In this talk we will talk about how to ensure the security and quality of the software we deploy on Kubernetes using open-source tools like Sigstore, Kyverno and Syft/Grype.
We will explain what a secure supply chain is, why it is important and how to implement it with these tools. We will also show you how to generate and verify SBOMs (Software Bill of Materials) of your OCI (Open Container Initiative) artifacts. And finally, we will show you some practical examples of how to use these technologies in action.
We hope you enjoy it and find it useful!
2. Who we are
Paolo Mainardi
@paolomainardi
➔ Co-founder and CTO @ Sparkfabrik
➔ Linux Foundation Europe Advisory Member
➔ Blog: paolomainardi.com
➔ linkedin.com/in/paolomainardi
continuousdelivery.social/@paolomainardi
➔ Co-host of Continuous Delivery podcast
3. Who we are
Andrea Panisson
@andypanix
➔ Platform Engineer @ Sparkfabrik
➔ GitHub: https://github.com/andypanix
➔ Linkedin: https://www.linkedin.com/in/andreapanisson
4. The session
● What is a (Software) Supply Chain
● OCI Containers and threats
● Digital signatures, attestations and SBOM
● DEMO
(a prayer to the Demo Gods )
5. “A supply chain is a network of individuals and companies who
are involved in creating a product and delivering it to the
consumer”
7. About 18,000 customers of SolarWinds installed the infected updates,
including firms like Microsoft (Cisco, Intel, Deloitte) and top government
US agencies like Pentagon, Homeland security, National Nuclear Security
etc.
2020
14. OCI stands for Open Container Initiative.
OCI defines the specifications and standards
for container technologies
(Runtime, Image and Distribution spec).
They can be also used to store
other kind of artifacts (like Helm charts)
or just any arbitrary files (like oras.land).
15. What is the trusting model behind a Container Image,
or in general, a digital artifact ?
How can i be sure that what i’m running is coming
from a trusted source ?
16. Secure software supply chain checklist
● Who built it, when and how (Signatures and Provenance
Attestations)
● The list of things who made the artifact (SBOM)
17. Digital signatures 101
Integrity
Ensure the data
signed was not
altered.
Authenticity
Attest that the data
was sent by the
signer.
Non-repudiation
Ensure that the
signer cannot deny
signing the content.
19. Digital signatures - Sigstore
● Sigstore is an OSS project under the umbrella of OpenSSF
foundation.
● Fast growing community and mainstream adopted
● Used in Kubernetes and many other big vendors (Github,
Rubygems, Arch Linux etc..)
20. Digital signatures - Sigstore
● Signatures are stored alongside images in OCI registry
● It can sign any software artifact (Cosign) and signs are
stored in a public tamper-resistant public log (Rekor)
● Keyless signing
21. Secure software supply chain checklist
● Who built it, when and how (Signatures and Provenance
Attestations)
● The list of things who made the artifact (SBOM)
23. SBOM - Software Bill of Materials
● A list of “ingredients” for a
software artifact
● Can be used for:
○ Vulnerability scanning
(supply chain security)
○ Software transparency
○ License policy
○ Find abandoned
dependencies
24. SBOM - For containers
Creating a SBOM for a Container is a complex problem, dependencies live at
different levels:
● Operating system (Debian, Alpine etc…)
● Operating system dependencies (RPM, DEB, APK, PKG…)
● Manually installed dependencies (curl)
● Application dependencies (NPM, Rubygems, Pypi, Composer etc…)
● Static binaries and their dependencies (Go, Rust etc…)
Some tools can also measure the SBOM “quality”: SBOM Scorecard and NTIA
Conformance Checker.
29. What can we do?
● Sign your artifacts - Sigstore is easy and nice!
● Generate SBOM and scan for vulnerabilities
30. THANKS
https://slsa.dev
It’s a security framework, a check-list of
standards and controls to prevent tampering,
improve integrity, and secure packages and
infrastructure in your projects, businesses or
enterprises. It’s how you get from safe enough
to being as resilient as possible, at any link
in the chain.
https://openssf.or
g
The OpenSSF is a cross-industry organization
that brings together the industry’s most
important open source security initiatives and
the individuals and companies that support them.
The OpenSSF is committed to collaboration and
working both upstream and with existing
communities to advance open source security for
all