December 10, 2024

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day India 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in India Standard Time (UTC+5:30). To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

Breakout Sessions
Tuesday, December 10
 

9:25am IST

Cooking up Secure OCI Artifacts with SLSA - Harsh Thakur, Civo & Saiyam Pathak, Loft Labs
Tuesday December 10, 2024 9:25am - 9:45am IST
Achieving Software Supply Chain Security Assurance (SLSA) compliance is essential in today's world of increasing cyber threats. This talk will provide a hands-on approach to implementing SLSA standards for your OCI artifacts, starting from your existing build pipelines. We will delve into the practical steps involved, including:
* Generating high-quality Software Bill of Materials (SBOM) and provenance: learn how to create accurate and comprehensive metadata for your artifacts.
* Leveraging cosign for keyless attestations: discover how to securely sign attestations without relying on traditional key management.
* Integrating with BuildKit providers for hermetic builds: ensure the integrity and reproducibility of your builds by isolating them from the surrounding environment.
* Addressing best practices for dependency pinning, automated patching, attestation sharing, and collaboration with compliance teams: gain insights into effective strategies for maintaining compliance and security.
By the end of this talk, you will have a clear understanding of how to implement SLSA principles in your build processes and create secure, trustworthy OCI artifacts.
Speakers
Saiyam Pathak, Principal Developer Advocate, Loft Labs
Saiyam is working as Principal Developer Advocate at Loft Labs. He is the founder of Kubesimplify and BuildSafe. Previously at Civo, Walmart Labs, Oracle, and HP, Saiyam has worked on many facets of Kubernetes. When not coding, Saiyam contributes to the community by writing blogs and...
Harsh Thakur, Infrastructure Engineer, Civo
Harsh's tech journey began in software development, leading to open-source contributions in the CNCF. His passion for complex systems propelled him into infrastructure engineering, gaining expertise in building control planes and designing APIs, and architecting cost-effective solutions...
Room 201 (Level 2)

9:50am IST

Building a Security-First Open Source Project: Tools and Best Practices - Abhinav Sharma, KodeKloud
Tuesday December 10, 2024 9:50am - 10:10am IST
In this session, I will demonstrate how to build security into the DNA of your open source project from day one, using industry-tested tools and automation. You'll learn how to implement a comprehensive security strategy leveraging popular open source security tools including GitHub's CodeQL for advanced vulnerability detection, OpenSSF Scorecard for automated security best practices assessment, and key supply chain security frameworks. Through live demonstrations, we'll walk through setting up automated security scanning pipelines that catch vulnerabilities early and maintain high security standards without burdening developers.
Speakers
Abhinav Sharma, Site Reliability Engineer, KodeKloud
Site Reliability Engineer at KodeKloud. I am an open source contributor, evaluating and contributing to various open source tools and projects, such as Microsoft's open source libraries, OpenCV, SUSE, etc. I am also a Google Summer of Code 2023 Mentor with openSUSE. I am passionate...
Room 201 (Level 2)

10:15am IST

Towards a Quantum Proof Software Supply Chain with Post Quantum Cryptographic Algorithms - Anitha Natarajan & Savita Ashture, Red Hat
Tuesday December 10, 2024 10:15am - 10:35am IST
We depend on cryptography to secure our software supply chain. But what if that cryptography didn't work? What if an adversary could casually break your key signing? This session will detail one possible approach to convert a quantum-vulnerable stack to a quantum-resistant stack, focusing on Tekton, a powerful open-source framework for creating CI/CD, as a sample. Chains is a component of Tekton that integrates with Sigstore to offer a secure CI/CD solution. We will explore the steps to make Tekton quantum proof in the following sequence:
- What are the quantum threats to existing cryptographic algorithms?
- How to identify the quantum vulnerabilities in Tekton?
- What are Post Quantum Cryptographic (PQC) algorithms?
- Walkthrough of NIST standards and guidelines for migrating to PQC
- Importance of a HYBRID approach that includes classical quantum-resistant and new quantum signing algorithms while transitioning
Key takeaways for the audience would be an understanding of quantum vulnerabilities, PQC, and reliable guidelines for transitioning to a quantum-safe state, along with a deep dive into how we transitioned Tekton to quantum safe as a reference implementation.
Speakers
Savita Ashture, Software Engineer, Red Hat
Savita Ashture works at Red Hat as a Senior Software Engineer in Bangalore, India. She is an open-source enthusiast who contributes to open source in every possible way. She has working experience on public and private cloud, Kubernetes, Knative, Tekton, Service Mesh etc. around cloud native...
Anitha Natarajan, Principal Software Engineer, RedHat
An open-source enthusiast and an aspiring enterprise architect adept at technology requirements analysis, application design and development. Hands-on leveraging multi-cloud services and DevOps solutions to meet technology requirements.
Room 201 (Level 2)

10:40am IST

How Have We Adopted Secure Software Delivery Practices for Fission OSS Serverless Platform? - Sanket Sudake, InfraCloud Technologies
Tuesday December 10, 2024 10:40am - 10:55am IST
In an era of rising software supply chain attacks, this talk explores how we implemented robust security practices in Fission, an open-source serverless framework for Kubernetes used by thousands globally. We will detail our implementation of the SLSA (Supply chain Levels for Software Artifacts) specifications, addressing critical threats like compromised builds and unauthorized modifications through reproducible builds, signed artifacts, and secure dependency management. We will demonstrate how we addressed these challenges through:
- Implementing reproducible builds to ensure build integrity
- Adopting signed artifacts and attestations for authenticity verification
- Securing our base images and dependency chain
- Establishing automated security scanning and verification pipelines
Through practical code examples, we'll show how organizations can implement these security practices in their CI/CD pipelines. We'll share our experiences, challenges faced during implementation, and lessons learned while securing a widely-used open-source platform.
Speakers
Sanket Sudake, Principal Engineer, InfraCloud Technologies
I am a Principal Engineer at InfraCloud with 10+ years of experience. My interest areas are containers, cloud and distributed systems. I am an open-source contributor and maintainer for the Fission serverless platform on Kubernetes. I am a tech enthusiast and like to explore different...
Room 201 (Level 2)

11:15am IST

Who Guards the Guards? - Arnab Chatterjee, Nomura
Tuesday December 10, 2024 11:15am - 11:35am IST
The question "Who guards the guards?" often relates to the challenge of ensuring security even for those tasked with providing it. In the context of securing open-source software, this can mean asking: how do we secure the very tools, libraries, and frameworks that we rely on to protect our systems? In open-source ecosystems, the “guards” are often the developers, maintainers, and security tools that help manage code integrity, vulnerabilities, and trustworthiness. Here’s how different aspects of the open-source community address this, presented in five points:
1. Transparency as Defense
2. Automated Security Tools
3. Supply Chain Security Initiatives
4. Maintainer Oversight
5. Community and Bug Bounty Programs
The ultimate goal is to create an ecosystem where multiple layers of checks and balances — human, automated, and cryptographic — watch each other.
Speakers
Arnab Chatterjee, Vice President, Nomura
Arnab Chatterjee is a seasoned technologist who has nearly two decades of industry experience in data platforms, tools and best practices. He is currently the Global Head of Container Platform and is a Kubernetes expert who is responsible for setting container orchestration strategy in...
Room 201 (Level 2)

11:40am IST

Patch It Up: Real-Time Vulnerability Management with Kyverno and KubeArmor - Barun Acharya & Ramakant Sharma, Accuknox Inc.
Tuesday December 10, 2024 11:40am - 12:00pm IST
Organizations rely on Admission Controllers like Kyverno and Static Analysis tools to enforce a wide range of security best practices, but these measures alone may not protect against future vulnerabilities. When new vulnerabilities are discovered, application upgrades often take time, and it can be more effective to sandbox these vulnerabilities than to wait for upstream fixes. Preventing application downtime due to vulnerabilities is crucial, and virtual patching helps by containing and preventing the exploitation of vulnerabilities at runtime without impacting application behavior or deployment processes. In this talk, we will explore live examples using well-known vulnerabilities such as Log4j, PwnKit, xz, and Leaky Vessels. We will demonstrate how to use Kyverno to identify vulnerable workloads, leverage results from image vulnerability scanners, and generate KubeArmor policies to apply virtual patches to specific deployments, ensuring security without disrupting operations.
Speakers
Barun Acharya, Software Engineer, Accuknox
Barun likes hacking on low-level stuff and fiddling around with developer tooling. He is currently a maintainer leading the development efforts for KubeArmor, a CNCF Sandbox project, and works as a Software Engineer at Accuknox. He loves to speak at conferences, talking about open source...
Ramakant Sharma, Software Engineer @AccuKnox | Maintainer @KubeArmor, Accuknox Inc.
Passionate software engineer, actively contributing to open source and serving as a maintainer of a CNCF project, focused on collaborative development.
Room 201 (Level 2)

12:05pm IST

AI-Driven Policy Automation with Kyverno - Sonali Srivastava & Pavan N G, Infracloud
Tuesday December 10, 2024 12:05pm - 12:20pm IST
Finalizing the right policies to secure a Kubernetes cluster involves tedious manual effort, from selecting relevant policies to running them in AUDIT mode and reviewing compliance reports. Moreover, addressing non-compliant configurations and handling exceptions, such as Istio's `initContainer` requiring `runAsRoot` but conflicting with a `runAsNonRoot` policy, further complicates the workflow. Managing policies at scale is a significant challenge, often leading to misconfigurations, delays, and security risks. In this talk, we'll explore tools like k8sGPT or GPTScript to simplify Kyverno policy management by scanning a Kubernetes cluster and suggesting optimal policies based on best practices. Compliant policies can be automatically applied, while non-compliant ones are analyzed with AI-driven checks for fixes to your infrastructure. By integrating it as part of platform engineering, organizations can reduce human intervention, and ensure compliance and security with zero downtime.
Speakers
Sonali Srivastava, Developer Advocate, InfraCloud Technologies
Sonali is an experienced IT professional with a diverse background. She began her career as a Linux System Administrator. Sonali's passion for open source and Linux led her to Outreachy, where she contributed to the systemd project. Recently, she created LFS255, Mastering Kubernetes...
Pavan N G, Site Reliability Engineer, Infracloud
I'm an SRE with a decade of IT experience and certifications in AWS and Azure. I specialize in cloud technologies, Kubernetes, and Argo CD. My expertise includes infrastructure automation, container orchestration, and platform engineering. I enhance system reliability and scalability...
Room 201 (Level 2)

12:25pm IST

Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab
Tuesday December 10, 2024 12:25pm - 12:40pm IST
Growth of software supply chain attacks has propelled a deeper look into the security of CI/CD. Build environments are prone to secrets/sensitive data exfiltration attacks. Covered here are the learnings from building BOLT (https://github.com/koalalab-inc/bolt), an open-source tool which secures the CI runtime (for GitHub Actions). Taking inspiration from runtime security, enabling a firewall on the build-time/CI runtime (an egress filter, as CI is a traffic source) should be a good start.
Complexity 1: IP-based rules won't work. A lot of internet traffic is behind CDNs/WAFs, so the egress filter will require domain-name-based filtering.
Complexity 2: The CI runtime has outbound traffic to multi-tenant systems like GitHub/Docker Hub/JFrog etc. This demands deep SSL-based inspection capabilities in egress control.
Solution: TLS interception + eBPF. The Linux kernel supports eBPF, which provides a way to tap into SSL traffic without the need to decrypt traffic. Such a solution does not add any overhead for developers and is efficient. We cover the implementation complexity of eBPF probing for various kinds of SSL libraries to make the solution comprehensive for all kinds of CI pipelines.
Speakers
Abhimanyu Dhamija, Co-Founder, KoalaLab
Founder, KoalaLab: a software supply chain security company. Previously Vice-President @Khatabook and Head of Data Sciences @Housing.com.
Room 201 (Level 2)

12:45pm IST

From CVE Chaos to Control: Building a "0 CVE" Strategy - Rakshit Gondwal, BuildSafe & Harsh Thakur, Civo
Tuesday December 10, 2024 12:45pm - 1:05pm IST
Overwhelmed by the constant flood of CVEs? With vulnerabilities expected to rise by 25% this year, many security teams are experiencing "CVE fatigue"—the exhausting cycle of identifying, prioritizing, and remediating vulnerabilities. This talk will guide you toward a "Zero CVE" strategy, where vulnerabilities are minimized, and management is streamlined. We’ll explore actionable strategies to combat CVE fatigue, including reducing software dependencies, automating OS package updates, and simplifying vulnerability management with a single package manager. We’ll also discuss prioritizing remediation using runtime analysis and VEX (Vulnerability Exploitability eXchange) documents. By integrating security into the software development lifecycle, attendees will gain practical knowledge to build a strategy that not only minimizes CVEs but also strengthens the overall security posture.
Speakers
Rakshit Gondwal, Developer, BuildSafe
Rakshit is currently a contributor at BuildSafe, which is an open source supply chain security project. He is also an Approver of the CNCF Incubating project Keptn, and a Reviewer for the Hydrophone (Kubernetes SIG) project. He has earlier worked as a CNCF'23 Fall Intern for the...
Harsh Thakur, Infrastructure Engineer, Civo
Harsh's tech journey began in software development, leading to open-source contributions in the CNCF. His passion for complex systems propelled him into infrastructure engineering, gaining expertise in building control planes and designing APIs, and architecting cost-effective solutions...
Room 201 (Level 2)

2:20pm IST

Connecting the Dots: SBOM and VEX in Software Security - Rajan Ravi, RedHat India Pvt. Ltd.
Tuesday December 10, 2024 2:20pm - 2:40pm IST
The Software Supply Chain encompasses all components, libraries, tools, systems, and processes involved in a software artifact. To support effective risk management and to reduce attack vectors while creating a software artifact, SBOM (Software Bill Of Materials) and VEX (Vulnerability Exploitability eXchange) documents can be used. An SBOM is a comprehensive list that details all components, libraries, and dependencies within a software package. Meanwhile, VEX serves as a communication standard for vulnerabilities in a software component. Correlating SBOM and VEX data enables choosing high-quality components and ultimately reduces the attack vectors. In this session, we will discuss the significance of SBOM and VEX documents in mitigating dependency threats. Additionally, we’ll look at how trustification.io (the foundation of the Red Hat Trusted Profile Analyzer) provides developers with easy access to curated builds and hardened open-source libraries that have been verified and attested through provenance checks.
Open Source Project: Trustify (https://github.com/trustification/trustify)
Speakers
Rajan Ravi, Senior Software Quality Engineer, RedHat India Pvt. Ltd.
I am Rajan, Senior Software Quality Engineer at RedHat with over 9 years of experience in software quality, currently pursuing a journey into software security within the supply chain, aiming to enhance the resilience and integrity of software products.
Room 201 (Level 2)

2:45pm IST

Case Study on Adversarial Emulation Using MITRE Caldera for Kubernetes - Rudraksh Pareek, AccuKnox
Tuesday December 10, 2024 2:45pm - 3:05pm IST
Showcase how to use MITRE Caldera for adversarial emulation by leveraging HashiCorp Vault as the scapegoat app and showing attacks such as a cryptominer attack, privilege escalation and, most importantly, a real-time ransomware attack pwning the Vault secrets store. The audience will learn first hand how to use open source adversarial emulation tooling to validate security tooling that they may have in their organization. The attacks are mapped back to the MITRE ATT&CK framework, showing users how attackers gain a foothold in their assets.
Speakers
Rudraksh Pareek, SWE, AccuKnox
Room 201 (Level 2)

3:10pm IST

From Bloat to Secure: Rethinking Container Base Images for the Modern Security Landscape - Abhishek Anand, KoalaLab
Tuesday December 10, 2024 3:10pm - 3:20pm IST
Containers have revolutionised the SDLC, but we still build them on Linux distributions designed for physical/virtual machines. The mismatch between single-process containers and full-system distros creates security risks. Minimal base containers are the solution, but building them presents unique challenges, and this talk presents suggestions around common problems in building secure base containers:
1. Container-first design:
a. Traditional distros mark packages (like shell and coreutils) as essential based on machine runtime, but real-world containers don’t need that.
b. Implement installation scripts to avoid unnecessary dependencies.
2. Container build enhancements:
a. Creating FROM SCRATCH images is tough; bootstrapping with a package manager leads to cyclic or installation-script dependencies.
b. Support for rapid rebuild cycles.
3. Metadata framework:
a. Current minimisation approaches miss out on metadata, causing container scanning mismatches.
4. Porting existing packages:
a. The universe covered by existing distros is vast. It makes sense to create tools to transform those packages into self-contained binaries that don’t require any package outside of runtime dependencies.
Speakers
Abhishek Anand, Co-Founder, KoalaLab
Tech entrepreneur building in open source security.
Room 201 (Level 2)

3:25pm IST

How to Resolve Top 3 Security and Risk Challenges for Enterprises Consuming Open Source - Nitish Tyagi, Gartner
Tuesday December 10, 2024 3:25pm - 3:35pm IST
Gartner believes that more than 95% of IT organizations are using open source whether they are aware of it or not. With the inclusion of GenAI, this consumption is only increasing. This session will enable organizations to tackle the top three challenges of open source: legal implications, software supply chain and community viability by bringing the right collaborations and processes in place.
Speakers
Nitish Tyagi, Principal Analyst, Gartner
Nitish Tyagi is a Gartner Analyst, serving software engineering leaders with insights on open source software, programming languages and frameworks, super apps and technical skills assessment platforms. Under the open-source coverage, Nitish Tyagi has published multiple Gartner research...
Room 201 (Level 2)

3:40pm IST

Automating Container Security: Docker Scout in CI/CD for Safer Software Supply Chains - Pradumna V Saraf, Independent
Tuesday December 10, 2024 3:40pm - 4:00pm IST
As containerized applications dominate the software development landscape, securing these environments has become essential. Vulnerabilities within container images can expose your applications to significant risks and potential attacks. Docker Scout provides an effective solution to detect and fix these vulnerabilities, enhancing the overall security of your software supply chain. This talk will help you understand the process of integrating Docker Scout into Continuous Integration and Continuous Deployment (CI/CD) pipelines using GitHub Actions. We will walk through the process of setting up automated vulnerability scans for incoming Pull Requests, comparing the current image with the base image to ensure continuous security checks are embedded within your development workflow. The session will include practical insights and real-world examples.
Speakers
Pradumna V Saraf, Open Source Developer, Independent
Pradumna is a Developer Advocate, Docker Captain, and a DevOps and Go Developer. He is passionate about open source and has mentored hundreds of people to break into the ecosystem. He also creates content on X (formerly Twitter) and LinkedIn, educating others about open source and...
Room 201 (Level 2)

4:15pm IST

CERT.in Guidelines on Software Bill of Materials (SBOM) - Biju Nair, Legalitech
Tuesday December 10, 2024 4:15pm - 4:25pm IST
Speakers
Biju K. Nair, Founding Partner, Legalitech
Biju Nair is a technology lawyer focused on open source and data protection. He is the Founding and Managing Partner at Legalitech.in. He represents Open Invention Network and LOT Network in India.
Room 201 (Level 2)

4:30pm IST

Adversarial Resilience in Open-Source LLMs: A Comprehensive Approach to Security and Robustness - Padmajeet Mhaske, JP Morgan Chase
Tuesday December 10, 2024 4:30pm - 4:45pm IST
The rise of open-source large language models (LLMs) like GPT, BERT, and T5 has greatly enhanced natural language processing. However, these models face significant security challenges due to their vulnerability to adversarial attacks. This abstract examines the susceptibility of open-source LLMs to OWASP Top 10 risks, including model inversion, data poisoning, insecure deployment, and adversarial examples. While open-source LLMs democratize AI, their transparent architecture can expose sensitive data. Model inversion can extract proprietary information, and data poisoning can corrupt outputs with malicious data. Insecure deployment without encryption or authentication leads to data breaches, while adversarial examples exploit model weaknesses. To strengthen these models, implementing differential privacy, adversarial training, and rigorous data validation is crucial. Adopting security best practices, such as penetration testing and real-time monitoring, along with fostering a security-aware community, is essential. By addressing these vulnerabilities, organizations can enhance the robustness and security of open-source LLMs, ensuring safe deployment and trust in AI applications.
Speakers
Padmajeet Mhaske, VP, JP Morgan Chase
I am Padmajeet Mhaske, a Vice President and AI/ML Platform Architect at JPMorgan Chase, where I lead the AI/ML division on the Data Technology Team. With over 18 years of experience in designing and implementing large-scale AI and machine learning platforms, I combine strategic vision...
Room 201 (Level 2)

4:50pm IST

Quarantining and Locking Down Your Cloud Infrastructure - Prerit Munjal, KubeCloud
Tuesday December 10, 2024 4:50pm - 5:05pm IST
Security can be a daunting task when managing hundreds of applications running simultaneously in a hybrid+multi-cloud architecture. Starting from choosing the right base image to implementing run-time security, not to forget about the Day 2 exploits that can arise post-release. But what if your underlying clusters are compromised? Join the session as Prerit takes you on a safari ride to streamline and sanitize your Cloud Infrastructure. We’ll explore how Popeye, an open-source cluster sanitizer tool can help cleanse and optimize your underlying infrastructure. We will explore a diverse range of 20 sanitizers, each offering a unique security flavour to identify potential issues with deployed resources and configurations. These sanitizers effectively identify potential over/under allocations, RBAC misconfigurations, and other issues related to various Kubernetes objects. Don't miss this session for valuable insights on strengthening the security posture of your Kubernetes environment, ensuring resilience and optimized performance.
Speakers
Prerit Munjal, CTO, KubeCloud
Prerit is working as a Software Architect, directing his expertise towards harnessing cloud native technologies to design resilient architectures that can seamlessly scale in the future, all while prioritizing technical cost, security, availability and end-user experience. As the...
Room 201 (Level 2)
 