Published on

SLSA, SigStore, SBOM & Software Supply Chain Security. What does it all mean - Abdel Sghiouar

SLSA, SigStore, SBOM & Software Supply Chain Security. What does it all mean? - Abdel Sghiouar

Hello everyone, thanks for attending my talk. It's quite amusing that this podium is dividing the room. Before delving into the subject, I will introduce what to expect from this session. The session's title is "SLSA, SigStore, SBOM & Software Supply Chain Security." My aim is to provide a fundamental introduction to these concepts and how they relate to software supply chain security.

I will focus on the core ideas and frameworks that constitute software supply chain security. A demo will be included to illustrate one method of protecting and trusting your software. Many cloud providers have tools for securing the software supply chain, but the implementation varies. While I will showcase how we at Google Cloud handle this, the principles discussed today are applicable across platforms. Implementation specifics are up to you.

Introduction

I am Abdel Sghiouar from Stockholm, working for Google for ten years. I co-host the Kubernetes Podcast by Google. Surprisingly, very few people are familiar with our podcast. My Twitter handle is provided above.

Why Care About Software Supply Chain Security?

Let me share some anecdotes that highlight the importance of software supply chain security. Terms like these were rarely heard before COVID, but now they are increasingly common. As the industry evolved, securing production became more sophisticated, driving malicious actors to focus on earlier stages of the software development lifecycle. By compromising dependencies, attackers can infiltrate production systems.

Real-World Examples

  1. Log4j: Widely known vulnerability.
  2. SolarWinds: A backdoor in monitoring software led to the compromise of a critical infrastructure.
  3. Coop in Sweden: A monitoring software vendor had a compromised dependency, leading to leaked purchase information.

Understanding the Software Supply Chain

Your typical software building process involves collecting source code and dependencies, packaging the application, and running it in production. Each dependency could itself rely on multiple other dependencies, creating a complex web.

Common Vulnerabilities

  • Internal malicious actors: Employees with harmful intentions.
  • Compromised source control or build systems: Instances like CircleCI leaking AWS keys.
  • Compromised packages: Libraries that download malicious files during runtime.

Key Concepts

Shift Left

Shift left in security means involving developers early in the security process, ensuring that safe practices are implemented right from the development stage.

Zero Trust

This involves verifying every entity that interacts within a system, including microservices. Protocols like Spire and Spiffy enable this with microservice-to-microservice authentication.

SigStore

An open-source initiative with tools for signing, verifying, and monitoring software components. Contributors include multiple companies, and it is under the OpenSSF.

SLSA Framework

SLSA (Supply-chain Levels for Software Artifacts) is a set of practices to secure the software supply chain, defining levels from 1 to 4 based on compliance with these practices.

Software Bill of Materials (SBOM)

Analogous to ingredient lists in a recipe, SBOM lists the binaries and files in an artifact. Compliance with SBOMs could soon be mandated by regulations such as those in the EU.

Implementation Example

Using the example of a simple Go application, I demonstrated how to:

  1. Build and tag a container image.
  2. Sign the container image using Cosign.
  3. Verify the signature of the container image.
  4. Generate an SBOM for the container image.
  5. Attach and sign the SBOM to the container image.

Available Tools and Free Services

  1. Google Cloud Workstations: Offers a cloud-based development environment.
  2. GitHub Dev / GitPod: Alternatives for cloud-based development environments.
  3. Google Cloud Code: A Visual Studio Code plugin for interacting with Google Cloud.
  4. Assured Open Source Software: Verified and secure open-source software libraries.

Conclusion

That’s all on the foundational concepts of software supply chain security. Feel free to ask any questions.

Keywords

  • Software Supply Chain Security
  • SLSA
  • SigStore
  • SBOM
  • Dependencies
  • Zero Trust
  • Shift Left
  • Cosign
  • Transparency Log
  • Cloud Workstations

FAQ

1. What is software supply chain security?

It encompasses the processes and practices put in place to protect and maintain the security of software from development to production.

2. What is SLSA?

SLSA (Supply-chain Levels for Software Artifacts) is a framework with defined practices and levels ensuring software supply chain security.

3. What is SigStore?

An open-source initiative offering tools for signing, verifying, and monitoring software components to establish trust across the software supply chain.

4. What is an SBOM?

SBOM (Software Bill of Materials) lists the components, libraries, and dependencies within a software artifact, akin to ingredients in a recipe.

5. How can I ensure my container images are secure?

Use tools like Cosign to sign and verify container images. Attach and sign an SBOM to the container images for additional security.

6. Are there free tools available for ensuring software supply chain security?

Yes, tools like Google Cloud Workstations, GitHub Dev, GitPod, Google Cloud Code, and Assured Open Source Software are available, some of them for free.

Read More