Slide 1

Slide 1 text

Patterns that Protect: Securing Workloads in Automated Deployments

Slide 2

Slide 2 text

Kerim Satirli, Sr. Developer Advocate at HashiCorp (he / him), @ksatirli

Slide 3

Slide 3 text

OSS has won.

Slide 4

Slide 4 text

98% of applications have OSS dependencies and they're in your repos.

Slide 5

Slide 5 text

Software Lifecycle
build: developer's machine or remote / hosted IDE
compile: developer's machine or build server
store: build server or artifact storage
run: orchestration platform (Kubernetes, Nomad etc)

Slide 6

Slide 6 text

This is about Trust.

Slide 7

Slide 7 text

Software Lifecycle (each stage hands off to the next, and each hand-off is a trust decision)
build: developer's machine or remote / hosted IDE (trust)
compile: developer's machine or build server (trust)
store: build server or artifact storage (trust)
run: orchestration platform (Kubernetes, Nomad etc) (trust)

Slide 8

Slide 8 text

01 Trusting the Build Process

Slide 9

Slide 9 text

> dscl . -read /Groups/admin GroupMembership
GroupMembership: root kerim

(macOS: the developer's own account is a member of the local admin group, so anything that runs as that user can alter the build environment.)

Slide 10

Slide 10 text

Endpoint Protection is important.

Slide 11

Slide 11 text

Assume Hostile Intent for Unverified Code.

Slide 12

Slide 12 text

02 Trusting the Compilation Process

Slide 13

Slide 13 text

Always Verify your Code. Automatically.

Slide 14

Slide 14 text

SLSA Level -1

Slide 15

Slide 15 text

Shared Responsibility

Slide 16

Slide 16 text

Building Trust into the Pipeline

variable "actions_config" {
  description = "Object of GitHub Actions Configuration."

  default = {
    # see github.com/reviewdog/action-actionlint/releases
    actionlint = {
      owner      = "reviewdog"
      repository = "action-actionlint"
      version    = "v1.37.0"
    }

    # see github.com/actions/checkout/releases
    checkout = {
      owner      = "actions"
      repository = "checkout"
      # version, and any further entries, are cut off in the slide export
    }
  }
}

Slide 17

Slide 17 text

# get GH Release Tag IDs by polling the Releases data source
data "github_release" "actions" {
  for_each = { for id, action in var.actions_config : id => action }

  repository  = each.value.repository
  owner       = each.value.owner
  retrieve_by = "tag"
  release_tag = each.value.version
}

Slide 18

Slide 18 text

# get commitish by polling the Ref data source using the tag name
data "github_ref" "actions" {
  for_each = data.github_release.actions

  repository = each.value.repository
  owner      = each.value.owner
  ref        = "tags/${each.value.release_tag}"
}

Slide 19

Slide 19 text

resource "github_actions_organization_permissions" "main" {
  allowed_actions = "selected"

  # require all repositories to abide by this policy
  enabled_repositories = "all"

  allowed_actions_config {
    github_owned_allowed = true
    verified_allowed     = true

    # every explicitly allowed action is pinned to a commit SHA, not a tag;
    # local.actions_config (not shown on the slides) presumably merges
    # var.actions_config with the sha resolved by data.github_ref.actions
    patterns_allowed = [
      for action in local.actions_config : "${action.owner}/${action.repository}@${action.sha}"
    ]
  }
}

Slide 20

Slide 20 text

github.com/organizations/workloads/settings/actions (the resulting policy as shown in the GitHub organization settings)
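The Terraform above controls which actions an organization may run; the complementary check is auditing the workflow files themselves. The following is an added example, not code from the deck or from the github.com/workloads repositories: a Go audit that parses every `uses:` line, flags refs that are tags or branches rather than a 40-hex commit SHA, and flags SHAs that are absent from a patterns_allowed list in the same owner/repo@sha form the Terraform resource produces. The workflow text, the commit SHAs and the allow-list are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one `uses: owner/repo[/path]@ref` reference from a workflow file.
type ActionRef struct {
	Owner, Repo, Path, Ref string
}

// usesLine matches remote action references; local (./) and docker:// actions are out of scope.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(/[^@\s]+)?@(\S+)`)

// fullSHA is the only immutable ref form; tags and branches can be moved after the fact.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

func parseUses(line string) (ActionRef, bool) {
	m := usesLine.FindStringSubmatch(line)
	if m == nil {
		return ActionRef{}, false
	}
	return ActionRef{Owner: m[1], Repo: m[2], Path: strings.TrimPrefix(m[3], "/"), Ref: m[4]}, true
}

// Pinned reports whether the ref is a full commit SHA.
func (r ActionRef) Pinned() bool { return fullSHA.MatchString(r.Ref) }

// Pattern renders the ref in the owner/repo@sha form used by patterns_allowed.
func (r ActionRef) Pattern() string { return r.Owner + "/" + r.Repo + "@" + r.Ref }

type Finding struct {
	Line   int
	Uses   string
	Reason string
}

// Audit reports every remote action that is not SHA-pinned or whose pin is not allow-listed.
func Audit(workflow string, allowed []string) []Finding {
	allow := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		allow[a] = true
	}
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		ref, ok := parseUses(line)
		if !ok {
			continue
		}
		switch {
		case !ref.Pinned():
			out = append(out, Finding{i + 1, ref.Pattern(), "mutable ref (tag or branch), not a commit SHA"})
		case !allow[ref.Pattern()]:
			out = append(out, Finding{i + 1, ref.Pattern(), "SHA not in patterns_allowed"})
		}
	}
	return out
}

// Constructed sample input; the SHAs are placeholders, not real commits.
const checkoutSHA = "0123456789abcdef0123456789abcdef01234567"
const setupGoSHA = "89abcdef0123456789abcdef0123456789abcdef"

var allowList = []string{"actions/checkout@" + checkoutSHA}

const sampleWorkflow = `# constructed sample workflow
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@` + checkoutSHA + ` # v4
      - uses: reviewdog/action-actionlint@v1.37.0
      - uses: some-org/some-action@main
      - uses: actions/setup-go@` + setupGoSHA + ` # v5
`

func main() {
	for _, f := range Audit(sampleWorkflow, allowList) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Uses, f.Reason)
	}
}
```

Caveat: in the organization policy, github_owned_allowed and verified_allowed admit actions outside patterns_allowed, so a workflow can pass GitHub's own enforcement while using a tag-pinned verified action. This audit deliberately treats only explicit SHA pins as approved, which is the stricter reading of "pin everything".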

Slide 21

Slide 21 text

03 Trusting the Artifact Storing Process

Slide 22

Slide 22 text

Security is a product of consistent behavior.

Slide 23

Slide 23 text

Sign Everything.

Slide 24

Slide 24 text

Create and Store Verifiable Build Logs

Slide 25

Slide 25 text

Attestation

Slide 26

Slide 26 text

Artifact Security
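The three slides above (Sign Everything, Verifiable Build Logs, Attestation) in working form, as an added example that is not the deck's or HashiCorp's code: the builder signs a statement binding the artifact digest, the builder identity and the build-log digest with an Ed25519 key; the consuming side verifies the signature first and only then compares the signed digests against the artifact and log it actually holds, so a swapped artifact, an edited log or a forged envelope all fail. The statement shape and the "ci.example/builder" name are illustrative; a real pipeline would emit in-toto/SLSA provenance and keep the builder key in a KMS or HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a minimal build attestation: the artifact digest, the builder that
// produced it, and the digest of the build log. Illustrative shape, not the
// in-toto/SLSA provenance schema.
type Statement struct {
	ArtifactSHA256 string `json:"artifact_sha256"`
	Builder        string `json:"builder"`
	BuildLogSHA256 string `json:"build_log_sha256"`
}

// Envelope carries the exact payload bytes that were signed; verifying those bytes
// rather than a re-serialized struct avoids canonicalization mismatches.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature   = errors.New("attestation signature invalid")
	ErrDigestMismatch = errors.New("artifact or build log does not match attestation")
)

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// NewStatement records what was built from which log, by which builder.
func NewStatement(artifact, buildLog []byte, builder string) Statement {
	return Statement{ArtifactSHA256: digest(artifact), Builder: builder, BuildLogSHA256: digest(buildLog)}
}

// Sign serializes the statement and signs the serialized bytes with the builder key.
func Sign(priv ed25519.PrivateKey, st Statement) (Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature before parsing anything, then compares the signed
// digests against the artifact and build log actually in hand.
func Verify(pub ed25519.PublicKey, env Envelope, artifact, buildLog []byte) (Statement, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Statement{}, ErrBadSignature
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return Statement{}, err
	}
	if st.ArtifactSHA256 != digest(artifact) || st.BuildLogSHA256 != digest(buildLog) {
		return st, ErrDigestMismatch
	}
	return st, nil
}

// DeterministicKey derives a fixed keypair from a one-byte seed so the example is
// reproducible; real builder keys live in a KMS/HSM and are never derived like this.
func DeterministicKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes")
	buildLog := []byte("constructed build log: go build ./... ok")

	env, _ := Sign(priv, NewStatement(artifact, buildLog, "ci.example/builder"))
	_, err := Verify(pub, env, artifact, buildLog)
	fmt.Println("genuine artifact:", err)
	_, err = Verify(pub, env, []byte("swapped artifact"), buildLog)
	fmt.Println("swapped artifact:", err)
}
```

Storing the envelope next to the artifact is what makes the build log "verifiable": anyone holding the builder's public key can confirm that this artifact came from this log, without trusting the storage that served both.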

Slide 27

Slide 27 text

04 Trusting the Orchestration Process

Slide 28

Slide 28 text

Hermetic Builds

Slide 29

Slide 29 text

Running Trustable Workloads

Slide 30

Slide 30 text

Preflight Checking

task "preflight_check" {
  lifecycle {
    hook    = "prestart"
    sidecar = false
  }

  driver = "docker"

  config {
    # pin by digest, not by tag: the digest form is name@sha256:<hex>
    # (the slide reads ":sha256:", which Docker would parse as a tag, and a
    # tag may not contain ':'); the digest itself is truncated on the slide
    image = "workloads/preflight@sha256:7bd...171" # v0.9.0
  }

  template {
    destination = "config/preflight.hcl"
    data        = ... # template body omitted on the slide
  }
}
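What such a prestart task could actually check, as an added example that is not the deck's or github.com/workloads' code: it parses container image references, refuses anything not pinned by an @sha256 digest (tags, "latest" included, are mutable), rejects the "name:sha256:..." form that looks pinned but is a malformed tag, and compares the digest against an approved set keyed by image name. The approved set here is a constructed placeholder; a real one would be derived from the signed attestations of the artifact stage.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a parsed container image reference: name[:tag][@digest].
type ImageRef struct {
	Name   string // registry/repository, without tag or digest
	Tag    string // mutable; may be empty
	Digest string // "sha256:<64 hex>"; empty when the reference is not pinned
}

var (
	sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	// Docker/OCI tag grammar: no ':' allowed, which is why "name:sha256:..." is not a digest pin.
	tagPattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)

	ErrNotPinned         = errors.New("image is not pinned by digest")
	ErrDigestNotApproved = errors.New("digest not in the approved set for this image")
)

// ParseImageRef splits a reference. The registry host may carry a port
// (host:5000/repo), so the tag separator is the first ':' after the last '/'.
func ParseImageRef(s string) (ImageRef, error) {
	var ref ImageRef
	rest := s
	if i := strings.Index(rest, "@"); i >= 0 {
		ref.Digest = rest[i+1:]
		rest = rest[:i]
		if !sha256Digest.MatchString(ref.Digest) {
			return ref, fmt.Errorf("malformed digest %q", ref.Digest)
		}
	}
	lastSlash := strings.LastIndex(rest, "/")
	if i := strings.Index(rest[lastSlash+1:], ":"); i >= 0 {
		i += lastSlash + 1
		ref.Tag = rest[i+1:]
		rest = rest[:i]
		if !tagPattern.MatchString(ref.Tag) {
			return ref, fmt.Errorf("malformed tag %q", ref.Tag)
		}
	}
	if rest == "" {
		return ref, errors.New("empty image name")
	}
	ref.Name = rest
	return ref, nil
}

// Preflight is the policy a prestart task would enforce before the main task runs:
// a digest is mandatory, and the digest must be one approved for that image name.
func Preflight(image string, approved map[string][]string) (ImageRef, error) {
	ref, err := ParseImageRef(image)
	if err != nil {
		return ref, err
	}
	if ref.Digest == "" {
		return ref, ErrNotPinned
	}
	for _, d := range approved[ref.Name] {
		if d == ref.Digest {
			return ref, nil
		}
	}
	return ref, ErrDigestNotApproved
}

// Constructed approved set; a real one would come from signed build attestations.
var goodDigest = "sha256:" + strings.Repeat("7b", 32)
var approvedDigests = map[string][]string{"workloads/preflight": {goodDigest}}

func main() {
	for _, img := range []string{
		"workloads/preflight@" + goodDigest,
		"workloads/preflight:v0.9.0",
		"workloads/preflight:sha256:7bd171", // looks pinned, is a malformed tag
		"workloads/preflight@sha256:" + strings.Repeat("00", 32),
	} {
		_, err := Preflight(img, approvedDigests)
		fmt.Printf("%-90s %v\n", img, err)
	}
}
```

Because the check runs as a prestart hook with sidecar = false, a failure stops the group before the main task is ever scheduled, which is the point of doing it in the orchestrator rather than only at build time.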

Slide 31

Slide 31 text

We shifted Security Left.

Slide 32

Slide 32 text

Security is a Team Sport.

Slide 33

Slide 33 text

Co-op Learning https://github.com/workloads

Slide 34

Slide 34 text

Thank you speakerdeck.com/ksatirli