logo

2022-06-21 ~ 2022-06-24

Presentations (with video): 0 (-2)

Cybersecurity incidents are among the greatest threats facing organizations today. This event, held in partnership with OpenSSF and CNCF, gathers security practitioners, open source developers, and others interested in software supply chain security to; explore the security threats affecting the software supply chain, share best practices and mitigation tactics and Increase knowledge about how to best secure open source software.

Sort by:  

Authors: Varun Sharma
2022-06-23

tldr - powered by Generative AI

The importance of setting minimum permissions for the GITHUB token and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
  • GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow gets a GITHUB token.
  • Restricting permissions for the GITHUB token is recommended by GitHub and the Open Source Security Foundation (OSSF) Security Scorecards.
  • Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
  • SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB token, based on a knowledge base of required permissions for common GitHub Actions.
  • SecureWorkflows has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions.
  • The importance of setting minimum permissions for the GITHUB token is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token with content's right permission.
Authors: Ariel Shuper
2022-06-22

tldr - powered by Generative AI

The need for a deeper Kubernetes risk assessment framework beyond the current CIS benchmarks
  • The current common Kubernetes risk assessment framework is based on the CIS benchmarks for Kubernetes
  • The framework only covers security misconfigurations and doesn't go deeper than the security configurations of the various elements
  • Real attacks can start by multiple elements expanding beyond security misconfigurations
  • There is a need for an additional risk-assessment framework that can go deeper than the Kubernetes configurations, verifying that all other attack methods, steps, and stages are covered
  • MITRE has crafted an ATT&CK matrix for containers/Kubernetes, which consists of tactics and techniques used in real attacks
Authors: Margaret Tucker, Justin Colannino
2022-06-22

This interactive session will discuss the important role of package registries in securing the open source software supply chain, as well as best practices and guiding principles for a secure package registry ecosystem. Maintainers have been managing risk in their ecosystems since the start and are the first line of defense for ecosystem code quality. But package registries also have a responsibility to protect developers depending on their package ecosystem and, ultimately, the end-users of the software. This responsibility to maintain safety and reliability must be balanced against the freedom and creativity of package maintainers whose skill, innovation, and gumption allow others to accomplish great things.
Authors: Bill Bensing
2022-06-22

tldr - powered by Generative AI

The presentation discusses the implementation of modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. The main thesis is to automate control gates and remove the cognitive load of understanding tools in depth to allow for a standard centralized understandable way for the organization.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems
Authors: Jossef Harush Kadouri
2022-06-22

While commercial supply chain attacks are becoming more manageable, security teams have a much harder time with open-source software supply chains. This session will provide an attacker's perspective of open-source flows and flaws and dive into several unique supply chain weaknesses. Demos will show the ease of conducting different attacks and provide a perspective on defeating them as defenders.
Authors: Tracy Ragan
2022-06-22

tldr - powered by Generative AI

The presentation discusses the importance of software supply chain security in a microservices world and how Artillios.io is addressing the issue through the use of S-bombs and CVE data.
  • Artillios.io is addressing the issue of software supply chain security in a microservices world
  • S-bombs and CVE data are important in tracking vulnerabilities and dependencies
  • Artillios.io aggregates S-bombs and CVE data to provide a comprehensive view of an application's components and their vulnerabilities
  • The use of S-bombs and CVE data saves time and resources in tracking vulnerabilities and redundancies
  • The presentation suggests the need for better management of code in an assembly line and the potential for autonomous coding in the future
Authors: Don Vosburg, Aaron Conklin
2022-06-22

tldr - powered by Generative AI

The presentation discusses the importance of software security in organizations and how to maintain it while reducing the surface area. It emphasizes the need for partnering with companies that specialize in security to handle the burden. The presentation also covers key concepts of security such as confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity. The speaker highlights the ebb and flow between openness and closeness needed for a functional environment and security. The presentation also discusses security certifications and standards such as Common Criteria, NIAP, DISA's Security Technology Information Guides, Phipps 140.3 Standard, and CIS Benchmarks.
  • Partnering with companies that specialize in security can help reduce the burden of maintaining software security while still ensuring overall security
  • Key concepts of security include confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity
  • There is an ebb and flow between openness and closeness needed for a functional environment and security
  • Security certifications and standards such as Common Criteria, NIAP, DISA's Security Technology Information Guides, Phipps 140.3 Standard, and CIS Benchmarks are important for maintaining software security
Authors: Daniel Elkabes
2022-06-22

tldr - powered by Generative AI

Malicious packages are a growing threat to organizations and communities, costing billions of dollars in damages. Attackers use various techniques to exfiltrate private information and evade detection. The community is exploring solutions such as Salsa and S-BOM to reduce the risk, but categorizing malicious packages is still a challenge.
  • Malicious packages are a significant threat, costing billions of dollars in damages
  • Attackers use various techniques such as dependency hijacking, typo squatting, and brain jacking to exfiltrate private information and evade detection
  • Solutions such as Salsa and S-BOM are being explored to reduce the risk of malicious packages
  • Categorizing malicious packages is a challenge for the community
Authors: Tony Loehr
2022-06-22

tldr - powered by Generative AI

The presentation discusses the OnSiteCode platform and its capabilities in assisting with anomaly detection and adhering to security frameworks in software development pipelines.
  • OnSiteCode connects to various tools in the software supply chain to analyze changes in real-time and provide notification of intrusive events
  • The platform is policy-based and covers different layers of security, including access, insecure configurations, sequence detection, leak detection, infrastructure as code, and cloud security scanning
  • Access-related configurations and privileged access are analyzed to ensure adherence to security standards
  • The platform can detect anomalies and behaviors such as commits outside of normal working hours, peer reviews from non-developer accounts, and changes in work patterns for employees leaving the company
  • The platform can assist with mitigating the risk of intellectual property theft
  • Additional tooling is recommended for organizations with complicated release cycles to conform to NIST guidelines
Authors: Hritik Vijay, Philippe Ombredanne
2022-06-22

tldr - powered by Generative AI

The presentation discusses the challenges of package and dependency management in software development and proposes solutions such as using package URLs and a universal versioning system.
  • The complexity of package and dependency management in software development makes it difficult to express boundaries between dependencies and automate the process.
  • Solutions proposed include providing installation prerequisites, using a single package manager, and using general-purpose package managers such as Spack, Conda, Nix, and Guix.
  • Package URLs can be used to name packages and a universal versioning system can be used to deal with version ranges.
  • The universal versioning system can accommodate different versioning schemes and express version ranges in a universal way.