Building Trust Brick by Brick Exploring the Landscape of Modern Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell 

HELLO! Jason Dasith Juan @dasiths https://dasith.me @jsburckhardt 

Container Registries as artefact stores Introduction to supply chain threats Agenda Consumer focused tools Producer focused tools Questions 

Software Supply Chain What is it? Software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact. 

Introduction to Supply Chain Threats 

Producer Threats https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ 

Producer Threats https://slsa.dev/spec/v1.0/threats-overview 

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ 

Consumer Threats https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ 

Example Scenario 

Example Scenario 

Producer Focused Tools & Workflows 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 2 reviewers required to approve any PR = Reduce risk of insider threats 

Example Scenario 

Example Scenario https://www.ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf Transparency Security Compliance 

Example Scenario And More… https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/ 

Example Scenario SBOM - filesystem > trivy fs --format cyclonedx > SBOM.cyclonedx.json SBOM – container > trivy image --format cyclonedx > SBOM.cyclonedx.json Container Image – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/container_image/ Filesystem – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/filesystem/ 

Example Scenario 

Example Scenario 

Example Scenario Provenance: Describe how an artifact or set of artifacts was produced. 

Securely Storing And Sharing Supply Chain Artefacts 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario 

Example Scenario https://notaryproject.dev/ 

Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > notation sign --signature-format cose $IMAGE > notation ls $IMAGE repo/net-monitor@sha256:073b..555a └── application/vnd.cncf.notary.v2.signature └── sha256:ba3a..38b Signing View Signature 

Example Scenario > notation policy import ./trustpolicy.json > notation verify $IMAGE Trust Policy Verify Signature https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust- policy.md#trust-policy 

Example Scenario https://www.sigstore.dev/ https://github.com/in-toto/attestation 

Example Scenario Signing – With Key > cosign sign --key cosign.key Verify – With Key > cosign verify --key cosign.pub https://github.com/sigstore/cosign/blob/main/doc/cosign_verify.md https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md 

Example Scenario Attest – With Key > cosign attest --predicate --type --key cosign.key Verify Attestation – With Key > cosign verify-attestation --key cosign.pub --type https://github.com/sigstore/cosign/blob/main/doc/cosign_verify- attestation.md https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md 

Example Scenario Signing - Keyless > cosign sign $IMAGE Generating ephemeral keys... Retrieving signed certificate... Note that there may be personally identifiable information associated with this signed artifact. This may include the email address associated with the account with which you authenticate. This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs. Are you sure you would like to continue? [y/N] y Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore... Successfully verified SCT... tlog entry created with index: 12086900 Pushing signature to: $IMAGE 

Signing - Keyless 

Example Scenario Verify - Keyless > cosign verify $IMAGE --certificate-identity=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER 

Example Scenario Storage 

Example Scenario Artefact? You mean container image? 

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY be packaged using the image manifest. Artefact? You mean container image? 

Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY be packaged using the image manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 } 

Example Scenario https://github.com/opencontainers/image-spec/blob/main/manifest.md Subject: This value, used by the referrers API, indicates a relationship to the specified manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 } 

Example Scenario Image, SBOM, Signatures, etc = Artefacts 

Example Scenario OCI Registry As Storage - https://oras.land/ Image, SBOM, Signatures, etc = Artefacts 

Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > oras attach --artifact-type example.sbom.v0 $IMAGE sbom.spdx.json ORAS Attach 

Example Scenario Image, SBOM, Signatures, etc = Artefacts 

Tools & Workflows Consumer Focused 

Example Scenario 

Example Scenario Check For… ❑Signature ❑Provenance ❑SBOM ❑Other 

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT? 

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 

Example Scenario Example Workflow 1. Copy to internal artefact store (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)… 

Example Scenario Continuous vulnerability scanning of container images in internal repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine 

Example Scenario Continuous vulnerability scanning of container images in internal repositories. Microsoft Defender For Cloud And More… 

Example Scenario Scan SBOM > trivy sbom sbom.spdx.json > cat sbom.spdx.json | grype 

Example Scenario 

Example Scenario Protecting the last mile using “admission control” Allows you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc. 

Example Scenario Protecting the last mile using “admission control” Ratify 

Example Scenario 

Example Scenario 

Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control 

Any questions? THANKS! @dasiths dasith.me https://www.nationalgeographic.com/travel/destinations/asia/sri-lanka/ @jsburckhardt burckman.com 

Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats: https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides: 

Presentation template designed by powerpointify.com Special thanks to all people who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths