►
From YouTube: Keynote: Security of the Open Source Supply Chain, a Call to Action - Luke Hinds, Red Hat
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keynote: Security of the Open Source Supply Chain, a Call to Action - Luke Hinds, Red Hat
Open source is everywhere and software is eating the world. However, we now face serious challenges within the security of our software and its supply chain from code commit to production. For this talk, Luke Hinds will outline the current immediate threats and what can be done by us as a community to address the risks we face by harnessing Open Source tooling and open transparent development models.
A
A
It's
been
a
challenging
time
for
us
all,
but
no
more
so
than
for
the
events
industry.
Many
thanks
to
kudos
to
them
for
allowing
me
to
perform
a
last-minute
switch
to
a
pre-recorded
keynote
in
a
parallel
universe.
I
will
be
in
sony
l.a,
alas.
Instead
I'm
in
the
rather
rainy
uk,
having
just
got
back
from
the
school
run,
security
of
the
supply
chain
has
become
one
of
the
leading
conversations
at
the
heart
of
information
technology.
A
The
past
decade
has
seen
a
tidal
wave
of
innovation
and
disruption
to
information
technology
software.
As
we
know,
it
is
eating
the
world
and
a
majority
of
it
is
open
source
in
parallel
to
the
incredible
adoption
rate
of
open
source
software.
We've
also
seen
automation,
accelerate
and
disrupt
the
core
paradigms
of
how
we
develop
build
and
ship
software.
A
A
Let's
take
kubernetes
as
an
example
where
the
dependency
matrix
is
currently
at
a
count
of
513.
In
fact,
it's
likely
even
more
since
I
recorded
this
talk,
react
native's,
yarn
dependency
file
currently
contains
7109
lines.
Now,
let's
get
this
straight,
there
are
no
fingers
being
pointed
here.
I
develop
in
precisely
the
same
way,
and
so
we
should
it's.
What
makes
open
source
software
development
tick
and
has
enabled
the
incredible
volume
of
innovation
we
have
seen
within
software
engineering
dependencies,
as
we
all
know
well,
are
managed
on
behalf
of
the
application
by
often
bespoke
packaging
systems.
A
However,
there
is
a
common
paradigm
where
different
levels
of
attention
are
granted
to
security.
I
think
it's
fair
to
say
that
when
we
look
into
the
average
open
source
packaging
system,
security
has
all
too
often
been
shoehorned
into
the
project
as
a
later
feature
where
maintainers
and
users
have
already
settled
on
a
familiar
workflow
lacking
a
basic
security
protection
system
such
as
software
signing
a
good
number
of
packaging
systems
have
no
security
at
all.
A
Let's
take
rust,
for
example,
a
language
I
migrately
that
introduces
security
as
a
first
class
element
with
strict
enforcement
of
memory
safety.
Yet,
with
all
of
those
great
guarantees,
we
get
the
packaging
system,
cargo
pulls
in
untrusted
code
as
they
do
not
have
a
basic
cryptographic
signing
system.
We
also
continue
to
struggle
with
the
application
of
identity,
even
more
so
in
a
world
of
abstraction
from
hardware
where
most
workloads
have
an
ephemeral
state.
Now
I
realize
I'm
sounding
harsh
and
appear
to
be
pointing
fingers
here,
but
it's
a
serious
topic
folks.
A
It
is
now
common
that
critical
infrastructure
systems
use
open
source
software.
We
are
talking
telecommunications,
health,
banking,
military
or
vital
services
that
we
rely
on
to
be
present
when
we
awake
each
morning,
systems
that
we
rely
on
to
communicate
and
care
for
ourselves
and
our
loved
ones.
It
really
is
that
serious.
This
goes
above
mere
buzzwords.
It
penetrates
deep
into
the
heart
of
our
society.
We
have
a
duty,
which
is
arguably
a
moral
one,
to
do
the
right
thing
here.
A
I
would
like
to
take
the
liberty
to
outline
a
vision
for
a
destination
which
I
believe
is
very
much
within
our
grasp.
The
building
blocks
are
there
and
some
smart
people
have
rallied
around
various
open
source
projects
that
are
grappling
with
the
problem
and
writing
code
to
try
and
solve
these
issues.
I
believe,
with
these
component
parts
and
further
innovations,
we
can
begin
a
journey
towards
an
end-to-end,
secure
supply
chain,
with
total
provenance
integrity
assurance
transparency
non-repudiation
from
commit
to
production.
A
It's
no
surprise
that
I
would
start
with
six
store.
Just
over
a
year
ago,
I
wrote
a
simple
prototype
for
a
software
supply
chain.
Transparency.
Log
named
recall.
The
idea
was
to
essentially
capture
build
system
metadata
within
an
immutable
transparency.
Log
I
could
see
this
could
alleviate
some
of
the
key
concerns
around
supply
chain
attacks
by
providing
an
open,
auditable
and
a
means
to
quickly
establish
the
blast
radius
of
an
attack
such
as
a
key
compromise.
Sigstor
is
now
a
vibrant,
growing
community,
with
over
90
contributors
producing
on
average
500
pull
requests.
A
In
a
month
in,
under
two
years,
we've
seen
the
project
covered
in
mainstream
media
and
large
tech
companies
come
forward
to
tell
us
how
they
plan
to
use
sigstor
and
contribute
sigstor's
call
to
action.
Is
software
signing
for
the
masses
so
that
anybody
can
sign
a
container
image,
a
software
bill
of
materials
or
any
other
artifact,
whether
that
be
a
blob
or
a
tarball?
We
are
also
in
the
final
plans
of
launching
a
free
to
use
non-profit
public
goods.
A
A
My
next
project
is
techton
cd
chains,
techton
cd
chains,
realizes
supply
chain
security
and
techton
pipelines.
Chains
to
use
its
moniker
allows
kubernetes
users
to
perform
the
cryptographic
sign-in
of
tecton
build
pipelines
over
the
past
few
years,
chains
have
seen
many
new
features,
such
as
creation
of
attestations
and
integration
with
project
six
doors
recall,
I
believe
chains
will
be
a
central
part
of
providing
machine-based,
non-repudiation
integrity,
verification
and
s-bomb
generation
within
a
cloud-native
environment.
The
update
framework
needs
no
introduction
to
most
security
folks
at
its
core.
A
It
addresses
one
of
the
most
scary
horror
stories
that
can
play
out
in
the
security
world
key
compromise.
There
is,
of
course,
a
lot
more
to
toff,
most
of
all
its
ability
to
play
our
role
delegation.
The
update
framework
underpins
the
trust
route
at
six
store
and
it
was
very
exciting
to
bootstrap
the
whole
process.
Alongside
the
tough
community,
I
believe
in
toto
will
be
to
s-bombs
what
wheels
were
to
cars
by
leveraging
in
toto
we
can
record
provenance
as
artifacts
and
machine
operations
interact
with
the
various
actors
that
constitute
a
supply
chain.
A
I
see
spiffy
inspire
as
an
integral
part
of
machine
identity
and
hybrid
cloud
federation
within
a
supply
chain.
It
is,
of
course
much
more
than
that.
As
well
with
its
position
within
the
realm
of
zero
trust
computing,
I
think
the
only
thing
they
may
have
got
wrong
was
coming
up
with
a
name
I
could
say
more
easily.
A
Finally,
we
have
keylime.
Some
of
you
may
not
be
aware
of
project
key
lime
with
the
previous
technologies.
We
can
measure
artifacts
as
they
move
through
a
supply
chain
and
verify
the
provenance,
but
what
about
when
it's
deployed
into
production?
Do
we
consider
it
out
of
our
hands?
No,
of
course
not.
Key
lime
is
able
to
remotely
measure
the
digest
of
an
artifact
at
execution
time
within
the
kernel.
This
allows
us
to
measure
provenance
at
runtime.
This
means
we
can
capture
and
measure
and
verify
the
entire
software
development
life
cycle.
A
I'm
very
excited
to
see
more
innovation
and
more
projects
enter
this
space.
We
also
have
some
great
minds
in
some
amazing
communities.
Looking
to
solve
these
challenges,
we
have
the
open,
ssf
and
the
cncf
security
and
the
existing
work
they
are
carrying
out
with
the
supply
chain
security
tag.
We
also
have
the
efforts
of
spdx
to
drive
adoption
of
the
s-bond
standard.
I
believe
all
of
these
projects
get
us
a
good
way
towards
an
end-to-end
secure
supply
chain
where
we
have
non-repudiation
integrity,
verification
and
provenance
from
commit
to
production.