►
From YouTube: Supply Chain Security Reference Architecture- Priya Wadhwa & Alex Marshall, Security TAG
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Supply Chain Security Reference Architecture- Priya Wadhwa & Alex Marshall, Security TAG
Security TAG will provide a brief presentation of the supply chain security reference architecture. This reference architecture is for developers and operators to experiment on how to build and implement a secure, zero-trust supply chain for their organizations given the existing tooling available to the community.
A
A
A
It
said
all
kinds
of
things
her
developers
should
sign
their
commits.
The
build
pipeline
should
be
reproducible
whatever
that
meant
she
should
carry
with
her
in
s-bomb.
A
few
days
later,
the
most
powerful
man
in
the
land
said
some
things
s-bombs
for
sure,
and
then
the
great
big
googles
said
she
should
eat
more
salsa.
A
A
B
Hi
everyone,
my
name
is
priya,
I'm
a
software
engineer
at
google
and
welcome
to
our
talk
on
supply
chain
security,
reference
architecture
and.
B
A
Yeah
so,
as
we
alluded
to
in
the
video,
the
the
cncf
published
a
document,
titled
software
supply
chain,
best
practices
back
in
may
and
that
included
over
50
recommendations
for
how
to
protect
your
software
supply
chain.
So
the
reference
architecture
we're
working
on
now
is
meant
to
be
a
road
map
for
implementing,
at
least
part
of
that
set
of
recommendations.
A
It
defines
what
the
components
in
a
secure
software
supply
chain
are.
It
explains
and
illustrates
how
those
components
interact
with
one
another
and
it
maps
those
components
to
some
real
world
tools
that
you
can
use
today,
and
we
hope
it's
going
to
also
include
some
sample
code
and
tutorials
that
are
going
to
help
you
get
started
on
implementing
tools.
A
Supply
chains
have
a
lot
of
pieces
to
them,
so
in
the
next
slide
we
have
this
high
level
diagram
we've
been
using
internally
to
guide
our
work
and
it
shows
some
of
those
pieces
and
breaks
them
down
basically
into
three
phases:
a
pre-build
phase
that
is
focused
on
the
development
and
handling
of
source
code
and
the
identification
and
collection
of
dependencies,
a
build
phase,
that's
basically
a
ci
cd
pipeline
that
results
in
a
final
artifact
and
the
post
build
phase.
A
B
We're
also
going
to
provide
some
guidance
on
best
practices
regarding
inputs
and
outputs
of
your
secure
software
factory
and
right
now
we
really
are
focusing
on
just
the
bill
pipeline
itself,
but
future
work
is
going
to
expand
to
cover
additional
pieces
of
the
supply
chain.
B
So
what
are
some
of
the
specific
things
that
you
can
learn
about
in
the
paper?
So
the
paper
is
pretty
comprehensive,
but
we'll
cover
a
variety
of
different
pieces
that
you
might
need
to
fully
secure
your
supply
chain.
So
this
will
be
things
like
integrating
s-bombs
or
out-of-stations
into
your
pipeline.
B
B
A
If
you're
wondering,
if
this
is
something
that
you
can
just
download
and
run,
it
definitely
is
not
one
of
the
things
that
we
realize
pretty
quickly.
Is
that
there's
a
lot
of
variables
that
are
distinct
from
environment
to
environment,
so
your
company
may
be
working
with
particular
languages
and
libraries
and
tools,
and
somebody
else
may
have
a
totally
different
stack
that
they're
working
on
and
since
our
goal
is
not
to
build
a
product
here,
trying
to
account
for
all
those
variables
is
just
not
practical.
A
So
instead,
what
we're
doing
is
giving
a
theoretical
description
of
the
components,
mapping
those
to
some
real
world
tools
that
you
can
use
and
including
some
alternatives.
If
you
don't
like
our
tools
of
choice
and
then
providing
some
inspiration
for
how
you
can
implement
those
tools
yourselves,
but
you're
going
to
have
to
figure
out
how
to
fill
in
some
of
the
blanks
for
your
particular
environment
and
its
specific
needs.
A
We
do
want
to
emphasize
that
we're
trying
to
ground
this
in
reality
and
in
how
to
do
this
in
the
real
world,
and
I
think
that
the
people
who
are
working
on
this
reference
architecture
lend
credibility
to
that.
So
the
project's
being
chaired
by
andres
vega,
from
vmware
tanzu
and
our
chief
architect
is
michael
lieberman
from
city
who
has
a
lot
of
real
world
practical
experience,
doing
this
with
actual
and
fairly
complex
supply
chains
and
then
supporting
them.
A
We
have
a
lot
of
people
from
all
across
the
industry,
including
folks
from
ibm,
google
box
boat
raft,
systig,
nyu
and
a
bunch
of
other
places.
So
it's
a
wide
spectrum
of
input
with
people
who
are
actively
working
on
secure
software
supply
chains
in
real
life,
actively
contributing
to
the
tools
that
we're
recommending
or
doing
both
of
those
things
so
priya
with
all
those
great
minds
at
work.
When
are
we
gonna
expect
to
see
something.
B
Okay,
great
question
so
hopefully
the
first
draft
of
our
paper
is
out
for
the
public
to
read
and
to
comment
on
and
to
provide
feedback
on
we're
actually
pre-recording.
This
talk
about
a
month
in
advance
of
kubecon
itself,
and
so,
though,
the
paper
is
not
out
right
out
right
now,
we're
hoping
that
by
the
time
this
airs
at
kubecon,
the
draft
will
be
available
for
people
to
see.
So
if
it
is,
hopefully
it
is,
please
go
ahead
and
read
it.
Please
feel
free
to
share
your
feedback.
B
And
what
else
can
you
look
for
from
the
stag,
so
we
recently
published
a
cloud
native
security
lexicon,
which
is
basically
a
document
describing
different
terms
that
you
might
have
heard
when
discussing
supply,
chain
security
and
kind
of
what
they
mean,
especially
in
the
context
of
the
papers
that
we're
writing
and
there's
also
a
cloud
native
security
map
and
landscape,
to
which
we'll
cover
different
security
tools
and
services
that
you
can
use,
and
we
also
just
want
to
like
clarify
that
the
reference
architecture
as
we're
writing
it.
B
We
definitely
see
it
being
a
living
document
right
now.
We're
definitely
suggesting
certain
tools
that
kind
of
fit
into
our
idea
of
a
secure
supply
chain.
But
we
fully
expect
that
more
tools
will
pop
up
the
supply.
Supply
chains
will
involve
based
on
what
people
need
and
require
from
their
builds,
and
so
we
plan
on
continuing
to
modify
this
document
so
that
it
is
as
up-to-date
as
possible
and
continues
to
reflect
the
needs
of
the
people
who
are
actually
building
secure
supply
chains.
B
So,
right
now
we
have
kind
of
like
left
certain
things
out
of
scope,
but
in
future
versions
of
the
document
we
definitely
plan
to
integrate
them.
So
things
like
hermetic
builds
and
reproducible
builds
are
definitely
on
the
top
of
our
mind
and
we
hope
to
discuss
those
in
future
versions
of
the
document.
A
If
you're
interested
in
getting
involved
or
taking
part
in
this,
and
especially
if
you're
interested
in
being
part
of
the
community
review
of
this
reference
architecture
jump
into
the
slack
channel
in
the
cncf
slack,
it's
the
tag,
security
supply
chain
working
group
channel
and
then
you
can
also
feel
free
to
connect
with
either
of
us,
we're
both
on
the
cncf
slack
we're
on
github
we're
on
twitter,
so
on
and
so
forth.
You
can
find
us
out
there
on
the
web.
Once
again,
I'm
alex
floyd
marshall,
I'm
a
security
engineer
at
raft
and.
B
I'm
priya
I'm
a
software
engineer
at
google.
Thank
you
so
much
for
coming.
We
hope
to
hear
from
you.