Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Supply Chain Security for Infrastructure Engineers

Supply Chain Security for Infrastructure Engineers

In this presentation, I explain how to increase supply chain security from an infrastructure engineer's perspective.

This version of the talk was given at ConFoo Montreal in February 2024.

Avatar for Kerim Satirli

Kerim Satirli

February 23, 2024
Tweet

More Decks by Kerim Satirli

Other Decks in Technology

Transcript

  1. developer's environment and remote experiences develop developer's environment and build

    environments build build environments and artifact registries store orchestration platforms (Nomad, Kubernetes etc) run Software Delivery Lifecycle (SDLC)
  2. trust trust trust trust developer's environment and remote experiences developer's

    environment and build environments build environments and artifact registries orchestration platforms (Nomad, Kubernetes etc) Software Delivery Lifecycle (SDLC)
  3. Level 2 ▪ automated linting and testing after git push

    ▪ cryptographically signed and verified commits Level 3 ▪ branch protection and required trust levels ▪ no unaudited bypassing of security functionality Level 1 ▪ clear guidelines on what is acceptable and what isn’t ▪ locally available tooling to verify code meets rulesets Secure Development
  4. Level 3 ▪ all builds have a validated software bill

    of materials ▪ all builds are hermetic, all dependencies packaged Level 1 ▪ no builds using unsigned or unverified commits ▪ build server configuration is codified and tested Level 2 ▪ actively create and store tamper-proof build logs ▪ build server configuration uses strong addressing Protect the Build
  5. Level 1 ▪ artifacts must be fully cryptographically signed ▪

    monitor for outliers in artifact attributes Level 2 ▪ isolate artifact servers by application environment ▪ limit admin access and regularly audit access Level 3 ▪ all dependencies must be explicitly allowed for use ▪ artifacts must pass regular scans while "live" Safeguard Artifacts
  6. Level 3 ▪ right-size hardware and monitor for zombie usage

    ▪ build patterns to fail securely instead of safely Secure Orchestrators Level 1 ▪ consider the shared responsibility model ▪ lock down ingress and egress of service interface Level 2 ▪ only allow codified workloads to be executed ▪ define clear secrets management strategy
  7. !!" # when to run this pipeline <trigger> # all

    the stuff it needs to do <steps> # handle errors other people introduced <more steps> pipeline.yml Define the Pipeline
  8. terraform.yml Define the Pipeline !!" # when to run this

    pipeline on: push: jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/setup-terraform" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5"
  9. terraform.yml !!" # when to run this pipeline on: push:

    jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/[email protected]" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5" My Pipeline Definition
  10. terraform.yml !!" # when to run this pipeline on: push:

    jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/setup-terraform@633b725c73b2cacd13a8fdd1" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5" Their Pipeline Definition
  11. terraform.tftpl.yml !!$ jobs: workflow: name: Terraform runs-on: ubuntu-latest steps: #

    github.com/${owner}/${repo}/releases/tag/${version} - name: Set up Terraform uses: "${owner}/${repo}@${sha}" # ref: `${ref}` with: terraform_version: "1.7.5" !!$ Prepare the Template
  12. terraform.yml Render the Template !!$ jobs: workflow: name: Terraform runs-on:

    ubuntu-latest steps: # github.com/hashicorp/setup-terraform/releases/tag/v3.0.0 - name: Set up Terraform uses: "hashicorp/setup-terraform@633!!$dd1" # ref: `tags/v3.0.0` with: terraform_version: "1.7.5" !!$