All right, so I'm Mike Lieberman, and we're going to talk about TAG Security's software supply chain working group here.

All right, a little bit about myself. I'm Mike Lieberman. I am a co-founder of a supply chain security startup called Kusari. I am also a SLSA steering committee member, for folks who are familiar with sort of the SLSA supply chain security standard. I am a CNCF TAG Security lead, and I helped co-lead the CNCF Secure Software Factory reference architecture, which we'll talk about a little bit later here. And so for about, you know, the next half hour or so, I'll rant to you about how great TAG Security's software supply chain working group is and, you know, hopefully convince some of you who aren't already contributing to help contribute.

So first off, for those who don't know, what is TAG Security? Well, I mean, you're at a Cloud Native SecurityCon, hopefully you know, but if you don't, it's what it says on the tin: it's the Security Technical Advisory Group for the Cloud Native Computing Foundation. It's made up of motivated volunteers interested in and contributing to cloud native security. So just to be clear, it's not purely security experts. Myself, I started joining TAG Security when I was at an end user company. I was at a giant bank, just sort of interested in security, and now, hey, I'm up here talking about it. So for folks who are, you know, not sure: no, feel free to join. We're interested in everybody joining. TAG Security is also the largest CNCF technical advisory group, and we also have the best mascot.

Okay, so what is the secure, sorry, the software supply chain security working group in TAG Security? Well, it's a subgroup. With TAG Security being so large, we have a lot of different work streams, one of them being software supply chain security. We also have a controls working group, we have a zero trust working group, along with a few others. So because software supply chain security is so nascent.
It's such a new thing. We're not just, you know, helping out with, you know, fixing supply chain security. We're helping to find it in the larger space. And we have contributors sort of, you know, across the spectrum. We have, you know, folks from end user organizations, folks from giant banks, folks from insurance companies and all that, as well as, you know, folks like myself who are now at a startup. And we have folks from larger institutions like IBM, Google, and so on, across multiple industries.

So let's talk a little bit about what we've done in the past, and I'll be switching back and forth between the presentation here just to kind of show off some of what we've done.

So going through, right, we have an ongoing supply chain compromise list. So this is just sort of a list of known supply chain incidents, and we have write-ups on the supply chain incidents and interesting facts about them. We wrote up a software supply chain security best practices guide, which is, you know, once again focused on that cloud native security aspect, right? Like, it's not just purely open source. It's about how can we secure the supply chains working inside of applications like Kubernetes, or application platforms like Kubernetes. We've also built out a Secure Software Factory reference architecture, which I helped co-lead, which is based around, you know, trying to figure out how do we, you know, securely build and, you know, protect against attacks that we've seen with stuff like, you know, the SolarWinds-style attack. We've also created a CNCF project supply chain security survey, which is focused around trying to see within the CNCF.
What are some of the big challenges that some of the various CNCF projects are running into from supply chain security. And then we've also collaborated with a lot of other CNCF groups, including stuff like the TAG Security controls working group, to try and take some of those best practices and turn them into controls. And then in addition to that, we also collaborate across the LF with other organizations like the CD Foundation and OpenSSF on projects like some of their supply chain security stuff, like at the CD Foundation, as well as projects like SLSA, which is a supply chain security standard.

So, actually, before doing this, let me show off a little bit of one of the other things here. Give me one second. Right. Sorry, so many tabs. Here we go. So here is the catalog of supply chain compromises coming from our group, and so there's a whole bunch of stuff here. It's an open sort of thing, so we accept PRs, and actually, for example here, if you look at the issues, there's lots of folks who have opened up issues here to sort of say, hey, here's another compromise we found, and that ends up in this catalog. And in addition, here we actually have a bunch of, you know, if we click on one of these, let's just say the VS Code one, there's a bunch of write-ups on sort of the impact and what type of compromise, additional references, and those sorts of things that we found, that it's very useful for folks who are interested in understanding more about what types of supply chain attacks are there and then what's happened in the past. And we're also looking to sort of collaborate with other groups like the OpenSSF to make this more than just cloud native focused supply chain compromises, but just general open source supply chain compromises. We are also very interested in pulling in additional data from other researchers as well on that.

And before I show off the software supply chain security best practices, if folks are interested, the
link is in that QR code there, and I'll leave it up for a minute. But just while we kind of go through that, I'll talk a little bit about the software supply chain security best practices here, but I'll give that a minute.

All right, and let me just move on to the next slide just to kind of show this. So what is the software supply chain security best practices guide? It is, you know, a set of best practices for supply chain security. It spans the entire SDLC, and I'll show that off in a second. It is both a set of specific best practices that often can be turned into stuff like controls, as well as just sort of general guidance around how to approach certain things. Interestingly enough, it's actually been cited in the NIST Secure Software Development Framework. So some of the stuff that, you know, the government has said, hey, here's what we think we should do, they actually cite this guide as a reference. And just some examples here, right: some of this is stuff like, you know, requiring signed commits, two-person code review, those sorts of things.

But I will switch over to the guide here real quickly. Sorry, my tabs all got messed up here. There we go. So this is just an example of what we've worked on here in the software security working group, sorry, the software supply chain security working group. This came out, I believe it was 2021, and I contributed a little bit to it. It is a set of best practices. It includes a bunch of information about, like, what is supply chain security?
You know, it's mostly focused at a broader level. This was, you know, before a lot of the tools have come out today. But it talks a lot about, you know, stuff like shared responsibility. It talks about stuff like, you know, how to secure software, I'm sorry, how to secure your source code, and how a compromise to your source code could potentially lead to larger impacts down the way. It's followed by, you know, how to secure the build itself and what are the impacts of an insecure build, and, you know, things like using branch protection rules and all these different things to sort of make sure that you're securing your software dependencies, securing your source code, securing all the things throughout the SDLC until production. I won't go too deep into it. You're more than welcome to sort of read this, and then if folks have questions after, I'm more than welcome to ask them.

All right. So the software supply chain security best practices: after that was released, there was a desire by the group to then say, okay, what can we do to start building an architecture around this, to start to say, hey, what sorts of things can we then do from those best practices and then turn it into something that's actually an architecture? And that's where the Secure Software Factory came into play, and that's something that I co-led with a few other folks like Andres Vega from ControlPlane. The link to that is also up there in the QR code, and I'll leave that up for a minute or two.

And so just, you know, to provide some, you know, background: the Secure Software Factory, right, like, you had these best practices. What do we actually do about it?
And so, you know, what's kind of that critical piece? And the critical piece here is that build. Because when you think about a lot of things like dependencies and source code and artifacts that you eventually run into production, well, what's that key funnel? And the key funnel here is the build pipeline itself. It's where you're taking source code, it's where you're taking dependencies, it's where you're taking all this external stuff that's often unprivileged. You're then compiling it, building it, running tests, etc., and then packaging it all up, and you are trying to turn it into something that's privileged to then run in an environment like production, right, or being distributed to customers.

And so the approach we took with this was, you know, we feel like there's three core tenets to sort of securing the build. First is you want to secure the pipeline itself. You want to make sure that only approved things are allowed to run, and in fact certain things must be run. So as an example, if you need to generate an SBOM, you need to run a security scan, if you're a dev you should not be allowed to disable that, right? So that's one key piece, and so that's kind of securing orchestration. But then what about the actual workloads that are running, especially in a cloud native context, right? You know, in a cloud native context one of the problems is, well, it doesn't matter what I'm running, an admin to the Kubernetes cluster can just swap out a container image in a pod, right?
Well, that's where, you know, stuff like workload identity comes into play, and where you want to actually secure the workload from being tampered with, and so that's stuff like SPIFFE/SPIRE from an implementation standpoint. And then finally you actually want to secure, obviously, what the workload itself is actually doing. So if you have a build, I don't know, you're running go build or whatever, you want to make sure that, you know, using stuff like eBPF or other sorts of introspection techniques, you want to make sure that the build itself is not doing something nefarious. It's not trying to reach out to the internet and download something from malware.com or whatever, right?

And so another thing also is that, you know, as part of collaboration, right, there is a demonstrative implementation of this Secure Software Factory that's maintained by the OpenSSF called FRSCA. And I will show a little bit more of what the Secure Software Factory looks like here, so I'll just, you know, see if I can find a good diagram here. Here we go. I know it's maybe not the easiest thing to read here. But here is an example of what that Secure Software Factory looks like. Here's some diagrams. It's about, I don't know, yeah, it's about like 20 pages worth of write-up, diagrams, and so on. And yeah, there's a bunch of stuff in here about, you know, approaches to take to sort of, you know, secure the build, on how to sign things, you know, using things like Sigstore and so on. And if folks have questions about this also, at the end feel free to bring it up.

All right, so those are the two main pieces, the big sort of deliverables over the past few years from the supply chain security working group. And so what are we currently doing?
Right, so one of the big ones is supply chain security tool mappings. So that's something that one of our core contributors, Marina Moore, is working on. And just to show a little bit of that: this is just a spreadsheet, but, you know, the idea here is we're looking to sort of look at those supply chain security best practices, stuff that's referenced in the Secure Software Factory, and be able to sort of map those controls and map those best practices and various other requirements into what tools generally in the space do we see kind of hitting those things. And definitely, you know, anybody who's a contributor, we'd love to kind of see, you know, if you think your tool kind of hits these things, yeah, please come and tell us about your tool, you know, obviously as long as it's open source. And we'd love to have that included, and we'd love to kind of, you know, know more about this, you know, know more about what folks are working on.

So that's one key piece. Another key piece, which is just starting now, and John from VMware is working on this, is the real-world supply chain security policy. The goal of this is going to be trying to kind of build out a couple of, like, white papers and those sorts of things around, hey, how do people actually approach supply chain security at an organization, and what sorts of things are they worried about, and how do they take those best practices and understand those best practices and things like the Secure Software Factory, and understand how do they prioritize different elements of it, and what are the things that should be important to them, and what are the things that they should be concerned about. All right?
Okay, and then what do we plan to do, right? So there's a bunch of stuff that we want to do in the future, but two of the big ones are: we want to build a supply chain security improvement program for CNCF projects themselves. And that's where, you know, we actually want to go out and build out almost like a journey for CNCF projects, to kind of say, hey, you know, similar to how you have incubation, you have incubating projects, you have projects that have passed security review and so on, we want to have a set of requirements for CNCF projects as well. Because, as you can imagine, right, if a lot of folks are relying on Kubernetes, and if Kubernetes's supply chain is broken, then your supply chain is broken if you rely on Kubernetes. So that's kind of one of the things that we're looking to do, and we know that a lot of projects already, like Kubernetes, are, you know, implementing things like SLSA. They're implementing a lot of the supply chain security best practices. But we want to extend that across the CNCF projects, right, because, if you take a look, there's a lot of tools in the CNCF that are security tools, and we want to make sure that those security tools themselves have a secure supply chain.

And then in addition to that, we want to partner with more groups across the Linux Foundation and across the broader community on some of these sorts of initiatives, right? And many of the members who are, you know, volunteers in the TAG Security supply chain security working group also contribute to OpenSSF, contribute to the CD Foundation, as well as many other sort of open source groups. Like, you know, we have folks who contribute to OWASP who contribute to us, and vice versa. And so we are very interested in kind of continuing to collaborate there.

And then how can you get involved, right? Well, we meet every Thursday at 11 a.m.
Eastern. You know, you can find the invite on the normal CNCF calendar. The meeting is open to everyone who follows the code of conduct and also consents to recording. All of our meetings are recorded, and they end up on YouTube afterwards. So also, if folks are interested who just want to understand, like, hey, what sorts of things we're working on, you could go to the CNCF YouTube channel and just kind of look through, and you can see some of our recorded meetings. And then if you are interested in other things, just sort of on the day-to-day what sorts of things are going on in the CNCF security, sorry, in the CNCF supply chain security working group, you should take a look at the TAG Security issues, and there's a bunch of different things in there.

Yeah, and so that's kind of it for the main piece, and then I'm just going to kind of go through a few things here. And I know, sorry to pick on Marina, I had just actually talked about your mapping spreadsheet right before you walked in. So yeah, there is a tools mapping spreadsheet that, you know, once again, we're working on, and if folks are interested, you know, Marina is leading that up. And then, you know, for folks who are interested in controls, right, there is the controls working group, which sort of built out a spreadsheet for controls, and then somewhere down here at the bottom, I believe, and let me see if I can increase the size, these are like, you know, supply chain security best practices rewritten as controls. And also there are some mappings to, you know, what sort of NIST requirement do they potentially map to. Not every one does map directly to a NIST requirement,
but there's some stuff there. And there is potentially some work there, just so you know, to sort of maybe integrate that with OSCAL, if folks are interested in OSCAL. And if you're not interested in OSCAL, or you're not familiar, OSCAL is an Open Security Controls Assessment Language, I think it's something like that. Anyway, the basic idea is it's a way to sort of take stuff like security controls and security control assessments and codify it into a structured language like JSON, XML, etc., and then be able to say, great, you know, now you can just sort of automate control assessments and so on. And so that's kind of tied in here.

There is a lot of collaboration with SLSA, which is an OpenSSF standard. You know, there's a lot of folks, myself included, who contribute to SLSA as well as this, and there's a lot of sort of collaboration back and forth around stuff like definitions, or definitions in SLSA cite stuff in CNCF, and stuff that CNCF is doing is looking back at stuff that SLSA is doing to help out there as well.

Yeah, and then just for folks who are interested, if you look at the NIST SSDF, you know, some of the controls, I don't think they call them controls, I think that, yeah, they call them practices and tasks, but some of the practices and tasks actually cite the CNCF secure supply chain best practices here as well.

Yeah, I believe that is it. Yeah, so all I have for now, and if folks have questions or, you know, want to know more, whatever, feel free to ask.

Let's see. Just having contributed to a bunch of these things, I just have links to them. I can add them into the slides and make sure that the slides are in Sched.
Oh, yeah, yeah, they are in the GitHub issues, but sometimes that's not the easiest to... oh, the TAG Security issues. So if I go back to here, and I believe... so for example, for Marina's thing there is a CNCF supply chain security tool mappings one, which cites that, and then, oh, it looks like, yeah, there is a controls catalog. The organization could be a bit better, but yeah, there is some stuff here in... whoops. It's somewhere in there. Sorry.

Any other questions? All right, cool. Well, yeah, if there's nothing else, you know, feel free to tap me on the shoulder if you have any questions about, you know, TAG Security, the supply chain security working group, or any of the other sort of projects we have worked on or we're planning to work on, or some of the things that we're doing with the OpenSSF like SLSA and FRSCA and all that good stuff.