The State of Your Supply Chain

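Container security often focuses on runtime best practices while neglecting the software that comes along in the supply chain. Application or library vulnerabilities are a route by which data may be leaked, and containers offer a new opportunity to mitigate this risk. Treating containers as immutable lets us "upgrade" an image by rebuilding and shipping the whole container image, avoiding configuration drift and inconsistent state. This makes it possible to patch software continuously and to easily enforce what is deployed into our environments. In this session we will detail an ideal software supply chain, describe the current state of the ecosystem, and dig into specific tools. We will discuss Grafeas, Kritis, in-toto, Clair, Micro Scanner, TUF and Notary, and demo how to identify a vulnerable image, then automatically rebuild and redeploy it.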

1.The State of Your Supply Chain Andrew Martin, Control Plane Maya Kaczorowski, Google Cloud Nov 15 2018

2. Hi! Maya Kaczorowski, Security PM, Google (@MayaKaczorowski). Andy Martin, Founder, Control Plane; Dev-like, sec-ish, ops-y (@sublimino).

3.

4.What is a supply chain? Anything that we depend upon ○ e.g., the military need to know where all their hardware and software comes from and who builds them, to protect against state attacks ○ e.g., pharmaceutical companies likewise need to know the provenance of their ingredients

5.

6.

7.What is a software supply chain? Any code that ends up running in production [Diagram: Developer, then CI/CD pipeline (Analysis, Build, Scan, Test, QA), then Production environment (microservice pods on VMs)]

8.Software supply chains can be exploited ● Vulnerabilities in dependencies, e.g., open-source packages ● Deliberate backdoors ● Compromised downloads, e.g., typosquatting

9.Software supply chains can be exploited ● Vulnerabilities in dependencies, e.g., open-source packages ● Deliberate backdoors ● Compromised downloads, e.g., typosquatting [Callouts on the slide: Apache Struts vulnerability; malicious signed binary; compromised software update server]

10.What's different about supply chains with containers [Diagram: VM based: monolithic application on VMs in the production environment, manual adjustment (Debug, Patch, Update, Restart), Hard]

11.What's different about supply chains with containers [Diagram: VM based: monolithic application on VMs in the production environment, manual adjustment (Debug, Patch, Update, Restart), Hard. Container based: build & deploy, then re-build & re-deploy, through the CI/CD pipeline (Analysis, Build, Scan, Test, QA) to microservice pods on VMs in the production environment, Easy]

12.Stages of the CDLC (Container Delivery Lifecycle) ● Base image ● Code ● Build ● Application image ● Deploy [Diagram: Developer, then CI/CD pipeline (Analysis, Build, Scan, Test, QA), then Production environment (microservice pods on VMs)]

13.https://www.slideshare.net/FranklinMosley/devsecops-a-new-hope-for-security-in-cicd

14.Base Image ● Controlled base images: official external images, copied into the organisation and promoted through dedicated pipelines ○ e.g. Docker Hub official images ● Hash based addressing: image has a verifiable “identity” ○ Hashes help ensure we have immutable images ○ Hashes are static - whereas tags are transitory and a possible risk
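
An added example (not from the slides) of the hash-based addressing point above: it flags `FROM` references in a Dockerfile that rely on a mutable tag, and checks that fetched manifest bytes hash to the digest in a pinned reference. The registry name, Dockerfile and manifest bytes are constructed for illustration.

```python
import hashlib
import re

# A pinned reference ends in @sha256:<64 hex chars>; anything else is a tag.
DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})$")

def pinned_digest(ref):
    """Return the digest a reference is pinned to, or None for a mutable tag."""
    m = DIGEST_RE.search(ref)
    return m.group(1) if m else None

def audit_dockerfile(text):
    """Return the FROM references in a Dockerfile that are not digest-pinned."""
    stages, unpinned = set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        if not args:
            continue
        ref = args[0]
        # "scratch" and earlier build stages are not pulled from a registry.
        if ref != "scratch" and ref not in stages and pinned_digest(ref) is None:
            unpinned.append(ref)
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
    return unpinned

def manifest_matches(ref, manifest_bytes):
    """True only if the fetched manifest hashes to the digest in the reference."""
    want = pinned_digest(ref)
    return want is not None and hashlib.sha256(manifest_bytes).hexdigest() == want

# Constructed sample data: manifest bytes and registry names are made up.
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
PINNED = "registry.example.internal/base/debian@sha256:" + hashlib.sha256(MANIFEST).hexdigest()
DOCKERFILE = f"""FROM {PINNED} AS build
RUN make
FROM alpine:3.8
COPY --from=build /out/app /app
FROM build AS test
FROM ubuntu
"""

if __name__ == "__main__":
    print(audit_dockerfile(DOCKERFILE))
    print(manifest_matches(PINNED, MANIFEST), manifest_matches(PINNED, MANIFEST + b" "))
```

A tag such as `alpine:3.8` can be repointed at different content after review, while a digest reference can only ever resolve to the bytes that produce that hash.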

15.Code ● Static analysis: of code in-IDE (style, AST-analysis, atoms of confusion) ● Dependency analysis: Immediate and transitive (pom.xml, package.json, requirements.txt and pals)

16.Build ● Hermetic builds: Isolated build environment ○ No inter-build data or artefact leakage ● Reproducible builds: Repeatable build from source to binary ○ Build dependencies cached within an organisation's estate ○ Pinned versions for deterministic builds ○ Only helps security if you actually do reproduce it - not great for incremental builds ● The future: rootless builds: Build without privileged access ○ Tools like umoci, img, buildah, kaniko are moving towards a safer build environment ○ The class of build-time attacks this is mitigating against are aspirational rather than in-the-wild right now

17.Application Image scans ● Vulnerability scanning: CVE scans (operating system components, installed binaries/JARs/tarballs) ○ Patching ○ Removing packages ○ Smaller distribution ● Configuration scanning: Make it easy to do the right thing ○ Secrets in code ○ Images running as root ○ Misconfigurations ● Policy: filesystem configuration and Discretionary Access Controls, xattrs SUID/GUID, runtimes and debug tools, etc.

18.Deploy ● Admission control: Gated admission to production based on policy, compliance, and other metadata from previous build stages ● Runtime configurations: Adherence to PodSecurityPolicy and Kubesec.io risk based on runtime configuration of the images that comprise a pod

19.Enforced Governance ● Containers are short lived and frequently re-deployed, you can constantly be patching. ● Containers are immutable, you can control what is deployed in your environment.

20. Ideal, security-hardened container supply chain ● Base image: Controlled base images, Hash based addressing ● Code: Static analysis, Dependency analysis ● Build: Hermetic, Reproducible, Rootless ● Application image: Vulnerability scanning, Configuration scanning ● Deploy: Admission control, Runtime configurations

21.State of the Ecosystem

22.Open-source supply chain today (stages: Base image, Code, Build, Application image, Deploy) ● Images: Docker Hub ● Updates: TUF, Notary ● Pipeline metadata: Grafeas, in-toto ● Vulnerability scanning: Clair, Micro Scanner, Anchore Open Source Engine ● Admission control: K8s admission controllers, Kritis, Portieris

23.Images

24.Docker Hub ● Offers hundreds of ‘official’ images, including base images ○ Alpine ○ Debian ○ Ubuntu ● Best practices ○ Pull latest ○ Don’t trust blindly: check when last patched, scan for vulnerabilities

25.Updates

26.TUF vs Notary ● The Update Framework (TUF) is a secure distribution mechanism, for signing software package updates ● Notary is an implementation of TUF for container images specifically ● Both CNCF projects

27.The Update Framework (TUF) ● Software package signing ● Secure key distribution mechanism ○ Update keys delegated by root key ○ Offline rotation ○ Temporal expiration ○ Resistant to replay attacks
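
An added example (not from the slides, and not TUF's or Notary's own code) of how temporal expiration and version numbers resist replay: a client refuses metadata that is older than what it already trusts or that has expired, even when the signature is valid. Signature verification against the delegated keys is assumed to have already succeeded; the metadata values are constructed, using the `_type`, `version` and `expires` fields of TUF metadata.

```python
from datetime import datetime, timezone

def parse_expires(value):
    """Parse a TUF 'expires' timestamp (UTC, e.g. 2018-11-16T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_freshness(trusted, candidate, now):
    """Decide whether signature-verified metadata may replace the trusted copy.
    Returns "ok" or the reason for rejection."""
    if candidate["_type"] != trusted["_type"]:
        return "wrong role"   # metadata signed for a different role
    if candidate["version"] < trusted["version"]:
        return "rollback"     # replay of an older, validly signed file
    if parse_expires(candidate["expires"]) <= now:
        return "expired"      # stale file served to freeze the client
    return "ok"

def apply_updates(trusted, candidates, now):
    """Feed candidates to the client in order, keeping the newest accepted one."""
    results = []
    for cand in candidates:
        verdict = check_freshness(trusted, cand, now)
        results.append(verdict)
        if verdict == "ok":
            trusted = cand
    return results, trusted

# Constructed sample data (assumed to be already signature-verified).
NOW = datetime(2018, 11, 15, 12, 0, tzinfo=timezone.utc)
TRUSTED = {"_type": "timestamp", "version": 41, "expires": "2018-11-16T00:00:00Z"}
CANDIDATES = [
    {"_type": "timestamp", "version": 40, "expires": "2018-11-20T00:00:00Z"},
    {"_type": "timestamp", "version": 42, "expires": "2018-11-16T12:00:00Z"},
    dict(TRUSTED),  # the previously trusted file, replayed after version 42
    {"_type": "timestamp", "version": 43, "expires": "2018-11-15T00:00:00Z"},
    {"_type": "snapshot", "version": 50, "expires": "2018-11-20T00:00:00Z"},
]

if __name__ == "__main__":
    print(apply_updates(TRUSTED, CANDIDATES, NOW))
```

Once version 42 is accepted, the file the client trusted a moment earlier is itself rejected as a rollback.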

28.Notary ● Implementation of TUF for image distribution ○ Server + database ○ Signer + database ● Signs and validates images ○ Signed collections ○ Key delegation ● Best practices ○ Store the master root key offline ○ Key rotation

29.Pipeline metadata