Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 3 Feb 2023
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 3 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Sponsored Keynote: Trust and Risk in the Software Supply Chain - Emmy Eide, Red Hat

Description

Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Sponsored Keynote: Trust and Risk in the Software Supply Chain - Emmy Eide, Director, Product Security, Red Hat

Building a trusted software supply chain that minimizes risk starts at the very beginning of the development process and continues through the application life cycle. Administering security tests at the end of the development and production cycle or patching running applications is counterproductive to how cloud-native applications are built and secured. Just as automation is key for cloud native development, it’s also critical for cloud native software supply chain security.
In this talk, we will explore balancing trust and risk throughout the entire supply chain using open source projects. We will look at why trusted supply chains are necessary, what it means to reduce risk continuously, and how Red Hat is building trust in its own software supply chain using open source technologies.

A

Hello, all right so I have five minutes to take you on an adventure and uh ending with an action that um for the industry to step up its game in supply chain security.

A

All right so I'll be surprised, given how much this topic is prevalent right now, if you haven't seen this data, but for those who haven't. According to the sonotype report, there's been a 742 percent increase in the average annual supply chain attacks. Why? Because it's lucrative. Not only can you attack your target, but you can attack your Target's customers in that same report. uh They showed us that six out of every seven project vulnerabilities come from transitive dependencies.

A

So that's a gold mine attackers gotten Weiss this thing that has been stumping Security Experts for the last decade and then just when we think we've got our handle on it. Some amazing new technology comes out and it makes our software Supply chains even more complex.

A

So what is trust in the supply chain mean I'm, not talking about zero trust. That's different! I'm talking about having a trusted supply chain. We've all seen the worldwide disruption when physical Supply chains are disrupted. The impact is catastrophic, manufacturing, essential services and international economies have all been hit extremely hard in recent years. Our software supply chain is no different and the ability to impact when disrupted when the supply chain is trusted. Everyone's job is easier sales marketing legal engineering. We can provide customers with attestations to how we our products are made.

A

We can develop on stable, Enterprise platforms and, most obviously, we can avoid massive security disruptions that stop production. All of these things frankly lead to more room for Innovation and development. Externally many of our customers rely on our products to be a part of their supply chain, which means that if this is a positive spiral, we can ultimately lead to advancements that make this world a better place all because of a trusted supply chain.

A

So we have a problem and there's about 10 other presentations in this conference that can dive into that deeper than I can in five minutes so I'm going to jump to the next steps of what can we do about it?

A

Obvious answer is to implement security controls throughout your supply chain. There's a variety of controls that you can Implement depending on what your supply chain looks like this is the prettiest supply chain that I have ever seen. Most of them. Don't look like this. You have various scanners, Sig store, cosine, kubliner, techton chains. All of these wonderful ideas, keyword, ideas, the supply chain level for software.

A

Artifacts are salsa walks you, through the various maturity stages in best practices, and if you haven't seen it I recommend going and educating yourself on it and, of course you have user and identity access management, which is still one of the more difficult things to implement. Even though we, the security Community, have been talking about it for many years and, unfortunately, discussion about what is right and what is wrong is not what leads to security improvements actually implementing those security gates and checks is what we need to do, but how?

A

How do we get this exhaustive list of ideas to reality? When you want to enable a Workforce to innovate and to breakthrough barriers? There's got to be some beautiful orchestration, which brings me to my biggest Point partnership in order to fully Implement supply chain security. You have to do it in Partnership and let me walk you through how we learned how to do this and how it transforms security at Red Hat. We tried to implement all of those controls throughout our supply chain, but those were ideas in isolation were not enough.

A

We had to get the people, the team that was creating those standards and guidelines in implementation timelines to understand how those security, Implement implementations, impact product planning, timelines, integration, requirements, maintenance and upkeep. We couldn't just broadly apply security requirements as a security team and then expect the product teams to just pick those up some Enterprises go through a model of a single supply chain which, in my mind, would be really really nice, but having that and the limited code coding languages to pick from kind of inhibits innovation.

A

So what do we do? What we want to do- a red hat was not be so restrictive that our teams couldn't innovate and come up with these Technologies and we wanted. So we wanted to make security a part of the development process and I'm not talking about sec. Devops I am talking about something different where security controls and supply chain decisions are made hand in hand with feature development.

A

How do you do that? You keep your messaging around risk, always tie it back so that never turns into a check the box exercise. We've had more government regulation around supply chain Security in the last couple of years than we ever have before. So this makes it really easy to go back into that check the box state.

A

You have to be able to articulate the why as a security team, and then you have to collaborate on the What the how and the when, when you work with development teams, to articulate this risk and to understand it and to have it, be part of your core culture, then you can really apply security controls that I've discussed on previous slides.

A

We've only seen success in supply chain at Red Hat when we were able to use this partnership approach without partnership. They're, just ideas and ideas in isolation are nothing. Security.

A

Partnership transforms those ideas into results, so people are going to go around ideas and they're going to take the path of least resistance, because that's what people do it's not going to systemically reduce your risk, because the approach that approach will have holes so my proposal for starting to tackle this massive security problem and Supply chains is to do so in partnership with your engineering teams and open source community without that partnership.

A

Without this beautiful orchestration of expectations, reality necessary tools for production, types of Technologies timelines and people, we will not be able to truly and fully secure our supply chains. Thank you and enjoy the conference. The people here are truly truly wonderful speakers, so I hope you have a great time. I am at the red hat Booth. If you have any questions.