Securing the software supply chain with AWS and SUSE (SEC312)
Introduction
The presentation, given by Ted Jones, who has over 25 years of industry experience and recently joined SUSE, focuses on securing the software supply chain.
The session aims to define the problem, discuss the consequences of not securing the software supply chain, and explore the components of the software supply chain.
The presentation will then dive into the solution, including the use of AWS and SUSE products and features, and discuss next steps and a call to action.
The Problem
Attacks on the software supply chain can lead to project delays, product release slips, compliance issues, revenue loss, and loss of customer trust.
These issues can result in significant costs, with IBM estimating around $5 million per incident.
Fines, legal expenses, and the impact of ransomware can further increase the costs.
The loss of talent and expertise due to these incidents can also be a significant challenge.
Components of the Software Supply Chain
The software supply chain for containers includes:
Developer committing code to source control
Use of third-party tools like IDEs and AI code assistance
CI/CD process to build, test, and push code to image repositories
Deployment to target environments
Potential Vulnerabilities
Vulnerabilities can be introduced through:
Proprietary and open-source code
Third-party open-source libraries with known vulnerabilities
Malware, phishing, and process hijacking
Application and infrastructure misconfiguration
Security Models
The CIA Triad (Confidentiality, Integrity, Availability) has been a longstanding security model.
The DIE Triad (Distributed, Immutable, Ephemeral) is a more recent model that addresses the challenges of distributed systems, containers, and cloud environments.
SUSE Solutions
SUSE Rancher Prime is built on SLSA Level-3 compliance, providing a secure container platform with features like:
SBOM (Software Bill of Materials) for each build
User management and integration with LDAP/AD
SUSE Application Collection provides curated and patched open-source libraries for enterprise-grade applications.
SUSE Observability, acquired through the StackState acquisition, provides security and compliance monitoring.
Kubewarden is an admission controller and policy engine that can be integrated with AWS CodePipeline.