Patterns that Protect

Transcript

1. Patterns that Protect Securing Workloads in Automated Deployments

2. Sr. Developer Advocate at HashiCorp he / him @ksatirli Kerim

   Satirli

3. OSS has won.

4. 98% of applications have OSS dependencies and they're in your

   repos.

5. Software Lifecycle developer's machine or remote / hosted IDE build

   developer's machine or build server compile build server or artifact storage store orchestration platform (Kubernetes, Nomad etc) run

6. This is about Trust.

7. Software Lifecycle developer's machine or remote / hosted IDE trust

   developer's machine or build server trust build server or artifact storage trust orchestration platform (Kubernetes, Nomad etc) trust

8. 01 Trusting the Build Process

9. ! > dscl . -read /Groups/admin GroupMembership GroupMembership: root kerim

   #

10. Endpoint Protection is important.

11. Assume Hostile Intent for Unverified Code.

12. 02 Trusting the Compilation Process

13. Always Verify your Code. Automatically.

14. SLSA Level -1

15. Shared Responsibility

16. variable "actions_config" { description = "Object of GitHub Actions Configuration."

    default = { # see github.com/reviewdog/action-actionlint/releases actionlint = { owner = "reviewdog" repository = "action-actionlint" version = "v1.37.0" } # see github.com/actions/checkout/releases checkout = { owner = "actions" Building Trust into the Pipeline

17. # get GH Release Tag Ids by polling the Releases

    Data Source data "github_release" "actions" { for_each = { for id, action in var.actions_config : id => action } repository = each.value.repository owner = each.value.owner retrieve_by = "tag" release_tag = each.value.version } Building Trust into the Pipeline

18. # get Commitish by polling Ref data source using Tag

    Name data "github_ref" "actions" { for_each = data.github_release.actions repository = each.value.repository owner = each.value.owner ref = "tags/${each.value.release_tag}" } Building Trust into the Pipeline

19. resource "github_actions_organization_permissions" "main" { allowed_actions = "selected" # require all

    repositories to abide by this policy enabled_repositories = "all" allowed_actions_config { github_owned_allowed = true verified_allowed = true patterns_allowed = [ for action in local.actions_config : "${action.owner}/${action.repository}@${action.sha}" ] } } Building Trust into the Pipeline

20. github.com/organizations/workloads/settings/actions Building Trust into the Pipeline

21. 03 Trusting the Artifact Storing Process

22. Security is a product of consistent behavior.

23. Sign Everything.

24. Create and Store Verifiable Build Logs

25. Attestation

26. Artifact Security

27. 04 Trusting the Orchestration Process

28. Hermetic Builds

29. Running Trustable Workloads

30. task "preflight_check" { lifecycle { hook = "prestart" sidecar =

    false } driver = "docker" config { image = "workloads/preflight:sha256:7bd...171" # v0.9.0 } template { destination = "config/preflight.hcl" data = ... } } Preflight Checking

31. We shifted Security Left.

32. Security is a Team Sport.

33. Co-op Learning https://github.com/workloads

34. Thank you speakerdeck.com/ksatirli