As a follow-up to #501, there is a renewed interest to organize and track community efforts concerning supply chain security-related efforts. Several SIG members have expressed interest to focus on this area. In order to discuss what we'd collectively like to achieve we want to start a forum for discussion to scope possibilities.
Interested parties: @TheFoxAtWork @justincormack @jonmuk @joshuagl @colek42 @magnologan
TO DO
This paper is intended to provide the community with a series of practices, tooling options, and design considerations that can assist organizations in reducing the likelihood and overall impact of a successful supply chain attack. It aims to provide a holistic, end to end guide for organizations and teams on supply chain resiliency and zero trust supply.
Feb 26 - initial content draft in the document for all sections
Mar 5 - Reviews of all draft content and clearing out commentary
Mar 12 - Content finesse
Mar 19 - single voice narrative review
Apr 9 - Community review (2 weeks)
Apr 30 - adjudication of community review and final group review
>>>>DRAFT DOC<<<<
Related
https://github.com/cncf/sig-security/tree/master/supply-chain-security
Please add me to this effort. I will specially like to participate in the threat modeling effort around software factory.
I'll start writing a formal proposal tonight and suggest an informal catch up next week with interested parties to define the scope ahead of presentation to SIG chairs. I'm collecting a list of interested parties but also feel free to add offers of support to this ticket.
Potential goals of working group for discussion (scope far too large here but food for thought):
Shorter term technical focus:
+1 looking forward to contributing
As discussed, here are some initial thoughts on a proposal. Happy to discuss this on an initial informal call along with a deeper dive into signing the initial meta data from the pipeline.
Proposal
Problem Statement
Whilst there are relatively few publicly disclosed software supply chain attacks each year, the impact of these events is often significant. The sig-security group has provided a detailed catalogue of these attacks however there is limited guidance on how to address these problems holistically. Additionally there are limited available architectures or implementations of secured software factories that can be adopted by end users to improve the security posture of their infrastructures.
Goal
The following high level goals will be discussed in the working group to confirm suitability in order to provide actionable guidance to the community to deliver supply chain infrastructure that is resistant to supply chain attack.
Short Term Tasks
During the presentation there were a number of questions surrounding the approach to signing the in-toto metadata. Specifically whether to use short or long lived certificates to sign the data.
Logistics
Initial suggestion would be to hold an initial call, the week of the 18th to discuss next steps and to ratify the problem statement / goals.
Updated Interested Parties
@TheFoxAtWork @justincormack @jonmuk @joshuagl @colek42 @magnologan @alok-raj @achetal01 Andreas Spanner, Andy Martin, Sabree Blackmon, @derwei @nishakm @ncdc @garryin @SantiagoTorres @magnologan @Robert Van Voorhees
I'd like to contribute to this.
Problem Statement
Whilst there are relatively few software supply chain attacks disclosed each year, the impact of these events is often significant.
Minor nit: we don't know that there aren't more of them happening, we only know that relatively few are disclosed.
I may struggle to make a call this week, depending on what timezone it's scheduled in (GMT here), but I am definitely interested.
Minor nit: we don't know that there aren't more of them happening, we only know that relatively few are disclosed.
Good point, @joshuagl I've updated the text.
I have availability at 16:30 GMT on 20th or 22nd January, @joshuagl also able to make that time.
Would that work for others?
@jonmuk I have both blocked out right now
- Design an end to end architecture to provide the secure ingestion, build and delivery of software. The architecture would have particular focus on signed attestations of software artefacts, hardened build artefacts and detective / responsive controls within the pipeline
The in-toto project is a CNCF project focused on this and already has a design with threat model, etc. It also has quite a bit of traction. I'd suggest looking here as a starting point instead of trying to come up with a design from scratch.
@SantiagoTorres
@JustinCappos in-toto is front and centre in those discussions
I have had a couple of people reach out requesting 22nd January at 16:30 GMT. I appreciate not everyone can join the initial session but lets start with that and see how we get on. Any objections let me know
Hi! I'm interesting in participating and helping out in any way I can.
I'm also interested :)
Count me in!
I'm interested in participating and contributing where I can!
+1, definitely interested, and definitely participating in figuring out how in-toto can contribute and/or adapt to the findings on this WG!
i++ 馃槈
Here are the details for supply chain working group meeting tomorrow:
CNCF SIG Security is inviting you to a scheduled Zoom meeting.
Topic: Supply Chain Security
Time: Jan 22, 2021 11:30 AM Eastern Time (US and Canada)
Join Zoom Meeting
https://zoom.us/j/92812532864?pwd=NmZRMDlrNXEvUjU2UktGanRuZnl1dz09
Meeting ID: 928 1253 2864
Passcode: 734638
Find your local number: https://zoom.us/u/acbSpef4Aj
@jonmuk Is that tomorrow or Friday? Date says Jan 22nd which is Friday. Could you please double check? Thanks!
Meeting is Friday the 22nd
Here are the high level notes from the 22nd Jan meeting.
Also here is a google doc for the Draft Supply Chain White Paper. I've added the headlines discussed during the meeting. Please feel free to contribute sections:
https://docs.google.com/document/d/1VURD9rdEhiuqPdixhEozkHw01Tk6e2AaJVjBK3pK6Zc/edit?usp=sharing
Hi @jonmuk, Is there a recording of the last meeting?
I've added notes in the Prior Art section of the above supply chain whitepaper draft, there's a Software Factory Operator or Trusted Software Supply Chain Operator being built:
https://github.com/ploigos/ploigos-software-factory-operator
Proposal
Problem Statement
Whilst there are relatively few publicly disclosed software supply chain attacks each year, the impact of these events is often significant. The sig-security group has provided a detailed catalogue of these attacks however there is limited guidance on how to address these problems holistically. Additionally there are limited available architectures or implementations of secured software factories that can be adopted by end users to improve the security posture of their infrastructures.Goal
The following high level goals will be discussed in the working group to confirm suitability in order to provide actionable guidance to the community to deliver supply chain infrastructure that is resistant to supply chain attack.
- White paper detailing best practices to mitigate supply chain attacks. This paper would reference existing work in the industry and from the group
- High level threat model of the traditional software supply chain to identify potential gaps
- Design an end to end architecture to provide the secure ingestion, build and delivery of software. The architecture would have particular focus on signed attestations of software artefacts, hardened build artefacts and detective / responsive controls within the pipeline
- Identify gaps within the architecture that are not well served in the open source space in order to suggest work that can be implemented. This may include the definition of API's or services that would need to be built
- Build out a reference implementation of the architecture defined above. This would take advantage of existing open source work and demonstrate more concrete API's and standard approaches
Given the goals formulated here and that the group has sufficiently self-organized over the past few weeks and made significant progress with the outline of a paper, I'd like to request for this workgroup to be sanctioned by a SIG co-chair representative. @TheFoxAtWork @ultrasaurus @pragashj
The approval is time-sensitive as the group would like to secure a maintainer track session during the upcoming KubeCon that are reserved for active working groups.
All - I'm going to spend some time today going through the existing documents, notes, proposal and outline. The work of the group is very much needed however i do have some scoping and 'deliverable'/outcome questions. We are good to move forward.
Tentative Schedule (due by dates)
Feb 26 - Initial content draft in the document for all sections
Mar 5 - Reviews of all draft content and clearing out commentary
Mar 12 - Content finesse
Mar 19 - Single voice narrative review
Mar 26 - Community review (2 weeks)
Apr 9 - Adjudication of community review (2 weeks) and final group review
Completed with https://github.com/cncf/tag-security/pull/627
Most helpful comment
Given the goals formulated here and that the group has sufficiently self-organized over the past few weeks and made significant progress with the outline of a paper, I'd like to request for this workgroup to be sanctioned by a SIG co-chair representative. @TheFoxAtWork @ultrasaurus @pragashj
The approval is time-sensitive as the group would like to secure a maintainer track session during the upcoming KubeCon that are reserved for active working groups.