Software Supply Chain ⛓

Software supply chain attacks are on the rise and making headlines almost every day. Luckily, there are many good tools available in the cloud native ecosystem to help secure your supply chain. I’m wondering what we’ll see on this topic at the upcoming KubeCon too! In the meantime, here are a few great links we’ve been reading lately to better understand what’s happening with these attacks.

Issue #130

The CNCF Technical Advisory Group is keeping an updated list of known supply chain compromises. This list is a good way to learn as much as possible from recent attacks and make sure you are protected from the same style of compromise. If you aren’t familiar with supply-chain-style attacks, reading about recent ones is a good place to start.

Here’s a recent post from the CNCF Technical Advisory Group full of good recommendations on how to secure your supply chain. This post starts out by explaining why you should pay attention to supply chain hacks, and then outlines an approach to managing (and hopefully preventing) them in your environment. The second half of this post offers some very actionable steps you can take to start securing your supply chain. 🔒

Here’s a great online book all about the software supply chain. This book is less about a specific tool and more about the challenges involved and the standard best practices available to remediate some common supply chain problems. The OWASP standard has been a great way to think about the security of code, and this SCVS book looks to do the same for the supply chain.

The CNCF Technical Advisory Group is working hard and producing amazing content, and this is no exception: a detailed document (also available as a PDF) that discusses all of the best practices everyone should consider when building their own supply chain. A supply chain has a lot of different parts, and it’s not an easy task to wrap your head around. This list of best practices is an amazing resource. 📑

A talk from the recent KubeCon EU showing how in-toto secures the supply chain. If you aren’t familiar with it, in-toto is a CNCF Sandbox project that provides tools to secure your supply chain. This presentation from Santiago Torres is a great walkthrough of the in-toto project and how you can use it.

From the 2020 KubeCon North America, here are Justin Cormack & Steve Lasker showing how Notary v2 can help secure the supply chain. Notary is another CNCF project that focuses on image signing and delivery. Ensuring that content isn’t modified between publishing and running is a huge part of the supply chain security problem, and Notary is a mature project that helps provide that assurance.

The shape of the SBOM (Software Bill Of Materials) is available in the latest Kubernetes alpha release! Can’t wait to see how this raises the bar for everyone running Kubernetes, starting with 1.22.