 Once upon a time, not so long ago, there was a little code base. She was a happy little code base. Her developers had written her with care. Her dependencies were all up to date. All she wanted was to grow up to be a real software artifact. All she had to do was travel through the pipeline to the magical registry on the other side. But here there be dragons, grooves and revils and mirrors. And no one was quite sure how to safely get past them all. She was stuck. No one would ever believe she was a real software artifact with all these monsters lurking in the mysterious pipeline or stalking around the edge of the registry. How could she ever accomplish her dream? Then one day, the lovely people from CNCF published some advice. A sort of survival guide. It said all kinds of things. Her developers should sign their commits. The build pipeline should be reproducible, whatever that meant. She should carry with her an S-bomb. A few days later, the most powerful man in the land said some things. S-bombs for sure. And then the great big Googles said she should eat more salsa. No, that's not it. Something about provenance and getting to level 4 in the maze. And people kept talking about taking along some guy named Toto. He was supposed to keep her safe in the pipeline or something. And she should get all her documents signed by a notary or something like that. There was a lot of advice, but it was still confusing. What she needed was a map. And so she turned to the map makers. Could they do it? Only time will tell. Hi everyone, my name is Priya. I'm a software engineer at Google and welcome to our talk on supply chain security reference architecture. And I am Alex. I am a security engineer at RAFT and it's really good to be with all of you. Awesome, let's just jump right into it. So you might be wondering what the reference architecture is. So I think Alex is going to give us a quick overview. Yeah, so as we alluded to in the video, the CNCF published a document titled Software Supply Chain Best Practices Back in May and that included over 50 recommendations for how to protect your software supply chain. So the reference architecture we're working on now is meant to be a roadmap for implementing at least part of that set of recommendations. It defines what the components in a secure software supply chain are. It explains and illustrates how those components interact with one another and it maps those components to some real world tools that you can use today. And we hope it's going to also include some sample code tutorials that are going to help you get started on implementing tools. Supply chains have a lot of pieces to them. So in the next slide, we have this high level diagram that we've been using internally to guide our work and it shows some of those pieces and breaks them down basically into three phases. A pre-build phase that is focused on the development and handling of source code and the identification and collection of dependencies. A build phase that's basically a CI CD pipeline that results in a final artifact. And the post build phase that's focused on the actual delivery and deployment of those artifacts. So Priya, of everything that's in this diagram, what is the reference architecture going to actually cover? So the reference architecture is focused primarily on the build pipeline phase, which is the middle section of the diagram that Alex was just going over. We're also going to provide some guidance on best practices regarding inputs and outputs of your secure software factory. And right now we really are focusing on just the build pipeline itself, but future work is going to expand to cover additional pieces of the supply chain. So what are some of the specific things that you can learn about in the paper? So the paper is pretty comprehensive, but we'll cover a variety of different pieces that you might need to fully secure your supply chain. So this will be things like integrating S-bombs or out of stations into your pipeline so you can verify where artifacts are coming from, things like managing signing keys and public keys so that you can make sure your keys are both secure but also available to your users for verification later down the road. And also generally the paper will cover all of the recommended security practices from the best practices white paper that the CNCF released a few months ago, and also how to actually apply those best practices to your current supply chain. So we'll have some examples for how to also secure your supply chain with common tools that you might be using in your supply chain already. So things like Kubernetes for orchestrating your pipelines, Tecton in Toto for generating provenance, and Spiffy for workload at a station. So we'll be covering a lot of other different tools and services in the CNCF and open source landscape as well and kind of provide guidance on how you can make each part of your supply chain more secure. So if you're wondering if this is something that you can just download and run, it definitely is not. One of the things that we realize pretty quickly is that there's a lot of variables that are distinct from environment to environment. So your company may be working with particular languages and libraries and tools and somebody else may have a totally different stack that they're working on. And since our goal is not to build a product here, trying to account for all those variables is just not practical. So instead, what we're doing is giving a theoretical description of the components, mapping those to some real world tools that you can use, including some alternatives if you don't like our tools of choice, and then providing some inspiration for how you can implement those tools yourselves. But you're going to have to figure out how to fill in some of the blanks for your particular environment and its specific needs. We do want to emphasize that we're trying to ground this in reality and how to do this in the real world. And I think that the people who are working on this reference architecture lend credibility to that. So the project is being chaired by Andres Vega from VMware Tanzu and our chief architect is Michael Lieberman from Citi who has a lot of real world practical experience doing this with actual and fairly complex supply chains. And then supporting them, we have a lot of people from all across the industry including folks from IBM, Google, BoxBoat, Raft, Cystig, NYU, and a bunch of other places. So it's a wide spectrum of input with people who are actively working on secure software supply chains in real life, actively contributing to the tools that we're recommending or doing both of those things. So Priya, with all those great minds at work, when are we going to expect to see something? Great question. So hopefully the first draft of our paper is out for the public to read and to comment on and to provide feedback on. We're actually pre-recording this talk about a month in advance of KUKON itself. And so though the paper is not out right now, we're hoping that by the time this airs at KUKON, the draft will be available for people to see. So if it is, hopefully it is, please go ahead and read it. Please feel free to share your feedback. It really is for you, so any feedback would be greatly welcome. And what else can you look for from the stag? So we recently published a cloud-native security lexicon, which is basically a document describing different terms that you might have heard when discussing supply chain security and kind of what they mean, especially in the context of the papers that we're writing. There's also a cloud-native security map and landscape, which will cover different security tools and services that you can use. And we also just want to clarify that the reference architecture, as we're writing it, we definitely see it being a living document. Right now, we're definitely suggesting certain tools that kind of fit into our idea of a secure supply chain. But we fully expect that more tools will pop up, the supply chains will involve based on what people need and require from their builds. And so we plan on continuing to modify this document so that it is as up-to-date as possible and continues to reflect the needs of the people who are actually building secure supply chains. So right now, we have kind of left certain things out of scope. But in future versions of the document, we definitely plan to integrate them. So things like hermetic builds and reproducible builds are definitely on the top of our mind. And we hope to discuss those in future versions of the document. If you're interested in getting involved or taking part in this, and especially if you're interested in being part of the community review of this reference architecture, jump into the Slack channel in the CNCF Slack. It's the Tag Security Supply Chain Working Group channel. And then you can also feel free to connect with either of us. We're both on the CNCF Slack. We're on GitHub. We're on Twitter, so on and so forth. You can find us out there on the web. Once again, I'm Alex Floyd Marshall. I'm a security engineer at RAFT. And I'm Priya, I'm a software engineer at Google. Thank you so much for coming. We hope to hear from you.