Slide 1

Open Source Supply Chain Security in Action
Francisco Raposo, Senior Specialist Solution Architect, Red Hat
Kevin Dubois, Senior Principal Developer Advocate, Red Hat, @kevindubois

Slide 2

dn.dev/quarkusmaster
Kevin Dubois
★ Sr. Principal Developer Advocate at Red Hat
★ Based in Belgium
★ 🗣 Speaks English, Dutch, French, Italian
★ Open Source Contributor (Quarkus, Camel, Knative, ..)
★ Java Champion
@[email protected] | youtube.com/@thekevindubois | linkedin.com/in/kevindubois | github.com/kdubois | @kevindubois.com

Slide 5

Increased regulations, frameworks, directives
Government Cybersecurity Regulations:
- SEC Cybersecurity Rule [1] requires more governance and management regarding material cybersecurity risks and incidents.
- White House Cyber Executive Order 14028
- European Union Cyber Resilience Act
Cybersecurity Agency Frameworks and Directives:
- NSA Cybersecurity Collaboration Center (CCC)
- National Institute of Standards and Technology (NIST)
- Cybersecurity and Infrastructure Security Agency (CISA)
- European Union Agency for Cybersecurity (ENISA)
[1] SEC Final Rule - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Slide 6

The Supply Chain Security space is relatively young; recent activities have highlighted its importance.
DevSecOps Movement: an evolution of the DevOps movement that adds a security component, with increased involvement from security teams and methodologies.
Government Regulations: recent actions by governments across the world have begun to mandate certain steps that must be implemented in order to use software produced by or obtained from external sources.
Initiatives to Drive Increased Security: organizations are looking for additional methods for securing the content they produce and use.

Slide 7

Security Begins With the Community
Open Source Security is Built upon Thriving Open Source Communities

Slide 8

Open Source Projects and Communities
Enterprise Contract
You Have the Opportunity to Influence the Future!

Slide 9

Software Security is a Journey

Slide 10

Domains
Software Composition Scanning: assessing the composition of software assets for potential vulnerabilities.
Signing: applying cryptographic signatures to software assets.
Policy Management/Enforcement: defining and enforcing the conditions that a software asset must comply with in order for it to be used.
SBOMs: tools and processes to better understand the software being produced and its components/dependencies.

Slide 11

Software supply chain security considerations for the software development lifecycle
- Secure the use of source code and transitive dependencies
- Prevent & identify malicious code
- Safeguard build systems early
- Continuously monitor security at runtime

Slide 12

Prevent and identify malicious code

Slide 13

Start with Trusted Content
[Diagram: lifecycle phases Code, Build, Deploy, Monitor, with the controls applied at each phase: software composition analysis, dependency analysis and recommendations, image building and image scanning, artifact signing, SLSA attestation, SBOM generation, YAML and image policy, signature checks and attestation validation, Kubernetes native security across images, clusters and the network. Trusted content covers the Universal Base Image, language runtimes and application libraries, digitally signed and verified, with provenance and attestation of curated content.]
* GUAC: Graph for Understanding Artifact Composition

Slide 14

Give your developers the right tools
[Diagram: the same Code, Build, Deploy, Monitor lifecycle diagram as slide 13, highlighting the Code phase: software composition analysis, dependency analysis and recommendations, and trusted content (Universal Base Image, language runtime, application libraries).]

Slide 15

Safeguard build systems early

Slide 16

Augment and secure your build process (CI)
[Diagram: the same Code, Build, Deploy, Monitor lifecycle diagram as slide 13, highlighting the Build phase: image building, image scanning, artifact signing, SLSA attestation and SBOM generation.]

Slide 17

Augment and secure your deployment process (CD)
[Diagram: the same Code, Build, Deploy, Monitor lifecycle diagram as slide 13, highlighting the Deploy phase: YAML policy, image policy, signature checks and attestation validation.]

Slide 18

Continuously monitor security at runtime

Slide 19

Manage your Security Posture and monitor your platform
[Diagram: the same Code, Build, Deploy, Monitor lifecycle diagram as slide 13, highlighting the Monitor phase: risk profile, Kubernetes native security across images, clusters and the network.]

Slide 20

Shift Security Left in the Software Supply Chain
Protect the components, processes and practices early in your software factory.
Trust and transparency in code management, with integrated templates and guardrails for security-focused pipelines.
[Diagram: RHDH + RHTAS + RHTPA (each marked NEW!) = Red Hat Trusted Application Pipeline]
*Note: Red Hat Trusted Application Pipeline is a single product SKU that includes RHDH, RHTAS, RHTPA.
Roadmap items are subject to change without notice.

Slide 21

SLSA Levels (https://slsa.dev/spec/v1.0/levels)
Level 0: no guarantees.
Level 1: preventing mistakes. Automated build process; generated provenance about the source, build process, artifact and dependencies.
Level 2: preventing tampering after the build. Generated, signed and verifiable provenance.
Level 3: preventing tampering during the build. Prevent runs from influencing one another, and prevent the secret material used to sign provenance from being accessible to the end user’s defined steps.

Slide 22

From Source to Production
[Diagram: Developer → SCM → Development → QA → Staging → Production → Router → Users; "Shift Left" points back toward the developer and SCM end of the flow.]

Slide 23

A generic development process
[Diagram: Code → Build → Deploy → Monitor]
Code: the developer runs git commit to the code repo. Dependencies are declared in pom.xml, requirements.txt or go.mod, and base images are pulled in for the container build.
Build: the pipeline does a git pull, runs (maven) package, builds the container and pushes it to the container registry.
Deploy: K8s deployment definition(s) live in a gitops repo; a second pipeline deploys them.
Monitor.

Slide 24

A security-augmented development process
[Diagram: the same Code → Build → Deploy → Monitor flow as slide 23, with security tooling attached to each step]
Code: git commit to the code repo, signed with gitsign. Red Hat Dependency Analytics checks the dependencies (pom.xml, requirements.txt, go.mod); dependencies and base images come from Red Hat Trusted Content.
Build: the pipeline runs gitsign verify, then git pull, (maven) package and the container build. It signs the image with cosign, generates an SBOM for Red Hat Trusted Profile Analyzer, generates and signs the build pipeline provenance and attestation, and pushes to the registry.
Deploy: verify SLSA compliance. K8s deployment definition(s) in a gitops repo (w/ gitsign) are deployed by Red Hat OpenShift GitOps to Red Hat OpenShift.
Monitor: continuous security scans of stored images with Red Hat Advanced Cluster Security.
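As an added example (not code from the slides or from any Red Hat product), the kind of attestation validation the "verify SLSA compliance" deploy gate performs: a policy check over a constructed SLSA v1.0 provenance statement, assuming a hypothetical trusted builder id and source repository, and assuming the attestation's signature was already verified with cosign before these claims are evaluated.

```python
import json

# Constructed SLSA v1.0 provenance (an in-toto Statement v1); the digests, URIs
# and builder id are placeholders, not the output of any real build system.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "a" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/tekton-build/v1",
            "resolvedDependencies": [{"uri": "git+https://git.example/team/app",
                                      "digest": {"gitCommit": "b" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci@v1"}},
    },
})

# Hypothetical policy inputs: which builders are trusted, which repo the image must come from.
TRUSTED_BUILDERS = {"https://example.com/builders/ci@v1"}
SOURCE_REPO = "git+https://git.example/team/app"


def check_provenance(statement: str, image_digest: str, expected_commit: str) -> list:
    """Return policy violations; an empty list means the image may be deployed.
    Assumes the attestation envelope signature was already verified (for example
    with cosign), so only the signed claims themselves are evaluated here."""
    violations = []
    stmt = json.loads(statement)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        violations.append("not an in-toto Statement v1")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        violations.append("predicate is not SLSA provenance v1")
    # The subject binds the claims to one artifact; a mismatch means the provenance
    # describes a different image than the one being deployed.
    subjects = stmt.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == image_digest for s in subjects):
        violations.append("subject digest does not match image digest")
    pred = stmt.get("predicate") or {}
    builder = ((pred.get("runDetails") or {}).get("builder") or {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        violations.append(f"untrusted builder: {builder}")
    build_def = pred.get("buildDefinition") or {}
    if not build_def.get("buildType"):
        violations.append("missing buildType")
    # The source must be pinned to the exact commit that was reviewed and signed.
    deps = build_def.get("resolvedDependencies") or []
    if not any(d.get("uri") == SOURCE_REPO
               and (d.get("digest") or {}).get("gitCommit") == expected_commit for d in deps):
        violations.append("source repo/commit not found in resolvedDependencies")
    return violations
```

Feeding the image digest from the registry and the commit from the verified gitsign signature into this check ties the deployed artifact to both its builder and its reviewed source.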

Slide 25

Developer Challenges
Application Modernization: 80% of enterprise technologists surveyed plan to modernize more than half of their legacy applications in the next 2 years. Source: The Newstack
Rise of Generative AI: 80% of enterprises will have deployed Generative AI-enabled applications by 2026. Source: Gartner
Developer Productivity: 76% of organizations say the cognitive load is so high that it is a source of low productivity (Source: Salesforce). Gartner predicts 75% of companies will establish platform teams for application delivery (Source: Gartner).
Software Supply Chain Security: 742% average annual increase in software supply chain attacks over the past three years; 45% of organizations will experience attacks. It is a matter of when, not if. Source: Sonatype

Slide 26

76% of organizations say the cognitive load is so high that it is a source of low productivity. Source: Salesforce
Gartner predicts 75% of companies will establish platform teams for application delivery. Source: Gartner

Slide 27

Developer Portals to relieve cognitive load

Slide 29

DEMO

Slide 30

The application
Windmill: push to give energy.
1. Sends the click to a Kafka topic
2. Sends the interaction
3. Updates the UI
Dashboard: Green Energy; Nickname, Team; push to generate energy; cars that need energy; two teams competing (top 5 players); first wins.

Slide 31

Quarkus Apache Kafka Infinispan OpenShift GitOps

Slide 32

V1: Scan to play!

Slide 33

Get started
Sign up at developers.redhat.com
Find out more about Red Hat’s projects and products, and what they offer developers.

Slide 34

Start exploring in the OpenShift Sandbox.
Learn containers, Kubernetes, and OpenShift in your browser.
developers.redhat.com/developer-sandbox
Try Red Hat's products and technologies without setup or configuration.

Slide 35

Thank you very much!
@kevindubois | youtube.com/@thekevindubois | linkedin.com/in/kevindubois | github.com/kdubois | @kevindubois | slides

Slide 36

Thank you
Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
linkedin.com/showcase/red-hat-developer | youtube.com/RedHatDevelopers | facebook.com/RedHatDeveloper | twitter.com/rhdevelopers