Securing the Software Supply Chain with AWS and SUSE

Introduction

• The presentation is focused on securing the software supply chain, given by Ted Jones, who has over 25 years of industry experience and recently joined SUSE.
• The session aims to define the problem, discuss the consequences of not securing the software supply chain, and explore the components of the software supply chain.
• The presentation will then dive into the solution, including the use of AWS and SUSE products and features, and discuss next steps and a call to action.

The Problem

• Attacks on the software supply chain can lead to project delays, product release slips, compliance issues, revenue loss, and loss of customer trust.
• These issues can result in significant costs, with IBM estimating around $5 million per incident.
• Fines, legal expenses, and the impact of ransomware can further increase the costs.
• The loss of talent and expertise due to these incidents can also be a significant challenge.

Components of the Software Supply Chain

• The software supply chain for containers includes:
  • Developer committing code to source control
  • Use of third-party tools like IDEs and AI code assistance
  • CI/CD process to build, test, and push code to image repositories
  • Deployment to target environments

Potential Vulnerabilities

• Vulnerabilities can be introduced through:
  • Proprietary and open-source code
  • Third-party open-source libraries with known vulnerabilities
  • Malware, phishing, and process hijacking
  • Application and infrastructure misconfiguration

Security Models

• The CIA Triad (Confidentiality, Integrity, Availability) has been a longstanding security model.
• The DIE Triad (Distributed, Immutable, Ephemeral) is a more recent model that addresses the challenges of distributed systems, containers, and cloud environments.

SUSE Solutions

• SUSE Rancher Prime is built on SLSA Level-3 compliance, providing a secure container platform with features like:
  • SBOM (Software Bill of Materials) for each build
  • User management and integration with LDAP/AD
• SUSE Application Collection provides curated and patched open-source libraries for enterprise-grade applications.
• SUSE Observability, acquired through the Stack State acquisition, provides security and compliance monitoring.
• Kubewarden is an admission controller and policy engine that can be integrated with AWS CodePipeline.
• SUSE Security provides admission control, compliance scanning, and behavior-based zero-trust policies.
• SUSE Private Container Image Repository, based on the Harbor community project, provides a trusted and managed image repository.

SUSE Open-Source Ecosystem

• SUSE is committed to open-source and provides various products based on open-source projects:
  • SUSE Security (NeuVector and Kubewarden)
  • SUSE Observability (Stack State)
  • SUSE Rancher Prime (Rancher, SUSE Security, SUSE Observability)
  • SUSE Virtualization (Harvester based on KubeVirt)
  • SUSE Storage (Longhorn)

Next Steps and Call to Action

• Visit the SUSE booth at re:Invent (booth 1858) to:
  • Try the SUSE Observability free trial and enter a raffle for a Meta Quest-3 set of goggles
  • See demos of SUSE Rancher, SUSE Security, and SUSE Observability
  • Provide feedback and get your questions answered
• Check out the SUSE.com landing page for AWS and the blog post by the presenter.
• Fill out the survey to provide feedback.