cosign sign <imageref> Container Images Binaries

28. 28 Sigstore Key Types Sourced from a Key Management System,

    like HashiCorp Vault or from a Public Cloud Provider (Azure Key Vault) KMS Hardware Tokens Physical device for signing and key management Self Managed Generated by cosign CLI or other encryption utilities There are multiple ways a private key can be provided to sign content using Sigstore

29. 29 While popular in the community, most enterprise customers are

    more comfortable with traditional keyfull based approaches. Keyless Signing Service provided by RHTAS that generates a short lived keypair against an identity using OIDC

30. Code Build Monitor Deploy A generic development process <Your code/>

    Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Container registry Pipeline Pipeline

31. Code Build Monitor Deploy A security-augmented development process <Your code/>

    Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Pipeline Pipeline Red Hat Dependency Analytics Red Hat Trusted Content gitsign verify Red Hat OpenShift cosign sign image generate SBOM Red Hat Trusted Profile Analyzer Generates and signs build pipeline provenance, attestation Verify SLSA compliance Continuous security scans of stored images Red Hat Advanced Cluster Security w/ gitsign Red Hat OpenShift GitOps

32. Shift Security Left in the Software Supply Chain Protect the

    components, processes and practices early in your software factory Trust, transparency in code management with integrated templates, guardrails for security-focused pipelines *Note: Red Hat Trusted Application Pipeline is a single product SKU that includes RHDH, RHTAS, RHTPA. + + NEW! NEW! NEW! Roadmap items are subject to change without notice =

33. Developer Challenges 33 of enterprise technologists surveyed plan to modernize

    more than half of their legacy applications in the next 2 years. Source: The Newstack 80% 80% Application Modernization Rise of Generative AI of Enterprises will have deployed Generative AI-Enabled Applications by 2026 Source: Gartner 76% of organizations say the cognitive load is so high that it is a source of low productivity. Gartner predicts 75% of companies will establish platform teams for application delivery. Source: Salesforce Source: Gartner Developer Productivity Average annual increase in software supply chain attacks over the past three years. 45% of organizations will experience attacks. Is a matter of when, not if. Source: Sonatype 742% Software Supply Chain Security

34. 76% of organizations say the cognitive load is so high

    that it is a source of low productivity. Gartner predicts 75% of companies will establish platform teams for application delivery. Source: Salesforce Source: Gartner

35. Developer Portals to relieve cognitive load

36. None

37. DEMO

38. The application Push to give energy windmill 1.Sends click Kafka

    Topic 2.Sends the interaction 3. Updates the UI Dashboard: Green Energy Nickname Team Push to generate energy Cars that needs energy Two teams competing (top 5 players) First wins

39. Quarkus Apache Kafka Infinispan OpenShift GitOps

40. V1

41. Dev Ops Thursday | 4:45 PM

42. Dev Ops Thursday | 4:45 PM Wall of confusion

43. Dev Ops

44. Developer Joy!

45. V2

46. Get started Sign up at developers.redhat.com Find out more about

    Red Hat’s project and products, and what it offers developers

47. Start exploring in the OpenShift Sandbox. Learn containers, Kubernetes, and

    OpenShift in your browser. developers.redhat.com/developer-sandb ox Try Red Hat's products and technologies without setup or configuration.

48. @kevindubois @thekevindubois kdubois @kevindubois slides

49. linkedin.com/showcase/red-hat-developer youtube.com/RedHatDevelopers facebook.com/RedHatDeveloper twitter.com/rhdevelopers 49 Red Hat is the world’s

    leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you Optional section marker or title