Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Trust Brick by Brick: Exploring the La...

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools

https://youtu.be/n7noS4pLb0U

In the rapidly evolving landscape of software development, open source dependencies have become the building blocks of modern applications, enabling rapid innovation and collaboration. However, this newfound efficiency comes with inherent risks, as the supply chain for software becomes increasingly complex and vulnerable to various threat vectors.

In "Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools," we embark on a captivating journey through the critical importance of secure supply chains in the software development lifecycle. Join us as we delve into the challenges posed by open source dependencies and the innovative tools that have emerged to address them.

We live in a Kubernetes world. As more and more workloads are run on Kubernetes, it becomes essential that every dependency that contributes to compiling, building, and running workloads need to come under the scanner. We will explore tools that allow you to build a chain of trust from source code to running container instances.

During this talk, we will explore how the convergence of software development and secure supply chains has become paramount in instilling confidence and mitigating risks. We will examine the threat vectors that jeopardize the integrity of the software supply chain and highlight the need for comprehensive security measures.

Dasith Wijesiriwardena

October 09, 2023
Tweet

More Decks by Dasith Wijesiriwardena

Other Decks in Technology

Transcript

  1. Building Trust Brick by Brick Exploring the Landscape of Modern

    Secure Supply Chain Tools 11-12 OCT 2023 Dasith Wijesiriwardena Juan Burckhardt Jason Goodsell
  2. Container Registries as artefact stores Introduction to supply chain threats

    Agenda Consumer focused tools Producer focused tools Questions
  3. Software Supply Chain What is it? Software supply chain is

    composed of the components, libraries, tools, and processes used to develop, build, and publish a software artefact.
  4. Example Scenario SBOM - filesystem > trivy fs --format cyclonedx

    <path> > SBOM.cyclonedx.json SBOM – container > trivy image --format cyclonedx <image> > SBOM.cyclonedx.json Container Image – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/container_image/ Filesystem – Trivy https://aquasecurity.github.io/trivy/v0.47/docs/target/filesystem/
  5. Example Scenario > IMAGE=repo/net-monitor@sha256:073b..555a > notation sign --signature-format cose $IMAGE

    > notation ls $IMAGE repo/net-monitor@sha256:073b..555a └── application/vnd.cncf.notary.v2.signature └── sha256:ba3a..38b Signing View Signature
  6. Example Scenario > notation policy import ./trustpolicy.json > notation verify

    $IMAGE Trust Policy Verify Signature https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust- policy.md#trust-policy
  7. Example Scenario Signing – With Key > cosign sign --key

    cosign.key <IMAGE> Verify – With Key > cosign verify --key cosign.pub <IMAGE> https://github.com/sigstore/cosign/blob/main/doc/cosign_verify.md https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md
  8. Example Scenario Attest – With Key > cosign attest --predicate

    <FILE> --type <TYPE> --key cosign.key <IMAGE> Verify Attestation – With Key > cosign verify-attestation --key cosign.pub --type <PREDICATE_TYPE> <IMAGE> https://github.com/sigstore/cosign/blob/main/doc/cosign_verify- attestation.md https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md
  9. Example Scenario Signing - Keyless > cosign sign $IMAGE Generating

    ephemeral keys... Retrieving signed certificate... Note that there may be personally identifiable information associated with this signed artifact. This may include the email address associated with the account with which you authenticate. This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs. Are you sure you would like to continue? [y/N] y Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore... Successfully verified SCT... tlog entry created with index: 12086900 Pushing signature to: $IMAGE
  10. Example Scenario https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md Content other than OCI container images MAY

    be packaged using the image manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }
  11. Example Scenario https://github.com/opencontainers/image-spec/blob/main/manifest.md Subject: This value, used by the referrers

    API, indicates a relationship to the specified manifest. { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0", "size": 32654 }
  12. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B)
  13. Example Scenario Example Workflow 1. Copy to internal artefact store

    (A) 2. Deploy to UAT 3. Does it pass UAT? • If failed, do nothing • If it passes, push to artefact store (B) 4. Build any custom images that have the base as the image we ingested. • Go to step (2)…
  14. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. • Every X hours • Scan for vulnerabilities using the SBOM • Store report • Create alerts & quarantine
  15. Example Scenario Continuous vulnerability scanning of container images in internal

    repositories. Microsoft Defender For Cloud And More…
  16. Example Scenario Protecting the last mile using “admission control” Allows

    you to enforce policy like… • Only packages from “trusted” sources can be run. • Check if pulled image has vulnerability report with high severity items, etc.
  17. Wrapping Up ▪ Generate SBOMs + Provenance ▪ Sign and

    Attest ▪ OCI Registry As Storage ▪ Verify Signature ▪ Continuous Vulnerability Scanning ▪ Admission Control
  18. Links • https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/ • https://stevelasker.blog/2023/02/22/signed-sealed-and-distributed/ • SLSA Supply Chain Threats:

    https://slsa.dev/spec/v1.0/threats-overview • https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom • Tern: https://github.com/tern-tools/tern • BOM: https://github.com/kubernetes-sigs/bom • SYFT: https://github.com/anchore/syft • MS-SBOM-Tool: https://github.com/microsoft/sbom-tool • SLSA Provenance: https://slsa.dev/spec/v1.0/provenance • Notary Project/Notation CLI: https://notaryproject.dev/ • Cosign: https://github.com/sigstore/cosign • In-toto attestation framework: https://github.com/in-toto/attestation • ORAS: https://oras.land/ • Trivy: https://github.com/aquasecurity/trivy • Grype: https://github.com/anchore/grype • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper • Ratify: https://ratify.dev/ • Kyverno: https://kyverno.io/ https://speakerdeck.com/dasiths/building- trust-brick-by-brick-exploring-the- landscape-of-modern-secure-supply-chain- tools Slides:
  19. Presentation template designed by powerpointify.com Special thanks to all people

    who made and shared these awesome resources for free: CREDITS Photographs by unsplash.com Free Fonts used: https://www.fontsquirrel.com/fonts/oswald @dasiths