SOSS Community Day India

Achieving Software Supply Chain Security Assurance (SLSA) compliance is essential in today's world of increasing cyber threats. This talk will provide a hands-on approach to implementing SLSA standards for your OCI artifacts, starting from your existing build pipelines. We will delve into the practical steps involved, including: * Generating high-quality Software Bill of Materials (SBOM) and provenance: Learn how to create accurate and comprehensive metadata for your artifacts. * Leveraging cosign for keyless attestations: Discover how to securely sign attestations without relying on traditional key management. * Integrating with Buildkit providers for hermetic builds: Ensure the integrity and reproducibility of your builds by isolating them from the surrounding environment. * Addressing best practices for dependency pinning, automated patching, attestation sharing, and collaboration with compliance teams: Gain insights into effective strategies for maintaining compliance and security. By the end of this talk, you will have a clear understanding of how to implement SLSA principles in your build processes and create secure, trustworthy OCI artifacts.

We depend on cryptography to secure our software supply chain. But what if that cryptography didn't work? What if an adversary could casually break your key signing? This session will detail one possible approach to convert a Quantum Vulnerable Stack to Quantum Resistant Stack focusing on Tekton, a powerful open-source framework for creating CI/CD as a sample. Chains is a component of Tekton that integrates with Sigstore to offer a Secure CI/CD solution. We will explore the steps to make Tekton Quantum Proof in the following sequence: - What are the Quantum threats to existing Cryptographic algorithms? - How to Identify the Quantum Vulnerabilities in Tekton? - What are Post Quantum Cryptographic (PQC) Algorithms? - Walkthrough of NIST standards and guidelines for migrating to PQC - Importance of HYBRID approach that includes classical quantum-resistant and new quantum signing algorithms in while transitioning. Key takeaway for the audience would be an understanding of Quantum Vulnerabilities, PQC, reliable guidelines for transitioning to quantum safe state along with a deep dive of how we transitioned Tekton quantum safe as reference implementation.

In an era of rising software supply chain attacks, this talk explores how we implemented robust security practices in Fission, an open-source serverless framework for Kubernetes used by thousands globally. We will detail our implementation of SLSA(Supply chain Levels for Software Artifacts) specifications, addressing critical threats like compromised builds and unauthorized modifications through reproducible builds, signed artifacts, and secure dependency management. We will demonstrate how we addressed these challenges through: - Implementing reproducible builds to ensure build integrity - Adopting signed artifacts and attestations for authenticity verification - Securing our base images and dependency chain - Establishing automated security scanning and verification pipelines Through practical code examples, we'll show how organizations can implement these security practices in their CI/CD pipelines. We'll share our experiences, challenges faced during implementation, and lessons learned while securing a widely-used open-source platform.

The question "Who guards the guards?" often relates to the challenge of ensuring security even for those tasked with providing it. In the context of securing open-source software, this can mean asking: how do we secure the very tools, libraries, and frameworks that we rely on to protect our systems? In open-source ecosystems, the “guards” are often the developers, maintainers, and security tools that help manage code integrity, vulnerabilities, and trustworthiness. Here’s how different aspects of the open-source community address this: Present on the below 5 points. 1. Transparency as Defense 2. Automated Security Tools 3. Supply Chain Security Initiatives 4. Maintainer Oversight 5. Community and Bug Bounty Programs The ultimate goal is to create an ecosystem where multiple layers of checks and balances — human, automated, and cryptographic — watch each other.

Organizations rely on Admission Controllers like Kyverno and Static Analysis tools to enforce a wide range of security best practices, but these measures alone may not protect against future vulnerabilities. When new vulnerabilities are discovered, application upgrades often take time, and it can be more effective to sandbox these vulnerabilities than to wait for upstream fixes. Preventing application downtime due to vulnerabilities is crucial, and virtual patching helps by containing and preventing the exploitation of vulnerabilities at runtime without impacting application behavior or deployment processes. In this talk, we will explore live examples using well-known vulnerabilities such as Log4j, PwnKit, xz, and Leaky Vessels. We will demonstrate how to use Kyverno to identify vulnerable workloads, leverage results from image vulnerability scanners, and generate KubeArmor policies to apply virtual patches to specific deployments, ensuring security without disrupting operations.

Finalizing the right policies to secure a Kubernetes cluster involves tedious manual effort, from selecting relevant policies to running them in AUDIT mode and reviewing compliance reports. Moreover, addressing non-compliant configurations and handling exceptions, such as Istio's `initContainer` requiring `runAsRoot` but conflicting with a `runAsNonRoot` policy, further complicates the workflow. Managing policies at scale is a significant challenge, often leading to misconfigurations, delays, and security risks. In this talk, we'll explore tools like k8sGPT or GPTScript to simplify Kyverno policy management by scanning a Kubernetes cluster and suggesting optimal policies based on best practices. Compliant policies can be automatically applied, while non-compliant ones are analyzed with AI-driven checks for fixes to your infrastructure. By integrating it as part of platform engineering, organizations can reduce human intervention, and ensure compliance and security with zero downtime.

Overwhelmed by the constant flood of CVEs? With vulnerabilities expected to rise by 25% this year, many security teams are experiencing "CVE fatigue"—the exhausting cycle of identifying, prioritizing, and remediating vulnerabilities. This talk will guide you toward a "Zero CVE" strategy, where vulnerabilities are minimized, and management is streamlined. We’ll explore actionable strategies to combat CVE fatigue, including reducing software dependencies, automating OS package updates, and simplifying vulnerability management with a single package manager. We’ll also discuss prioritizing remediation using runtime analysis and VEX (Vulnerability Exploitability eXchange) documents. By integrating security into the software development lifecycle, attendees will gain practical knowledge to build a strategy that not only minimizes CVEs but also strengthens the overall security posture.

Showcase how to use MITRE Caldera for adversarial emulation by leveraging Hashicorp Vault as the scapegoat app and showing attacks such as cryptominer attack, privilege escalation and most importantly a real time ransomware attack pawning vault secrets store. Audience will learn first hand how to use open source advesarial emulation tooling to validate security tooling that they may have in their organization. Mapping the attacks back to MITRE Att&ck framework and showing users how the attackers gains foothold in their assets.

Gartner believes that more than 95% of IT organizations are using open source whether they are aware of it or not. With the inclusion of GenAI, this consumption is only increasing. This session will enable organizations to tackle the top three challenges of open source: legal implications, software supply chain and community viability by bringing the right collaborations and processes in place.

As containerized applications dominate the software development landscape, securing these environments has become essential. Vulnerabilities within container images can expose your applications to significant risks and potential attacks. Docker Scout provides an effective solution to detect and fix these vulnerabilities, enhancing the overall security of your software supply chain. This talk will help you understand the process of integrating Docker Scout into Continuous Integration and Continuous Deployment (CI/CD) pipelines using GitHub Actions. We will walk through the process of setting up automated vulnerability scans for incoming Pull Requests, comparing the current image with the base image to ensure continuous security checks are embedded within your development workflow. The session will include practical insights and real-world examples.

Security can be a daunting task when managing hundreds of applications running simultaneously in a hybrid+multi-cloud architecture. Starting from choosing the right base image to implementing run-time security, not to forget about the Day 2 exploits that can arise post-release. But what if your underlying clusters are compromised? Join the session as Prerit takes you on a safari ride to streamline and sanitize your Cloud Infrastructure. We’ll explore how Popeye, an open-source cluster sanitizer tool can help cleanse and optimize your underlying infrastructure. We will explore a diverse range of 20 sanitizers, each offering a unique security flavour to identify potential issues with deployed resources and configurations. These sanitizers effectively identify potential over/under allocations, RBAC misconfigurations, and other issues related to various Kubernetes objects. Don't miss this session for valuable insights on strengthening the security posture of your Kubernetes environment, ensuring resilience and optimized performance.