CNSCon Keynote - Brandon (slide deck, 20 pages)
Brandon Lum (lumjjb), Software Engineer, Google
The Next Steps in Software Supply Chain Security

Slide: Supply Chain Attacks / Security
- Increase in attacks leads to a strong industry response

Slide: Producing Trusted Software & Attestations
- Scorecards
- FRSCA

Slide: Producing and Consuming
- Producing and Consuming?
- VEX, VEX, VEX, VEX

Slide: Outcome of Producing
- Trust Foundation: a decentralized, flexibly anchored trust fabric
- Attestations and Metadata: schemas and sources for rich security metadata
- Vulnerability Exploitability eXchange (VEX)

Slide: Software Supply Chain Integrity - Consumption
- Trust Foundation: a decentralized, flexibly anchored trust fabric
- Attestations and Metadata: schemas and sources for rich security metadata
- Vulnerability Exploitability eXchange (VEX)
- Aggregation and Synthesis: intelligent aggregation across artifacts and identities
- Policy and Insight: automation and compliance throughout the SDLC
- Consume

Slide: Consuming - Aggregation & Synthesis
- Inputs: OSS package repository metadata; threat intelligence; internal software/build systems; third-party/vendor software
- Public data source aggregators: Repology, deps.dev
- Package managers
- Multi-source generic aggregator

Slide: Consuming - Policy
- Mechanism to create and enforce
- How to evaluate and enforce
- + Proprietary GRC/CMDB systems
- What are the checks for "Good" supply chain security? TAG Security Issue #987

Slide: Consuming - Policy and Insights
- Reactive: HOW AM I AFFECTED? A vulnerability or supply chain compromise is discovered! (+ the Codecov and SolarWinds compromises)
- Preventive: Have I taken the right safeguards? When deciding to use and deploy software, are there sufficient security checks and approvals? SLSA
- Which projects are these? https:/
- How do I prevent large-scale supply chain compromises?

Slide: Call to Action
- "Yes, all the ingredients used are certified"
- Let's start to dive deeper into "Aggregation & Synthesis" and "Policy and Insights"
- Join community efforts: TAG Security Issue #987
- Talks at CNSCon related to consumption:
  - Not All That's Signed Is Secure: Verify the Right Way with TUF and Sigstore
  - Spicing up Container Image Security with SLSA & GUAC
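The "Reactive: how am I affected?" question on the Policy and Insights slide is what VEX consumption is for: join your component inventory against the VEX statements published for a vulnerability and decide which components still need action. The following is an added illustration written for this page, not code from the keynote or from any VEX tooling. The inventory, advisory ID, package URLs and timestamps are constructed; the status vocabulary (not_affected, affected, fixed, under_investigation), the "latest statement wins" precedence and the rule that not_affected must carry a justification follow OpenVEX as I understand it, and are assumptions of this example rather than something the slides state.

```python
"""Reactive VEX consumption: "how am I affected?" for one vulnerability.

Added example, not code from the keynote. All sample data below is
constructed. Status names and precedence rules are assumed to follow OpenVEX.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry in the deployed-software inventory (e.g. from an SBOM)."""
    name: str
    version: str
    purl: str  # package URL; VEX statements identify products by this


@dataclass(frozen=True)
class VexStatement:
    """A single VEX statement about one vulnerability and a set of products."""
    vulnerability: str
    products: frozenset  # set of purls the statement applies to
    status: str
    timestamp: int       # constructed ordering key; newer statements win
    justification: str = ""


# OpenVEX status vocabulary (assumption: taken from the OpenVEX spec).
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Conservative reactive policy: anything not positively cleared needs action.
ACTIONABLE = {"affected", "under_investigation", "unknown"}


def validate(statement: VexStatement) -> None:
    """Reject malformed statements instead of silently trusting them."""
    if statement.status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status {statement.status!r}")
    if statement.status == "not_affected" and not statement.justification:
        # A bare "not affected" with no reasoning is not an acceptable input.
        raise ValueError("not_affected requires a justification")


def assess(inventory, statements, vulnerability) -> dict:
    """Map every inventory purl to its VEX status for `vulnerability`.

    Components no statement mentions stay 'unknown'. Statements are applied
    in timestamp order so the most recent one for a product takes precedence.
    """
    status = {c.purl: "unknown" for c in inventory}
    relevant = sorted(
        (s for s in statements if s.vulnerability == vulnerability),
        key=lambda s: s.timestamp,
    )
    for s in relevant:
        validate(s)
        for purl in s.products:
            if purl in status:  # ignore products we do not run
                status[purl] = s.status
    return status


def needs_action(inventory, statements, vulnerability) -> list:
    """Sorted purls that are affected, still under investigation, or uncovered."""
    status = assess(inventory, statements, vulnerability)
    return sorted(p for p, st in status.items() if st in ACTIONABLE)


# Constructed inventory and VEX feed for a made-up advisory.
INVENTORY = [
    Component("liba", "1.2.0", "pkg:golang/example.com/liba@1.2.0"),
    Component("libb", "0.9.1", "pkg:golang/example.com/libb@0.9.1"),
    Component("example-c", "3.0.0", "pkg:npm/example-c@3.0.0"),
]
VULN = "VULN-CONSTRUCTED-0001"
STATEMENTS = [
    VexStatement(VULN, frozenset({"pkg:golang/example.com/liba@1.2.0"}),
                 "not_affected", 1, "vulnerable_code_not_in_execute_path"),
    VexStatement(VULN, frozenset({"pkg:golang/example.com/libb@0.9.1"}),
                 "under_investigation", 2),
    # Later statement for the same product supersedes the one above.
    VexStatement(VULN, frozenset({"pkg:golang/example.com/libb@0.9.1"}),
                 "affected", 3),
    # Statement for a different advisory must not influence VULN.
    VexStatement("VULN-CONSTRUCTED-0002", frozenset({"pkg:npm/example-c@3.0.0"}),
                 "affected", 4),
]

if __name__ == "__main__":
    for purl, st in assess(INVENTORY, STATEMENTS, VULN).items():
        print(f"{st:20} {purl}")
    print("needs action:", needs_action(INVENTORY, STATEMENTS, VULN))
```

The deliberately conservative part is treating "unknown" as actionable: a component the VEX feed never mentions has not been cleared, so the reactive answer lists it alongside "affected" components rather than quietly dropping it.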