Upload File

andy clemenko - @clemenko - docker building a secure ... a secure su… · what is a secure supply...

  • Home
  • Documents
  • andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?
30
BUILDING A SECURE SUPPLY CHAIN andy clemenko - @clemenko - Docker

Upload: others

Post on 08-Jun-2020

13 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

BUILDING A SECURE SUPPLY CHAINandy clemenko - @clemenko - Docker

Page 2: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

•Ask Questions•Help each other•Have fun•Learn•There will be prize…

Please:

Page 3: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

What is NOT a Secure Supply Chain?

Page 4: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

What is a Secure Supply Chain?•Known good source - Source of truth?•Known good path?•CVE Scanned?•Repeatable?•Chain of Custody ( Audit Trail )?

Page 5: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Why?

Page 6: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Honestly Why?

Page 7: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Anyone have an Asus Laptop?

https://andyc.info/asus

https://andyc.info/asus
Page 8: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Man in the Middle?Docker pull from 35k feet!

Page 9: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Replay Attack?

Page 10: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Automation = Vacations!

Page 11: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Automation = Repeatability

Page 12: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Vulnerabilities?

Page 13: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Chain of Custody?

Page 14: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

“No human should EVER build or deploy code meant for production!”

Image credit: h"ps://www.deviantart.com/uvnik/art/No-humans-allowed-142046016

https://www.deviantart.com/uvnik/art/No-humans-allowed-142046016
Page 15: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Images for everything!

T R A D I T I O N A L A P P S P A C K A G E D A P P S N E W A P P S

M I C R O S E R V I C E S E D G EI O T

APP

Page 16: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

We can do this…

• Known good source / Source of truth • Known good path • CVE Scanning • Repeatable and automated • Chain of Custody ( Audit Trail )

Page 17: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Source of Truth!

Code Images

Page 18: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Two Good Starting Points

Page 19: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Fundamental Path

Docker pushDocker Trusted Registry

git commit build number tag

Page 20: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Image Signing

Webhook

Docker push

Docker Trusted Registry

Page 21: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

DTR Tooling• CVE Scanning • Promotion Policy (Internally) • Mirroring Policy (Externally) • Pruning Policy - Age Off • RBAC - Control • *Soon* - Full PKI Support

Page 22: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Quarantine?

Docker Trusted Registry

Docker Trusted Registry

Non-ProdQuarantine

Page 23: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Multiple Domains

Docker Trusted Registry

Docker Trusted Registry

UnClassified Top Secret

Page 24: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Spoke and Hub?

Docker Trusted Registry

Non-Prod

Docker Trusted Registry

Prod - OnPrem

Docker Trusted Registry

Prod - Cloud

Page 25: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Secure Supply Chain - Git StartGIT CI

Docker for Mac or

Docker for Windows

PRODUCTION DTRNon-Prod DTR Private Repo

CVE Scanning

Non-Prod DTR Public Repo

Promotion Policy

Mirroring Policy

Page 26: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Secure Supply Chain - Docker Hub StartPRODUCTION DTR

Non-Prod DTR Private Repo

CVE Scanning

Non-Prod DTR Public Repo

Promotion Policy

Mirroring Policy

hub.Docker.com

Mirroring Policy

http://hub.Docker.com
Page 27: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Soon - PKI!• No Passwords - Full Authentication• Client Bundle or External CA• UCP/DTR Swarm/Kubernetes• CLU and GUI

External CA

Client Bundle

Page 28: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Do you have a Secure Supply Chain?•Known good source - Source of truth?•Known good path?•CVE Scanned?•Repeatable?•Chain of Custody ( Audit Trail )?

Page 29: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

Play - With - Docker (PWD)

Page 30: andy clemenko - @clemenko - Docker BUILDING A SECURE ... A Secure Su… · What is a Secure Supply Chain? •Known good source - Source of truth? •Known good path? •CVE Scanned?

https://andyc.info/summit19

https://dockr.ly/mid-atlsummit


Secure MICR Printer User’s Guide - Source Technologies · ST9720 Secure MICR Printer . User’s Guide . Source Technologies, LLC 4205B Westinghouse Commons Drive ... Congress established

The State of Open Source in Secure Converged Networks

Secure Solar Power Source - Cornell University · A Design Project Report ... Project Title: A Secure Solar Power Source Author: Vladimir Kozitsky ... buck converter was utilized

Open-Source Software-Based SRAM-PUF for Secure Data and

Open Source Used In AnyConnect 4 Source Used In Open Source Used in AnyConnect Secure Mobility Client 4.7

Secure Your Source Code - Dynamsoft: Provider of version control

Is Open Source Software More Secure? - … · 2005-12-08 · Is Open Source Software More Secure? Russell Clarke [email protected] ... The number of Linux security attacks is

Secure and Policy Compliant Source Routing

secure and policy compliant source routing1

LogLogic Log Source Report Mapping Guidebook · PDF fileLog Source Report Mapping Guide 3 ... Cisco Secure ACS User Access Cisco Secure ACS User Authentication ... IBM i5/OS System

Keeping Gentoo Secure - Open Source Security and how Gentoo

Secure Solar Power Source - Cornell Engineeringpeople.ece.cornell.edu/land/courses/eceprojectsland/STUDENTPROJ... · SECURE SOLAR POWER SOURCE A Design Project Report ... A self-sustaining

Known Secure Sensor Measurements for Resilient Infrastructure · Known Secure Sensor Measurements for Resilient Infrastructure O. Linda, ... High importance to security •KSSM concept

Open Source in the web enterprise world a secure success

Why Won’t Developers Always Just Write Secure Open Source

Overview of Secure Boot and Secure Firmware …...To get more information about the open-source TF ‑M reference implementation, refer to [TF-M]. Overview of Secure Boot and Secure

ACCESS SECURE IDENTITY - HID Global | The Trusted Source for

Secure Source Verification Solutions

Secure Solar Power Source

Open Source Software Projects I Have Known

Secure Source Stages3

A source code per - spective framework to produce secure

Secure MICR Printer User's Guide - Source

Open Source secure software updates for Linux-based …events17.linuxfoundation.org/sites/events/files/slides/Open Source...Open Source secure software updates for ... AGL to implement

Waste Management - HID Global | The Trusted Source for Secure

Secure and Policy-Compliant Source Routing ppt

Small Modular Reactors: The Army’s Secure Source of Energy?

Formally Secure Compilation - Proseccoprosecco.gforge.inria.fr/personal/hritcu/talks/2017-12-18-Secure... · Formally secure compilation high-level attacker low-level attacker source

Open Source secure software updates for Linux …schd.ws/hosted_files/als2016/a9/Open Source secure software updates...Open Source secure software updates for Linux-based IVI systems

Secure logging with syslog-ng - FOSDEM9 FOSDEM 2020 Secure logging implementation File Relay Network OS Application syslog-ng Source Source driver Source driver Destination FilterFilter

Secure Source Backup Users Manual - MarshallSoft · 7.2 PASS.BIN File ... • Can back up and restore files in multi-level sub ... 1.2 Script Assembler Secure Source Backup also includes

Secure and Interoperable Teleradiology Solutions based on Open Source Standards

Invesco Markets plc (formerly known as Source Markets plc

Secure Your Source Code

PENETRATION TEST REPORT Secure Open Source (Mozilla) · 2018-08-14 · Confidential Document Properties Client Secure Open Source (Mozilla) Title PENETRATION TEST REPORT Target Graphite