Talk

As Strong as the Weakest Link

Securing the Software Supply Chain

Abstract

Short

The Solarwinds breach is an event that we won’t truly understand for some time - if ever. Several discussions we’ve been having in the abstract for years have become very concrete. The systems we use to develop, build and deploy our code are essential production systems. Securing the software supply chain is one of the most underrated security aspects today.

All software today is built with dependencies. However, a discussion of these dependencies - both explicit and transitive - as links in the software supply “chain” couldn’t be more accurate. And the truth is, a chain is only as strong as its weakest link.

In this talk, we’ll examine the complexities and sophisticated tradecraft from various supply chain attacks. We’ll also explore securing the cloud native supply chain with CNCF tools from Helm & Distribution to Cloud Custodian & Porter. More importantly, we’ll delve into the simple, practical security measures that can help prevent such attacks.

Long

The Solarwinds breach at the end of 2020 is an event whose breadth and depth we won’t truly understand for some time - if ever. But already, several discussions we’ve been having in the abstract for years have become very concrete. Firstly, the systems we use to develop, code, build and deploy our software are all essential production systems - and should be treated as such. And second, securing the software supply chain is one of the most underrated and often overlooked aspects of security.

All software today is built with dependencies. The vast availability of incredible open source tooling has allowed all of us to stand on the shoulders of giants and build software better and faster than we could have ever dreamed, even 5 or 10 years ago. However, a discussion of these dependencies - both explicit and transitive - as links in the software supply “chain” couldn’t be more accurate. And the truth is, a chain is only as strong as its weakest link.

In this talk, we’ll examine what is known of the complexities and sophisticated tradecraft from various supply chain attacks. But perhaps more importantly, we’ll delve into the simple, practical security measures that were missed, allowing the attack to get a foothold in the first place.

Benefits to the Ecosystem

Supply chain security is a critical consideration for all makers of software. From sophisticated end users in regulated industries, finance, or critical infrastructure all the way to “small” but popular open source projects, it is essential for teams to understand their exposure to and plan for supply chain attacks.

As tools from the CNCF become more popular among critical infrastructure companies, governments, and other high-value targets for attackers, the CNCF projects themselves will become targets as attackers look for the “weak link” in those large organizations’ supply chains. Understanding your place in the chain and your software’s dependencies on your upstream supply chain is critical for end users, maintainers, and community members alike.

© 2024 | Brendan O'Leary

Note: The views expressed on this site are my own personal views and do not represent the opinions of any entity whatsoever which I have been, am now, or will be affiliated.