►
From YouTube: As Strong As the Weakest Link: Securing the Software Supply Chain- Brendan O'Leary, GitLab
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
As Strong As the Weakest Link: Securing the Software Supply Chain- Brendan O'Leary, GitLab
The Solarwinds breach is an event that we won't truly understand for some time - if ever. Several discussions we've been having in the abstract for years have become very concrete. The systems we use to develop, build and deploy our code are essential production systems. Securing the software supply chain is one of the most underrated security aspects today. All software today is built with dependencies. However, a discussion of these dependencies - both explicit and transient - as links in the software supply "chain" couldn't be more accurate. And the truth is, a chain is only as strong as its weakest link. In this talk, we'll examine the complexities and sophisticated tradecraft from the various supply chain attacks. We'll also explore securing the cloud native supply chain with CNCF tools from Helm & Distribution to Cloud Custodian & Porter. More importantly, we'll delve into the simple, practical security measures that can help prevent such attacks.
A
That's
your
fun
fact.
You
learn
nothing
else.
From
this
talk.
You
can
tell
your
friends
that
fun
fact
today
is
the
42nd
anniversary
of
it
so
yeah.
I
I'm
really
honored
to
be
here
and
speak
with
you
I'll,
introduce
myself
in
more
detail
in
a
little
bit,
but
I
want
to
talk
first
about
a
story
because
I
think
a
lot
of
what
we've
heard
about
securing
the
supply
chain.
A
A
A
So
I
think
it's
been
mentioned
a
few
times
today
in
this
conference,
but
solarwinds
themselves
actually
spoke
at
the
supply
chain
security
conference.
Yesterday
they
had
fantastic
technical
details.
In
that
talk
about
you
know,
all
of
the
technical
things
that
went
wrong
went
right
all
of
the
efforts
their
team
put
in
after
the
event.
A
I
want
to
talk
about
some
of
those
today,
but
I
also
want
to
talk
about
the
human
factors
and
then
some
other
factors
that
we
don't
often
bring
into
the
discussion
around
supply
chain,
because
it's
not
just
about
this-
you
know
single
event,
it's
kind
of
easy
to
point
the
finger
and
say:
oh
here's,
here's
the
thing
that
shows
us
supply
chain
is
important,
but
you
know
it
it's
it's
not
new.
Again,
it's
not
new
and
we're
going
to
talk
about
why?
A
They
previously
had
written
a
report
to
nist
the
national
institute
of
standards.
Technology
called
the
supply
chain
risk
management
report
and
they
had
talked
about
how
organizations,
putting
you
know
greater
and
greater
security
and
and
maturing
their
security
position
to
the
rest
of
the
world
is
is
a
good
thing,
but
it
means
that
adversaries
will
necessarily
go
up
the
chain
or
down
the
chain
in
the
supply
chain
to
then
attack
their
real
targets
right
because
solarwinds
wasn't
even
the
target
of
this
attack
that
we
all
call.
A
You
know
solar
winds
or
sunburst
attack
and
that's
an
and
that's
important.
It's
worth
it's
worth,
knowing
just
a
little
bit
more
about
what
happened,
so
that
we
can
talk
about
that.
So,
if
you
weren't
familiar
with
the
details
attack
again
yesterday,
you
can
get
the
real
deal
from
from
the
firsthand
source.
A
If
you
watch
the
the
videos
from
yesterday,
but
just
to
give
you
a
little
flavor,
you
know
it
wasn't
this
kind
of
like
full-scale
assault
that
you
might
think
of
when,
when
you
think
of
an
attack
right,
it
was,
and
it
wasn't
against
the
intended
target.
Right.
Solarwinds
was
not
who
was
targeted
in
this
attack.
A
A
You
know
they
installed
that
software
pervasively
throughout
their
networks,
you
know,
gave
it
expansive
permissions
and
then
accepted.
You
know
updates
directly
from
solarwinds
and
that's
what
made
them
vulnerable
to
an
attack
on
solarwinds
as
part
of
their
supply
chain
and
again
just
to
kind
of
give
a
little
bit
more
of
a
detailed
overview
from
from
what
we
know
is
you
know
this
attack
wasn't
even
one
point
in
time.
A
The
attackers
were
very
sophisticated
and
originally
gained
access
to
the
ci
cd,
build
structure
or
build
infrastructure,
rather
solarwinds
built
infrastructure,
and
that
gave
them
the
ability
to
to
inject
their
own
code
into
the
pipeline.
Where
solarwinds
was
building
the
orion
product
and
at
first
they
kind
of
just
tested
this
right.
They
didn't
really
deliver
the
real
payload.
There
was
this
thing
called
sunspot
where
they
were
just
kind
of
testing
to
see.
Would
they
be
detected
right?
A
They
inserted
these
dlls
named
them
things
that
looked
like
and
sound
like
classes
that
solarwinds
was
already
using
in
the
package,
so
they
didn't
really.
They
wanted
to
know.
Where
are
we
going
to
be
noticed
and
when
they
realized
that
they
were
able
to
get
away
with
it,
then
they
released
sunburst,
which
was
the
the
real
trojanized
code
that
got
injected
into
the
orion
software.
A
A
You
know
to
actually
get
at
the
attackers
the
their
targets
that
they
were
looking
at,
and
it
was
kind
of
aptly
pointed
out
by
one
ceo
in
a
blog
about
it
that
you
know
they're,
not
the
only
ones
that
have
this
kind
of
infrastructure.
There's
you
know,
build
machines
that
are
signing
code
they're,
definitely
not
the
only
ones
vulnerable
to
this
type
of
thing,
and
that's
you
know
kind
of
the
point
of
this
talk
right.
A
We
have
this
kind
of
web
of
dependencies
and
we're
going
to
talk
about
that
in
more
detail,
but
as
we
build
our
modern
infrastructure,
on
top
of
you
know
more
and
more
dependencies,
you
end
up.
Building
on
you
know
something
that
eventually
you
don't
know
right.
You
have
this
little
little
piece
holding
up
everything
else,
and
so
we're
gonna
talk
about
that.
Today,
again
I,
as
promised
I'd
introduce
myself
I'm
brendan
o'leary,
I'm
a
developer
evangelist
at
get
lab.
A
I
had
the
inverse
problem
that
dan
pop
was
talking
about
or
no
sorry
that
dan
lorenz
was
talking
about.
His
hair
grew
out
from
worrying
about
supply
chain.
I
used
to
have
hair
before
I
thought
about
supply
chain
security.
Now
I
don't
so
yeah.
I
think
that
as
it
may
so
you
know
we
talk
about
these
dependencies
right.
We
saw
that
funny
xkcd
that
talks
about
dependencies
and
again
we've
talked
a
lot
about
that
today
and
these
these
tools
to
search
for
dependencies
and
talked
about
the
software,
build
materials
and
all
these
things.
A
So,
of
course
a
dependency.
Is
you
know,
traditionally
what
we
think
of
is
a
open
source
dependency
that
we
bring
into
our
project
a
library
to
do
something
better,
to
interact
with
a
known
api
to
interact
with
you
know,
piece
of
hardware,
maybe
we're
using
right.
So
this
is
some
data
from
the
activers
report
that
shows
you
know
the
percentage
of
of
projects
in
different
languages
that
use
open
source
dependencies.
This
is
not
news
right.
A
So
you
end
up
with
this
web
of
dependencies
that
come
along
with
it
right,
and
so
this
kind
of
graph
kind
of
shows
us
that
and
as
an
amateur
ish
no
developer,
I
can
attest
to
that
javascript
line
right
there,
like,
if
you
just
look
at
node
modules
on
this
computer
in
any
file,
you'll
you'll
see
that
that
that
bears
bears
out,
but
these
are
the
transitive
dependencies
that
we
bring
in
as
we're
adding
these
other
dependencies.
But
it's
not
even
just
that
right,
like
that
makes
sense.
A
We've
got
open
source
libraries,
we've
got
the
code.
We
write
right,
that's
part
of
what
you
know
our
is
included
in
our
final
product.
Again,
that's
not
new,
and
then
we
said:
okay,
it's
not
those
libraries.
It's
also
other
third-party
libraries
that
we
bring
in.
Maybe
those
are
you
know
ones
that
come
along
with
these
open
source
dependencies,
maybe
they're
closed
source
ones.
Like
you
know,
things
used
to
access
the
operating
system
or
from
some
vendor
that
again
hardware
vendor
or
some
api.
A
We're
using
that's
that's
closed
right,
but
that
the
library
then
really
is
a
dependency
as
well,
and
then,
of
course,
both
of
those
have
their
own
open
source
and
maybe
closed
source
dependencies
right.
This
is
where,
when
left
pad
gets
taken
out
of
the
mpm
registry,
all
of
a
sudden,
nobody
can
build
right,
not
that
many
people
were
pulling
left
pad
to
pad
some
numbers
into
their
code,
but
they
had
depended
on
something
that
was
doing.
A
A
We've
saw
that
in
the
solarwinds
attack
right,
it's
a
clear
dependency
to
our
production
environment
and
then
there's
our
production
environment
and
then,
of
course,
in
there
are
a
bunch
of
other
vendors
with
a
big
s,
and
they
have
a
lot
of
open
source
dependencies
that
they
rely
on
and
they
probably
have
a
lot
of
closed
source
proprietary
stuff.
They
rely
on
right,
so
this
web
gets
a
lot
bigger
than
just
oh.
A
These
are
the
dependencies
called
out
in
my
files,
and
so
I
think
it's
key
to
understand
that
the
sum
total
of
all
those
dependencies
really
is
what
you
should
think
of
when
you're
talking
about
supply
chain,
and
so
so,
okay.
So
let's
talk
about
then
what
is
a
supply
chain
yeah?
So
we
got
that.
I
thought
we
had
20
minutes,
no
just
10..
Oh
great,
sorry,
that
must
have
been
returned.