Overview
This conference talk explores the intersection of software supply chain security and Infrastructure as Code (IaC). It examines the risks of reusing IaC snippets and templates, such as Helm charts, and shows how that reuse exposes infrastructure to the same classes of problems already familiar from software packages and dependencies, including typosquatting and unverified upstream sources. It introduces the open-source project KICS (Keeping Infrastructure as Code Secure) and its role in addressing these challenges, then looks ahead at emerging risks in the IaC world and their impact on lower levels of the software stack, and at how IaC scanning can be used to mitigate supply chain problems in infrastructure. Topics include container supply chain security, the importance of verifiable metadata, distroless containers, reproducible builds, and signature verification (for example with cosign). The talk closes with guidance on securing container creation and key takeaways for maintaining a robust and secure IaC environment.
Syllabus
Intro
Infrastructure as Code
Software Supply Chain
Software Security
(some) IaC Efficiency
Find a Helm chart
Levels of Typosquatting
Supply Chain Security & IaC
Container Supply Chain
debian:buster-slim
You're wrong, because...
The importance of metadata
Verifiable metadata
Distroless containers
Reproducible Builds
Reproducibility
Signatures (e.g. cosign)
These would also be signed...
What is the solution?
Securing Container Creation
Already adopted by GitLab
Key takeaways
Taught by
Linux Foundation