APAC Hybrid Cloud KOPI Hour (E8) - Securing The Software Supply Chain

This week we’re again joined by the Red Hat Demo Gurus! Stop by for a chat with Prakhar and Tyrell to take us on a journey into the exciting world of Software Supply Chain Security. Following up from their excellent blog at https://www.redhat.com/en/blog/improving-containerization-security the team will discuss the why and how of this important topic and give us a real world demonstration of some of the cool products and tools Red Hat has to offer in this space.

Red Hat Livestreaming

September 27, 2023
Transcript

  1. Demo
    Securing The Software Supply Chain

  2. Introduction
    - What is SW supply chain security?
    - Why is SW supply chain security critical?
    - Executive Order (EO) 14028
    - Developer Flow
    - Shift Left
    - Code > Build > Monitor
    - High-Level Architecture
    - Demonstration

  3. What is SW Supply Chain Security?

  4. DevSecOps vs SW Supply Chain Security
    ▸ Both concepts address security in the software development life cycle (SDLC). They are closely related but have different focus areas.
    ▸ DevSecOps combines the principles of DevOps—which emphasizes collaboration and automation between development and operations teams—with security practices to create a culture of security within the software development life cycle.
    ▸ SW Supply Chain Security aims to identify and mitigate risks associated with the software supply chain, including the potential for malicious or compromised components. This involves ensuring the integrity, authenticity, and confidentiality of software components, as well as monitoring and managing the dependencies and third-party libraries used in software development.

  5. Why is software supply chain security critical?

  6. Software supply chain attacks: a matter of when, not if
    Ransom paid is a mere fraction of the overall downtime and recovery costs of a data breach
    - 742%: average annual increase in software supply chain attacks over the past 3 years [1]
    - 20%: of data breaches are due to a compromised software supply chain [2]
    - 78%: have initiatives to increase collaboration between DevOps and Security teams [3]
    - 92%: say enterprise open source solutions are important as their business accelerates to the open hybrid cloud [4]
    [1] State of the Software Supply Chain | [2] Cost of a Data Breach 2022 - IBM Report | [3] State of Kubernetes Security Report 2022 - Red Hat Report | [4] State of Enterprise Open Source 2022 - Red Hat Report

  7. Growing attack surfaces with new, emerging threats daily
    Software supply chain security is a critical component of securing data, IP and source code
    ● Stolen Certificates
    ● Typosquatting Attack
    ● Dependency Confusion
    ● Compromised Build Environment
    ● Malware preinstalled on devices
    ● Malicious code in firmware

  8. Governments around the world are raising the bar
    Executive Order (EO) 14028: Improving the Nation's Cybersecurity
    ● establishes baseline security standards for development of software sold to the government.
    ● charges multiple agencies – including NIST [National Institute of Standards and Technology] – with enhancing cybersecurity
    ● Section 4 directs NIST to "develop guidelines...which are ultimately aimed at U.S. federal agencies but which also are available for industry and others to use"
    …doing business with U.S. federal agencies will require SSDF [secure software development framework] compliance.

  9. Red Hat Trusted Software Supply Chain

  10. Red Hat: Providing trusted enterprise open source software for 30+ years
    ▸ All code is cloned in internal repositories.
    ▸ Strong distribution mechanisms with signed packages.
    ▸ Strong safeguards against tampering.
    ▸ Minimal modifications over product lifetimes protect from unwanted and potentially risky upstream code changes.

  11. Developer Flow
    (Diagram) Developer inner loop: Code, Build / Package, Test, Debug. Outer loop: Push, Pull/Merge Request, Code Review, Build, Deploy, Security Tests, Compliance, Production.

  12. From Source to Production
    (Diagram) Developer → SCM → Development → QA → Staging → Production → Router → Users, with security shifted left toward the developer.

  13. Red Hat Trusted Software Supply Chain: Code with integrated application security checks
    ▸ Trusted curated content
    ▸ Automated software composition analysis and dependency analytics
    ▸ Aggregated view with drill down on security health
    ▸ Cryptographic signing and verification
    (Diagram) Code stage: Universal Base Image, Language Runtime, Application Libraries; Software Composition Analysis; Digitally Signed & Verified; new: Provenance, Attestation of Curated Content.
    Catch security issues early to keep and grow user trust

  14. Red Hat Trusted Software Supply Chain: Build with security focused CI/CD workflows
    ▸ Integrated security guardrails across pipelines
    ▸ Auto-generated Software Bill of Materials (SBOM)
    ▸ Attestations and provenance checks
    ▸ Deployment based on policies to a declared state
    ▸ Continuous image vulnerability scanning
    (Diagram) Code and Build stages: Artifact Building, Image Building, Image Scanning, Software Composition Analysis, Digitally Signed & Certified; new: Deployment Gates.
    Meet industry compliance while increasing productivity and efficiency
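As an added illustration of the attestation, provenance and deployment-gate bullets on this slide (example code written for this page, not the Red Hat Trusted Software Supply Chain implementation), the following gate admits an image only when an in-toto/SLSA-style provenance statement names its digest, the builder is on an allowlist, and its SBOM covers the same digest and contains no denied component versions. The in-toto/SLSA field layout, the builder ids, the simplified SBOM shape and the denylist entry are assumptions for the example, not taken from the slides.

```python
import hashlib
import json

# Constructed policy for this example; these ids and the denylist entry are placeholders,
# not Red Hat product configuration.
TRUSTED_BUILDERS = {"https://ci.example.internal/trusted-pipeline"}
DENIED_COMPONENTS = {("libexample", "1.2.3")}
SLSA_PROVENANCE = "https://slsa.dev/provenance/v1"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gate(image_bytes: bytes, provenance: dict, sbom: dict) -> list:
    """Return policy violations for one artifact; an empty list means it may deploy."""
    violations, digest = [], sha256_hex(image_bytes)
    # 1. The provenance attestation must name this exact artifact by digest.
    subjects = {s["digest"]["sha256"] for s in provenance.get("subject", [])}
    if digest not in subjects:
        violations.append("provenance does not attest this image digest")
    # 2. It must be a SLSA provenance statement from a builder the platform trusts.
    if provenance.get("predicateType") != SLSA_PROVENANCE:
        violations.append("attestation is not SLSA provenance")
    builder = provenance.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        violations.append(f"untrusted builder: {builder!r}")
    # 3. The SBOM must describe this artifact and contain no denied component versions.
    if sbom.get("subjectDigest") != digest:
        violations.append("SBOM does not describe this image digest")
    for comp in sbom.get("components", []):
        if (comp["name"], comp["version"]) in DENIED_COMPONENTS:
            violations.append(f"denied component {comp['name']}@{comp['version']}")
    return violations

# Constructed sample input standing in for a built image, its attestation and its SBOM.
IMAGE = b"constructed image manifest bytes"
GOOD_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": sha256_hex(IMAGE)}}],
    "predicateType": SLSA_PROVENANCE,
    "predicate": {"runDetails": {"builder": {"id": "https://ci.example.internal/trusted-pipeline"}}},
}
CLEAN_SBOM = {"subjectDigest": sha256_hex(IMAGE), "components": [{"name": "openssl", "version": "3.0.7"}]}

def demo():
    """Gate the trusted build, then the same bytes with an unknown builder and a denied library."""
    bad_prov = json.loads(json.dumps(GOOD_PROVENANCE))
    bad_prov["predicate"]["runDetails"]["builder"]["id"] = "https://unknown.example/runner"
    bad_sbom = {"subjectDigest": sha256_hex(IMAGE), "components": [{"name": "libexample", "version": "1.2.3"}]}
    return gate(IMAGE, GOOD_PROVENANCE, CLEAN_SBOM), gate(IMAGE, bad_prov, bad_sbom)
```

A real gate would additionally verify the signature over the attestation and SBOM before trusting any of their fields; this example only shows the policy decisions that follow once they are authenticated.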

  15. Continuous security monitoring at runtime
    Cut down alert noise and fatigue to eliminate production downtime
    (Diagram) Code, Build and Monitor stages on a security-enhanced, enterprise open source foundation (Universal Base Image, Language Runtime, Application Libraries): integrated application security checks; security focused CI/CD workflows; Monitor (new): OSS Risk Profiles, Images, Containers, Clusters, Network. Runs on virtual, physical and hybrid environments: flexibility and choice of any environment; standardize, share and store with centralized access controls.

  16. Layered security throughout the stack and lifecycle
    Achieve business agility while meeting security requirements
    (Diagram) Code, Build and Monitor stages on a security-enhanced, enterprise open source foundation (Universal Base Image, Language Runtime, Application Libraries): integrated application security checks; security focused CI/CD workflows; continuous runtime security monitoring (new). Runs on virtual, physical and hybrid environments: flexibility and choice of any environment; standardize, share and store with centralized access controls.

  17. High Level Architecture

  18. High Level Deployment Architecture

  19. Thank you
    Digital transformation
    Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
    linkedin.com/company/red-hat | youtube.com/user/RedHatVideos | facebook.com/redhatinc | twitter.com/RedHat