Blueprint for Secure OSS Supply Chains
Tracy Miranda, Chainguard
About Me
● Head of Open Source at Chainguard
Previously:
● Executive director at the Continuous Delivery Foundation
● Director of Open Source Community at CloudBees, working with Jenkins & Jenkins X
● Governing board of Eclipse Foundation
● 20+ years in open source!
● Grew up in Kenya, became a citizen of UK and now living in Ottawa, Canada.
Keeping Jenkins Users Safe
https://www.csoonline.com/article/3256314/hackers-exploit-jenkins-servers-make-3-million-by-mining-monero.html
Software supply chain attacks increased 650% in 2021.
https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
Open source has become a critical part of global infrastructure
https://www.cncf.io/blog/2021/12/20/new-slashdata-report-5-6-million-developers-use-kubernetes-an-increase-of-67-over-one-year/
There is no single fix; each link is an attack vector.
Today’s solutions, where they exist, are very fragmented and often bolted on.
Existing solutions are not comprehensive, let alone developer friendly.
How are companies tackling this today?
Check out our blog post series on NIST’s SSDF:
● Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
● I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
● How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
Regulation is on the way
It gets worse
● No automated tooling for policies required by NIST’s SSDF.
● Organizations don’t know what code they’re running, where it came from, or how it got there.
● There’s no central place to do this - it requires integration between CI/CD and production tooling, and cooperation between Compliance, Security, DevOps, and engineering teams.
● Shortage of cybersecurity professionals.
Blueprint for Secure OSS Supply Chains
A comprehensive solution that integrates with existing tooling where possible.
Secure-by-default; security baked in, not bolted on.
Seamless security that does not slow down developers.
Open source must not be an afterthought.
The easy way must be the secure way
Photo by David Clode
Supply chain Levels for Software Artifacts, or SLSA (salsa).
The industry road map for software supply chain integrity.
slsa.dev
SLSA Levels
● Supply chain is documented
● Infrastructure to generate provenance
● Systems are prepared for higher SLSA levels
● Requires version control and a hosted build service
● Build systems generate authenticated provenance
● Signatures are used to prevent tampering with provenance
● The system’s builds meet specific standards to guarantee auditability of the source and integrity of the provenance
● The system has more hardened CI
● Requires 2-person review to catch mistakes & deter bad behavior
● Dependencies are tracked in provenance
● Optional reproducible builds can add additional auditability and reliability benefits
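What a consumer-side provenance check can look like, as an added example that is not part of the original slides: it checks an artifact against an in-toto statement carrying a SLSA v0.2 provenance predicate. The artifact bytes, builder ID, URIs and digests are constructed for illustration, and verifying the signature on the provenance is a separate step not shown here.

```python
import hashlib

PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifact and statement (not taken from a real project).
ARTIFACT = b"constructed release tarball bytes"
TRUSTED_BUILDERS = {"https://ci.example.com/hosted-builder"}
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": PROVENANCE_V02,
    "subject": [{"name": "app-1.0.tar.gz",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "builder": {"id": "https://ci.example.com/hosted-builder"},
        "materials": [
            {"uri": "git+https://git.example.com/org/app",
             "digest": {"sha1": "a" * 40}},
            # Dependency recorded without a digest: cannot be audited later.
            {"uri": "pkg:pypi/somelib@2.1.0", "digest": {}},
        ],
    },
}


def check_provenance(artifact: bytes, statement: dict, trusted_builders: set) -> list:
    """Return a list of policy problems; an empty list means the check passed."""
    problems = []
    if statement.get("predicateType") != PROVENANCE_V02:
        problems.append("unexpected predicate type")

    # The artifact we hold must be one of the subjects the build attested to.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest is not a provenance subject")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        problems.append(f"untrusted builder: {builder_id}")

    # Dependencies tracked in provenance are only useful when pinned by digest.
    materials = predicate.get("materials", [])
    if not materials:
        problems.append("no materials recorded")
    for material in materials:
        if not material.get("digest"):
            problems.append(f"material not pinned by digest: {material.get('uri')}")
    return problems


if __name__ == "__main__":
    for problem in check_provenance(ARTIFACT, STATEMENT, TRUSTED_BUILDERS):
        print("FAIL:", problem)
```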
SLSA Roadmap
“If your build pipeline is the meal, SLSA is what gets poured over, to complete it.”
– Michael Lieberman, Senior Software Supply Chain Security Engineer at Citi
Kubernetes SLSA Compliance Assessment
https://github.com/kubernetes/release/issues/2227
Software Bill of Materials
sigstore
Making sure your software’s what it claims to be
A new standard for signing, verifying and protecting software.
Modern ‘keyless’ signing removes painful key management.
Developer adoption by Kubernetes, Python, Maven, Ruby and more!
Enterprise adoption by HPE, Bloomberg, Citi, US Department of Defense.
sigstore
● Sign code: Automate authentication and cryptography in the background so you can focus on code
● Verify signatures: A transparency log stores data on who created something and how, so you can ensure no changes have been made
● Monitor activity: Logged data is auditable for future monitors and integrations to build into your security workflow
https://blog.sigstore.dev/kubernetes-signals-massive-adoption-of-sigstore-for-protecting-open-source-ecosystem-73a6757da73
Conclusion
● Evaluate your OSS project using SLSA
● Take incremental steps to improve
● Implement code signing with Sigstore
● Implement SBOM support
● Get help from the OSS community
● Rinse & repeat
The End
Tracy Miranda_DevOps Loop, May 2022.pdf
