"The Secure Software Supply Chain" by Kelsey Hightower (Strange Loop 2022)

  • Added 3 Oct 2022
  • After decades of gluing together software from a random set of libraries and frameworks, industry-wide attacks on the software supply chain have proven this approach is unsustainable, and it's time to shift our thinking on how we write and ship software. In this session we will explore the various tools used to secure the software supply chain, and through a collection of live demos, learn how to put them to use in the real world.
    Kelsey Hightower
    Google, Inc.
    As a curious and motivated self-learner, I gained an interest in computing at a young age, and started my IT career by opening a small consulting shop 20 years ago. From those beginnings my career progressed quickly, eventually passing through the halls of Google, Puppet Labs, New Relic and CoreOS. I am a system administrator by trade, a programmer by necessity, but a problem-solver at heart. With a passion for helping others, many successful speaking and teaching engagements under my belt, and a proven track record of getting things done and enabling others, I hope to solve the many problems facing IT culture by equipping people with the mental and computational software they need to succeed in the competitive world of technology.
    ------- Sponsored by: -------
    Stream is the # 1 Chat API for custom messaging apps. Activate your free 30-day trial to explore Stream Chat. gstrm.io/tsl
  • Science & Technology

Comments • 10

  • @ntippy, a year ago, +10

    This is StrangeLoop at its best. Educational and Entertaining.

  • @lerneninverschiedenenforme7513

    highly underrated!

  • @tonybaptista7560, 7 months ago

    Really enjoyed your presentation 👍

  • @sebastiengauthier58, a year ago, +2

    Awesome talk!

  • @terpimost, a year ago, +1

    awesome talk!

  • @Verrisin, a year ago, +3

    Package managers should use content hashing for dependencies. Sensible, safer ... if it used something like IPFS it could even make the sharing simpler...
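
    The content-hash pinning the comment above asks for, shown as an added Python example that is not part of the video page or the talk. It assumes a lockfile in the style of pip's `--hash=sha256:...` requirement lines (the `LOCKFILE` text, the package name `leftpad` and the artifact bytes are all constructed samples); the point is that the installer refuses anything the lockfile does not pin, and anything whose bytes differ from the pinned digest, before it is ever unpacked or executed.

```python
"""Verify downloaded dependency artifacts against content hashes pinned in a
lockfile. Added illustration, not code from the talk; the lockfile format
mimics pip's ``--hash=sha256:...`` requirement lines and every artifact here
is a constructed byte string."""
import hashlib
import re

# One "package==version --hash=<alg>:<hex>" entry per logical line; several
# --hash values for one package are allowed (e.g. an sdist and a wheel).
_ENTRY_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s]+)(?P<rest>.*)$")
_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")

SUPPORTED_ALGS = {"sha256", "sha384", "sha512"}


def parse_hashed_requirements(text):
    """Return {(name, version): {(alg, hexdigest), ...}} from lockfile text.

    Raises ValueError for an entry with no hash at all, so a lockfile that
    silently falls back to "trust whatever the index serves" is rejected.
    """
    lock = {}
    joined = text.replace("\\\n", " ")          # backslash line continuations
    for lineno, raw in enumerate(joined.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a pinned requirement: {raw!r}")
        hashes = {(h.group("alg"), h.group("digest").lower())
                  for h in _HASH_RE.finditer(m.group("rest"))}
        if not hashes:
            raise ValueError(f"line {lineno}: {m.group('name')} has no --hash pin")
        for alg, _ in hashes:
            if alg not in SUPPORTED_ALGS:
                raise ValueError(f"line {lineno}: unsupported hash algorithm {alg}")
        lock[(m.group("name").lower(), m.group("version"))] = hashes
    return lock


def verify_artifact(name, version, data, lock):
    """True iff `data` matches one of the pinned digests for name==version.

    Unknown packages are rejected: anything absent from the lockfile must not
    be installed, regardless of what a resolver would otherwise pick.
    """
    pins = lock.get((name.lower(), version))
    if not pins:
        return False
    for alg, digest in pins:
        if hashlib.new(alg, data).hexdigest() == digest:
            return True
    return False


# Constructed lockfile: sha256(b"abc") is the well-known ba7816bf...f20015ad,
# so the hypothetical package "leftpad" is pinned to an artifact whose content
# is exactly the bytes b"abc".
LOCKFILE = """
# generated lockfile (constructed sample)
leftpad==1.0.0 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def check_download(name, version, data, lockfile_text=LOCKFILE):
    """Installer-side gate: parse the lockfile, then accept or reject `data`."""
    lock = parse_hashed_requirements(lockfile_text)
    return verify_artifact(name, version, data, lock)


if __name__ == "__main__":
    print("genuine  :", check_download("leftpad", "1.0.0", b"abc"))  # True
    print("tampered :", check_download("leftpad", "1.0.0", b"abd"))  # False
    print("unpinned :", check_download("evilpad", "0.1", b"abc"))    # False
```

    The gate deliberately treats "not in the lockfile" the same as "wrong hash": a mutable index response or a typosquatted name can only get through if someone first commits a new pinned entry, which is the review point the comment is asking for.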

  • @superscatboy, a year ago, +1

    This guy is a *great* speaker!

  • @garfieldnate, a year ago, +5

    To be clear, this signing stuff only allows you to verify that a human looked at the list of dependencies, right? I think some more signatures should be in there, such as the signature of the company running the build (GitHub if using actions, etc.), as well as some sort of signed hash for any stdlib bundled in (for native, e.g. C++ apps). After that you also need each of the dependencies that were included to themselves be built with the same supply chain verification signature for any of this to mean anything, right?

  • @remram44, a year ago, +4

    I don't get the security model. You are worried that dependencies might be untrustworthy... so you run their arbitrary build code anyway, and then have that compromised environment generate the BOM and sign it? This sequence of operations seems fundamentally flawed to me.

  • @K4iserchen, a year ago, +4

    29:17 moves on to not SHA-pin his GitHub Actions O.O
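
    The check the comment above is pointing at, as an added Python example that is not from the talk or the video page: a small scan of a workflow file that flags every `uses:` reference not pinned to an immutable ref. It assumes the usual `owner/repo[/path]@ref` and `docker://image[@digest]` forms; the `SAMPLE_WORKFLOW` text is constructed, and the 40-hex value in it is a placeholder, not a real commit. A line-based regex is used instead of a YAML parser so the example runs with the standard library only.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit
SHA or image digest. Added illustration, not code from the talk; the workflow
below is a constructed sample and the scan is line-based, not a YAML parser."""
import re

# Matches `uses: <target>` whether or not it sits on a `- ` list item line and
# whether or not the target is quoted; stops at a comment or whitespace.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"#\s]+)")
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(uses):
    """Return True if the target cannot change underneath the workflow.

    Local actions (./path) are versioned with the repo itself and count as
    pinned. Tags and branches (v3, main) are mutable and return False, as
    does a reference with no ref at all (it resolves to the default branch).
    """
    if uses.startswith("./"):
        return True
    if uses.startswith("docker://"):
        return "@sha256:" in uses           # image digest, not a tag
    if "@" not in uses:
        return False
    _, ref = uses.rsplit("@", 1)
    return bool(_FULL_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text):
    """Return [(line_no, uses_target)] for every mutable action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = _USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("ref")))
    return findings


# Constructed workflow; the 40-hex ref on the setup-go line is a placeholder.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3                     # tag: mutable
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567   # placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
"""


if __name__ == "__main__":
    for lineno, target in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} is not pinned to a commit SHA or digest")
```

    Run against the sample it reports the `@v3` tag, the unpinned `docker://` image and the `@main` branch, and stays silent on the full-SHA reference and the local action. A tag such as `v3` can be moved by whoever controls the action repository, which is why a full commit SHA (ideally with the tag kept in a trailing comment for readability) is the reference that actually freezes what the build runs.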