BUILDING A SECURE SUPPLY CHAIN
andy clemenko - @clemenko - Docker
Please:
• Ask Questions
• Help each other
• Have fun
• Learn
• There will be prize…
What is NOT a Secure Supply Chain?
What is a Secure Supply Chain?
• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?
Why?
Honestly Why?
Man in the Middle?
Docker pull from 35k feet!
Replay Attack?
Automation = Vacations!
Automation = Repeatability
Vulnerabilities?
Chain of Custody?
“No human should EVER build or deploy code meant for production!”
Image credit: https://www.deviantart.com/uvnik/art/No-humans-allowed-142046016
Images for everything!
[Figure: app categories - Traditional Apps, Packaged Apps, New Apps, Microservices, Edge, IoT, App]
We can do this…
• Known good source / Source of truth
• Known good path
• CVE Scanning
• Repeatable and automated
• Chain of Custody ( Audit Trail )
Source of Truth!
[Diagram labels: Code, Images]
Two Good Starting Points
Fundamental Path
[Diagram labels: git commit, build number tag, Docker push, Docker Trusted Registry]
Image Signing
[Diagram labels: Webhook, Docker push, Docker Trusted Registry]
DTR Tooling
• CVE Scanning
• Promotion Policy (Internally)
• Mirroring Policy (Externally)
• Pruning Policy - Age Off
• RBAC - Control
• *Soon* - Full PKI Support
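As an added example, not code from the talk and not Docker's DTR implementation, the Python below sketches the kind of policy gate the DTR Tooling slide lists (CVE scanning feeding a promotion policy, with a quarantine repo for failures) together with the chain-of-custody tag from the Fundamental Path slide (git commit plus build number). It goes slightly beyond the slides by producing an audit record for every decision. The line-oriented scan report format, the registry host and repo names, the CVE ids and all function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Chain-of-custody tag format from the "Fundamental Path" slide:
# <git commit sha>-<CI build number>. The exact regex is an assumption.
TAG_RE = re.compile(r"^(?P<commit>[0-9a-f]{7,40})-(?P<build>[0-9]+)$")


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    severity: str
    component: str


@dataclass(frozen=True)
class PromotionPolicy:
    source_repo: str       # non-prod repo the image must come from (known good path)
    target_repo: str       # prod repo it is promoted into
    quarantine_repo: str   # where scan failures are parked instead of silently dropped
    max_severity: str      # highest CVE severity still allowed to promote


def parse_scan_report(text):
    """Parse a constructed, line-oriented scan report: '<CVE id> <severity> <component>'.
    Blank lines and '#' comments are ignored; an unknown severity is an error, not 'low'."""
    vulns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"malformed scan line: {line!r}")
        cve, severity, component = parts
        severity = severity.lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in {line!r}")
        vulns.append(Vulnerability(cve, severity, component))
    return vulns


def worst_severity(vulns):
    """Highest severity present, or None for a clean scan."""
    if not vulns:
        return None
    return max((v.severity for v in vulns), key=SEVERITY_RANK.__getitem__)


def split_ref(image_ref):
    """Split 'registry/repo:tag' into (repo, tag); a missing tag yields an empty string."""
    repo, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # the ':' belonged to a registry port, not a tag
        return image_ref, ""
    return repo, tag


def evaluate_promotion(policy, image_ref, vulns):
    """Apply the policy to a scanned image and return an audit record (the chain-of-custody
    entry) with decision 'promote', 'quarantine' or 'reject' plus the destination ref."""
    repo, tag = split_ref(image_ref)
    record = {"source": image_ref, "decision": None, "destination": None,
              "reason": None, "worst_severity": worst_severity(vulns)}

    # Known good path: only images that arrived through the non-prod repo are eligible.
    if repo != policy.source_repo:
        record.update(decision="reject", reason=f"repo {repo!r} is not the policy source")
        return record

    # Chain of custody: the tag must trace back to a commit and a CI build number.
    if not TAG_RE.match(tag):
        record.update(decision="reject", reason=f"tag {tag!r} is not <commit>-<build>")
        return record

    # CVE gate: anything above the allowed severity goes to quarantine, never to prod.
    worst = record["worst_severity"]
    if worst is not None and SEVERITY_RANK[worst] > SEVERITY_RANK[policy.max_severity]:
        record.update(decision="quarantine", destination=f"{policy.quarantine_repo}:{tag}",
                      reason=f"{worst} CVE exceeds allowed {policy.max_severity}")
        return record

    record.update(decision="promote", destination=f"{policy.target_repo}:{tag}",
                  reason="scan within policy; tag carries commit and build number")
    return record


# Constructed sample data (not a real scan); host, repo names and CVE ids are placeholders.
POLICY = PromotionPolicy(
    source_repo="dtr.example.com/nonprod/app",
    target_repo="dtr.example.com/prod/app",
    quarantine_repo="dtr.example.com/quarantine/app",
    max_severity="medium",
)

SAMPLE_REPORT = """
# constructed scan output for demonstration only
CVE-0000-0001 critical openssl
CVE-0000-0002 low      bash
"""

if __name__ == "__main__":
    print(evaluate_promotion(POLICY, "dtr.example.com/nonprod/app:a1b2c3d-42",
                             parse_scan_report(SAMPLE_REPORT)))
```

The three checks are ordered so that an image with no traceable origin is rejected before its scan is even considered: a clean scan of an image that cannot be tied to a commit and build still fails the chain-of-custody requirement. Quarantine keeps the failing image and its audit record available for review rather than discarding it.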
Quarantine?
[Diagram: two Docker Trusted Registry instances, labelled Non-Prod and Quarantine]
Multiple Domains
[Diagram: two Docker Trusted Registry instances, labelled UnClassified and Top Secret]
Spoke and Hub?
[Diagram: three Docker Trusted Registry instances, labelled Non-Prod, Prod - OnPrem and Prod - Cloud]
Secure Supply Chain - Git Start
[Diagram labels: GIT, CI, Docker for Mac or Docker for Windows, Non-Prod DTR Private Repo, CVE Scanning, Non-Prod DTR Public Repo, Promotion Policy, Mirroring Policy, PRODUCTION DTR]
Secure Supply Chain - Docker Hub Start
[Diagram labels: hub.Docker.com, Mirroring Policy, Non-Prod DTR Public Repo, CVE Scanning, Non-Prod DTR Private Repo, Promotion Policy, Mirroring Policy, PRODUCTION DTR]
Soon - PKI!
• No Passwords - Full Authentication
• Client Bundle or External CA
• UCP/DTR Swarm/Kubernetes
• CLI and GUI
[Diagram labels: External CA, Client Bundle]
Do you have a Secure Supply Chain?
• Known good source - Source of truth?
• Known good path?
• CVE Scanned?
• Repeatable?
• Chain of Custody ( Audit Trail )?
Play - With - Docker (PWD)
https://andyc.info/summit19
https://dockr.ly/mid-atlsummit