Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Richard Fan
August 25, 2024
Technology
0
51
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
52
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
150
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
57
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
70
Create your first AWS Nitro Enclaves application
richardfan1126
0
63
Building Security Data Lake
richardfan1126
0
19
Other Decks in Technology
See All in Technology
Datadog で実現するセキュリティ対策 ~オブザーバビリティとセキュリティを 一緒にやると何がいいのか~
a2ush
0
170
脳が溶けた話 / Melted Brain
keisuke69
1
1.1k
「お金で解決」が全てではない!大規模WebアプリのCI高速化 #phperkaigi
stefafafan
5
2.4k
Zephyr(RTOS)でOpenPLCを実装してみた
iotengineer22
0
150
JEDAI認定プログラム JEDAI Order 2026 受賞者一覧 / JEDAI Order 2026 Winners
databricksjapan
0
400
イベントで大活躍する電子ペーパー名札を作る(その2) 〜 M5PaperとM5PaperS3 〜 / IoTLT @ JLCPCB オープンハードカンファレンス
you
PRO
0
210
「通るまでRe-run」から卒業!落ちないテストを書く勘所
asumikam
3
850
ブラックボックス化したMLシステムのVertex AI移行 / mlops_community_62
visional_engineering_and_design
1
230
Why we keep our community?
kawaguti
PRO
0
330
GitHub Advanced Security × Defender for Cloudで開発とSecOpsのサイロを超える: コードとクラウドをつなぐ、開発プラットフォームのセキュリティ
yuriemori
1
110
開発チームとQAエンジニアの新しい協業モデル -年末調整開発チームで実践する【QAリード施策】-
qa
0
400
OpenClawでPM業務を自動化
knishioka
1
320
Featured
See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.1k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2.1k
Prompt Engineering for Job Search
mfonobong
0
240
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.2k
New Earth Scene 8
popppiees
2
1.9k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
160
Into the Great Unknown - MozCon
thekraken
40
2.3k
[SF Ruby Conf 2025] Rails X
palkan
2
870
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
310
It's Worth the Effort
3n
188
29k
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
SiteGround - Reliable hosting with speed, security, and support you can count on.
richardfan1126
a2ush
keisuke69
stefafafan
iotengineer22
databricksjapan
you
asumikam
visional_engineering_and_design
kawaguti
yuriemori
qa
knishioka
maggiecrowley
inesmontani
mfonobong
kastner
popppiees
jlugia
pwiseman
thekraken
palkan
addyosmani
katarinadahlin
3n
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}