
How to Secure Software Supply Chain at Scale

At CloudNativeSecurityCon 2023 in Seattle, WA, Hamil Kadakia and Yonghe Zhao, software engineers on Yahoo's security team, presented on securing the software supply chain at scale and on writing policies that protect against supply chain attacks.

Kadakia opened the session by defining the software supply chain and describing common attacks against it, such as injecting vulnerable dependencies, tampering with build artifacts, and changing permissions on repositories or registries.

After emphasizing the importance of protecting the software supply chain, he cited recent software supply chain security reports from Anchore and Sonatype. He pointed out:

85-97% of enterprise codebases use open source software. This means that most of our applications consist of code that we didn't write. This can pose significant security risks.

Slide: Attacks on the supply chain (courtesy of the CNCF)

He walked through the existing security and compliance tooling in the CNCF landscape and noted that the CNCF Software Supply Chain Best Practices white paper provides good guidance. Even so, with that many tools and recommendations, it is difficult to decide where to start.

Software supply chain security was among the common themes covered across twenty different breakout sessions, including the keynote from Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).

InfoQ caught up with Liz Rice, Isovalent's Chief Open Source Officer, who also delivered some of the keynotes and the closing remarks, to discuss the state of cloud-native security. She stressed the importance of a secure supply chain, but also that it is only part of the solution.

Due to the US executive order on cybersecurity last year, there has been a lot of focus on supply chain security and SBOMs. This has been a massive topic of conversation and many tools are being developed.

We must also remember that there are real-time security elements as well. We cannot expect to achieve total security through supply chain protection. One way or another, vulnerabilities will come through. For this reason, threat detection at runtime is also important.

Next, Zhao gave an overview of Yahoo's current infrastructure, which comprises some seven hundred clusters running hundreds of thousands of pods, and of the tools that support the various teams at Yahoo.


He noted that, to keep things simple, the team went cloud-native: GitHub Enterprise for source control, Screwdriver, an open-source build platform, for continuous delivery, an internal OCI registry for artifacts, and a mix of on-premises and cloud Kubernetes clusters.

Slide: Secure guardrails for the supply chain (courtesy of the CNCF)

He also described the security controls already in wide use, including static code analysis and mirroring of external registries into the internal one. These basic controls needed strengthening in three areas.

  • Software composition analysis was added to the continuous integration step to inventory open source dependencies, flag known vulnerabilities, and raise automatic fixes.
  • Build-time vulnerability assessment was integrated into the build process to scan not only the image being built, but also every component that goes into it, including the base image and the programming language libraries it pulls in.
  • Production deployment verification was added to check each image's provenance, signature, and timeliness before it is allowed to run.

Zhao ended with a recorded demo showing the different verification checks for production deployments and how they can be controlled using policies to allow or deny deployments.
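To make the third control and the policy-driven allow/deny decision from the demo concrete, here is an added example in Go; it is not code from the talk or from Yahoo's tooling. It evaluates one deployment request against a production policy: the image digest must carry a signature from a trusted key, the provenance record must name an approved builder and an approved source repository, and the build must be recent enough. The provenance structure, the builder identity, the repository prefix, the digest, the key material, and the timestamps are all constructed assumptions; a real cluster would verify Sigstore or in-toto attestations rather than this simplified record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Provenance is a simplified, hypothetical stand-in for the build provenance a CI
// pipeline attaches to an image (a real system would use a SLSA/in-toto attestation).
type Provenance struct {
	ImageDigest string    // sha256 digest of the image to be deployed
	BuilderID   string    // identity of the build platform that produced it
	SourceRepo  string    // repository the image was built from
	BuiltAt     time.Time // build time, used for the timeliness check
}

// Policy holds the criteria a cluster operator configures for production.
type Policy struct {
	TrustedKeys       []ed25519.PublicKey // keys allowed to sign production images
	AllowedBuilders   map[string]bool     // builder identities allowed to produce images
	AllowedRepoPrefix string              // source repos must start with this prefix
	MaxImageAge       time.Duration       // deny images built longer ago than this
}

// Verify runs the signature, provenance and timeliness checks for one deployment
// request. allow is true only if every check passes; reasons lists every failure.
func (p Policy) Verify(prov Provenance, sig []byte, now time.Time) (allow bool, reasons []string) {
	// Signature: the digest must be signed by a trusted key. Signing the digest
	// rather than a mutable tag binds the approval to the exact image content.
	signed := false
	for _, k := range p.TrustedKeys {
		if ed25519.Verify(k, []byte(prov.ImageDigest), sig) {
			signed = true
			break
		}
	}
	if !signed {
		reasons = append(reasons, "signature: digest not signed by a trusted key")
	}
	// Provenance: the image must come from an approved builder and source repo.
	if !p.AllowedBuilders[prov.BuilderID] {
		reasons = append(reasons, fmt.Sprintf("provenance: builder %q not allowed", prov.BuilderID))
	}
	if !strings.HasPrefix(prov.SourceRepo, p.AllowedRepoPrefix) {
		reasons = append(reasons, fmt.Sprintf("provenance: source %q outside allowed repos", prov.SourceRepo))
	}
	// Timeliness: an old image predates rebuilds that pick up patched base layers;
	// a future timestamp points to forged or broken metadata.
	if age := now.Sub(prov.BuiltAt); age < 0 {
		reasons = append(reasons, "timeliness: build timestamp is in the future")
	} else if age > p.MaxImageAge {
		reasons = append(reasons, fmt.Sprintf("timeliness: image age %s exceeds max %s", age.Round(time.Hour), p.MaxImageAge))
	}
	return len(reasons) == 0, reasons
}

// DemoVerdicts builds a policy and constructed sample provenance, then evaluates a
// compliant image, the same image signed by an untrusted key, and a stale image.
func DemoVerdicts() (map[string]bool, []string, error) {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // attacker-controlled key
	if err != nil {
		return nil, nil, err
	}
	now := time.Date(2023, 2, 1, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	policy := Policy{
		TrustedKeys:       []ed25519.PublicKey{trustedPub},
		AllowedBuilders:   map[string]bool{"screwdriver.example.com/prod": true}, // assumed builder ID
		AllowedRepoPrefix: "github.example.com/platform/",                        // assumed repo prefix
		MaxImageAge:       30 * 24 * time.Hour,
	}
	good := Provenance{
		ImageDigest: "sha256:" + strings.Repeat("1", 64), // constructed digest
		BuilderID:   "screwdriver.example.com/prod",
		SourceRepo:  "github.example.com/platform/api",
		BuiltAt:     now.Add(-48 * time.Hour),
	}
	stale := good
	stale.BuiltAt = now.Add(-90 * 24 * time.Hour)
	verdicts := map[string]bool{}
	verdicts["compliant"], _ = policy.Verify(good, ed25519.Sign(trustedPriv, []byte(good.ImageDigest)), now)
	verdicts["untrusted-key"], _ = policy.Verify(good, ed25519.Sign(roguePriv, []byte(good.ImageDigest)), now)
	var staleReasons []string
	verdicts["stale"], staleReasons = policy.Verify(stale, ed25519.Sign(trustedPriv, []byte(stale.ImageDigest)), now)
	return verdicts, staleReasons, nil
}

func main() {
	verdicts, staleReasons, err := DemoVerdicts()
	if err != nil {
		panic(err)
	}
	fmt.Println(verdicts, staleReasons)
}
```

Two design choices carry over to real admission policies: the signature covers the immutable digest, never a tag that can be repointed after approval, and the verifier accumulates every failed check instead of stopping at the first, so a denied deployment tells the developer everything that must be fixed in one round trip.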

Kadakia concluded the session with lessons learned along the way: plan for adoption from the start, embrace open-source technologies, and keep gathering feedback so that the security controls improve rather than slow down the developer workflow and experience.

The recording of the breakout session is available on the CNCF YouTube channel playlist. The presentation slides can be found on the event website.
