SupplyChainSecurityCon hosted by CNCF + CDF 2021

The software bill of materials (SBOM) has quickly become a critical foundation for software supply chain security. Gaining the ability to see and process the full picture of all software components included in your applications is the first step in preventing vulnerabilities and malware from reaching production systems.

The recent United States Executive Order on Improving the Nation's Cybersecurity details the need for software producers to supply SBOMs, as well as maintaining controls on the provenance of software components and tools. The U.S. NTIA has subsequently released minimum elements for a compliant SBOM. This highlights the important role of an SBOM for open source projects, whether they are incorporated in software applications or used as part of the development toolchain.

Multiple Linux Foundation and CNCF projects including SPDX, In-Toto, and SigStore are providing critical frameworks and specifications designed to advance the security of the software supply chain.

This session will explore best practices for generating SBOMs for both open source projects and software producers, we will share insights and lessons learned from creating SBOMs for CNCF projects using Syft, an open source SBOM generator, and predict ways that we see the role of the SBOM in securing software supply chains evolving over time.

Several recent high-profile security incidents were due to compromised software supply chains. Software Supply Chain is a collective term used to describe the stages of software lifecycle from source to deployment through CI/CD pipelines, and all the static and dynamic analyses in between. In the world of microservices and cloud computing, trust in your company’s supply chain is critical, as most of the tooling and dependencies are from open source and vendor projects. When the code hits production, it’s essential to have enough observability to detect and investigate the problem and get to the root cause and mitigation as quickly as possible. With software supply chain attacks, not only is the newly deployed code under suspicion, but also all the tooling used to produce it becomes a potential attack vector, so an efficient and effective way to verify the integrity of the supply chain is paramount. This talk will discuss what information needs to be collected to allow DevOps to inspect and verify the integrity of the supply chain, the challenges of having the right level of detail to reduce mean-time-to-detection and mean-time-to-understanding, some of the existing solutions and open problems in this space.

As you're no doubt aware, SolarWinds was hit in December 2020 with a sophisticated supply chain attack perpetrated by nation state actors. In the months since, they've been working to create an entirely new build system based on a number of CNCF and CDF projects. In this talk, you'll learn about what they're building, why it's necessary, and what it's like to be on the inside when the unthinkable happens.

Open source is everywhere and software is eating the world. However, we now face serious challenges within the security of our software and its supply chain from code commit to production. For this talk, Luke Hinds will outline the current immediate threats and what can be done by us as a community to address the risks we face by harnessing Open Source tooling and open transparent development models.