Building Trust Brick by Brick Exploring the Landscape of Modern Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell

HELLO! Jason Dasith Juan @dasiths https://dasith.me @jsburckhardt

Container Registries as artefact stores Introduction to supply chain threats Agenda Consumer focused tools Producer focused tools Questions

Software Supply Chain What is it? Software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.

Introduction to Supply Chain Threats

Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/

Producer Threats https://slsa.dev/spec/v1.0/threats-overview

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

Example Scenario

Example Scenario

Producer Focused Tools & Workflows

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario 2 reviewers required to approve any PR = Reduce risk of insider threats

Example Scenario

Example Scenario https://www.ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf Transparency Security Compliance

Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/

Example Scenario SBOM - filesystem > trivy fs --format cyclonedx > SBOM.cyclonedx.json SBOM – container > trivy image --format cyclonedx > SBOM.cyclonedx.json Container Image – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/container_image/ Filesystem – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/filesystem/

Example Scenario

Example Scenario

Example Scenario Provenance: Describe how an artifact or set of artifacts was produced.

Securely Storing And Sharing Supply Chain Artefacts

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario

Example Scenario https://notaryproject.dev/

Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > notation sign --signature-format cose $IMAGE > notation ls $IMAGE repo/net-monitor@sha256:073b..555a └── application/vnd.cncf.notary.v2.signature └── sha256:ba3a..38b Signing View Signature

Example Scenario > notation policy import ./trustpolicy.json > notation verify $IMAGE Trust Policy Verify Signature https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust- policy.md#trust-policy

Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation

Example Scenario Signing – With Key > cosign sign --key cosign.key Verify – With Key > cosign verify --key cosign.pub https://github.com/sigstore/cosign/blob/main/doc/cosign_verify.md https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md

Example Scenario Attest – With Key > cosign attest --predicate --type --key cosign.key Verify Attestation – With Key > cosign verify-attestation --key cosign.pub --type https://github.com/sigstore/cosign/blob/main/doc/cosign_verify- attestation.md https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md

Example Scenario Signing - Keyless > cosign sign $IMAGE Generating ephemeral keys... Retrieving signed certificate... Note that there may be personally identifiable information associated with this signed artifact. This may include the email address associated with the account with which you authenticate. This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs. Are you sure you would like to continue? [y/N] y Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore... Successfully verified SCT... tlog entry created with index: 12086900 Pushing signature to: $IMAGE

Signing - Keyless

Example Scenario Verify - Keyless > cosign verify $IMAGE --certificate-identity=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER

Example Scenario Storage

Example Scenario Artefact? You mean container image?

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY be packaged using the image manifest. Artefact? You mean container image?

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY be packaged using the image manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }

Example Scenario https://github.com/opencontainers/image-spec/blob/main/manifest.md Subject: This value, used by the referrers API, indicates a relationship to the specified manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }

Example Scenario Image, SBOM, Signatures, etc = Artefacts

Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM, Signatures, etc = Artefacts

Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > oras attach --artifact-type example.sbom.v0 $IMAGE sbom.spdx.json ORAS Attach

Example Scenario Image, SBOM, Signatures, etc = Artefacts

Tools & Workflows Consumer Focused

Example Scenario

Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT?

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…

Example Scenario Continuous vulnerability scanning of container images in internal repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine

Example Scenario Continuous vulnerability scanning of container images in internal repositories. Microsoft Defender For Cloud And More…

Example Scenario Scan SBOM > trivy sbom sbom.spdx.json > cat sbom.spdx.json | grype

Example Scenario

Example Scenario Protecting the last mile using “admission control” Allows you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.

Example Scenario Protecting the last mile using “admission control” Ratify

Example Scenario

Example Scenario

Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control

Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com

Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats: https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:

Presentation template designed by powerpointify.com Special thanks to all people who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths