Securing the Supply Chain
A Practical Guide to SLSA Compliance from Build to Runtime
August 21 2024
Enguerrand Allamel, Ledger

About Me
Enguerrand Allamel
- Academic Experience: Studied for one year at Tsinghua University
- Current Role: Senior Cloud Security Engineer at Ledger
- Company Overview: Ledger specializes in secure hardware wallets and cutting-edge security products

Agenda
1. Why is Supply Chain Security Important?
2. What is SLSA (Supply-chain Levels for Software Artifacts)?
3. Possible Milestones for Supply Chain Security Defense
4. Example Implementations
4.1. On the Build Side
4.2. On the Runtime Side
5. Going Further with HSM (Hardware Security Module)

Example of a Supply Chain Attack
[Diagram, normal flow: Git Repositories -> Build Platform (Build) -> Publish -> Registry -> Kubernetes (Pull image) -> application]
[Diagram, attack flow: an attacker gains access to the registry and performs a malicious publish, corrupting the registry; Kubernetes pulls the malicious image and runs the attacker application]

Why is Supply Chain Security Important?
Gartner predicts that by 2025, 45% of organizations will have experienced a software supply chain attack.*

Type of attack: Submit unauthorized change to source git repository
Known example: SushiSwap. A contractor with repository access pushed a malicious commit redirecting cryptocurrency to itself. More than $3 million of users' funds impacted.

Type of attack: Compromise build process
Known example: SolarWinds. An attacker compromised the build platform and installed an implant that injected malicious behavior during each build. Massive data breach; around 18 000 organisations impacted; SolarWinds stock price dropped by 40%.

* Source: Gartner report

What is SLSA?
- SLSA: Security Levels for Software Artifacts
- Backing: Sponsored by the OpenSSF (Open Source Security Foundation), associated with the Linux Foundation
- Collaborative Framework: Developed through cross-industry collaboration
- Purpose: Establishes standards and guidelines for sec
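The registry-compromise scenario from the "Example of a Supply Chain Attack" slide, as an added example that is not part of the talk: the runtime admits an image only when a provenance attestation produced by the build platform matches the digest the registry actually serves, so an attacker who can only overwrite the registry cannot get their image deployed. Constructed toy: an HMAC with a key held by the build platform stands in for the asymmetric signature a real attestation carries, and the image contents are short byte strings.

```python
"""Toy model of build-side provenance checked at runtime (constructed example)."""
import hashlib
import hmac
import json

# Constructed key. In a real setup the build platform signs with a private key and
# the runtime verifies with the public key; the registry never holds either.
BUILD_KEY = b"constructed-build-signing-key"


def image_digest(image_bytes: bytes) -> str:
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def build_and_attest(image_bytes: bytes, builder_id: str) -> dict:
    """Build side: emit a provenance statement bound to the image digest."""
    statement = {"subject": image_digest(image_bytes), "builder": builder_id}
    payload = json.dumps(statement, sort_keys=True).encode()
    return {"statement": statement,
            "signature": hmac.new(BUILD_KEY, payload, "sha256").hexdigest()}


def registry_publish(registry: dict, tag: str, image_bytes: bytes) -> None:
    """Anyone with write access to the registry can overwrite a tag."""
    registry[tag] = image_bytes


def runtime_admit(registry: dict, tag: str, attestation: dict, trusted_builder: str) -> bool:
    """Runtime side: admit only if the attestation verifies, names the trusted
    builder, and its subject digest matches the bytes the registry serves now."""
    payload = json.dumps(attestation["statement"], sort_keys=True).encode()
    expected = hmac.new(BUILD_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return False
    if attestation["statement"]["builder"] != trusted_builder:
        return False
    return image_digest(registry[tag]) == attestation["statement"]["subject"]


def scenario() -> tuple:
    """Returns (admitted before the attack, admitted after the registry overwrite)."""
    registry: dict = {}
    good_image = b"legitimate application image (constructed)"
    attestation = build_and_attest(good_image, "trusted-ci")
    registry_publish(registry, "app:1.0", good_image)
    before = runtime_admit(registry, "app:1.0", attestation, "trusted-ci")
    # The slide's attack: the attacker overwrites the tag in the registry.
    registry_publish(registry, "app:1.0", b"attacker application (constructed)")
    after = runtime_admit(registry, "app:1.0", attestation, "trusted-ci")
    return before, after
```

Without the digest check against the attestation, `runtime_admit` would accept whatever the registry serves, which is exactly the gap the attack on the slide exploits.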