The State of Your Supply Chain
1 .The State of Your Supply Chain Andrew Martin, Control Plane Maya Kaczorowski, Google Cloud Nov 15 2018
2 . Hi! Maya Kaczorowski Security PM, Google @MayaKaczorowski Andy Martin Founder, Control Plane Dev-like, sec-ish, ops-y @sublimino
3 .
4 .What is a supply chain? Anything that we depend upon ○ e.g., the military need to know where all their hardware and software comes from and who builds them, to protect against state attacks ○ e.g., pharmaceutical companies likewise need to know the provenance of their ingredients
5 .
6 .
7 .What is a software supply chain? Any code that ends up running in production [Diagram: Developer → CI/CD pipeline (Analysis, Build, Scan, Test, QA) → Production environment (VMs and pods running microservices)]
8 .Software supply chains can be exploited ● Vulnerabilities in dependencies, e.g., open-source packages ● Deliberate backdoors ● Compromised downloads, e.g., typosquatting
9 .Software supply chains can be exploited ● Vulnerabilities in dependencies, e.g., open-source packages ● Deliberate backdoors ● Compromised downloads, e.g., typosquatting [Examples shown alongside: Apache Struts vulnerability; malicious signed binary; compromised software update server]
10 .What's different about supply chains with containers ● VM based: monolithic application on VMs in the production environment; manual adjustment (debug, patch, update, restart): hard
11 .What's different about supply chains with containers ● VM based: monolithic application on VMs in the production environment; manual adjustment (debug, patch, update, restart): hard ● Container based: microservices in pods on VMs in the production environment; build & deploy, then re-build & re-deploy, through the CI/CD pipeline (Analysis, Build, Scan, Test, QA): easy
12 .Stages of the CDLC (Container Delivery Lifecycle) ● Base image ● Code ● Build ● Application image ● Deploy [Diagram: Developer → CI/CD pipeline (Analysis, Build, Scan, Test, QA) → Production environment (VMs and pods running microservices)]
13 .https://www.slideshare.net/FranklinMosley/devsecops-a-new-hope-for-security-in-cicd
14 .Base Image ● Controlled base images: official external images, copied into the organisation and promoted through dedicated pipelines ○ e.g. Docker Hub official images ● Hash based addressing: image has a verifiable “identity” ○ Hashes help ensure we have immutable images ○ Hashes are static - whereas tags are transitory and a possible risk
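An added example (not from the talk) of checking the two Base Image controls above on a Dockerfile: every `FROM` must come from a controlled registry and be addressed by hash rather than by tag. The registry name `registry.example.internal:5000`, the finding labels and the sample Dockerfile are assumptions made for illustration.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
CONTROLLED = {"registry.example.internal:5000"}  # assumed internal registry
# Constructed sample Dockerfile; the digest is a dummy value.
SAMPLE = """\
FROM golang:1.11 AS build
FROM registry.example.internal:5000/base/debian:9 AS tools
FROM registry.example.internal:5000/base/alpine@sha256:%s
COPY --from=build /app /app
""" % ("a" * 64)

def parse_image_ref(ref):
    """Split [registry/]repository[:tag][@digest] into a 4-tuple."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError("malformed digest in %r" % ref)
    tag = None
    # Only a ':' after the last '/' is a tag; an earlier one is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest or None
    # Docker Hub shorthand such as "alpine" or "user/app"
    return "docker.io", name if slash else "library/" + name, tag, digest or None

def audit_image(ref, controlled=CONTROLLED):
    """Return findings for one reference; an empty list means compliant."""
    registry, _, tag, digest = parse_image_ref(ref)
    findings = []
    if registry not in controlled:
        findings.append("registry-not-controlled")
    if digest is None:
        findings.append("mutable-tag" if tag else "implicit-latest")
    return findings

def audit_dockerfile(text, controlled=CONTROLLED):
    """Audit each FROM line, skipping 'scratch' and earlier build stages."""
    stages, report = set(), {}
    for line in text.splitlines():
        words = [w for w in line.split() if not w.startswith("--")]
        if len(words) < 2 or words[0].upper() != "FROM":
            continue
        ref = words[1]
        if ref != "scratch" and ref not in stages:
            report[ref] = audit_image(ref, controlled)
        if len(words) >= 4 and words[2].upper() == "AS":
            stages.add(words[3])
    return report
```

A reference that carries both a tag and a digest counts as pinned, because the digest is what identifies the image content.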
15 .Code ● Static analysis: of code in-IDE (style, AST-analysis, atoms of confusion) ● Dependency analysis: Immediate and transitive (pom.xml, package.json, requirements.txt and pals)
16 .Build ● Hermetic builds: Isolated build environment ○ No inter-build data or artefact leakage ● Reproducible builds: Repeatable build from source to binary ○ Build dependencies cached within an organisation's estate ○ Pinned versions for deterministic builds ○ Only helps security if you actually do reproduce it - not great for incremental builds ● The future: rootless builds: Build without privileged access ○ Tools like umoci, img, buildah, kaniko are moving towards a safer build environment ○ The class of build-time attacks this is mitigating against are aspirational rather than in-the-wild right now
17 .Application Image scans ● Vulnerability scanning: CVE scans (operating system components, installed binaries/JARs/tarballs) ○ Patching ○ Removing packages ○ Smaller distribution ● Configuration scanning: Make it easy to do the right thing ○ Secrets in code ○ Images running as root ○ Misconfigurations ● Policy: filesystem configuration and Discretionary Access Controls, xattrs, SUID/SGID, runtimes and debug tools, etc.
18 .Deploy ● Admission control: Gated admission to production based on policy, compliance, and other metadata from previous build stages ● Runtime configurations: Adherence to PodSecurityPolicy and Kubesec.io risk based on runtime configuration of the images that comprise a pod
19 .Enforced Governance ● Containers are short lived and frequently re-deployed, you can constantly be patching. ● Containers are immutable, you can control what is deployed in your environment.
20 .Ideal, security-hardened container supply chain ● Base image: Controlled base images, Hash based addressing ● Code: Static analysis, Dependency analysis ● Build: Hermetic, Reproducible, Rootless ● Application image: Vulnerability scanning, Configuration scanning ● Deploy: Admission control, Runtime configurations
21 .State of the Ecosystem
22 .Open-source supply chain today ● Base image: Images: Docker Hub ● Code: Updates: TUF, Notary ● Build: Pipeline metadata: Grafeas, in-toto ● Application image: Vulnerability scanning: Clair, Micro Scanner, Anchore Open Source Engine ● Deploy: Admission control: K8s admission controllers, Kritis, Portieris
23 .Images
24 .Docker Hub ● Offers hundreds of ‘official’ images, including base images ○ Alpine ○ Debian ○ Ubuntu ● Best practices ○ Pull latest ○ Don’t trust blindly: check when last patched, scan for vulnerabilities
25 .Updates
26 .TUF vs Notary ● The Update Framework (TUF) is a secure distribution mechanism, for signing software package updates ● Notary is an implementation of TUF for container images specifically ● Both CNCF projects
27 .The Update Framework (TUF) ● Software package signing ● Secure key distribution mechanism ○ Update keys delegated by root key ○ Offline rotation ○ Temporal expiration ○ Resistant to replay attacks
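An added example (not from the talk and not TUF's reference implementation) of the client-side checks behind "temporal expiration" and "resistant to replay attacks": a valid signature alone is not enough, the metadata must also be unexpired and no older than what the client already trusts. It is a simplified model of TUF-style metadata; HMAC-SHA256 stands in for the asymmetric role signatures so that it runs on the standard library, and all keys, key ids and dates are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def _mac(key, signed):
    # HMAC-SHA256 over canonical JSON: a stand-in for an asymmetric signature.
    body = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_metadata(version, expires, keyid, key):
    """Repository side: produce signed metadata (constructed sample data)."""
    signed = {"version": version, "expires": expires}
    return {"signed": signed,
            "signatures": [{"keyid": keyid, "sig": _mac(key, signed)}]}

def check_update(meta, role_keys, trusted_version, now):
    """Client side: decide whether to accept newly fetched metadata.

    role_keys maps keyid -> key for the keys the root role currently delegates to.
    """
    signed = meta["signed"]
    valid = any(s["keyid"] in role_keys and
                hmac.compare_digest(s["sig"], _mac(role_keys[s["keyid"]], signed))
                for s in meta["signatures"])
    if not valid:
        return "reject: signature"
    if datetime.fromisoformat(signed["expires"]) <= now:
        return "reject: expired"      # temporal expiration
    if signed["version"] < trusted_version:
        return "reject: rollback"     # replay of older, validly signed metadata
    return "accept"

def demo():
    key = b"constructed-demo-key"
    now = datetime(2018, 11, 15, tzinfo=timezone.utc)
    keys = {"k1": key}
    old = make_metadata(3, "2018-11-01T00:00:00+00:00", "k1", key)
    stale = make_metadata(3, "2018-12-01T00:00:00+00:00", "k1", key)
    new = make_metadata(5, "2018-12-01T00:00:00+00:00", "k1", key)
    rotated = {"k2": b"constructed-new-key"}  # k1 no longer delegated by root
    return [check_update(old, keys, 3, now), check_update(stale, keys, 4, now),
            check_update(new, keys, 4, now), check_update(new, rotated, 4, now)]
```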
28 .Notary ● Implementation of TUF for image distribution ○ Server + database ○ Signer + database ● Signs and validates images ○ Signed collections ○ Key delegation ● Best practices ○ Store the master root key offline ○ Key rotation
29 .Pipeline metadata