About Me
● Head of Open Source at Chainguard
Previously:
● Executive director at the Continuous Delivery Foundation
● Director of Open Source Community at
CloudBees, working with Jenkins & Jenkins X
● Governing board of Eclipse Foundation
● 20+ years in open source!
● Grew up in Kenya, became a citizen of the UK and now living in Ottawa, Canada.
Software supply chain attacks increased 650% in 2021.
https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
Open source has become a critical part of global infrastructure
https://www.cncf.io/blog/2021/12/20/new-slashdata-report-5-6-million-developers-use-kubernetes-an-increase-of-67-over-one-year/
There is no single fix, each link is an attack vector.
Today’s solutions, where they exist, are very fragmented and often bolted on.
Existing solutions are not comprehensive, let alone developer-friendly.
How are companies tackling this today?
Check out our blog post series on NIST’s SSDF:
● Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
● I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
● How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
Regulation is on the way
It gets worse
● No automated tooling for policies required by NIST’s SSDF.
● Organizations don’t know what code they’re running, where it came from, or how it got there.
● There’s no central place to do this - it requires integration between CI/CD and production tooling, and cooperation between Compliance, Security, DevOps, and engineering teams.
● Shortage of cybersecurity professionals.
A comprehensive solution that integrates with existing tooling where possible.
Secure-by-default; security baked in, not bolted on.
Seamless security that does not slow down developers.
Open source must not be an afterthought.
The easy way must be the secure way
Supply chain Levels for Software Artifacts, or SLSA (salsa).
The industry road map for software supply chain integrity.
slsa.dev
SLSA Levels
Level 1
● Supply chain is documented
● Infrastructure to generate provenance
● Systems are prepared for higher SLSA levels
Level 2
● Requires version control and a hosted build service
● Build systems generate authenticated provenance
● Signatures are used to prevent tampering with provenance
Level 3
● The system’s builds meet specific standards to guarantee auditability of the source and integrity of the provenance
● The system has more hardened CI
Level 4
● Requires 2-person review to catch mistakes & deter bad behavior
● Dependencies are tracked in provenance
● Optional reproducible builds can add additional auditability and reliability benefits
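The levels above all revolve around provenance: a signed statement of what was built, by which build service, from which source. What a consumer does with that statement is a policy check. The following Python script is an added example (not from the slides or the SLSA project) of such a check: it hashes an artifact, confirms the provenance's subject digest matches, requires a builder from an allow-list (a hosted build service, as Level 2 demands), requires the expected source repository, and requires every material to be pinned by digest. The statement layout follows the public in-toto Statement v0.1 / SLSA Provenance v0.2 schema; the artifact bytes, builder ID, build type and repository URI are constructed placeholders.

```python
"""Check a SLSA provenance statement against an artifact and a local policy.

Added example, not from the slides or the SLSA project. The statement follows
the public in-toto Statement v0.1 / SLSA Provenance v0.2 layout; the artifact
bytes, builder ID, build type and repository URI are constructed placeholders.
"""
import hashlib

# Constructed sample artifact (stands in for a released tarball).
ARTIFACT = b"example release payload v1.0.0\n"

# Constructed provenance attestation, shaped as a hosted builder would emit it.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{
        "name": "example-1.0.0.tar.gz",
        "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://builder.example.invalid/hosted@v1"},  # placeholder
        "buildType": "https://builder.example.invalid/build-types/ci@v1",  # placeholder
        "invocation": {"configSource": {
            "uri": "git+https://git.example.invalid/org/repo@refs/heads/main",
            "digest": {"sha1": "0" * 40},  # placeholder commit
            "entryPoint": "build.yaml",
        }},
        "materials": [{
            "uri": "git+https://git.example.invalid/org/repo@refs/heads/main",
            "digest": {"sha1": "0" * 40},  # placeholder commit
        }],
    },
}

# Policy the consumer controls: trusted build services and the expected source repo.
POLICY = {
    "trusted_builders": {"https://builder.example.invalid/hosted@v1"},
    "expected_source": "git+https://git.example.invalid/org/repo@",
}


def verify_provenance(artifact: bytes, statement: dict, policy: dict) -> list:
    """Return the list of policy violations; an empty list means the artifact passes."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("not an in-toto Statement v0.1")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("predicateType is not SLSA provenance v0.2")

    # 1. The statement must be about *this* artifact: match on digest, never on file name.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not listed in subject")

    pred = statement.get("predicate", {})
    # 2. Only a hosted, trusted build service counts (SLSA 2+ requires one);
    #    a build from a developer laptop shows up here as an unknown builder ID.
    builder = pred.get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append(f"untrusted builder: {builder}")

    # 3. The build must have been configured from the expected source repository.
    src = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not src.startswith(policy["expected_source"]):
        problems.append(f"unexpected source: {src}")

    # 4. Every material (dependency) must be pinned by digest so the build is auditable.
    for m in pred.get("materials", []):
        if not m.get("digest"):
            problems.append(f"material without digest: {m.get('uri')}")
    return problems


def with_builder(statement: dict, builder_id: str) -> dict:
    """Copy of a statement with a different builder ID (used to show a rejection)."""
    pred = dict(statement["predicate"])
    pred["builder"] = {"id": builder_id}
    return {**statement, "predicate": pred}


if __name__ == "__main__":
    print("genuine:", verify_provenance(ARTIFACT, PROVENANCE, POLICY))
    print("tampered artifact:", verify_provenance(ARTIFACT + b"x", PROVENANCE, POLICY))
    laptop = with_builder(PROVENANCE, "https://laptop.example.invalid")
    print("untrusted builder:", verify_provenance(ARTIFACT, laptop, POLICY))
```

The script assumes the statement's signature has already been verified (that is what sigstore covers); the policy check only decides whether a genuine statement describes an artifact you are willing to run. Matching on the digest rather than the subject name is the important detail: names are free text, digests are not.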
SLSA Roadmap
“If your build pipeline is the meal, SLSA is what gets poured over, to complete it.”
– Michael Lieberman, Senior Software Supply Chain Security Engineer at Citi
sigstore
Making sure your software’s what it claims to be
A new standard for signing, verifying and protecting software.
Modern ‘keyless’ signing removes painful key management.
Developer adoption by Kubernetes, Python, Maven, Ruby and more!
Enterprise adoption by HPE, Bloomberg, Citi, US Department of Defense.
sigstore
Sign code: Automate authentication and cryptography in the background so you can focus on code
Verify signatures: A transparency log stores data on who created something and how, so you can ensure no changes have been made
Monitor activity: Logged data is auditable for future monitors and integrations to build into your security workflow
Conclusion
● Evaluate your OSS project using SLSA
● Take incremental steps to improve
● Implement code signing with Sigstore
● Implement SBOM support
● Get help from the OSS community
● Rinse & repeat