►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Okay,
thank
you.
Everyone
for
joining
us
welcome
to
today's
cncf
live
webinar,
secure
software
Factory,
adding
s
bombing
code,
signing
to
your
security
checks,
I'm,
Libby,
Schultz
and
I'll
be
moderating
today's
webinar
I'm
going
to
read
our
code
of
conduct
and
then
hand
over
to
Ariel
super
engineering,
product
manager
at
Cisco,
and
shy
simbaum
senior
developer
at
Cisco
a
few
housekeeping
items
before
we
get
started
during
the
webinar.
You
are
not
able
to
speak
as
an
attendee,
but
there
is
a
chat
box
on
the
right
hand.
A
Sidebar
of
your
screen,
please
feel
free
to
drop
all
your
questions
for
Ariel
and
shy
there
we'll
get
to
as
many
as
we
can.
At
the
end.
This
is
an
official
webinar
of
the
cncf
and,
as
such
is
subject
to
the
cncf
code
of
conduct.
Please
do
not
add
anything
to
the
chat
or
questions
that
would
be
in
violation
of
that
code
of
conduct
and
basically,
please
be
respectful
of
all
of
your
fellow
participants
and
presenters.
A
Please
also
note
that
the
recording
and
slides
will
be
posted
later
today
to
the
cncf
online
programs,
page
at
community.cncf.io
under
online
programs.
They
are
also
available
via
your
registration
link
and
the
recording
will
be
available
on
our
online
programs.
Youtube
playlist
with
that
I
will
hand
things
over
to
Ariel
and
shy
to
kick
off
today's
presentation.
B
A
B
We'll
talk
about
the
different
we're
going
to
use
them
and
then
we'll
put
a
special
focus
on
some
open
source
tools
that
are
dedicated
for
their
runtime
aspect
of
the
supply
chain,
security.
Let's
first
start
we
talk
about
like
what
it
is
or
why
we
are
all
concerned
from
software
supply
chain
recently.
So
I
think
you
know
software
supply
chain.
Security
was
always
an
issue.
It
was
always
kind
of
something
that
people
can
temporary.
B
Also
like
a
rumor
that
things
can
go
wrong
and
things
can
change
and
in
Docker
Hub
there
are
many
kind
of
Malaysia
things,
but
they
you
know
container
images,
but
I
think
the
turning
point
was
towards
the
end
of
2020.
When
the
solo
win
Attack,
you
know
took
place,
it
was
a
massive
attack
that
you
know
started
somewhere
in
2018
and
it
took
almost
15
months
just
to
discover
this
attack
and
soil
wins
is
a
software
manufacturer
that
was
breached
and
malicious
actors
manipulated
their
software
update
that
it
produces.
B
They
added
malicious
code
into
the
update
while
they,
but
it
was
built.
So
when
the
software
was
delivered
to
all
the
18
000
solarwind
customer,
it
was
signed
and
verified,
but
no
one
and
no
one
even
considered
the
fact
that
solving
was
bridging
in
such
a
way
that
someone,
you
know
inserted
the
malicious
code
and
consequently,
all
the
18
000
custom.
B
You
know
four
wheel:
customers
were
infected
and
got
hit
by
this
attack,
which
was
you
know,
super
sophisticated
and
that's
why
it
took
like
almost
15
months
to
discover
the
special
command
and
control
protocol
and
mechanism
was
really
impressive,
but
nevertheless
there
was
the
most
the
first
most
significant
supply
chain
attack,
which
had
a
huge
monetary
consequences
for
solarwinds
and
all
the
other.
You
know
customer
that
been
using
their
system
now,
I'm
calling
it
a
turning
point.
B
B
Do
you
see
the
amount
of
attacks
is
just
you
know
really
increasing
significantly.
So,
yes,
software
becoming
Target
made
easy
to
Target.
Some
software
really
use
I
mean
code
curved.
You
can
see
here
in
the
middle
there's
another
famous
like
that,
had
a
huge
impact
on
a
lot
of
customers
in
the
understanding
that
it's
much
easier
to
penetrate
users
through
the
software
they
consume
became
a
noticeable
fact
that
you
know
today
is
one
of
the
facto
popular
risks
and
attack
that
need
to
be
considered
now.
B
That
is
initiative,
and
even
the
cncf
as
a
reference
architecture.
In
the
diagram
of
the
best
practices
to
secure
so
definitely
there's
a
Hot
Topic
different.
A
lot
of
you
know
most
regulations
standards.
You
know
even
just
recommendation
which,
with
no
you
know
super
power
but
again
there's
a
proliferation
of
recommendation
and
document
that
trying
to
address
this
aspect.
B
So
let's
talk
about
what
it
is
and
what
do
we
secure
so
sort
of
supply
chain
process?
You
know
that
covered
your
that
cover
your
code,
development.
It
starts
when
developer
code
when
the
code
is
built
and,
of
course,
when
the
code
is
is
running
in
any
you
can
temper
and
you
can
modify
if
your
managers
code
now,
obviously,
as
you
can
see
from
this
diagram,
all
those
like
small
icons
of
hackers.
B
So
yep,
let's
talk
about
those
are
the
amount
of
attacks
which
I
mentioned
the
standards,
different
standards
and,
let's
talk
about
you,
know
the
supply.
So
thank
you.
Libby
and
I
apologize
through
this
for
stop
sharing.
Just
before
the
beginning
of
the
show,
I
didn't
mind,
it
I'm
keep
sharing
my
screen,
I'm.
Sorry
for
that.
So
when
you
look
about,
you
know
the
supply
chain,
you
look
about.
You
know
where
you
can
hack
the
code
to.
Obviously
you
can
see
those
small
icons
of
hackers.
B
You
know
with
the
hoodie
should
be
also
black
but
never
mind.
You
can
see
it
usually
being
you
know,
being
sent
to
build
a
system
in
the
build
system
with
the
dependencies
when
it's
into
you
know
to
the
to
the
different
register
before
it's
being
pushed
to
deployment,
even
the
post
deployment.
Those
are
the
places
where
you
know
the
code
can
be
changed
and
modified
so
through
the
entire
life
cycle
of
the
code.
B
Now
the
biggest
Focus
area
is,
you
know
on
the
build
process,
because
this
probably
where
you
generate
the
most
amount
s
and
a
part
of
which
focusing
on
you
know
how
you
making
sure
that
you're
getting
the
build
provenance.
And
how
do
you
do?
You
know,
maintain
the
Version,
Control
and
authentication
of
the
build
and
how
every
step
can
be
auditable
and
the
Integrity
of
the
different
steps
and
probably
the
most
tough
recommendations,
I'll
use,
making
sure
that
the
build
is
hermetic
and
it's
reproducible.
B
So
if
you
can
run
into
a
parallel
build
system,
they
will
reproduce
the
same
exact
you
know
artifacts.
So
all
those
aspects
are
targeting
the
build
environment
and
making
sure
that
the
build
process
by
itself
is
secure
and
is
not
tempered,
which
makes
perfect
sense.
But
we
need
to
understand
that
just
securing
the
build
is
not
enough
right
and
well.
You
can
argue
and
say
that
when
developer
is,
you
know,
writing
this
code,
it's
probably
inside
the
organization,
whether
it's
you
know
inside
they're
kind
of
connected
to
the
network.
B
C
B
So
when
you
talk
about,
you
know,
building
blocks
in
software
supply
chain.
So
one
of
the
the
first
item
is
the
software
bill
of
material
right
or
what's
known
as
sbone,
and
the
reason
why
the
S1
generates
so
much
interest
and
a
lot
of
probably
heard
it
a
lot
and
in
many
places
it's
because
it
offers
some
transparency
level
into
the
the
executable
that
you're
running.
So,
if
I'm
getting
the
next
equal
and
I'm
running
it,
I
have
no
idea
what's
coming
in.
B
If
I
get
the
software
bill
of
material
and
SEO
all
different,
you
know
libraries
and
dependencies
and
everything
which
the
code
is
built
from
I
get
better
visibility,
I
get
better
transparency
into
what
I'm,
using
which,
of
course,
is
super
important.
When
there
are
some
you
know
critical
vulnerabilities,
but
even
without
it
it
we
have
some
foreign.
B
Fact
table
of
this
software,
and
this
is
what
as
one
can
provide-
and
why
is
it
good
because
give
you
some
indication
on
the
maturity
level
of
the
security
program
of
the
software,
the
software
State
as
it
maintain?
Is
it
usable
supported
you
know?
Is
it
outdated
or
not?
It
also
give
you
a
very
important
information
about
vulnerabilities
level.
B
Now,
as
well
as
different
formats,
the
spdx
and
Cyclone
DX,
okay,
the
spdx
is
pushed
by
the
links
Foundation
the
sound
links
by
the
oasp,
while
the
spdx
is
more
focused
on
licenses
View
and
seeing
what
licenses
are
being
used.
The
second
digs,
in
my
opinion,
is
much
more
impressive.
It's
security
oriented
so
there's
a
lot
of
good
security
metadata
in
the
s-bomb
that
produces
with
the
second
DX
format.
So
if
you
look
about
tcves
and
exploitability-
and
you
know,
remedies
really
very
useful
information,
it
also
supports
all
the
advanced
programming
languages.
B
You
know
it's
extensible,
you
can
extend
it.
It's
pretty
proof.
It's
really,
at
least
in
my
opinion,
it's
a
very
impressive
format
or
provide
that
good,
useful
information
now
generating
as
well,
is
typically
something
you
do
in
your
CI,
okay,
because
this
is
where
you
produce
your
software,
but
generating
as
boom
of
your
runtime
environment.
B
Earth,
sorry
for
that,
okay,
so
this
is
the
cube
Clarity,
dashboard
I
run
it
in
my
kubernetes
cluster.
So
I
have
a
simple
conversation:
cluster
running
on
gke
I
I
deployed
a
few
containers
as
a
deployment.
I
use
the
the
stock
shop
demo
application
in
order
to
get
and
I'm
just
running
this.
You
know
this
dashboard,
which
is
connected
to
my
cluster
and
doing
a
port
forwarding
for
my
cluster
into
this
localhost.
B
B
Then
you
can
filter
everything
based
on
those
skins.
Now,
once
we
have
this
scanning
I
already
ran
this
can
before
you
can
see
it
by
the
way.
It's
a
very
fast
camera.
Just
you
know
already
done
it
before
you
get
this.
The
dashboard
is
start
populating
you're
getting
to
see.
You
know
all
the
the
cumulative
number
of
vulnerabilities,
how
much
of
them
hsfix.
You
can
see
different
packages
per
license,
so
you
can
I
can
show
what
how
many
GPA
licenses
I
have
MIT
licenses
or
if
I
want
something
else.
B
I
can
see
the
package
breakdown
based
on
programming
languages.
I
can
see
how
many
applications
I
have
resources
packages,
and
here
I
can
start
playing
with
applications.
I
can
start
playing
with
the
top
one
of
all
resources
or
or
even
the
top
ownable
packages
that
they
have,
and
it's
sorted
out
by
this
very
not
by
the
code
number,
but
but
how
many
you
know
based
on
the
severity
of
the
vulnerabilities,
then
I
can
start
going
into
the
nice
thing.
I
can
check
start
searching
for
vulnerability.
B
You
know
based
on
the
package,
it
exists,
or
vice
versa.
I
can
look
at
the
different
packages
that
are
there
and
try
to
try
to
find
you
know
specific.
You
can
see
who's
using
those
packages
and
then
I
can
again
check
all
the
different
resources.
I
know
they've
been
used,
so
it's
very
useful
for
me
to
get
a.
C
B
B
So
this
is
Cube
Clarity,
and
this
allows
you
to
address.
You
know
s-poma
aspects
in
runtime,
but
let's
talk
about
something
else,
so
as
always
important,
but
it's
not
enough.
We
also
want
to
make
sure
there
is
a
code.
Integrity
also
mean
code
Integrity,
so
core
Integrity
is,
of
course
we
want
to
make
sure
that
the
code
isn't
tempered,
isn't
modified,
isn't
change
one.
B
It
was
built
right
and
it's
not
only
in
the
build
phase,
but
also
Beyond,
because
code
contemporate
I
can,
if
I
have
access
to
your
registry
or
if
I
have
access
to
your.
Where
you
keep
where
you
store
your
your
potato,
even
if
I
have
access
to
your
cluster
I
can
temper
or
change
doesn't
have
to
be.
Kubernetes
can
be
also
into
your
cloud
account.
It
could
be
into
virtual
machines
and
give
it
to
your
serverless
functions
and
the
way
the
code
signing
works.
B
Is
you
know
you,
you
sign
the
code
when
you
produce
it
with
you
know
a
cryptographic.
Signature
then
part
of
it
is,
you
know,
store
the
private
key
or
the
private
signature
is
stored
with
the
code
and
it's
pushed
to
the
registry
together
with
the
concept
kind
of
a
metadata.
That's
it
push
with
the
code
and
then
I
have
the
public
key,
which
is
then
used
to
validate
so
in
the
validation
phase.
B
I'm
matching
the
product
in
the
public
and
I
can
see
if
it
matches
or
if
the
code
is,
was
tempered
and
changed.
Now.
One
of
the
more
interesting
things
that
I
think
today
is
existing
is
the
sixth
store.
Six
store
is
an
open
source
security
framework
that
creates
a
new
standards
for
signing
verifying
for,
and
it
really
it's
an
open
source
where
they
can
use
it
and
really
aim
to
increase
the
security
level
of
final
software
production.
So
it's
part
of
the
open
ssf,
the
open
source
security.
B
And
it's
really
a
a
great
contribution.
Security
of
software
in
general
and
one
of
the
the
the
the
the
interesting
thing
they
introduce
is
the
unique
structure
for
keyless
signing.
So
one
of
the
challenges
in
keyless
in
in
keys
or
the
classical
code
signing
is
that
you
have
long
lasting
keys
that
can
get
discovered
and
you
can
then
you
know
temper
them,
but
when
using
keyless,
this
is
much
safer
approach
and
then
it's
primarily
focused
on
container
images
and
they
can
sign
the
amino
with
signing.
B
And
then
you
can
use
any
admission
controller,
so
six
or
its
own
automation
controller.
But
you
can
use
any.
You
know
Opa
or
key
fairy.
Nobles
there's
also
submission
controllers,
then
they
can
divide
it
at
only
signed
in
the
verified.
Images
are
being
deployed
in
the
cluster
which
again
is
is
a
great
tool
that
provide
in
a
higher
level
which
are
running
in
the
cluster.
B
But
here
we
want
to
discuss
not
just
containers.
We
also
want
to
discuss
serverless
functions
and,
while
sixthor
is
really
focusing
on
containers,
serverless
functions
as
a
larger
security
challenge,
because,
unlike
containers
instead
of
structure,
there
is
no
sha.
There
is
no
hash
that
can
be
used
in
order
to
verify,
and
even
if
you
try
to
do
it,
you
know
different
deployment.
Frameworks
has
different
way
to
calculating
and
different
things.
They
include
in
the
in
the
zip
file.
So
it's.
A
B
Hard
to
get
a
unified
standard
just
like
we
have
a
shot
for
an
image,
and
even
if
there
was
like
a
unified
hash,
there's
no
validation,
so
we're
still
missing
the
validation
option.
Now,
I'm
saying
still
talk
about
most
of
the
clouds
AWS
has
their
code.
Sign,
which
you
know
is
a
great
service
code
sign.
Allow
you
to
sign
functions.
So
once
this
function
is
uploaded,
you
can
use
the
function.
You
can
sign
it.
B
You
can
add
a
signing
profile
that
to
tell
you
what
to
do
if
something
doesn't
match
and
then
you
can
select
which
Lambda
will
get
which
profile
and
then
before
the
Lambda
is
executed
code
designed
to
verify
the
function
hash.
That
was
not
changed,
so
this
is
great,
but
it's
only
post
deployment
and
remember.
We
want
to
make
sure
that
the
entire
chain
is
covered
and
it's
slightly
cumbersome
or
slightly
hard
to
configure,
and
ideally
we
would
like
to
have
the
same
concept
as
six
door.
Keyless
signing
also
enabled
for
serverless
functions.
B
So
for
that
we
created
function,
Clarity
and
again
it's
an
open
source
tool
that
sees
the
community
for
serverless
functions.
It's
extending
the
six
door
concept
also
to
service
functions,
so
it
allows
users
to
sign
the
functions
which
is
great,
I
mean
you
can
do
it
without
it,
but
it
you
know
added
the
missing
point
of
the
validation
functions.
You
can
really
validate
those
functions
in
any
Cloud
environment
and
you
can
get
it
making
sure
that
only
functions
which
were
not
tempered
are
being
used
in
the
cloud
moment.
Now.
B
How
does
the
work
so
when
you
write
your
service
function
and
you're
doing
after
doing
your
testing
before
you
do
making
the
deployment
we
are
inserting
a
step
into
your
CI
Pipeline
and
then
the
size
using
cosine.
In
order
to
find
the
image
you
can
use
it
with
key
pair,
but
you
can
see
that
with
keyless,
so
you
can
create
identity.
Get
an
entity
from
Full.
Co
use
this
identity.
You
know
upload
an
entity
to
the
to
the
record
or,
if
you're,
using
a
key
pair,
then
you
can.
B
You
know
upload
the
the
public
key
to
the
cloud
account
and
then
in
every
cloud
accounting.
When
you
want
to
install
Cube
Clarity,
there
is
like
the
infrastructure
that
first
we
need
to
listen
to
the
events
we
get.
The
notification
about
an
update
or
a
change
or
a
new
function
was
accredited
which
trigger
a
dedicated
validating
Lambda.
So
this
Lambda
this
on
the
either
check
versus
record
or,
if
you're,
using
public,
you
get
the
public
key
and
verify
it
with
the
private
key
of
the
function
and
then
allow
you
to
perform
actions.
B
So
if
you
to
decide,
if
you
want
to
get
alert,
if
you
want
to
get
a
block,
if
you
want
to
get
notified
or
on
the
consequent
action
that
post
the
validation,
so
the
function
is
voted
in
silence,
correct
thumbs
up,
you
can
move
ahead.
If
the.
If
the
function
is
not
or
it's
tempered,
then
you
know
you
can
decide
what
you
want
to
do
with
it.
So
this
is
function.
B
B
A
A
A
C
So
yes,
we
upload
the
the
the
signed
code,
the
signed
code
into
your
cloud
account
at
the
moment
we
support
AWS.
So
this
will
be
also
the
context
of
the
demo
and
I
will
show
how
I
deploy
two
functions,
one
on
top
of
the
signed
code
and
the
another
one
which
is
not
signed,
and
then
I
will
show
how
the
the
the
function
Clarity
is
triggered
and
then
it
realizes
that
the
sign
code
is
okay,
but
the
function
with
the
unsigned
code
is
is
is
was
not
verified
by
function.
C
Clarity,
and
in
this
case
we
have
several
options.
I
will
show
how
we
block
the
function
and
we
also
send
a
notification
in
AWS
context.
We
send
it
to
an
SNS
queue
and
I
did
some
a
cool
integration
where
it
will
send
me
an
email
that
will
notify
me
that
an
unrecognized
function
try
to
be
created
and
it
was
blocked.
C
C
C
The
other
one
with
the
code
which
is
not
signed
and
the
after
I
do
that
now
the
functions
are
created
at
the
AWS.
So
this
is
a
process
that
can
take
maybe
a
minute
or
two
where
the
we
have
in
AWS.
The
solution
is
to
use
cloud
trail
that
sends
all
the
events
to
cloudwatch
and
we
send
those
Cloud
those
log
events
into
our
own,
a
verifier
Lambda
and
once
the
our
Lambda
is
triggered,
then
it
will
process
the
the
function
that
was
created
and
it
will
check
if
the
function
is
is
verified.
C
It
will
take
the
function,
it
will
download
its
code
in
this
case
and
it
will
sort
of
reverse
engineer,
create
the
identity
and
then
we'll
seek
for
a
appropriate
certificate
or
a
signature
that
the
code
was
signed
with
and
if
it
will
find
it,
it
will
try
to
open,
of
course,
the
signature
using
the
the
signature
or
the
certificate.
And
if
it's
successful,
then
we
are
okay
and
if
not,
then
several
options
here.
B
C
Case
that
the
the
code
is
verified,
we
will,
for
example,
a
add
the
tag
to
the
function
that
states
that
the
function
was
verified
by
function,
clarity
and
let's
Wait
Another,
Minute
and
in
case
it
was
not
signed
by
us.
Then
we
will
see
that
in
this
case,
I
chose
to
block
the
function,
we'll
see
how
the
function
is
blocked
from
running
meaning
in
the
in
case
of
AWS.
It's
throttling
the
function
here.
As
you
can
see,
the
function
is
throttled,
meaning
we
reduce
its
concurrency
to
zero,
and
you
can
see
that
now.
C
C
We
see
that
just
we
just
tagged
it
and
said:
okay,
this
function
was
verified
by
function,
Clarity
and
it's
okay,
it's
more
informative
and
now
I
can
also
do
some
cool
stuff,
for
example,
if
in
this
in
the
function
that
inside,
if
you
try,
for
example,
to
just
change
in
the
function
at
runtime,
then
an
update
function
event
should
be
triggered
and
then
again
it
would
maybe
take
a
minute
or
so,
and
then
you
can
see
how
this
function
now
that
we
got
the
update
function
event.
We
do
this
process
again.
C
A
C
We
have
a
block
that
states,
let's
block
the
function,
and
besides
that
we
have
the
options
to
send
a
notification
to
a
predefined
queue
and
from
that
point
on,
the
user
can
decide
whatever
he
wants
to
do.
It
can
integrate
with
this
queue
and
do
whatever
you
want
in
the
case
of
a,
for
example,
on
a
verified
function.
C
So
here
you
can
see
that
now
the
function
that
was
signed,
the
event
was
picked
up
and
now
where
the
function
was
stopped
and
we
had
a
a
relevant
targets
where
that
function
is
not
signed,
and
you
can
see
here
that
I
got
of
course
another
event
now
that
the
function
is
is
now
blocked
as
well.
Is
that
someone
changed
the
code
without
signing
it?
First
I
see
that
another
question:
if
I'm
showing
is,
does
it
work
for
images
as
well?
So
yes,
the
the
new.
C
The
new
thing
we
brought
in
this
project
is
the
the
code
signature,
but
we
also
support
image
signature
which
harness
six
store
cost
time
and
we
use
it
to
sign
images
as
well
in
case
of
image,
signing
the
the
signature,
let's
say
or
the
the
code.
The
the
signature
of
the
signed
image
is
re
lies
in
the
repository
itself,
where
the
image
exists.
So
this
is
how
it
seeks
to
work
when
signing
images.
B
Perfect
I
was
trying
to
talk
so
I'm,
saying
that's
the
end
of
our
webinar,
so
I
have
no
more
slides,
we'll
be
happy
to
go
for
questions
so
if
I
just
want
to
summarize
I'll
just
try
to
summarize
what
you
know
what
we
saw.
So
we
talk
about
you
know,
generating
runtime
S1
Shai
also
did
as
a
demo
of
how
you
create
signatures.
How
you're
making
sure
your
code
Integrity
is
not
tempered
and
we
show
it
on
serverless,
which
is
a
very
special
use
cases.
A
A
A
B
Yes,
absolutely
so
definitely
I
would
love
to
share
here.
The
open,
Clarity
so
follow
our
repo
function.
Clarity
Cube
Clarity
is
their
function.
Clarity
is
going
to
be
there
shortly
and
we,
of
course,
would
love
to
get
users
to
address
it.
You
know
hear
about
it
and
hear
this.
You
know
for
sure
that
will
open
source
project
would
be
great.
A
A
A
B
No
I
think
you
know
recovery.
Thank
you,
Libby.
Thank
you
shy.
We
do
want
to
make
sure
that
people
are
keeping
their
environment
secure
and,
just
you
know,
using
open
source
free,
simple
tools
that
can
keep
them
much
more
secure
than
before.
That's
all
from
my
side,
anything
from
your
side
shy
and
nope.