Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Patterns that Protect

Patterns that Protect

In this presentation, I explain what security and deployment patterns work when you need to protect workloads at runtime.

This version of the talk was given at the 2023 Edition of Open Source Summit North America as part of the "SupplyChainSecurityCon" track.

Kerim Satirli

May 12, 2023

More Decks by Kerim Satirli

Other Decks in Technology

Transcript

  1. Patterns that Protect
    Securing Workloads in Automated Deployments

    View full-size slide

  2. Sr. Developer Advocate at HashiCorp
    he / him
    @ksatirli
    Kerim
    Satirli

    View full-size slide

  3. OSS has won.

    View full-size slide

  4. 98% of applications
    have OSS dependencies
    and they're in your repos.

    View full-size slide

  5. Software Lifecycle
    developer's machine
    or remote / hosted IDE
    build
    developer's machine
    or build server
    compile
    build server or
    artifact storage
    store
    orchestration platform
    (Kubernetes, Nomad etc)
    run

    View full-size slide

  6. This is about Trust.

    View full-size slide

  7. Software Lifecycle
    developer's machine
    or remote / hosted IDE
    trust
    developer's machine
    or build server
    trust
    build server or
    artifact storage
    trust
    orchestration platform
    (Kubernetes, Nomad etc)
    trust

    View full-size slide

  8. 01
    Trusting the
    Build Process

    View full-size slide

  9. ! > dscl . -read /Groups/admin GroupMembership
    GroupMembership: root kerim #

    View full-size slide

  10. Endpoint Protection
    is important.

    View full-size slide

  11. Assume Hostile Intent
    for Unverified Code.

    View full-size slide

  12. 02
    Trusting the
    Compilation Process

    View full-size slide

  13. Always Verify your Code.
    Automatically.

    View full-size slide

  14. SLSA
    Level -1

    View full-size slide

  15. Shared Responsibility

    View full-size slide

  16. variable "actions_config" {
    description = "Object of GitHub Actions Configuration."
    default = {
    # see github.com/reviewdog/action-actionlint/releases
    actionlint = {
    owner = "reviewdog"
    repository = "action-actionlint"
    version = "v1.37.0"
    }
    # see github.com/actions/checkout/releases
    checkout = {
    owner = "actions"
    Building Trust into the Pipeline

    View full-size slide

  17. # get GH Release Tag Ids by polling the Releases Data Source
    data "github_release" "actions" {
    for_each = {
    for id, action in var.actions_config : id => action
    }
    repository = each.value.repository
    owner = each.value.owner
    retrieve_by = "tag"
    release_tag = each.value.version
    }
    Building Trust into the Pipeline

    View full-size slide

  18. # get Commitish by polling Ref data source using Tag Name
    data "github_ref" "actions" {
    for_each = data.github_release.actions
    repository = each.value.repository
    owner = each.value.owner
    ref = "tags/${each.value.release_tag}"
    }
    Building Trust into the Pipeline

    View full-size slide

  19. resource "github_actions_organization_permissions" "main" {
    allowed_actions = "selected"
    # require all repositories to abide by this policy
    enabled_repositories = "all"
    allowed_actions_config {
    github_owned_allowed = true
    verified_allowed = true
    patterns_allowed = [
    for action in local.actions_config :
    "${action.owner}/${action.repository}@${action.sha}"
    ]
    }
    }
    Building Trust into the Pipeline

    View full-size slide

  20. github.com/organizations/workloads/settings/actions
    Building Trust into the Pipeline

    View full-size slide

  21. 03
    Trusting the
    Artifact Storing Process

    View full-size slide

  22. Security is a product
    of consistent behavior.

    View full-size slide

  23. Sign Everything.

    View full-size slide

  24. Create and Store
    Verifiable Build Logs

    View full-size slide

  25. Artifact Security

    View full-size slide

  26. 04
    Trusting the
    Orchestration Process

    View full-size slide

  27. Hermetic Builds

    View full-size slide

  28. Running Trustable Workloads

    View full-size slide

  29. task "preflight_check" {
    lifecycle {
    hook = "prestart"
    sidecar = false
    }
    driver = "docker"
    config {
    image = "workloads/preflight:sha256:7bd...171" # v0.9.0
    }
    template {
    destination = "config/preflight.hcl"
    data = ...
    }
    }
    Preflight Checking

    View full-size slide

  30. We shifted
    Security Left.

    View full-size slide

  31. Security is
    a Team Sport.

    View full-size slide

  32. Co-op Learning
    https://github.com/workloads

    View full-size slide

  33. Thank you
    speakerdeck.com/ksatirli

    View full-size slide