Post on 08-Jun-2020

BUILDING A SECURE SUPPLY CHAIN

Andy Clemenko - @clemenko - Docker

Please:

• Ask Questions
• Help each other
• Have fun
• Learn
• There will be prize…

What is NOT a Secure Supply Chain?

What is a Secure Supply Chain?

• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?

Why?

Honestly Why?

Anyone have an Asus Laptop?

https://andyc.info/asus

Man in the Middle?

Docker pull from 35k feet!

Replay Attack?

Automation = Vacations!

Automation = Repeatability

Vulnerabilities?

Chain of Custody?

“No human should EVER build or deploy code meant for production!”

Image credit: https://www.deviantart.com/uvnik/art/No-humans-allowed-142046016

Images for everything!

[Figure: Traditional Apps, Packaged Apps, New Apps, Microservices, Edge/IoT - every kind of app packaged as an image]

We can do this…

• Known good source / Source of truth
• Known good path
• CVE Scanning
• Repeatable and automated
• Chain of Custody ( Audit Trail )

Source of Truth!

Code

Images

Two Good Starting Points

Fundamental Path

git commit / build number tag

Docker push

Docker Trusted Registry

Image Signing

Webhook

Docker push

Docker Trusted Registry

DTR Tooling

• CVE Scanning
• Promotion Policy (Internally)
• Mirroring Policy (Externally)
• Pruning Policy - Age Off
• RBAC - Control
• *Soon* - Full PKI Support

Quarantine?

Docker Trusted Registry

Docker Trusted Registry

Non-Prod

Quarantine

Multiple Domains

Docker Trusted Registry

Docker Trusted Registry

Unclassified

Top Secret

Spoke and Hub?

Docker Trusted Registry

Non-Prod

Docker Trusted Registry

Prod - OnPrem

Docker Trusted Registry

Prod - Cloud

Secure Supply Chain - Git Start

GIT

CI

Docker for Mac or Docker for Windows

PRODUCTION DTR

Non-Prod DTR Private Repo

CVE Scanning

Non-Prod DTR Public Repo

Promotion Policy

Mirroring Policy

Secure Supply Chain - Docker Hub Start

PRODUCTION DTR

Non-Prod DTR Private Repo

CVE Scanning

Non-Prod DTR Public Repo

Promotion Policy

Mirroring Policy

hub.Docker.com

Mirroring Policy
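The gate between the Non-Prod and Production registries in the two pipelines above, as an added example that is not from the deck or from DTR itself: a small Python evaluator that applies a promotion policy to an image record. The record fields, the policy criteria (build-number tag, signature present, CVE counts per severity) and the sample scan results are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed image metadata as the pipeline would hold it after the CI build
# and the registry's CVE scan; the field names are assumptions for this example.
@dataclass
class ImageRecord:
    repo: str
    tag: str
    signed: bool
    cves: dict = field(default_factory=dict)  # severity -> count


@dataclass
class PromotionPolicy:
    tag_pattern: str          # known good path: tags must carry a CI build number
    require_signature: bool   # chain of custody: only signed images move on
    max_by_severity: dict     # CVE thresholds per severity


def evaluate_promotion(image, policy):
    """Return (allowed, reasons). Every failed criterion is listed so the
    decision can be written to the audit trail, not just a yes/no."""
    reasons = []
    if not re.fullmatch(policy.tag_pattern, image.tag):
        reasons.append(f"tag {image.tag!r} does not match {policy.tag_pattern!r}")
    if policy.require_signature and not image.signed:
        reasons.append("image is not signed")
    for severity, limit in policy.max_by_severity.items():
        found = image.cves.get(severity, 0)
        if found > limit:
            reasons.append(f"{found} {severity} CVEs exceeds limit {limit}")
    return (not reasons, reasons)


# Constructed policy for the Production DTR: no critical/high findings, signed only.
PROD_POLICY = PromotionPolicy(
    tag_pattern=r"[0-9]+\.[0-9]+\.[0-9]+-build[0-9]+",
    require_signature=True,
    max_by_severity={"critical": 0, "high": 0, "medium": 5},
)


def sample_records():
    # Constructed sample scan results: one clean CI build, one ad-hoc "latest" push.
    return [
        ImageRecord("web/api", "1.4.2-build317", True, {"critical": 0, "high": 0, "medium": 2}),
        ImageRecord("web/api", "latest", False, {"critical": 1, "high": 3}),
    ]


if __name__ == "__main__":
    for rec in sample_records():
        ok, why = evaluate_promotion(rec, PROD_POLICY)
        print(f"{rec.repo}:{rec.tag} -> {'PROMOTE' if ok else 'HOLD'} {why}")
```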

Soon - PKI!

• No Passwords - Full Authentication
• Client Bundle or External CA
• UCP/DTR Swarm/Kubernetes
• CLI and GUI

External CA

Client Bundle

Do you have a Secure Supply Chain?

• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?

Play - With - Docker (PWD)

https://andyc.info/summit19

https://dockr.ly/mid-atlsummit