Open Source Cloud Strategies and Solutions Towards Reliability and Compliance Security at Scale

Open Source is the default.

96% of applications have OSS dependencies and they're in your repos. 96% of applications have OSS dependencies and they're in your repos.

Sr. Developer Advocate at HashiCorp for Infrastructure and Orchestration @ksatirli he / him Kerim Satirli

developer's environment and remote experiences develop developer's environment and build environments build build environments and artifact registries store orchestration platforms (Nomad, Kubernetes etc) run Software Delivery Lifecycle

trust trust developer's environment and remote experiences developer's environment and build environments build environments and artifact registries orchestration platforms (Nomad, Kubernetes etc) trust trust Software Delivery Lifecycle

Using unverified code is like doing a trust fall with people you don't know.

Assume hostile intent for any unverified code.

01 Securing Development

! dscl . -read /Groups/admin GroupMembership GroupMembership: root Terminal "

! dscl . -read /Groups/admin GroupMembership GroupMembership: root kerim # Terminal $

Endpoint Protection is important.

Securing Development Level 1 ▪ clear guidelines on what is acceptable and what isn’t ▪ locally available tooling to verify code meets rulesets Level 2 ▪ automated linting and testing after git push ▪ cryptographically signed and verified commits Level 3 ▪ branch protection and required trust levels ▪ no unaudited bypassing of security functionality

02 Protecting Builds

Protecting Builds Level 1 ▪ no builds using unsigned or unverified commits ▪ build server configuration is codified and tested Level 3 ▪ all builds have a validated software bill of materials ▪ all builds are hermetic, all dependencies packaged Level 2 ▪ actively create and store tamper-proof build logs ▪ build server configuration uses strong addressing

03 Safeguarding Artifacts

Safeguarding Artifacts Level 1 ▪ artifacts must be fully cryptographically signed ▪ monitor for outliers in artifact attributes Level 2 ▪ isolate artifact servers by application environment ▪ limit admin access and regularly audit access Level 3 ▪ all dependencies must be explicitly allowed for use ▪ artifacts must pass regular scans while "live"

04 Securing Orchestrators

Securing Orchestrators Level 1 ▪ consider the shared responsibility model ▪ lock down ingress and egress of service interface Level 2 ▪ only allow codified workloads to be executed ▪ define a clear secrets management strategy Level 3 ▪ right-size hardware and monitor for zombie usage ▪ build patterns to fail securely instead of safely

Codified Patterns github.com/workloads/

Defense requires Layers.

Layers require People.

Security is a Team Sport.

Open Source Cloud Strategies and Solutions speakerdeck.com/ksatirli Thank you