Open Source Secure Software Supply Chain in Action

Transcript

1. CONFIDENTIAL designator V0000000 WeAreDevelopers Berlin Open Source Supply Chain Security

   in Action Natale Vinto Lead, Red Hat Developer Advocates [email protected] @natalevinto 1

2. CONFIDENTIAL designator V0000000

3. Resilience to vulnerabilitie s

4. None
5. None
6. None

7. CONFIDENTIAL designator 7

8. CONFIDENTIAL designator 8

9. CONFIDENTIAL designator 9

10. CONFIDENTIAL designator 10

11. CONFIDENTIAL designator 11

12. CONFIDENTIAL designator 12

13. CONFIDENTIAL designator 13 DEV OPS SEC

14. CONFIDENTIAL designator V0000000 14 Standardize, share and store Manage SBOM

    Inventory/ Risk Profile Management App Developer Security/Ops/SRE Platform Engineer Verify Tests Enterprise Contract SLSA Verifier Dependency Analytics roxctl Ship Progressive Delivery Release Management Monitor ACS: Risk, Compliance, Images, Containers, Clusters, Network DORA Build Artifact packager Container builder Artifact signer SBOM generator Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content Create Software Composition Analysis Digitally Signed & Verified Curate

15. CONFIDENTIAL designator Platform-as-a-Product

16. CONFIDENTIAL designator What is a Platform?

17. CONFIDENTIAL designator "A digital platform is a foundation of self-service

    APIs, tools, services, knowledge and support which are arranged as a compelling internal product. " Evan Bottcher - 2018

18. CONFIDENTIAL designator "A digital platform is a foundation of self-service

    APIs, tools, services, knowledge and support which are arranged as a compelling internal product. " Evan Bottcher - 2018

19. CONFIDENTIAL designator 19 19

20. CONFIDENTIAL designator AuthN/AuthZ/RBAC Compute/Network/Storage, Namespace-as-a-Service/Cluster-as-a-Service, Configuration Management Source Control Artifact

    Builder, Image Builder Continuous Integration Engine & Task Runners Artifact Storage Observability (Ops/SRE view, Dev view, AppOps view, PE view) Continuous Delivery Security: Runtime scanning, build-time scanners CLI (kubectl, helm, git, oc), API DBaaS, Kafka-as-a-Service, Cache-as-a-Service, SSO-as-a-Service, etc Developer Environments DevX: Collaboration, Tutorials, Videos, Slack Golden Path Templates Portal (Backstage)

21. CONFIDENTIAL designator "A digital platform is a foundation of self-service

    APIs, tools, services, knowledge and support which are arranged as a compelling internal product. " Evan Bottcher - 2018

22. CONFIDENTIAL designator Compelling for whom?

23. CONFIDENTIAL designator Customer Challenges 23 of enterprise technologists surveyed plan

    to modernize more than half of their legacy applications in the next 2 years. Source: The Newstack 80% 80% Application Modernization Rise of Generative AI of Enterprises will have deployed Generative AI-Enabled Applications by 2026 Source: Gartner 76% of organizations say the cognitive load is so high that it is a source of low productivity. Gartner predicts 75% of companies will establish platform teams for application delivery. Source: Salesforce Source: Gartner Developer Productivity Average annual increase in software supply chain attacks over the past three years. 45% of organizations will experience attacks. Is a matter of when, not if. Source: Sonatype 742% Software Supply Chain Security

24. COBOL JCL/WFL --- Batch Centralized C/C++ 4GLs RDBMS/ SQL Unix

    --- Interactive Distributed HTML HTTP CGI GET/POST Cookies Java Servlet EJB Solaris/AIX --- Request/Response MVC-Struts DI-Spring ORM-Hibernate XML WS-* JSF Agile Automated Testing CI SVN Linux --- AJAX Java EE 6 HTML5 (JavaScript) iOS/Android Phonegap/Cordova Cucumber REST Maven/Gradle git MongoDB/Redis Hadoop DevOps CD Microservices --- Asynch, Functional Reactive Java EE 8-12, NodeJS, Go Serverless Flutter, Typescript Kafka gRPC, Avro Vue, React, Next.js Serverless, Wasm Terraform, Vault CRI-O, Podman ArgoCD, Tekton, CircleCI Backstage, Helm Kustomize AWS, Azure, GCP Istio/ServiceMesh --- Cloud, Kubernetes 60's-70's 1985-1995 1993-1999 1995-2003 2003-2011 2010-2016 2018-2022 Overloaded Mouse PushButton Click DropDown List Windows --- GUI/Event-Driven

25. COBOL JCL/WFL --- Batch Centralized C/C++ 4GLs RDBMS/ SQL Unix

    --- Interactive Distributed HTML HTTP CGI GET/POST Cookies Java Servlet EJB Solaris/AIX --- Request/Response MVC-Struts DI-Spring ORM-Hibernate XML WS-* JSF Agile Automated Testing CI SVN Linux --- AJAX Java EE 6 HTML5 (JavaScript) iOS/Android Phonegap/Cordova Cucumber REST Maven/Gradle git MongoDB/Redis Hadoop DevOps CD Microservices --- Asynch, Functional Reactive Java EE 8-12, NodeJS, Go Serverless Flutter, Typescript Kafka gRPC, Avro Vue, React, Next.js Serverless, Wasm Terraform, Vault CRI-O, Podman ArgoCD, Tekton, CircleCI Backstage, Helm Kustomize AWS, Azure, GCP Istio/ServiceMesh --- Cloud, Kubernetes 60's-70's 1985-1995 1993-1999 1995-2003 2003-2011 2010-2016 2018-2022 Overloaded Mouse PushButton Click DropDown List Windows --- GUI/Event-Driven

26. GENAI

27. CONFIDENTIAL designator V0000000 27 The Supply Chain Security space is

    relatively young Recent activities have highlighted its importance Evolution of the DevOps movement which also includes a security component where there is increased involvement from security teams and methodologies DevSecOps Movement Recent actions by governments across the world have began to mandate certain steps be implemented in order to utilize software produced or utilized from external sources Government Regulations Organizations are looking for additional methods for securing the content they produce and use Initiatives to Drive Increased Security

28. CONFIDENTIAL designator V0000000 28 Software Security is a Journey

29. CONFIDENTIAL designator V0000000 29 Domains Assessing the composition of software

    assets for potential vulnerabilities Applying cryptographic signature to software assets Signing Defining and enforcing conditions that a software asset my comply with in order for it to be used Policy Management/Enforcement Tools and processes to better understand the software being produced and its components/dependencies (SBOM’s) Software Composition Scanning

30. Safeguard build systems early 30 Secure the use of source

    code and transitive dependencies Software supply chain security considerations for the software development lifecycle Prevent & identify malicious code Continuously monitor security at runtime

31. Prevent and identify malicious code

32. 32 Start with Trusted Content Code Build Monitor Deploy Profile

    Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

33. 33 Give to your developers the right tools Code Build

    Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

34. Safeguard build systems early

35. 35 Augment and secure your build process (CI) Code Build

    Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

36. 36 Augment and secure your deployment process (CD) Code Build

    Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

37. Continuously monitor security at runtime

38. 38 Manage your Security Posture and monitor your platform Code

    Build Monitor Deploy Profile Risk SBOM Images Clusters Network Software Composition Analysis Digitally Signed & Verified Kubernetes Native Security Image Building Image Scanning Artifact Signining SLSA Attestation SBOM Dependency Analysis Recommendations YAML Policy Image Policy Signature Checks Attestation Validation Universal Base Image Language Runtime Application Libraries Provenance, Attestation of Curated Content

39. CONFIDENTIAL designator V0000000 39 Security Begins With the Community Open

    source security is Built Upon Thriving Open Source Communities

40. CONFIDENTIAL designator V0000000 40 So, What Are Customers Interested In?

    Applying digital signatures to container images and other software artifacts Content Signing Policy Enforcement Forbidding the use of software that does not meet defined compliance levels Image Vulnerabilities Understanding the composition of software content and any vulnerabilities that may be present Patterns have emerged that illustrate which aspects of the supply chain security space customers express the greatest interest

41. CONFIDENTIAL designator V0000000 Terminology Term Definition SLSA Supply Chain Levels

    for Software Artifacts SLSA is a set of standards and technical controls you can adopt to improve artifact integrity, and build SAST Static Application Security Testing Executed at build time as part of the CI DAST Dynamic Application Security Testing Often executed on staging clusters CVE Common Vulnerability and Exposures Provenance Recording of origin, history and who made the changes Attestation Authenticated statement (metadata) about a software artifact or collection of software artifacts Sigstore Sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log. SBOM Software Bill of Materials

42. CONFIDENTIAL designator V0000000 SLSA Levels (https://slsa.dev/spec/v1.0/levels) Level 0 Level 1

    Level 2 Level 3 Preventing Mistakes Automated Build Process Generated provenance about source, build process, artifact and dependencies Preventing tampering after the build Generated, signed and verifiable provenance Preventing tampering during the build Prevent runs from influencing one another, prevent secret material used to sign provenance from being accessible by the end-user’s defined steps

43. CONFIDENTIAL designator V0000000 From Source to Production SCM Development QA

    Staging Production Router Users Shift Left Developer

44. CONFIDENTIAL designator V0000000 From git push to production

45. CONFIDENTIAL designator V0000000 Open Source Projects and Communities 45 Enterprise

    Contract You Have the Opportunity to Influence the Future!

46. CONFIDENTIAL designator V0000000 46 Define the Software Delivery Process •

    GitHub Actions • GitLab CI/CD • Azure DevOps • Jenkins • Tekton • And more It all starts with the Pipeline. Tekton would be great…. but customers already have invested in their pipeline tools What does it take to develop and deliver software successfully and securely

47. CONFIDENTIAL designator V0000000 47 Signing Content Most popular concept from

    Red Hat’s Trusted Software Supply Chain tools Key Considerations • What to sign? • How to sign? • When to sign?

48. CONFIDENTIAL designator V0000000 48 What to Sign? Any type of

    binary (blob) data. Popular examples include build artifacts, like Java Archives (.jar) and Helm Charts. cosign sign-blob <content> Additional TSSC assets (SBOMs) cosign sign <imageref> Supplementary Artifacts Most popular type of content to sign cosign sign <imageref> Container Images Binaries

49. CONFIDENTIAL designator V0000000 49 Sigstore Key Types Sourced from a

    Key Management System, like HashiCorp Vault or from a Public Cloud Provider (Azure Key Vault) KMS Hardware Tokens Physical device for signing and key management Self Managed Generated by cosign CLI or other encryption utilities There are multiple ways a private key can be provided to sign content using Sigstore

50. CONFIDENTIAL designator V0000000 50 While popular in the community, most

    enterprise customers are more comfortable with traditional keyfull based approaches. Keyless Signing Service provided by RHTAS that generates a short lived keypair against an identity using OIDC

51. CONFIDENTIAL designator V0000000 51 Pipeline Support • Images • TaskRuns/PipelineRuns

    Similar processes can be implemented in other CI/CD tools. It may require additional upfront work For those using Tekton as the CI/CD tool, Tekton Chains automates how content produced within the pipeline are signed

52. CONFIDENTIAL designator V0000000 Code Build Monitor Deploy A generic development

    process <Your code/> Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Container registry Pipeline Pipeline

53. CONFIDENTIAL designator V0000000 Code Build Monitor Deploy A security-augmented development

    process <Your code/> Dependencies git commit code repo git pull (maven) package Container build push to registry K8s deployment definition(s) deploy Base images pom.xml requirements.txt go.mod gitops repo Pipeline Pipeline Red Hat Dependency Analytics Red Hat Trusted Content gitsign verify Red Hat OpenShift cosign sign image generate SBOM Red Hat Trusted Profile Analyzer Generates and signs build pipeline provenance, attestation Verify SLSA compliance Continuous security scans of stored images Red Hat Advanced Cluster Security w/ gitsign Red Hat OpenShift GitOps

54. CONFIDENTIAL designator V0000000 DEMO

55. CONFIDENTIAL designator V0000000 Get started Sign up at developers.redhat.com Find

    out more about Red Hat’s project and products, and what it offers developers

56. CONFIDENTIAL designator V0000000 Start exploring in the OpenShift Sandbox. Learn

    containers, Kubernetes, and OpenShift in your browser. developers.redhat.com/developer-sand box Try Red Hat's products and technologies without setup or configuration.

57. CONFIDENTIAL designator V0000000 Q&A Red Hat Developer Hub

58. CONFIDENTIAL designator V0000000 linkedin.com/showcase/red-hat-developer youtube.com/RedHatDevelopers facebook.com/RedHatDeveloper twitter.com/rhdevelopers 58 Red Hat

    is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you Optional section marker or title