Supply Chain Security for Infrastructure Engineers

Transcript

1. Supply Chain Security (for Infrastructure Engineers)

2. Sr. Developer Advocate at HashiCorp for Infrastructure and Orchestration @ksatirli

   Kerim Satirli

3. developer's environment and remote experiences develop developer's environment and build

   environments build build environments and artifact registries store orchestration platforms (Nomad, Kubernetes etc) run Software Delivery Lifecycle (SDLC)

4. trust trust trust trust developer's environment and remote experiences developer's

   environment and build environments build environments and artifact registries orchestration platforms (Nomad, Kubernetes etc) Software Delivery Lifecycle (SDLC)

5. Using unverified code is like doing a trust fall with

   people you don't know.

6. Using unverified code is like doing a trust fall with

   people you don't know.

7. Assume hostile intent for any unverified code.

8. 01 Secure Development

9. ! dscl . -read /Groups/admin GroupMembership GroupMembership: root Terminal "

10. ! dscl . -read /Groups/admin GroupMembership GroupMembership: root kerim #

    Terminal $

11. Protecting endpoints is critically important.

12. Level 2 ▪ automated linting and testing after git push

    ▪ cryptographically signed and verified commits Level 3 ▪ branch protection and required trust levels ▪ no unaudited bypassing of security functionality Level 1 ▪ clear guidelines on what is acceptable and what isn’t ▪ locally available tooling to verify code meets rulesets Secure Development

13. 02 Protect the Build

14. Level 3 ▪ all builds have a validated software bill

    of materials ▪ all builds are hermetic, all dependencies packaged Level 1 ▪ no builds using unsigned or unverified commits ▪ build server configuration is codified and tested Level 2 ▪ actively create and store tamper-proof build logs ▪ build server configuration uses strong addressing Protect the Build

15. 03 Safeguard Artifacts

16. Level 1 ▪ artifacts must be fully cryptographically signed ▪

    monitor for outliers in artifact attributes Level 2 ▪ isolate artifact servers by application environment ▪ limit admin access and regularly audit access Level 3 ▪ all dependencies must be explicitly allowed for use ▪ artifacts must pass regular scans while "live" Safeguard Artifacts

17. 04 Secure Orchestrators

18. Level 3 ▪ right-size hardware and monitor for zombie usage

    ▪ build patterns to fail securely instead of safely Secure Orchestrators Level 1 ▪ consider the shared responsibility model ▪ lock down ingress and egress of service interface Level 2 ▪ only allow codified workloads to be executed ▪ define clear secrets management strategy

19. 05 Putting this into Practice

20. Define the Pipeline pipeline.yml

21. !!" # when to run this pipeline <trigger> # all

    the stuff it needs to do <steps> # handle errors other people introduced <more steps> pipeline.yml Define the Pipeline

22. terraform.yml Define the Pipeline !!" # when to run this

    pipeline on: push: jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/setup-terraform" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5"

23. Ship it.

24. % from the Security Team

25. terraform.yml !!" # when to run this pipeline on: push:

    jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/[email protected]" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5" My Pipeline Definition

26. terraform.yml !!" # when to run this pipeline on: push:

    jobs: # all the stuff it needs to do happy_path: steps: - uses: "hashicorp/setup-terraform@633b725c73b2cacd13a8fdd1" - run: terraform fmt -check -recursive !# terraform validate with: version: "1.7.5" Their Pipeline Definition

27. terraform.tftpl.yml !!$ jobs: workflow: name: Terraform runs-on: ubuntu-latest steps: #

    github.com/${owner}/${repo}/releases/tag/${version} - name: Set up Terraform uses: "${owner}/${repo}@${sha}" # ref: `${ref}` with: terraform_version: "1.7.5" !!$ Prepare the Template

28. https://docs.github.com/en/rest/releases/releases Getting Release Information

29. terraform.yml Render the Template !!$ jobs: workflow: name: Terraform runs-on:

    ubuntu-latest steps: # github.com/hashicorp/setup-terraform/releases/tag/v3.0.0 - name: Set up Terraform uses: "hashicorp/setup-terraform@633!!$dd1" # ref: `tags/v3.0.0` with: terraform_version: "1.7.5" !!$

30. Update Allow List for Actions https:!%github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

31. Update Allow List for Actions https:!%github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

32. Defense requires Layers.

33. Layers require People.

34. Security is a Team Sport.

35. Demo Code

36. Thank you speakerdeck.com/ksatirli