Slide 1

Fortify & Forget: Minder's Approach to Simplifying Supply Chain Security

Slide 2

Thank you!
2 ©Stacklok, Inc 2024

Slide 3

Who am I?
Juan Antonio "Ozz" Osorio
Staff Security Beard
Mexican living in Finland
Talk to me about:
● Supply chain security
● Vulnerability management
● Cloud security
● Craft beer
● Running
● Heavy metal

Slide 4

Who are we?
Stacklok, est. May 2023
We're passionate about making open source software safer.
We help you
● Build safer software
● Make safer dependency choices
● Keep your software pipelines secure
We aim to simplify supply chain security

Slide 5

How?
● Trusty: package trust scoring
● Minder: today's talk

Slide 6

Minder
Agenda
● Why?
● What?
● How?
● Huh?... Demo time!
● What's next?
● How you can help!

Slide 7

This is f*cking hard!
"Anybody dealing with supply chain security… probably…"

Slide 8

Why?
Supply chain security buzzwords
● Dependency management
● Repository (VCS) security
● SBOMs
● Attestations
● Image signatures

Slide 9

Why?
Supply chain security puzzle
● Scorecards
● Sigstore
● in-toto
● CycloneDX
● SLSA
● VEX

Slide 12

Minder to the rescue!
● Automate repository security settings
● Enforce best practices
● Track packages from your repositories
● Protect against vulnerable dependencies
● Automatic remediations/fixes
● Multi-tenant
● It's open source!
● Available as a service!

Slide 13

What?
Concepts
● Providers
● Repositories
● Pull requests
● Artifacts

Slide 14

What?
Policies

---
version: v1
type: profile
name: stacklok-github-profile
context:
  provider: github
alert: "off"
remediate: "off"
repository:
  - type: secret_scanning
    def:
      enabled: true
      skip_private_repos: true
artifact: ...
pull_request: ...

Slide 15

What?
Policies

---
version: v1
type: profile
name: stacklok-github-profile
context:
  provider: github
alert: "off"
remediate: "off"
repository: ...
artifact:
  - type: artifact_signature
    params:
      tags: [latest]
      name: minder/server
    def:
      is_signed: true
      is_verified: true
      is_bundle_verified: true
pull_request: ...

Slide 16

What?
Minder
● Rules are pluggable and extensible.
  ○ You can write your own!
● We aim to track and map the different aspects of the supply chain, not just repositories.

Slide 17

How?

Slide 18

How?
Internals speedrun
● Learning from k8s: level vs. edge triggering
  ○ Events and reconciliations
● Deploy on k8s but keep state out of it
● State is tracked in Postgres, not etcd
● Identity is kept outside entirely
  ○ OIDC via Keycloak
● Package verifications and attestations handled via Sigstore
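To tie the profile shape from slides 14 and 15 to the level-triggered evaluation mentioned in the internals speedrun, here is an added illustration (not Minder's own code): a small evaluator that compares a profile's desired `def` values with the observed state of a repository and an artifact, skips private repositories when `skip_private_repos` is set, and only emits alert or remediation actions when the profile switches them "on". The flat observed-state dicts, the `rule_applies` matching on `params`, and the entity samples are constructed assumptions for the example.

```python
# Added illustration, not Minder's own code. PROFILE is the parsed form of the
# slide's YAML; entity dicts and the matching logic are simplifying assumptions.
PROFILE = {
    "version": "v1", "type": "profile", "name": "stacklok-github-profile",
    "context": {"provider": "github"}, "alert": "off", "remediate": "off",
    "repository": [
        {"type": "secret_scanning",
         "def": {"enabled": True, "skip_private_repos": True}}],
    "artifact": [
        {"type": "artifact_signature",
         "params": {"tags": ["latest"], "name": "minder/server"},
         "def": {"is_signed": True, "is_verified": True,
                 "is_bundle_verified": True}}],
}

def rule_applies(rule, entity):
    """Artifact rules carry params selecting which artifacts they cover."""
    params = rule.get("params", {})
    if "name" in params and entity.get("name") != params["name"]:
        return False
    return "tags" not in params or bool(set(params["tags"]) & set(entity.get("tags", [])))

def evaluate(profile, entity_type, entity):
    """Compare each rule's desired `def` with the entity's observed state.
    Level-triggered: the outcome depends only on current state, so re-running
    on unchanged state is idempotent and no event history is needed."""
    results = []
    for rule in profile.get(entity_type, []):
        if not rule_applies(rule, entity):
            continue
        desired = rule["def"]
        if entity.get("private") and desired.get("skip_private_repos"):
            results.append((rule["type"], "skipped", []))
            continue
        failing = [k for k, v in desired.items()
                   if k != "skip_private_repos" and entity.get(k) != v]
        results.append((rule["type"], "fail" if failing else "pass", failing))
    return results

def actions(profile, results):
    """Failing rules trigger only the actions the profile switches "on"."""
    return [(action, rule_type) for rule_type, status, _ in results
            if status == "fail" for action in ("alert", "remediate")
            if profile.get(action) == "on"]

# Constructed sample state: secret scanning is off and the image's bundle
# verification failed, so both rules fail; actions depend on the profile switches.
REPO = {"name": "stacklok/minder", "private": False, "enabled": False}
IMAGE = {"name": "minder/server", "tags": ["latest"], "is_signed": True,
         "is_verified": True, "is_bundle_verified": False}
```

With the profile exactly as on the slides (`alert: "off"`, `remediate: "off"`) both failures are recorded but nothing is actioned; flipping `alert` to `"on"` yields one alert per failing rule.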

Slide 19

Demo time!

Slide 20

What's next?
Roadmap
● Way more rules!
● A shiny UI
● Build environment attestations
● Workload mapping
● Hierarchical multi-tenancy
● Revamped authorization engine (OpenFGA-based)

Slide 21

How you can help!
Minder is OSS
● Try it out!
  ○ We have a running production instance
● Check it out!
  ○ https://github.com/stacklok/minder
● Give us feedback!
  ○ You can file a GitHub issue or even talk to us on Discord
● Document or code!
  ○ We're happy to review

Slide 22

Thank you!
● Minder in GitHub
● Join us in Discord!
● Try out Trusty!
● We're hiring!