Más contenido relacionado

Similar a Tracy Miranda_DevOps Loop, May 2022.pdf(20)

Más de VMware Tanzu(20)


Tracy Miranda_DevOps Loop, May 2022.pdf

  1. Blueprint for Secure OSS Supply Chains Tracy Miranda, Chainguard
  2. About Me 2 ● Head of Open Source at Chainguard Previously: ● Executive director at the Continuous Delivery Foundation ● Director of Open Source Community at CloudBees, working with Jenkins & Jenkins X ● Governing board of Eclipse Foundation ● 20+ years in open source! ● Grew up in Kenya, became a citizen of UK and now living in Ottawa, Canada.
  3. 3 Keeping Jenkins Users Safe
  4. 4 Software supply chain attacks increased 650% in 2021.
  5. 5 Open source has become a critical part of global infrastructure
  6. There is no single fix, each link is an attack vector. Today’s solutions, where they exist, are very fragmented and often bolted on. Existing solutions are not comprehensive let alone developer friendly. 6 How are companies tackling this today?
  7. Check out our blog post series on NIST’s SSDF: ● Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework? ● I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For ● How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations 7 Regulation is on the way
  8. It gets worse ● No automated tooling for policies required by NIST’s SSDF. ● Organizations don’t know what code they’re running, where it came from, or how it got there. ● There’s no central place to do this - it requires integration between CI/CD and production tooling, and cooperation between Compliance, Security, DevOps, and engineering teams. ● Shortage of cybersecurity professionals. 8
  9. 9 Blueprint for Secure OSS Supply Chains
  10. A comprehensive solution that integrates with existing tooling where possible. Secure-by-default; security baked in, not bolted on. Seamless security that does not slow down developers. Open source must not be an afterthought. 10 The easy way must be the secure way Photo by David Clode
  11. Supply chain Levels for Software Artifacts, or SLSA (salsa). 11 The industry road map for software supply chain integrity.
  12. SLSA Levels ● Supply chain is documented ● Infrastructure to generate provenance ● Systems are prepared for higher SLSA levels ● Requires version control and a hosted build service ● Build systems generate authenticated provenance ● Signatures are used to prevent tampering with provenance ● The system’s builds meet specific standards to guarantee auditability of the source and integrity of the provenance ● The system has more hardened CI ● Requires 2-person review to catch mistakes & deter bad behavior ● Dependencies are tracked in provenance ● Optional reproducible builds can add additional auditability and reliability benefits
  13. SLSA Roadmap “If your build pipeline is the meal, SLSA is what gets poured over, to complete it.” – Michael Lieberman, Senior Software Supply Chain Security Engineer at Citi
  14. 14 Kubernetes SLSA Compliance Assessment
  15. 15 Software Bill of Materials
  16. sigstore Making sure your software’s what it claims to be 16 A new standard for signing, verifying and protecting software. Modern ‘keyless’ signing removes painful key management. Developer adoption by Kubernetes, Python, Maven, Ruby and more! Enterprise adoption by HPE, Bloomberg, Citi, US Department of Defense.
  17. sigstore Sign code Automate authentication and cryptography in the background so you can focus on code Verify signatures A transparency log stores data on who created something and how, so you can ensure no changes have been made Monitor activity Logged data is auditable for future monitors and integrations to build into your security workflow
  18. 18
  19. 19 ve-adoption-of-sigstore-for-protecting-open-source- ecosystem-73a6757da73
  20. 20
  21. Conclusion ● Evaluate your OSS project using SLSA ● Take incremental steps to improve ● Implement code signing with Sigstore ● Implement SBOM support ● Get help from the OSS community ● Rinse & repeat
  22. The End 22