HowToSecureSupplyChain_2023.pdf (28-page slide deck)
Hemil Kadakia & Yonghe Zhao, Yahoo
Secure your Software Supply Chain at Scale

Agenda
- What is software supply chain & why is it important?
- Existing solutions
- Infrastructure & scale at Yahoo!
- Demos & deep dive
- Lessons learned

What is the software supply chain?
Everything it takes to produce your software.

What is the problem? Why is it important to us?
Recent studies:
- 85 to 97% of enterprise codebase uses open source software
- Three out of five companies targeted (Anchore)
- 62% of organizations have been impacted by software supply chain attacks (Anchore)
Sources: Anchore's software supply chain security report; Sonatype's State of the Software Supply Chain

Existing standards/tools
Additional reading: TAG Security Resources

But... current state at Yahoo!
- 60k daily builds and 5k images published per day.
- 700+ K8s clusters and 100k+ pods running.
- Many tooling choices at each step of the SDLC!
Choose your battles wisely.

Existing security controls
- Static code scanning.
- GitHub branch protection & 2 PR reviewers.
- MFA & SSH keys for GitHub operations.
- Ephemeral creds in build environment.
- Mirror external registry.

Starting our journey: Software Composition Analysis (SCA)
- SCA checks only vulnerabilities in open source dependencies.
- 97% of open source vulnerabilities can be fixed by updating to the latest version.
- Auto remediation of security vulnerabilities.
- Build time vuln assessment.

Production deployment verification
- Image provenance check.
- Image signature check.
- Image freshness check.

Image provenance check
Provenance: records that tell you where this image comes from.
Provenance helps us to ensure images are:
- built from only allowed repo/branch/tag
- built using supported CI/CD pipelines
Demo: provenance check
Note: All Yahoo internal host names and image names have been sanitized for all demos.

Image signature check
- Signature makes integrity and publisher verifiable.
- Existing templates build/sign/publish images.
Demo: signature check

Image freshness check
- Reject stale images.
- Update images regularly.
- Decrease the patch delta.
- Ensure a working build pipeline.
Demo: freshness check

More deployment verifications
- Vulnerability check.
- Disallow images with latest tag.
- Check pre-defined labels.

Our journey

Lessons learned
- Continuous feedback
- Enhance existing developer workflows automatically and by default
- Pre-plan for adoption & enforcement
- Visibility of the project
- Embrace open-source technologies

Thank You
Special thanks: Nate Burton, Sean Sposito, Aditya Mahendrakar
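The deployment verification slides (provenance, signature, freshness, vulnerability, latest-tag and label checks) describe a policy gate without showing one. The following is an added example, not Yahoo's code or the deck's demo: a stand-alone Python policy evaluator that takes an image record plus its attestation and returns every policy violation. The provenance field names are modelled loosely on the SLSA v0.2 predicate layout (builder.id, invocation.configSource.uri, metadata.buildStartedOn), and all registry hosts, builder IDs, signer identities, vulnerability IDs and label values are constructed placeholders. Signature verification itself is assumed to have been done by a separate tool and is consumed here as a verified/not-verified result plus signer identity; measuring freshness from the provenance build timestamp is also this example's choice, since the deck does not say how staleness is measured.

```python
"""Deployment-time image verification policy (constructed example, not Yahoo's code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Policy values are placeholders; a real deployment would load these from config.
POLICY = {
    # source repo URI -> regex of git refs that may be deployed (allowed repo/branch/tag)
    "allowed_sources": {
        "git+https://github.example/org/payments": r"^refs/(heads/main|tags/v\d+\.\d+\.\d+)$",
    },
    "allowed_builders": {"https://ci.example/builder/v1"},      # supported CI/CD pipelines
    "allowed_signers": {"ci-signer@example.com"},                # approved publisher identity
    "max_image_age": timedelta(days=30),                         # freshness threshold
    "required_labels": {"org.opencontainers.image.source",       # pre-defined labels
                        "org.opencontainers.image.revision"},
    "max_vuln_severity": "HIGH",                                 # CRITICAL findings block deploy
}

IMAGE_REF = re.compile(r"^(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


@dataclass
class ImageRecord:
    ref: str                      # e.g. registry.example/app:v1.2.3@sha256:...
    signature_verified: bool      # assumed output of the signature tool (not computed here)
    signer_identity: str | None   # identity the signature tool attributed the signature to
    provenance: dict | None       # SLSA-style provenance predicate, or None if absent
    labels: dict                  # image config labels
    vulnerabilities: list         # scanner findings: [{"id": ..., "severity": ...}, ...]


def verify_image(image: ImageRecord, policy: dict, now: datetime) -> list[str]:
    """Return all policy violations for the image; an empty list means admit."""
    violations: list[str] = []

    m = IMAGE_REF.match(image.ref)
    if not m:
        return [f"unparseable image reference: {image.ref}"]
    tag = m.group("tag")
    if tag is None or tag == "latest":
        violations.append("image must be deployed by a pinned tag other than 'latest'")

    # Signature check: integrity and publisher must both verify.
    if not image.signature_verified:
        violations.append("signature verification failed or no signature present")
    elif image.signer_identity not in policy["allowed_signers"]:
        violations.append(f"signed by unapproved identity {image.signer_identity!r}")

    # Provenance check: allowed repo/ref and supported pipeline; freshness from build time.
    prov = image.provenance
    if prov is None:
        violations.append("no provenance attestation")
    else:
        builder = prov.get("builder", {}).get("id")
        if builder not in policy["allowed_builders"]:
            violations.append(f"built by unsupported pipeline {builder!r}")
        uri = prov.get("invocation", {}).get("configSource", {}).get("uri", "")
        repo, _, git_ref = uri.partition("@")          # "<repo>@<ref>" as in SLSA v0.2 examples
        pattern = policy["allowed_sources"].get(repo)
        if pattern is None:
            violations.append(f"source repository {repo!r} is not on the allowlist")
        elif not re.match(pattern, git_ref):
            violations.append(f"git ref {git_ref!r} is not an allowed branch/tag for {repo}")
        started = prov.get("metadata", {}).get("buildStartedOn")
        if started is None:
            violations.append("provenance has no build timestamp")
        else:
            built_at = datetime.fromisoformat(started.replace("Z", "+00:00"))
            if now - built_at > policy["max_image_age"]:
                violations.append(f"image is stale: built {(now - built_at).days} days ago")

    missing = policy["required_labels"] - set(image.labels)
    if missing:
        violations.append("missing required labels: " + ", ".join(sorted(missing)))

    limit = SEVERITY_RANK[policy["max_vuln_severity"]]
    too_severe = [v["id"] for v in image.vulnerabilities
                  if SEVERITY_RANK.get(str(v["severity"]).upper(), 3) > limit]
    if too_severe:
        violations.append("vulnerabilities above severity threshold: " + ", ".join(too_severe))
    return violations


# Constructed sample data for a stand-alone run.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def sample_provenance(built_on: str, builder: str, source_uri: str) -> dict:
    return {"builder": {"id": builder},
            "invocation": {"configSource": {"uri": source_uri}},
            "metadata": {"buildStartedOn": built_on}}


GOOD_IMAGE = ImageRecord(
    ref="registry.example/payments:v1.4.2@sha256:" + "a" * 64,
    signature_verified=True, signer_identity="ci-signer@example.com",
    provenance=sample_provenance("2023-05-20T10:00:00Z", "https://ci.example/builder/v1",
                                 "git+https://github.example/org/payments@refs/tags/v1.4.2"),
    labels={"org.opencontainers.image.source": "placeholder",
            "org.opencontainers.image.revision": "placeholder"},
    vulnerabilities=[{"id": "VULN-0001", "severity": "MEDIUM"}])

BAD_IMAGE = ImageRecord(
    ref="registry.example/payments:latest",
    signature_verified=False, signer_identity=None,
    provenance=sample_provenance("2023-01-01T00:00:00Z", "https://laptop.example/docker-build",
                                 "git+https://github.example/org/payments@refs/heads/feature-x"),
    labels={}, vulnerabilities=[{"id": "VULN-0002", "severity": "CRITICAL"}])

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        print(name, "->", "ADMIT" if not verify_image(img, POLICY, NOW) else "REJECT")
        for v in verify_image(img, POLICY, NOW):
            print("   ", v)
```

Each check reports independently rather than failing fast, which is what makes the gate usable as continuous feedback to developers: one rejection lists everything that must change before the image can ship.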