TRANSCRIPT
BUILDING A SECURE SUPPLY CHAIN
Andy Clemenko - @clemenko - Docker
Please:
• Ask Questions
• Help each other
• Have fun
• Learn
• There will be prize…
What is NOT a Secure Supply Chain?
What is a Secure Supply Chain?
• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?
Why?
Honestly Why?
Man in the Middle?
Docker pull from 35k feet!
Replay Attack?
Automation = Vacations!
Automation = Repeatability
Vulnerabilities?
Chain of Custody?
“No human should EVER build or deploy code meant for production!”
Image credit: https://www.deviantart.com/uvnik/art/No-humans-allowed-142046016
Images for everything!
[Figure: app categories - Traditional Apps, Packaged Apps, New Apps, Microservices, Edge, IoT - each packaged as an image]
We can do this…
• Known good source / Source of truth
• Known good path
• CVE Scanning
• Repeatable and automated
• Chain of Custody ( Audit Trail )
Source of Truth!
• Code
• Images
Two Good Starting Points
Fundamental Path
[Diagram: git commit → webhook → build, tagged with the build number → image signing → docker push → Docker Trusted Registry → docker push → Docker Trusted Registry]
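The fundamental path above, written out as a CI build step. This is an added example, not code from the talk or from Docker: it derives an immutable tag from the build number and the commit being built, labels the image with that commit so the audit trail travels with the image, and pushes with Docker Content Trust enabled so the tag is signed on its way into the registry. The registry host `dtr.example.com`, the repository `nonprod/app`, the CI-provided `BUILD_NUMBER` and the presence of Notary signing keys are assumptions.

```shell
#!/bin/sh
# Added example, not code from the talk: the fundamental path as a CI script.
# Hypothetical: registry dtr.example.com, repo nonprod/app, a CI-provided
# BUILD_NUMBER, and Docker Content Trust (Notary) signing keys already set up.
set -eu

REGISTRY="${REGISTRY:-dtr.example.com}"
REPO="${REPO:-nonprod/app}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the docker commands instead of running them

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Immutable tag: build number plus the first 12 hex chars of the commit.
# A tag that never moves is what makes the audit trail (tag -> commit) hold.
make_tag() {
    printf '%s-%s\n' "$1" "$(printf '%s' "$2" | cut -c1-12)"
}

# Reject mutable, meaningless tags and anything outside Docker's tag grammar.
validate_tag() {
    case "$1" in
        latest|master|main|dev|prod|'') return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Only build what is committed: an image must map to exactly one commit.
require_clean_tree() {
    [ -z "$(git status --porcelain)" ]
}

# build_sign_push <build_number> <commit_sha>: build, label with provenance,
# and push with DOCKER_CONTENT_TRUST=1 so the tag is signed on the way into DTR.
build_sign_push() {
    tag="$(make_tag "$1" "$2")"
    validate_tag "$tag" || { echo "refusing tag: $tag" >&2; return 1; }
    image="$REGISTRY/$REPO:$tag"
    run docker build \
        --label "org.opencontainers.image.revision=$2" \
        --label "ci.build-number=$1" \
        -t "$image" .
    run env DOCKER_CONTENT_TRUST=1 docker push "$image"
    printf '%s\n' "$image"
}

main() {
    require_clean_tree || { echo "working tree is dirty; commit first" >&2; exit 1; }
    build_sign_push "${BUILD_NUMBER:?set by CI}" "$(git rev-parse HEAD)"
}

# Invoke as: BUILD_NUMBER=42 sh build.sh run   (functions only when sourced)
if [ "${1:-}" = "run" ]; then main; fi
```

The tag is deliberately `<build>-<commit>` and never `latest`: a tag that moves cannot be audited, and a signed tag that moves is worse, because the signature then vouches for whatever was pushed last. `DRY_RUN=1` shows the exact `docker build` and `docker push` lines the step would run, which is also what you want in the CI log.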
DTR Tooling
• CVE Scanning
• Promotion Policy (Internally)
• Mirroring Policy (Externally)
• Pruning Policy - Age Off
• RBAC - Control
• *Soon* - Full PKI Support
Quarantine?
[Diagram: two Docker Trusted Registry instances, Non-Prod and Quarantine]
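One way to implement the quarantine idea as a CVE-gated promotion step. This is an added example, not code from the talk: Docker Trusted Registry enforces this as a registry-side promotion policy, and the script below is the same rule written for a pipeline that gates promotion itself. It promotes by digest rather than by tag, so the artifact that was scanned is exactly the one that moves, and anything over the threshold lands in a quarantine repository instead of being dropped, which keeps the audit trail. The registry names, the thresholds and the `severity count` summary format the scanner wrapper is assumed to emit are all assumptions.

```shell
#!/bin/sh
# Added example, not the talk's code: a CVE-gated promote-or-quarantine step.
# Docker Trusted Registry can do this as a registry-side promotion policy;
# this is the same rule as a CI script. Hostnames, repo names, thresholds and
# the scan-summary format are hypothetical.
set -eu

NONPROD="${NONPROD:-dtr-nonprod.example.com/app/web}"
PROD="${PROD:-dtr-prod.example.com/app/web}"
QUARANTINE="${QUARANTINE:-dtr-nonprod.example.com/quarantine/web}"
MAX_CRITICAL="${MAX_CRITICAL:-0}"
MAX_HIGH="${MAX_HIGH:-0}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed scan summary, one "severity count" pair per line. This is what
# a wrapper around the scanner is assumed to emit, not DTR's real API output.
SAMPLE_SCAN="critical 0
high 2
medium 7
low 13"

# count_for <severity>: read a summary on stdin, print the count (0 if absent).
count_for() {
    awk -v sev="$1" '$1 == sev { n = $2 } END { print n + 0 }'
}

# decide <summary>: print "promote" or "quarantine" against the thresholds.
decide() {
    crit="$(printf '%s\n' "$1" | count_for critical)"
    high="$(printf '%s\n' "$1" | count_for high)"
    if [ "$crit" -gt "$MAX_CRITICAL" ] || [ "$high" -gt "$MAX_HIGH" ]; then
        echo quarantine
    else
        echo promote
    fi
}

# A digest is the only reference that cannot be re-pointed after the scan.
valid_digest() {
    printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# promote_or_quarantine <tag> <digest> <summary>: pull the scanned image by
# digest, retag it into prod or quarantine, push it signed, print the target.
promote_or_quarantine() {
    tag="$1"; digest="$2"; summary="$3"
    valid_digest "$digest" || { echo "bad digest: $digest" >&2; return 1; }
    case "$(decide "$summary")" in
        promote)    dest="$PROD:$tag" ;;
        quarantine) dest="$QUARANTINE:$tag" ;;
    esac
    run docker pull "$NONPROD@$digest"
    run docker tag "$NONPROD@$digest" "$dest"
    run env DOCKER_CONTENT_TRUST=1 docker push "$dest"
    printf '%s\n' "$dest"
}
```

With the constructed summary above (two highs against a threshold of zero) the image goes to quarantine; raising `MAX_HIGH` is the knob the promotion policy exposes. Because the source reference is `repo@sha256:...`, a tag that was re-pushed between scan and promotion cannot slip through.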
Multiple Domains
[Diagram: separate Docker Trusted Registry instances for Unclassified and Top Secret]
Spoke and Hub?
[Diagram: Docker Trusted Registry instances for Non-Prod, Prod - OnPrem and Prod - Cloud]
Secure Supply Chain - Git Start
[Diagram: developer (Docker for Mac or Docker for Windows) → Git → CI → Non-Prod DTR Private Repo, with CVE Scanning → Promotion Policy → Production DTR; Mirroring Policy → Non-Prod DTR Public Repo]
Secure Supply Chain - Docker Hub Start
[Diagram: hub.docker.com → Mirroring Policy → Non-Prod DTR Public Repo, with CVE Scanning → Promotion Policy → Non-Prod DTR Private Repo → Mirroring Policy → Production DTR]
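The Docker Hub start only holds if the mirrored public repo is the sole way a base image enters the build: a Dockerfile that says `FROM alpine:latest` pulls from hub.docker.com directly and bypasses the mirroring policy, the scan and the promotion gate. As an added example (not from the talk or from Docker), a pre-build check that reads a Dockerfile and rejects any `FROM` that is not on the internal registry or is not pinned by digest; `FROM scratch` and `FROM <stage>` are allowed because they pull nothing. The registry host and the digest in the sample Dockerfiles are constructed.

```shell
#!/bin/sh
# Added example, not code from the talk: a pre-build check that enforces
# "known good source" on Dockerfiles. Every FROM must come from the internal
# registry (the mirrored public repo or a promoted one) and be pinned by digest,
# so a build can neither reach docker.io directly nor pull a tag that has moved.
# The registry host and the digest below are hypothetical/constructed.
set -eu

ALLOWED_REGISTRY="${ALLOWED_REGISTRY:-dtr-nonprod.example.com}"

# Constructed digest (not a real image digest), used in the sample Dockerfiles.
DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Constructed Dockerfiles: one that passes, one that fails twice.
GOOD_DOCKERFILE="FROM $ALLOWED_REGISTRY/public/library/alpine:3.10@$DIGEST AS build
RUN apk add --no-cache ca-certificates
FROM --platform=linux/amd64 $ALLOWED_REGISTRY/public/library/alpine:3.10@$DIGEST
COPY --from=build /etc/ssl/certs /etc/ssl/certs"

BAD_DOCKERFILE="FROM alpine:latest
FROM $ALLOWED_REGISTRY/public/library/alpine:3.10
RUN apk add --no-cache curl"

# check_dockerfile: read a Dockerfile on stdin, print one line per violation,
# exit 1 if any FROM is off-registry or unpinned. FROM scratch and FROM <stage>
# (a name declared earlier with AS) are allowed, since they pull nothing.
check_dockerfile() {
    awk -v reg="$ALLOWED_REGISTRY" '
    BEGIN { rc = 0 }
    toupper($1) == "FROM" {
        i = 2
        while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=...
        ref = $i
        if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
        if (ref == "scratch" || (ref in stages)) next
        if (index(ref, reg "/") != 1) {
            printf "line %d: %s is not from %s\n", NR, ref, reg
            rc = 1
            next
        }
        n = split(ref, parts, "@")
        if (n != 2 || length(parts[2]) != 71 || parts[2] !~ /^sha256:[0-9a-f]+$/) {
            printf "line %d: %s is not pinned by digest\n", NR, ref
            rc = 1
        }
    }
    END { exit rc }'
}
```

Run it as `check_dockerfile < Dockerfile` before `docker build` in the CI step. The digest check (`sha256:` plus 64 hex characters) is what turns "known good source" into something the build enforces: a tag in the mirrored repo can still be overwritten by the next mirror run, a digest cannot.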
Soon - PKI!
• No Passwords - Full Authentication
• Client Bundle or External CA
• UCP/DTR Swarm/Kubernetes
• CLI and GUI
[Diagram: External CA, Client Bundle]
Do you have a Secure Supply Chain?
• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?
Play - With - Docker (PWD)
https://andyc.info/summit19
https://dockr.ly/mid-atlsummit