Cloud Native SecurityCon North America 2022

While container scanning & security is becoming more widely adopted, it’s still not well-understood how these containers evolve over time from a security perspective. This includes understanding the long-term security posture of these containers, whether it is improving or declining as new vulnerabilities are discovered. 

 This talk will take a first-time look at why handling vulnerabilities in containers is a really sticky problem to begin with, with known vulnerabilities requiring patching, as new vulnerabilities arise constantly, and many other vulnerabilities simply falling into a catchall bucket of "won't fix" . We'll show data visualizations of how the attack surface of two mega-popular public container images (Python, NodeJS) have changed over the past year, highlighting the problem developers and DevSecOps teams are facing. We'll demonstrate how some of the most popular vulnerability scanners show different results, sometimes to extreme degrees. But stick around to the very end, because on the upside, we'll wrap up with practical steps developers can take to stay on top of vulnerabilities and prevent their dev process from grinding to a halt.

Security scans getting you down? Users complaining they can't verify your images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don't know where to start? You're not alone -- all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover: - The distroless philosophy; why minimal images can save you from scan report purgatory - The importance of updating images and dependencies - Using apko to build container images with SBOMs and complete reproducibility - Signing images with Sigstore The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn't have to mean hurting usability or productivity.

OSS libraries can be used by anyone, but how does an enterprise secure what should, or more importantly, should not be used? The package/artifact managers are at best simple proxies, so security checking is mostly beyond them. Moreover, within enterprises, these tasks end up being manual. This talk will outline the additional checks that should/could be performed at ingestion and subsequently; continuous automated grooming of OSS artifacts. James will demonstrate the Continuous Secure Software Ingestion (CSSI) application, a policy driven system built on Tekton & Open Policy Agent (OPA), to perform continuous secure ingestion from any source, including Google AOS. He will also show the additional constraints that are placed on the downstream enterprise Software Composition Analysis (SCA) tooling to handle the data graph that this generates.

Discovering who, how, and where a software artifact was created is a daunting task. Archivist is an open source In-Toto attestation index and store, allowing you to uncover the history and establish trust of a software artifact. Archivist allows you to discover the attestations you need to satisfy your in-toto policies and ensure only trusted artifacts make it to production. In this talk we’ll use Witness (an In-Toto implementation) to create attestations about a build process of an attestation and store them in Archivist. Then we will create a Witness policy and enforce it while querying Archivist to discover relevant attestations to satisfy the policy.

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.

It is a truth universally acknowledged that almost every modern software component contains a selection of external dependencies whose provenance is unknown. Another truth is that no dependency should be trusted until proven trustworthy. This second truth, though, is often ignored by organisations and their engineering teams, who argue that assuring the trustworthiness of dependencies is too complex, too time-consuming and has a detrimental impact on development velocity. This talk will describe how Jetstack has worked with several clients in the financial services and defence sectors to help them develop dependency assurance mechanisms and processes that allow greater visibility and insight into the dependencies used and their impact on the clients’ risk and security postures. The audience will learn how modern tooling and practices can be used to create efficient, automated pipelines that audit dependencies for vulnerabilities and licence obligations, assess them against the organisation’s security policies and ultimately provide the ability to control which dependencies can be used and deployed within the organisation.

Container build is arguably one of the most security sensitive operations in the whole application supply chain spectrum, which has largely remained opaque to date. It is typically implemented as a multi-stage process in the Continuous Integration (CI) pipeline that includes cloning the source code, resolving and downloading dependencies, compiling and packaging applications and finally publishing the built artifacts. To establish trust in the final built artifact, it is not sufficient to ensure security guarantees around just the built artifact, but it is critical to provide provenance and integrity assurance for every action in the pipeline that went into building that artifact. While tools, such as Tekton Chains, provide visibility into the steps that were performed and components that were used during the build process, we are still missing the lower level syscalls that were made. In this presentation, Parth and Shripad will present an open framework using tetragon to bring out-of-band runtime visibility and provide automated attestation for tekton based CI pipeline.