Slide 1

Slide 1 text

Building Trust Brick by Brick Exploring the Landscape of Modern Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell

Slide 2

Slide 2 text

HELLO! Dasith (@dasiths, https://dasith.me), Juan (@jsburckhardt), Jason

Slide 3

Slide 3 text

Agenda
• Introduction to supply chain threats
• Producer focused tools
• Container Registries as artefact stores
• Consumer focused tools
• Questions

Slide 4

Slide 4 text

Software Supply Chain – What is it? A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.

Slide 5

Slide 5 text

Introduction to Supply Chain Threats

Slide 6

Slide 6 text

Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/

Slide 7

Slide 7 text

Producer Threats https://slsa.dev/spec/v1.0/threats-overview

Slide 8

Slide 8 text

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

Slide 9

Slide 9 text

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/

Slide 10

Slide 10 text

Example Scenario

Slide 11

Slide 11 text

Example Scenario

Slide 12

Slide 12 text

Producer Focused Tools & Workflows

Slide 13

Slide 13 text

Example Scenario

Slide 14

Slide 14 text

Example Scenario

Slide 15

Slide 15 text

Example Scenario

Slide 16

Slide 16 text

Example Scenario

Slide 17

Slide 17 text

Example Scenario: 2 reviewers required to approve any PR = reduced risk of insider threats

Slide 18

Slide 18 text

Example Scenario

Slide 19

Slide 19 text

Example Scenario – SBOM https://www.ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf
Transparency / Security / Compliance

Slide 20

Slide 20 text

Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/

Slide 21

Slide 21 text

Example Scenario – SBOM with Trivy
SBOM – filesystem
> trivy fs --format cyclonedx <path> > SBOM.cyclonedx.json
SBOM – container
> trivy image --format cyclonedx <image> > SBOM.cyclonedx.json
Container Image – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/container_image/
Filesystem – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/filesystem/

Slide 22

Slide 22 text

Example Scenario

Slide 23

Slide 23 text

Example Scenario

Slide 24

Slide 24 text

Example Scenario Provenance: Describe how an artifact or set of artifacts was produced.

Slide 25

Slide 25 text

Securely Storing And Sharing Supply Chain Artefacts

Slide 26

Slide 26 text

Example Scenario

Slide 27

Slide 27 text

Example Scenario

Slide 28

Slide 28 text

Example Scenario

Slide 29

Slide 29 text

Example Scenario

Slide 30

Slide 30 text

Example Scenario

Slide 31

Slide 31 text

Example Scenario

Slide 32

Slide 32 text

Example Scenario

Slide 33

Slide 33 text

Example Scenario

Slide 34

Slide 34 text

Example Scenario

Slide 35

Slide 35 text

Example Scenario https://notaryproject.dev/

Slide 36

Slide 36 text

Example Scenario – Signing / View Signature
> IMAGE=repo/net-monitor@sha256:073b..555a
> notation sign --signature-format cose $IMAGE
> notation ls $IMAGE
repo/net-monitor@sha256:073b..555a
└── application/vnd.cncf.notary.v2.signature
    └── sha256:ba3a..38b

Slide 37

Slide 37 text

Example Scenario – Trust Policy / Verify Signature
> notation policy import ./trustpolicy.json
> notation verify $IMAGE
https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy

Slide 38

Slide 38 text

Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation

Slide 39

Slide 39 text

Example Scenario – Cosign
Signing – With Key
> cosign sign --key cosign.key $IMAGE
Verify – With Key
> cosign verify --key cosign.pub $IMAGE
https://github.com/sigstore/cosign/blob/main/doc/cosign_verify.md
https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md

Slide 40

Slide 40 text

Example Scenario – Cosign
Attest – With Key
> cosign attest --predicate <predicate-file> --type <predicate-type> --key cosign.key $IMAGE
Verify Attestation – With Key
> cosign verify-attestation --key cosign.pub --type <predicate-type> $IMAGE
https://github.com/sigstore/cosign/blob/main/doc/cosign_verify-attestation.md
https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md

Slide 41

Slide 41 text

Example Scenario – Signing - Keyless
> cosign sign $IMAGE
Generating ephemeral keys...
Retrieving signed certificate...

Note that there may be personally identifiable information associated with this signed artifact.
This may include the email address associated with the account with which you authenticate.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs.

Are you sure you would like to continue? [y/N] y
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore...
Successfully verified SCT...
tlog entry created with index: 12086900
Pushing signature to: $IMAGE

Slide 42

Slide 42 text

Signing - Keyless

Slide 43

Slide 43 text

Example Scenario – Verify - Keyless
> cosign verify $IMAGE --certificate-identity=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER

Slide 44

Slide 44 text

Example Scenario Storage

Slide 45

Slide 45 text

Example Scenario Artefact? You mean container image?

Slide 46

Slide 46 text

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md
"Content other than OCI container images MAY be packaged using the image manifest."
Artefact? You mean container image?

Slide 47

Slide 47 text

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md
"Content other than OCI container images MAY be packaged using the image manifest."
{
  "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
  "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0",
  "size": 32654
}

Slide 48

Slide 48 text

Example Scenario https://github.com/opencontainers/image-spec/blob/main/manifest.md
Subject: "This value, used by the referrers API, indicates a relationship to the specified manifest."
{
  "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
  "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0",
  "size": 32654
}

Slide 49

Slide 49 text

Example Scenario Image, SBOM, Signatures, etc = Artefacts

Slide 50

Slide 50 text

Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM, Signatures, etc = Artefacts

Slide 51

Slide 51 text

Example Scenario – ORAS Attach
> IMAGE=repo/net-monitor@sha256:073b..555a
> oras attach --artifact-type example.sbom.v0 $IMAGE sbom.spdx.json
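What the artifacts guidance (slides 47-48) and `oras attach` (slide 51) amount to on the wire, as an added example that is not part of the slides or of ORAS: a non-image artefact is packaged in an ordinary OCI image manifest whose `artifactType` says what it is and whose `subject` names the image manifest it describes, and the registry's referrers API is just a lookup of stored manifests by that `subject` digest. `attach_manifest`, `referrers` and `demo` are hypothetical helper names; the SBOM and signature bytes are constructed stand-ins.

```python
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"

def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(media_type, content):
    """OCI content descriptor for a blob: mediaType, digest and size."""
    return {"mediaType": media_type, "digest": digest_of(content), "size": len(content)}

def manifest_bytes(manifest):
    """A manifest is addressed by the digest of the exact bytes pushed to the registry."""
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()

def attach_manifest(subject, artifact_type, blob_media_type, blob):
    """Image manifest packaging a non-image artefact (artifacts guidance): artifactType
    says what it is, 'subject' names the manifest it describes (what 'oras attach' pushes)."""
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": artifact_type,
        "config": descriptor(OCI_EMPTY, b"{}"),  # OCI 1.1 empty config blob
        "layers": [descriptor(blob_media_type, blob)],
        "subject": subject,
    }

def referrers(stored, subject_digest, artifact_type=None):
    """Registry-side view of the referrers API: descriptors of every stored manifest
    whose 'subject' points at subject_digest, optionally filtered by artifactType."""
    out = []
    for m in stored:
        if m.get("subject", {}).get("digest") != subject_digest:
            continue
        if artifact_type and m.get("artifactType") != artifact_type:
            continue
        raw = manifest_bytes(m)
        out.append({"mediaType": m["mediaType"], "digest": digest_of(raw),
                    "size": len(raw), "artifactType": m.get("artifactType")})
    return out

def demo():
    # Constructed sample data: a stand-in image manifest plus an SBOM and a signature for it.
    image = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
             "config": descriptor(OCI_EMPTY, b"{}"), "layers": []}
    image_desc = descriptor(OCI_MANIFEST, manifest_bytes(image))
    sbom = attach_manifest(image_desc, "example.sbom.v0", "application/spdx+json", b'{"spdxVersion":"SPDX-2.3"}')
    sig = attach_manifest(image_desc, "application/vnd.cncf.notary.signature", "application/cose", b"constructed cose bytes")
    d = image_desc["digest"]
    return d, referrers([image, sbom, sig], d), referrers([image, sbom, sig], d, "example.sbom.v0")
```

Because the image manifest itself is never modified, attaching an SBOM or signature does not change the image digest the consumer pinned.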

Slide 52

Slide 52 text

Example Scenario Image, SBOM, Signatures, etc = Artefacts

Slide 53

Slide 53 text

Tools & Workflows Consumer Focused

Slide 54

Slide 54 text

Example Scenario

Slide 55

Slide 55 text

Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other

Slide 56

Slide 56 text

Example Scenario – Example Workflow
1. Copy to internal artefact store (A)
2. Deploy to UAT
3. Does it pass UAT?

Slide 57

Slide 57 text

Example Scenario – Example Workflow
1. Copy to internal artefact store (A)
2. Deploy to UAT
3. Does it pass UAT?
   • If failed, do nothing
   • If it passes, push to artefact store (B)

Slide 58

Slide 58 text

Example Scenario – Example Workflow
1. Copy to internal artefact store (A)
2. Deploy to UAT
3. Does it pass UAT?
   • If failed, do nothing
   • If it passes, push to artefact store (B)
4. Build any custom images that have the base as the image we ingested.
   • Go to step (2)…

Slide 59

Slide 59 text

Example Scenario
Continuous vulnerability scanning of container images in internal repositories.
• Every X hours
• Scan for vulnerabilities using the SBOM
• Store report
• Create alerts & quarantine

Slide 60

Slide 60 text

Example Scenario Continuous vulnerability scanning of container images in internal repositories. Microsoft Defender For Cloud And More…

Slide 61

Slide 61 text

Example Scenario – Scan SBOM
> trivy sbom sbom.spdx.json
> cat sbom.spdx.json | grype
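The scheduled "scan for vulnerabilities using the SBOM, store report, alert & quarantine" loop of slide 59 and the SBOM scan of slide 61, reduced to its core in an added example that is not from the slides, Trivy or Grype: the CycloneDX components are matched by purl against a vulnerability feed and the worst severity drives the quarantine decision. The SBOM, the feed (with placeholder advisory ids) and the package names are all constructed; `split_purl`, `scan_sbom` and `report` are hypothetical helper names, and the exact-version matching is a simplification of the version-range matching real scanners perform.

```python
import json

# Constructed CycloneDX SBOM, shaped like the output of 'trivy fs --format cyclonedx'.
# Package names and versions are made up for the example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-parser", "version": "1.4.2", "purl": "pkg:pypi/acme-parser@1.4.2"},
    {"type": "library", "name": "acme-http", "version": "2.0.0", "purl": "pkg:npm/acme-http@2.0.0"},
    {"type": "library", "name": "zlib1g", "version": "1.2.13", "purl": "pkg:deb/debian/zlib1g@1.2.13"}
  ]
}"""

# Constructed vulnerability feed keyed by versionless purl; the ids are placeholders,
# not real advisories. A real scanner (trivy, grype) loads this from its database.
VULN_DB = {
    "pkg:pypi/acme-parser": [
        {"id": "VULN-PLACEHOLDER-1", "affected": {"1.4.1", "1.4.2"}, "severity": "CRITICAL"}],
    "pkg:npm/acme-http": [
        {"id": "VULN-PLACEHOLDER-2", "affected": {"1.9.0"}, "severity": "MEDIUM"}],
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def split_purl(purl):
    """Split 'pkg:type/ns/name@version' into (name without version, version);
    qualifiers ('?...') are dropped for this example."""
    base = purl.split("?", 1)[0]
    name, _, version = base.partition("@")
    return name, version

def scan_sbom(sbom_text):
    """Match every component's purl against the feed. Exact-version matching only,
    a simplification of the version-range matching real scanners do."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = split_purl(comp["purl"])
        for vuln in VULN_DB.get(name, []):
            if version in vuln["affected"]:
                findings.append({"purl": comp["purl"], "id": vuln["id"],
                                 "severity": vuln["severity"]})
    return findings

def report(findings, quarantine_at="HIGH"):
    """The stored report plus the alert/quarantine decision: anything at or
    above the threshold quarantines the image."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    max_severity = next((s for s, r in SEVERITY_RANK.items() if r == worst), "NONE")
    return {"findings": findings, "max_severity": max_severity,
            "quarantine": worst >= SEVERITY_RANK[quarantine_at]}
```

Re-running `scan_sbom` on the stored SBOM every X hours is what turns a one-off scan into continuous scanning: the SBOM does not change, the feed does.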

Slide 62

Slide 62 text

Example Scenario

Slide 63

Slide 63 text

Example Scenario
Protecting the last mile using “admission control”
Allows you to enforce policy like…
• Only packages from “trusted” sources can be run.
• Check if pulled image has vulnerability report with high severity items, etc.
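The two policy kinds listed above, plus the "check for signature / provenance / SBOM" list of slide 55, as an added example of an admission decision that is not from the slides or from Ratify, Gatekeeper or Kyverno. It assumes the image's referrers have already been fetched and summarised into the `attached` list (the `maxSeverity` field on the report entry is a constructed summary, not a registry field); `parse_image_ref` and `admit` are hypothetical names, the allowlist is constructed, and signature validity is left to `notation verify` / `cosign verify` as on the earlier slides: this policy only checks that the required artefacts are present.

```python
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
TRUSTED_REGISTRIES = {"registry.internal.example"}   # constructed allowlist
SIGNATURE_TYPE = "application/vnd.cncf.notary.signature"
SBOM_TYPE = "example.sbom.v0"                # artifactType used on the ORAS slide
VULN_REPORT_TYPE = "example.vuln-report.v0"  # constructed artifactType for the scan report

def parse_image_ref(ref):
    """Split 'registry/repo@sha256:...' or 'registry/repo:tag' into its parts.
    Tags are mutable, so the policy below insists on a digest."""
    registry, _, rest = ref.partition("/")
    if "@" in rest:
        repo, digest = rest.split("@", 1)
        return registry, repo, None, digest
    repo, _, tag = rest.partition(":")
    return registry, repo, tag or None, None

def admit(ref, attached):
    """Admission decision for a workload image. 'attached' is the image's referrers as
    a registry would list them, each with an 'artifactType' and, for the vulnerability
    report, a constructed 'maxSeverity' summary. Returns (allowed, reasons)."""
    reasons = []
    registry, _, _, digest = parse_image_ref(ref)
    if registry not in TRUSTED_REGISTRIES:
        reasons.append(f"untrusted source: {registry}")
    if digest is None:
        reasons.append("image not pinned by digest")
    types = {a["artifactType"] for a in attached}
    if SIGNATURE_TYPE not in types:
        reasons.append("no signature attached")
    if SBOM_TYPE not in types:
        reasons.append("no SBOM attached")
    reports = [a for a in attached if a["artifactType"] == VULN_REPORT_TYPE]
    if not reports:
        reasons.append("no vulnerability report attached")
    else:
        worst = max(SEVERITY_RANK.get(a.get("maxSeverity", "NONE"), 0) for a in reports)
        if worst >= SEVERITY_RANK["HIGH"]:
            reasons.append("vulnerability report contains HIGH or CRITICAL items")
    return not reasons, reasons
```

Returning every reason rather than the first one makes the denial actionable for the team that pushed the image.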

Slide 64

Slide 64 text

Example Scenario Protecting the last mile using “admission control” Ratify

Slide 65

Slide 65 text

Example Scenario

Slide 66

Slide 66 text

Example Scenario

Slide 67

Slide 67 text

Wrapping Up
▪ Generate SBOMs + Provenance
▪ Sign and Attest
▪ OCI Registry As Storage
▪ Verify Signature
▪ Continuous Vulnerability Scanning
▪ Admission Control

Slide 68

Slide 68 text

Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com

Slide 69

Slide 69 text

Links
• https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/
• https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/
• SLSA Supply Chain Threats: https://slsa.dev/spec/v1.0/threats-overview
• https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom
• Tern: https://github.com/tern-tools/tern
• BOM: https://github.com/kubernetes-sigs/bom
• SYFT: https://github.com/anchore/syft
• MS-SBOM-Tool: https://github.com/microsoft/sbom-tool
• SLSA Provenance: https://slsa.dev/spec/v1.0/provenance
• Notary Project/Notation CLI: https://notaryproject.dev/
• Cosign: https://github.com/sigstore/cosign
• In-toto attestation framework: https://github.com/in-toto/attestation
• ORAS: https://oras.land/
• Trivy: https://github.com/aquasecurity/trivy
• Grype: https://github.com/anchore/grype
• OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper
• Ratify: https://ratify.dev/
• Kyverno: https://kyverno.io/
Slides: https://speakerdeck.com/dasiths/building-trust-brick-by-brick-exploring-the-landscape-of-modern-secure-supply-chain-tools

Slide 70

Slide 70 text

Presentation template designed by powerpointify.com Special thanks to all people who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths