SlideShare a Scribd company logo

ISACA SV Chapter: Securing Software Supply Chains

Jim Bugwadia
Jim Bugwadia

Software supply chain attacks increased 650% in 2021. Learn why software supply chains are vulnerable, the types of attacks, and how to prevent them using OSS tools like Sigstore cosign and CNCF Kyverno!

1 of 29
Downloaded 28 times
Securing Software Supply Chains Jim Bugwadia March 3rd, 2022
2 Topics • A modern software supply chain • Software supply chain attacks • Supply Chain Levels for Software Artifacts (SLSA) • Signing and verification with sigstore • Provenance and in-toto attestations • Policy checks with Kyverno • Summary and Q&A
3 About me • Co-founder and CEO, Nirmata • Kyverno Maintainer • Co-chair, Kubernetes Policy WG • Lead, Kubernetes Multi-tenancy WG @JimBugwadia
Software has changed! • Monoliths in VMs • Release every 3-6 months • Manual installation • Containers in Kubernetes • Released several times a day • Continuous delivery across hundreds of installations
Modern applications are composed • Applications can use 100s of OSS and commercial packages • Each package has its own set of dependencies • Managed Services and SaaS are also widely used
Continuous delivery pipelines push to prod • CI/CD environments are highly automated and use declarative principles like IaC and GitOps • CI/CD environments often have access to production systems • CI/CD environments may not be as secure as production
Software Supply Chain Attacks Tripled in 2021 Three types of attacks: 1. Exploit vulnerabilities in dependencies 2. Compromised CI/CD systems and tools 3. Code/artifact integrity Source: Argon
Supply chain threats Source: https://slsa.dev/ 8 threats across three categories
What is SLSA? Source: https://slsa.dev/
SLSA Levels Source: https://slsa.dev/
SLSA Level 1 The build process must be fully scripted/automated and generate provenance. • Provenance is metadata about how an artifact was built, including the build process, top-level source, and dependencies. • Knowing the provenance allows software consumers to make risk- based security decisions. • Provenance at SLSA 1 does not protect against tampering, but it offers a basic level of code source identification and can aid in vulnerability management.
SLSA Level 2 Requires using version control and a hosted build service that generates authenticated provenance. • These additional requirements give the software consumer greater confidence in the origin of the software. • At this level, the provenance prevents tampering to the extent that the build service is trusted. • SLSA 2 also provides an easy upgrade path to SLSA 3. Source: https://slsa.dev/
SLSA Level 3 The source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance respectively. • We envision an accreditation process whereby auditors certify that platforms meet the requirements, which consumers can then rely on. • SLSA 3 provides much stronger protections against tampering than earlier levels by preventing specific classes of threats, such as cross- build contamination. Source: https://slsa.dev/
SLSA Level 4 Requires two-person review of all changes and a hermetic, reproducible build process. • Two-person review is an industry best practice for catching mistakes and deterring bad behavior. • Hermetic builds guarantee that the provenance’s list of dependencies is complete. Reproducible builds, though not strictly required, provide many auditability and reliability benefits. • Overall, SLSA 4 gives the consumer a high degree of confidence that the software has not been tampered with. Source: https://slsa.dev/
SLSA Requirements – Source Code Source: https://slsa.dev/
SLSA Requirements – Build System Source: https://slsa.dev/
SLSA Requirements – Provenance Source: https://slsa.dev/
SLSA Requirements – Common Source: https://slsa.dev/
Signing and Verification with sigstore sigstore is a Linux Foundation project that provides: • cosign: signing and verification • rekor: tamper proof transparency log • fulcio: OIDC based key automation
Provenance and in-toto attestations • Attestations are signed metadata for software artifacts • Produced by a build system • Consumed by policy engines • The in-toto attestation format provides a flexible standard • Attestations can be used to capture: • Provenance data • Vulnerability scan reports • SBOMs • Scorecards • Some attestations (scans) should be generated periodically
Attestations and policies
Kyverno • Kyverno is a Kubernetes native policy engine with integrations for sigstore and in-toto • Kyverno policies are used to verify signatures and attestations • Policies are applied at: • Admission controls • Runtime scans
What policies can verify Verify that the container image: 1. Is signed by the expected approvers 2. Was built using the expected service or machine (provenance) 3. Has a signed SBOM in the expected format 4. Has a signed vulnerability scan report that: • was updated in the last 24 hours • has no vulnerability > 8.0 • has no vulnerabilities other than the expected set 5. Has other required metadata such as code reviews, etc.
Image signing and verification PEP* OCI Registry Policy Administration Point [PAP] Attestations  Provenance data  Vulnerability scan  SBOM  Image CI/CD Pipeline *PEP: Policy Enforcement Point Kubernetes Clusters 1. Admin sets up policies for clusters 2. Developers trigger a build 3. Image and attestations are pushed to the OCI registry 4. Image data is verified at admission controls 5. Image data is verified via runtime scans
Sample pipeline with GitHub Actions
Kyverno policy example 1. Check for provenance data 2. Check for SBOM in CycloneDX format 3. Check for vulnerability scan: a) Created by Trivy b) Up to 24 hours old c) No critical or high vulnerabilities
Nirmata Kubernetes Policy Management any infrastructure or cloud Kubernetes Clusters Build Deploy Run Confidential 27 Containerized Workloads SecOps DevOps FinOps
28 Summary 1. Software supply chain security is critical 2. OSS tools like sigstore, in-toto, and Kyverno are leading the way 3. Nirmata (creators of Kyverno) provides a multi-cluster Kubernetes policy management for supply chain security
Thanks! https://try.nirmata.io
Ad

Recommended

Introduction to DevOps slides.pdf
Introduction to DevOps slides.pdfIntroduction to DevOps slides.pdf
Introduction to DevOps slides.pdf
BoreVishnusai
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Gap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOpsGap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOps
Marc Hornbeek
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
CyberArk
CyberArkCyberArk
CyberArk
Jimmy Sze
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Microsoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewMicrosoft Windows Server 2022 Overview
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Aks pimarox from zero to hero
Aks pimarox from zero to heroAks pimarox from zero to hero
Aks pimarox from zero to hero
Johan Biere
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Keet Sugathadasa
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
ICS
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in Azure
Fidelis Cybersecurity
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
Shikha Srivastava
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
Ad

More Related Content

What's hot (20)

DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
CyberArk
CyberArkCyberArk
CyberArk
Jimmy Sze
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Microsoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewMicrosoft Windows Server 2022 Overview
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Aks pimarox from zero to hero
Aks pimarox from zero to heroAks pimarox from zero to hero
Aks pimarox from zero to hero
Johan Biere
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Keet Sugathadasa
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
ICS
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in Azure
Fidelis Cybersecurity
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
CyberArk
CyberArkCyberArk
CyberArk
Jimmy Sze
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Microsoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewMicrosoft Windows Server 2022 Overview
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Aks pimarox from zero to hero
Aks pimarox from zero to heroAks pimarox from zero to hero
Aks pimarox from zero to hero
Johan Biere
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet SugathadasaSite Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Site Reliability Engineering (SRE) - Tech Talk by Keet Sugathadasa
Keet Sugathadasa
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
ICS
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in Azure
Fidelis Cybersecurity
 

Similar to ISACA SV Chapter: Securing Software Supply Chains (20)

From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
Shikha Srivastava
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
sangam biradar
 
Continuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Continuous Delivery of Cloud Applications: Blue/Green and Canary DeploymentsContinuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Continuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Praveen Yalagandula
 
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Chicago
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
GitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesGitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with Kubernetes
Volodymyr Shynkar
 
Network Security ffffffffffffffffffffffffff
Network Security ffffffffffffffffffffffffffNetwork Security ffffffffffffffffffffffffff
Network Security ffffffffffffffffffffffffff
simonlaurette1
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
Jim Bugwadia
 
Freedom and Responsibility
Freedom and ResponsibilityFreedom and Responsibility
Freedom and Responsibility
Mike Ruangutai
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
Web Application Scanning Flow and features.pptx
Web Application Scanning Flow and features.pptxWeb Application Scanning Flow and features.pptx
Web Application Scanning Flow and features.pptx
alphaa2test
 
Agile testing for embedded software development
Agile testing for embedded software developmentAgile testing for embedded software development
Agile testing for embedded software development
Tom Stiehm
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
Performance testing material
Performance testing materialPerformance testing material
Performance testing material
Keylabstraining Bangalore
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssmNcerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssm
ssmarar
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
Shikha Srivastava
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
sangam biradar
 
Continuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Continuous Delivery of Cloud Applications: Blue/Green and Canary DeploymentsContinuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Continuous Delivery of Cloud Applications: Blue/Green and Canary Deployments
Praveen Yalagandula
 
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Chicago
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Jim Gilsinn
 
GitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesGitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with Kubernetes
Volodymyr Shynkar
 
Network Security ffffffffffffffffffffffffff
Network Security ffffffffffffffffffffffffffNetwork Security ffffffffffffffffffffffffff
Network Security ffffffffffffffffffffffffff
simonlaurette1
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
Jim Bugwadia
 
Freedom and Responsibility
Freedom and ResponsibilityFreedom and Responsibility
Freedom and Responsibility
Mike Ruangutai
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
Web Application Scanning Flow and features.pptx
Web Application Scanning Flow and features.pptxWeb Application Scanning Flow and features.pptx
Web Application Scanning Flow and features.pptx
alphaa2test
 
Agile testing for embedded software development
Agile testing for embedded software developmentAgile testing for embedded software development
Agile testing for embedded software development
Tom Stiehm
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
Performance testing material
Performance testing materialPerformance testing material
Performance testing material
Keylabstraining Bangalore
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssmNcerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssm
ssmarar
 
Ad

More from Jim Bugwadia (12)

Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOps
Jim Bugwadia
 
Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKS
Jim Bugwadia
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKS
Jim Bugwadia
 
Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018
Jim Bugwadia
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
Jim Bugwadia
 
Demystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOpsDemystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOps
Jim Bugwadia
 
Multi-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize AutomationMulti-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize Automation
Jim Bugwadia
 
Cloud Native Applications Maturity Model
Cloud Native Applications Maturity ModelCloud Native Applications Maturity Model
Cloud Native Applications Maturity Model
Jim Bugwadia
 
Containerizing Traditional Applications
Containerizing Traditional ApplicationsContainerizing Traditional Applications
Containerizing Traditional Applications
Jim Bugwadia
 
Accelerating DevOps
Accelerating DevOpsAccelerating DevOps
Accelerating DevOps
Jim Bugwadia
 
Microservices on AWS Spot instances
Microservices on AWS Spot instancesMicroservices on AWS Spot instances
Microservices on AWS Spot instances
Jim Bugwadia
 
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Jim Bugwadia
 
Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOps
Jim Bugwadia
 
Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKS
Jim Bugwadia
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKS
Jim Bugwadia
 
Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018
Jim Bugwadia
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
Jim Bugwadia
 
Demystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOpsDemystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOps
Jim Bugwadia
 
Multi-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize AutomationMulti-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize Automation
Jim Bugwadia
 
Cloud Native Applications Maturity Model
Cloud Native Applications Maturity ModelCloud Native Applications Maturity Model
Cloud Native Applications Maturity Model
Jim Bugwadia
 
Containerizing Traditional Applications
Containerizing Traditional ApplicationsContainerizing Traditional Applications
Containerizing Traditional Applications
Jim Bugwadia
 
Accelerating DevOps
Accelerating DevOpsAccelerating DevOps
Accelerating DevOps
Jim Bugwadia
 
Microservices on AWS Spot instances
Microservices on AWS Spot instancesMicroservices on AWS Spot instances
Microservices on AWS Spot instances
Jim Bugwadia
 
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Jim Bugwadia
 
Ad

Recently uploaded (20)

Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 

ISACA SV Chapter: Securing Software Supply Chains

  • 1. Securing Software Supply Chains Jim Bugwadia March 3rd, 2022
  • 2. 2 Topics • A modern software supply chain • Software supply chain attacks • Supply Chain Levels for Software Artifacts (SLSA) • Signing and verification with sigstore • Provenance and in-toto attestations • Policy checks with Kyverno • Summary and Q&A
  • 3. 3 About me • Co-founder and CEO, Nirmata • Kyverno Maintainer • Co-chair, Kubernetes Policy WG • Lead, Kubernetes Multi-tenancy WG @JimBugwadia
  • 4. Software has changed! • Monoliths in VMs • Release every 3-6 months • Manual installation • Containers in Kubernetes • Released several times a day • Continuous delivery across hundreds of installations
  • 5. Modern applications are composed • Applications can use 100s of OSS and commercial packages • Each package has its own set of dependencies • Managed Services and SaaS are also widely used
  • 6. Continuous delivery pipelines push to prod • CI/CD environments are highly automated and use declarative principles like IaC and GitOps • CI/CD environments often have access to production systems • CI/CD environments may not be as secure as production
  • 7. Software Supply Chain Attacks Tripled in 2021 Three types of attacks: 1. Exploit vulnerabilities in dependencies 2. Compromised CI/CD systems and tools 3. Code/artifact integrity Source: Argon
  • 8. Supply chain threats Source: https://slsa.dev/ 8 threats across three categories
  • 9. What is SLSA? Source: https://slsa.dev/
  • 11. SLSA Level 1 The build process must be fully scripted/automated and generate provenance. • Provenance is metadata about how an artifact was built, including the build process, top-level source, and dependencies. • Knowing the provenance allows software consumers to make risk- based security decisions. • Provenance at SLSA 1 does not protect against tampering, but it offers a basic level of code source identification and can aid in vulnerability management.
  • 12. SLSA Level 2 Requires using version control and a hosted build service that generates authenticated provenance. • These additional requirements give the software consumer greater confidence in the origin of the software. • At this level, the provenance prevents tampering to the extent that the build service is trusted. • SLSA 2 also provides an easy upgrade path to SLSA 3. Source: https://slsa.dev/
  • 13. SLSA Level 3 The source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance respectively. • We envision an accreditation process whereby auditors certify that platforms meet the requirements, which consumers can then rely on. • SLSA 3 provides much stronger protections against tampering than earlier levels by preventing specific classes of threats, such as cross- build contamination. Source: https://slsa.dev/
  • 14. SLSA Level 4 Requires two-person review of all changes and a hermetic, reproducible build process. • Two-person review is an industry best practice for catching mistakes and deterring bad behavior. • Hermetic builds guarantee that the provenance’s list of dependencies is complete. Reproducible builds, though not strictly required, provide many auditability and reliability benefits. • Overall, SLSA 4 gives the consumer a high degree of confidence that the software has not been tampered with. Source: https://slsa.dev/
  • 15. SLSA Requirements – Source Code Source: https://slsa.dev/
  • 16. SLSA Requirements – Build System Source: https://slsa.dev/
  • 17. SLSA Requirements – Provenance Source: https://slsa.dev/
  • 18. SLSA Requirements – Common Source: https://slsa.dev/
  • 19. Signing and Verification with sigstore sigstore is a Linux Foundation project that provides: • cosign: signing and verification • rekor: tamper proof transparency log • fulcio: OIDC based key automation
  • 20. Provenance and in-toto attestations • Attestations are signed metadata for software artifacts • Produced by a build system • Consumed by policy engines • The in-toto attestation format provides a flexible standard • Attestations can be used to capture: • Provenance data • Vulnerability scan reports • SBOMs • Scorecards • Some attestations (scans) should be generated periodically
  • 22. Kyverno • Kyverno is a Kubernetes native policy engine with integrations for sigstore and in-toto • Kyverno policies are used to verify signatures and attestations • Policies are applied at: • Admission controls • Runtime scans
  • 23. What policies can verify Verify that the container image: 1. Is signed by the expected approvers 2. Was built using the expected service or machine (provenance) 3. Has a signed SBOM in the expected format 4. Has a signed vulnerability scan report that: • was updated in the last 24 hours • has no vulnerability > 8.0 • has no vulnerabilities other than the expected set 5. Has other required metadata such as code reviews, etc.
  • 24. Image signing and verification PEP* OCI Registry Policy Administration Point [PAP] Attestations  Provenance data  Vulnerability scan  SBOM  Image CI/CD Pipeline *PEP: Policy Enforcement Point Kubernetes Clusters 1. Admin sets up policies for clusters 2. Developers trigger a build 3. Image and attestations are pushed to the OCI registry 4. Image data is verified at admission controls 5. Image data is verified via runtime scans
  • 25. Sample pipeline with GitHub Actions
  • 26. Kyverno policy example 1. Check for provenance data 2. Check for SBOM in CycloneDX format 3. Check for vulnerability scan: a) Created by Trivy b) Up to 24 hours old c) No critical or high vulnerabilities
  • 27. Nirmata Kubernetes Policy Management any infrastructure or cloud Kubernetes Clusters Build Deploy Run Confidential 27 Containerized Workloads SecOps DevOps FinOps
  • 28. 28 Summary 1. Software supply chain security is critical 2. OSS tools like sigstore, in-toto, and Kyverno are leading the way 3. Nirmata (creators of Kyverno) provides a multi-cluster Kubernetes policy management for supply chain security