HowToSecureSupplyChain_2023.pdf

Secure your Software Supply Chain at Scale
Hemil Kadakia & Yonghe Zhao, Yahoo

Agenda
- What is the software supply chain and why is it important?
- Existing solutions
- Infrastructure and scale at Yahoo!
- Demos and deep dive
- Lessons learned

What is the software supply chain?
Everything it takes to produce your software.

What is the problem? Why is it important to us?
Recent studies:
- 85 to 97% of enterprise codebases use open source software.
- Three out of five companies targeted (Anchore).
- 62% of organizations have been impacted by software supply chain attacks (Anchore).
Sources: Anchore's software supply chain security report; Sonatype's State of the Software Supply Chain.

Existing standards and tools
Additional reading: TAG Security Resources.

But... current state at Yahoo!
- 60k daily builds and 5k images published per day.
- 700+ K8s clusters and 100k+ pods running.
- Many tooling choices at each step of the SDLC!
Choose your battles wisely.

Existing security controls
- Static code scanning.
- GitHub branch protection and two PR reviewers.
- MFA and SSH keys for GitHub operations.
- Ephemeral credentials in the build environment.
- Mirror of the external registry.

Starting our journey: Software Composition Analysis (SCA)
- SCA checks only for vulnerabilities in open source dependencies.
- 97% of open source vulnerabilities can be fixed by updating to the latest version.
- Auto remediation of security vulnerabilities.
- Build-time vulnerability assessment.

Production deployment verification
- Image provenance check.
- Image signature check.
- Image freshness check.

Image provenance check
Provenance: records that tell you where this image comes from.
Provenance helps us ensure images are:
- built only from an allowed repo/branch/tag;
- built using supported CI/CD pipelines.
Demo: provenance check.
Note: all Yahoo internal host names and image names have been sanitized for all demos.

Image signature check
Signature
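The three production deployment checks above (provenance, signature, freshness) as one admission-style policy routine. This is an added example, not Yahoo's code and not the tooling shown in the talk's demos: the repository, ref, builder and registry names, the 30-day age limit, the image digest and the provenance statement are all constructed, and the signature is an HMAC-SHA256 over the serialized statement as a stand-in for the asymmetric image signature a production signing tool would produce. The statement follows the in-toto Statement / SLSA v0.2 provenance layout (subject digest, builder.id, invocation.configSource.uri, metadata.buildFinishedOn), which is what the policy inspects.

```python
"""Deployment verification: signature, provenance and freshness checks.

Added example, not the talk's own code. Policy values, key, image digest and
the provenance statement are constructed. HMAC-SHA256 stands in for the
asymmetric signature a real signing tool would produce; the policy logic is the same.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# --- Deployment policy (hypothetical values) ---------------------------------
ALLOWED_SOURCES = {
    # repo URL -> refs allowed to produce production images ("…/" = prefix match)
    "https://github.com/example-org/payments-service": {"refs/heads/main", "refs/tags/"},
}
ALLOWED_BUILDERS = {"https://ci.example.internal/builder/v1"}
MAX_IMAGE_AGE = timedelta(days=30)
SIGNING_KEY = b"constructed-demo-key"  # shared secret for the HMAC stand-in


def sign_statement(statement: dict, key: bytes = SIGNING_KEY) -> dict:
    """Produce a DSSE-like envelope: base64 payload plus a signature over it."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-key", "sig": sig}],
    }


def open_envelope(envelope: dict, key: bytes = SIGNING_KEY) -> dict | None:
    """Signature check: return the statement only if a signature verifies."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(expected, s.get("sig", "")):
            return json.loads(payload)
    return None


def check_provenance(statement: dict, image_digest: str) -> list[str]:
    """Provenance check: image built from an allowed repo/ref by a supported builder."""
    failures = []
    subjects = {s["digest"]["sha256"] for s in statement.get("subject", [])}
    if image_digest not in subjects:
        failures.append("provenance does not describe this image digest")
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in ALLOWED_BUILDERS:
        failures.append(f"unsupported builder: {builder}")
    # SLSA v0.2 configSource.uri looks like "git+https://host/org/repo@refs/heads/main"
    uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    repo, _, ref = uri.removeprefix("git+").partition("@")
    allowed_refs = ALLOWED_SOURCES.get(repo)
    if allowed_refs is None:
        failures.append(f"repo not allowed: {repo or '<missing>'}")
    elif not any(ref == r or (r.endswith("/") and ref.startswith(r)) for r in allowed_refs):
        failures.append(f"ref not allowed: {ref or '<missing>'}")
    return failures


def check_freshness(statement: dict, now: datetime) -> list[str]:
    """Freshness check: reject images built longer ago than MAX_IMAGE_AGE."""
    finished = statement.get("predicate", {}).get("metadata", {}).get("buildFinishedOn")
    if not finished:
        return ["provenance has no buildFinishedOn timestamp"]
    built = datetime.fromisoformat(finished.replace("Z", "+00:00"))
    if now - built > MAX_IMAGE_AGE:
        return [f"image is {(now - built).days} days old, limit is {MAX_IMAGE_AGE.days}"]
    return []


def verify_deployment(image_digest: str, envelope: dict, now: datetime) -> tuple[bool, list[str]]:
    """Run all checks; the signature must verify before the provenance is trusted at all."""
    statement = open_envelope(envelope)
    if statement is None:
        return False, ["signature verification failed"]
    failures = check_provenance(statement, image_digest) + check_freshness(statement, now)
    return not failures, failures


# --- Constructed sample: an image built from main by the supported CI ---------
IMAGE_DIGEST = hashlib.sha256(b"constructed image layer").hexdigest()
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "registry.example.internal/payments", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://ci.example.internal/builder/v1"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/payments-service@refs/heads/main"}},
        "metadata": {"buildFinishedOn": "2023-05-20T10:00:00Z"},
    },
}
ENVELOPE = sign_statement(STATEMENT)

if __name__ == "__main__":
    ok, why = verify_deployment(IMAGE_DIGEST, ENVELOPE, NOW)
    print("allow" if ok else "deny", why)
```

The order matters: the provenance fields are only read after the envelope signature verifies, because an unsigned or re-signed statement can claim any repo and builder. The subject digest check ties the statement to the exact image being deployed, so a valid attestation for a different image cannot be replayed; the freshness check is what forces a rebuild when a base image or dependency fix has shipped since the last build.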
