In this talk I’ll explain what is the Software Supply Chain, common threats and mitigations and how they apply to IAC ecosystem too. I’ll show off security threats using Terraform and its ecosystem and finally i’ll talk about OCI images talking about digital signatures and SBOM using Sigstore and Syft. I’ll do a live coding session showing off how to deploy secure OCI images on K8S cluster with security policies built with Kyverno, the session includes also security scanning using the generated SBOM.
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cloud.pdf
1. Deep dive into the
secure software supply chain
on Infrastructure as Code (IaC)
2. Paolo Mainardi
➔ Co-founder and CTO @Sparkfabrik
➔ Linux Foundation Europe Advisory Member
➔ Blog: paolomainardi.com
➔ Podcast: Continuous Delivery
➔ linkedin.com/in/paolomainardi
➔ continuousdelivery.social/@paolomainardi
➔ paolo.mainardi@sparkfabrik.com
@paolomainardi
3. ➔ What is a Software Supply Chain
➔ IaC and OCI containers
➔ DEMO of Sigstore and Syft
THE
SESSION
4. “A supply chain is a network
of individuals and companies
who are involved in creating
a product and delivering it
to the consumer”
6. 2020
About 18,000 customers of SolarWinds installed the infected updates,
including firms like Microsoft (Cisco, Intel, Deloitte) and top government US agencies
like Pentagon, Homeland security, National Nuclear Security etc.
7. WHAT SOLARWINDS TAUGHT US
● Only install signed versions ❌
● Update your software to the latest version ❌
● Review source code ❌
● Closed source is more secure by design ❌
CONVENTIONAL SECURITY ADVICE
THAT DON’T APPLY HERE:
9. Timeline - Log4shell 2021 - CVE-2021-44228
➔ 24th November: Issue discovered by Chen Zhaojun of the Alibaba Cloud Security Team,
and reported to the Apache Software Foundation.
➔ 9th December: The RCE 0-day vulnerability was tweeted along with a POC posted on
GitHub - RCE can be fired just by passing a certain string
◆ Hours later hundreds of companies and governments confirmed to be
affected to Log4Shell attacks
➔ 10th December: Apache released an emergency security update and details on a critical
vulnerability in Log4j - assigning a CVSS score of 10.
➔ Patches introduced other critical vulnerabilities: CVE-2021–45046 - CVE-2021–45105 -
CVE-2021–4104
➔ All applications using directly or indirectly log4j are affected as a result of a supply
chain dependency
20. TERRAFORM: PROVIDERS AND MODULES
● Providers are API implementation (GCP, AWS, DO etc…) and Modules are
groups of resources.
● Terraform providers and modules used in your Terraform configuration
have full access to the variables and Terraform state within a workspace
21. ● Modules don’t have any form of signature or checksum (tampering risk)
● Anyone can publish a module on public Terraform Registry from a Github
repository (typosquatting risk)
● Modules versions are based on git tags (tampering risk)
TERRAFORM: ANATOMY OF A MODULE AND SECURITY RISKS
22. What can a module do,
other than create cloud
resources?
23. TERRAFORM: MODULE MALICIOUS CODE
● Can run any form of custom code (local-exec, external)
● Can interact with the network using the http provider
24. Hey team, we have an urgency for a big marketing campaign
just confirmed by the customer.
We need to deploy a new static website on GCP
and give access to an external team
to let them update it when needed, can you help us?
Please 🥺
BUSINESS REQUEST ON THURSDAY, DEADLINE IS FRIDAY
25. TERRAFORM: Find a module on Google: “gcp static website terraform”
Step 1 - Found the module we need
33. TERRAFORM: MODULE MALICIOUS CODE
Do not blindly trust community modules
Always use a static security scan tool like
Checkhov or TFscan or Trivy
Not enough alone, write your own policies.
35. OCI stands for Open Container Initiative.
OCI defines the specifications and standards
for container technologies
(Runtime, Image and Distribution spec).
Container registries can be also used to store
other kind of artifacts (like Helm charts)
or just any arbitrary files.
36. What is the trusting model behind a Container Image,
or in general, a digital artifact?
How can i be sure that what I’m running
is coming from a trusted source?
38. SECURE SOFTWARE SUPPLY CHAIN CHECKLIST
✅ Who built it, when and how
(Signatures and Provenance Attestations)
✅ The list of things who made the artifact
(SBOM - Software Bill of Material)
39. DIGITAL SIGNATURES 101
Integrity
Ensure the data signed was
not altered.
Authenticity
Attest that the data was
sent by the signer.
Non-repudiation
Ensure that the signer
cannot deny the authenticity
of the signature.
41. DIGITAL SIGNATURES - SIGSTORE
Sigstore is an OSS
project under the
umbrella of OpenSSF
foundation.
Fast growing
community and
mainstream adopted
Used in Kubernetes
and many other big
vendors
(Github, Rubygems, Arch Linux etc..)
42. DIGITAL SIGNATURES - SIGSTORE
Keyless signing of any
software artifact
Signatures metadata
are stored in a public
tamper-resistant log
Signatures are stored
alongside images in
OCI registry
43. SBOM:
SOFTWARE
BILL OF
MATERIALS
A list of “ingredients”
for a software artifact
Can be used for:
➔ Vulnerability scanning
➔ Software transparency
➔ License policy
➔ Find abandoned dependencies
44. SBOM
FOR
CONTAINERS
Creating a SBOM for an artifact is a
complex problem
Dependencies live at different levels:
➔ Operating system (Windows, Debian, Alpine
etc…)
➔ Operating system dependencies (RPM, DEB,
APK, PKG…)
➔ Application dependencies (Composer, NPM,
Rubygems, Pypi, etc…)
➔ Static binaries and their dependencies (Go,
Rust etc…)
47. Takeaways
➔ Software Supply Chain security must be taken
very seriously
➔ IaC suffers from the same issues of the software
projects
➔ Always use static analysis tools for like Checkov
| Trivy | TFSec
➔ Sign your artifacts, Sigstore is nice and easy!
➔ Generate SBOM and scan for vulnerabilities
Snyk | Grype | Trivy
➔ Automate your dependencies with DependaBot
or RenovateBot