Learning from Supply Chain Failures and Best Practices in Other Industries
Demian Ginther, SuperOrbital LLC, 2022

About me
20+ years of Security and Systems Administration/DevOps
University of New Mexico; Boeing; RiskSense, LLC; Ad Hoc, LLC; Center for Medicaid and Medicare Services; Department of Veterans Affairs; SuperOrbital, LLC

Who needs a supply chain?
Non-software industries with supply chains you may have heard about: Food, Goods/Commerce, Medical/Chemical, Entertainment, Energy/Utilities

...and what is it, anyway?
A network of entities (individuals, groups, resources, activities, and technology) involved in the creation and sale of a product.
The entire system of producing and delivering a product or service.

Notable recent software supply chain issues
SolarWinds Orion, 2020
PHP git repository, 2021
Homebrew, 2021
Log4j, 2021

Non-software supply chain concepts
Some apply, some don't.
Traceability and Transparency; Safety and Quality; Production; Processing; Packaging; Storage; Physical Distribution; Inventory Control; Disposal and Cleanup; Logistics; Tracking Distribution; After-Sales Tracking

Traceability and Transparency
"When the lack of transparency in supply chains delays the identification of contamination sources and the root causes of product problems, the economic and public health costs can be considerable." - Scott Gottlieb, Statement as FDA Commissioner, March 19, 2019
The food-safety terms have direct software counterparts:
Ingredients (Dependencies)
Producer (Author)
Location (Deployments)
Problems/Recalls (Vulnerabilities)

Safety and Quality
Freshness; Packaging; Personnel safety (labor laws, transport laws)
Safety and quality apply to software, but in a different way: you or your team, as the developer, are responsible for the quality and safety of your code.
Keep toxic ingredients out of your code!

Logistics
Traversing the supply chain: Assembly, Storage, Shipping, Tracking
The software equivalents:
Continuous Integration Pipelines: Jenkins, Argo Workflows, TeamCity, CircleCI, GitHub Actions
Code Repositories: GitHub, GitLab, BitBucket, Artifactory, SourceForge
Container/SBOM/Signature Registries: DockerHub, GitHub Package Registry, GitLab CR, Google Artifact Registry, Amazon ECR, Azure CR, Harbor CR, Red Hat Quay
Continuous Deployment Pipelines: Jenkins, Argo Workflows, AWS CodeDeploy, TeamCity, CircleCI, AWS CodePipeline
Application Visibility: Datadog, Raygun, Dynatrace, AppDynamics, New Relic

Failure
Kaizen ("Continuous Improvement")
[Images: macrovector on Freepik; Dall-E]
Best way to learn? Agile. The "Eureka Moment".

Romaine Lettuce: E. coli outbreak, November 2018
Multi-state outbreak of E. coli
Total loss: $280-350M
Source: E. coli in the Romaine Lettuce Industry: Economic Impacts From the November 2018 Outbreak. July 2021. Kristin Kiesel, Rachael E. Goodhue, Richard J. Sexton, and Ashley Spalding. https://kiesel.ucdavis.edu/Full%20Report.pdf
Improvements? Traceability. Transparency. Blockchain?

Peanut Corporation of America: Salmonella, 2006-2009
At least 714 infections, 9 dead
Intentional coverup
Most companies rely on the one-up-one-back approach (each party knows only its immediate supplier and its immediate customer). Insufficient! Whole chain
visibility is necessary.

Knowing where your dependencies are from
Automate the creation of an SBOM for each deliverable:
Anchore Syft (multi-language)
kubernetes-sigs/bom (Kubernetes)
cyclonedx/bom (NodeJS)
Others: https:/
Sign your SBOMs: Sigstore Cosign
Admission controllers / automated checks before running

And where their dependencies are from

Ever Given: Suez Canal, March 2021
Estimates of $60B in trade affected
Plan B not so good
A 6-day bottleneck on one resource created months of detrimental effects

Plan B (and Plan C, Plan 9)
Infrastructure for your pipelines: multiple regions; self-healing; performance visibility; monitoring and alerting; logging; practice and use chaos engineering
Human processes can be slow
Know what happens when things are down

Transfusion blood supply
Study, 2011: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3096861/
48% of records had errors before 2002
Traceability was 99% after 2005
How? Automation!

Never Trust, Always Verify.
Trust but Verify

Automation
Automate the easy stuff:
Version bumps in dependencies
Vulnerability scans
SBOM creation, and future use
Admission controllers

In conclusion
The ability to determine where your dependencies came from is vital in detecting and reacting to potential problems.
It's not enough to know what your dependencies are; you must also know what your dependencies' dependencies are!
Add automatic checks to ensure you do not run unsigned/unchecked code.
Have infrastructure and resources available to support a Plan B, and possibly a Plan C, if your Plan B might not be tenable.
Have a plan in place to mitigate the ripple effects of an outage in your development pipelines.
Automate everything!

Image Credits
Some images generated with the assistance of Dall-E 2
Failure image: Freepik/M
Photo of the Ever Given: Associated Press
Plan 9 poster: Tom Jung
Reagan/Gorbachev photo: Bettmann Archive/Getty Images
Various logos: relevant official websites
Zero Trust logo: Tigera.io
Mr Yuk: UPMC Children's Hospital of Pittsburgh
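The whole-chain visibility the Peanut Corporation slide asks for, and the conclusion's "add automatic checks so you do not run unsigned/unchecked code", worked through as an added example; this is not code from the deck or from SuperOrbital. It assumes a CycloneDX-style SBOM constructed inline (the shape that Anchore Syft or cyclonedx/bom emit), a constructed recall list whose advisory identifier is hypothetical, and a constructed store of already-verified attestations standing in for the output of `cosign verify-attestation`; the package refs, image names and digests are all made up.

```python
"""Whole-chain SBOM traceability plus an automated pre-deployment gate.

Added example, not code from the talk. All inputs below are constructed:
the SBOM, the recall list (hypothetical advisory id) and the attestation store.
"""
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical "webshop" deliverable.
# Only metadata.component, components and dependencies are used. The recalled
# parser sits three hops down: webshop -> logger -> lookup-client -> fast-parser.
FW, LOG, LOOKUP, PARSER = (
    "pkg:maven/org.example/framework@2.0.0",
    "pkg:maven/org.example/logger@1.4.0",
    "pkg:maven/org.example/lookup-client@0.9.1",
    "pkg:maven/org.example/fast-parser@5.2.3",
)
ROOT = "pkg:generic/webshop@3.1.0"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": ROOT, "name": "webshop", "version": "3.1.0"}},
    "components": [
        {"bom-ref": FW, "name": "framework", "version": "2.0.0"},
        {"bom-ref": LOG, "name": "logger", "version": "1.4.0"},
        {"bom-ref": LOOKUP, "name": "lookup-client", "version": "0.9.1"},
        {"bom-ref": PARSER, "name": "fast-parser", "version": "5.2.3"},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [FW, LOG]},
        {"ref": LOG, "dependsOn": [LOOKUP]},
        {"ref": LOOKUP, "dependsOn": [PARSER]},
        {"ref": PARSER, "dependsOn": [LOOKUP]},  # constructed cycle: traversal must not loop
    ],
})

# Constructed recall list, the software analogue of a product recall.
# HYPO-2022-0001 is a hypothetical identifier, not a real advisory.
RECALLS = {PARSER: "HYPO-2022-0001: code execution when parsing untrusted input"}

# Constructed attestation store: image digest -> SBOM whose signature has already
# been verified. In a real pipeline this is what `cosign verify-attestation` returns.
GOOD_DIGEST = "sha256:" + "ab" * 32
VERIFIED_ATTESTATIONS = {GOOD_DIGEST: SAMPLE_SBOM}


def load_graph(sbom_json):
    """Return (root_ref, {ref: [refs it depends on]}) from a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    for component in bom.get("components", []):  # leaves with no dependencies entry
        graph.setdefault(component["bom-ref"], [])
    return root, graph


def one_up_one_back(root, graph):
    """The one-up-one-back view: only what the deliverable directly depends on."""
    return set(graph.get(root, []))


def whole_chain(root, graph):
    """Whole-chain view: every transitive dependency with its depth (BFS, cycle-safe)."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for dep in graph.get(ref, []):
            if dep not in depth and dep != root:
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def recalled(refs, recalls=RECALLS):
    """Subset of refs that appear on the recall list, with the recall reason."""
    return {ref: recalls[ref] for ref in refs if ref in recalls}


def admit(image_ref, attestations=VERIFIED_ATTESTATIONS, recalls=RECALLS):
    """Automated check before running: allow only digest-pinned images carrying a
    verified SBOM attestation whose whole dependency chain is free of recalls."""
    if "@sha256:" not in image_ref:
        return {"allowed": False, "reason": "image is not pinned by digest"}
    digest = image_ref.split("@", 1)[1]
    sbom = attestations.get(digest)
    if sbom is None:
        return {"allowed": False, "reason": "no verified SBOM attestation for " + digest}
    root, graph = load_graph(sbom)
    hits = recalled(whole_chain(root, graph), recalls)
    if hits:
        return {"allowed": False, "reason": "recalled dependency in chain", "hits": hits}
    return {"allowed": True, "reason": "verified SBOM, no recalled dependencies"}


if __name__ == "__main__":
    root, graph = load_graph(SAMPLE_SBOM)
    print("one-up-one-back sees:", sorted(one_up_one_back(root, graph)))
    print("whole chain sees:", whole_chain(root, graph))
    print(admit("registry.example.com/webshop@" + GOOD_DIGEST))
    print(admit("registry.example.com/webshop:latest"))
```

one_up_one_back() reports a clean direct-dependency list while whole_chain() finds the recalled parser three hops down, which is the Peanut Corporation lesson in SBOM form. admit() refuses tag-only image references, images with no verified attestation, and images whose attested SBOM contains a recalled component; in a real pipeline the SBOM would come from syft or cyclonedx/bom, be attached to the image digest with `cosign attest`, and the constructed attestation store would be replaced by a `cosign verify-attestation` call inside an admission controller.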