Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Australia 2023 - Building Trust Brick b...

apidays
October 24, 2023

apidays Australia 2023 - Building Trust Brick by Brick, Dasith Wijesiriwardena, Juan Burckhardt, Jason Goodsell, Microsoft

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools
Dasith Wijesiriwardena, Senior Software Engineer at Microsoft
Juan Burckhardt, Senior Software Engineer at Microsoft
Jason Goodsell, Senior Software Engineer at Microsoft

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

October 24, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. Building Trust Brick by Brick Exploring the Landscape of Modern

    Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell
  2. Container Registries as artefact stores Introduction to supply chain threats

    Agenda Consumer focused tools Producer focused tools Questions
  3. Software Supply Chain What is it? Software supply chain is

    composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.
  4. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)
  5. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…
  6. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine
  7. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. Microsoft Defender For Cloud And More…
  8. Example Scenario Protecting the last mile using “admission control” Allows

    you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.
  9. Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and

    Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control
  10. Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats:

    https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:
  11. Presentation template designed by powerpointify.com Special thanks to all people

    who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths