Understanding the concepts of Supply Chain Security, Container Images, SBOMs, and more with Aung
TLDR;
- Software Bill of Material (SBOM) is key for Supply Chain Security. It helps organizations understand dependencies and vulnerabilities associated with the dependencies.
- To analyze SBOMs, utilize a Software Composition Analysis (SCA) Tool and integrate is as part of CI/CD Process.
- Some of the best practices of Image Signing are using a Key Management Solution which has capabilities like Rotation, Secure Root and Private Keys, Use of a Trusted Registry with Continuous Monitoring on it to name a few.
Transcript
Host: Hi, everyone. This is Purusottam and thanks for tuning in to the ScaletoZero podcast. Today's episode is with Aung. Aung is a cybersecurity expert working at a global infrastructure services company. Prior to this, he was working with Standard Chartered Bank as a cloud application and container security SME. With a broad set of skills, he works in different areas from forensics to new technology to security awareness programs.
Welcome to the episode! For our audience, Do you want to briefly share about your journey?
Htet Naing Aung: Yeah, thanks for having me, Puru. Yeah, so my name is Aung. I bring over 12 years of extensive experience in the IT industry, heavy trust firms, various sectors in including education, financial institution, banking, and system integrated companies. So my career commenced in Linux Unix engineering with a specific focus on Redhat RPM-based Linux operating systems.
Over time, I have transitioned towards exploring cutting-edge technology trends, such as cloud, container, DevOps, DevSecOps, and application securities. Throughout my professional journey, I have specialized in desktop cost and application security, emphasizing the significance of security and designs and default cybersecurity programs and initiatives.
This expertise extends to fortifying clouds and container orchestration platforms like EKS, and open shift platforms. So presently, my role as a Prince River security architect revolves around separating cybersecurity initiatives. I focus on a spectrum of cybersecurity domains, including Zero Trust, SaaSy, Secure Service, and Sol security orchestration, automation, and response, managed service, security platforms, threat intelligence, as well as EDR and HDR, kind of like getting edge technology. Thank you.
Host: Wow, that's a very broad spectrum that you have expertise in. That's very rare nowadays. So a question that comes to my mind is, what does a day in your life look like today with expertise across so many areas? What does your day today look like?
Htet Naing Aung: So mostly I work with various business units, and stakeholders trying to provide the best securities and resiliency service and solution to our trusted customer. So such as working with operating, solutioning, delivery team based on the projects and I do architecture review. So how are we going to do like the solutions such as let's say we have got the SCSI centralized network management solution in the next year.
So how are we going to simulate? And how are we going to put the component in order to meet their business goals and the objectives?
Host: Okay, that makes sense. So today we are going to talk about primarily supply chain security. So let's dive into it. So there is an increased attention to supply chain security. So let's start with some definition.
What is a software supply chain security to you?
Htet Naing Aung: Well, software supply chains refers to the measures and practices implemented to safeguard the integrity, confidentiality, and availability of software throughout its lifecycle, from the development to deployment and ongoing maintenance. Basically, this involves ensuring that the software components, libraries, dependencies, and Updates integrated into an organization's system remain free from vulnerabilities and authorized alterations or malicious code infusion.
Host: So, that is a very good definition. So, why is it important for organizations to think about it?
Htet Naing Aung: Absolutely. So the importance of software supply chain security cannot be overstated, particularly in today's interconnected digital landscape. There are a few key reasons why organizations need to prioritize it. First of all, risk mitigation, product data integrity, prisoner continuity and reputation management, compliance, and regulatory requirements, and safeguarding against emerging threats.
So when is comes to risk mitigation? The software supply chain often involves numerous components sourced from various vendors. So any vulnerabilities or compromise in these components can be taken down and force security risks to an organization's entire ecosystem. Implementing robust security measures helps mitigate these risks. So when it comes to protecting data integrity, MalesyX targets software supply chains to inject malware, compromise code integrity or introduce backdoors. By securing the software supply chain safeguards against these threats, ensures the integrity and confidentiality of the sensitive data.
So we also need to take care of business continuity and reputation management, as I said earlier. So average or compromise in the software supply chain can lead to service distractions, financial losses, and reputation damage. So, we're active security measure mechanism, you know, maintain business continuity and foster customer trust.
So we also need to align all the compliance and regulatory requirements, such as like NICs, CADRA-related, federal-related compliance, and regulatory, GDPR. So this will also ensure software supply chain helps organizations comply with these regulations and standards and prevent some sort of cyber threats from the attacker.
Host: Okay, one of the things that you highlighted is like, if you are using any vendor or anything like that, then any software that they are building, you are also vulnerable for that. Right. And one of the parts of that is open-source software. And adoption of open-source software has been on the rise for a decade or so. And especially with supply chain security attacks to SolarWinds, Twilio, and PiPi, there is more attention now.
And in one of the recent studies by Anchor, they highlighted that around 85% to 97% of the enterprise code base uses open source, which means they are vulnerable to supply chain attacks. So we received this question from a first-time security leader.
How should they think about and tackle these supply chain security challenges in their organization?
Htet Naing Aung: Right, exactly. So for a first, uh, security leader concerned about supply chain security challenges, especially in the context of increasing open source adoption. So yes, a few guidance, you know, like we can talk at this issue where we should start addressing challenges with supply chain security. So we have to understand the software, and various of material now the popular name is SBOMs.
So, begin by comprehending the software base of materials, which essentially acts as a manifest detailing all the components within your software stack. It is crucial to identify vulnerabilities and dependencies in open-source and third-party software.
So, the second thing is risk assessment and inventory management. So conduct a throughout risk assessment and inventory of your software's blockchain, and identify all open-source and third-party components utilized in your organization's code base. This step will help in understanding vulnerabilities.
The next thing is, Security policies that focus on badging and monitoring the components integrated into your software that will ensure these policies encompass regularly vulnerability assessments and adherence to security best practices. So the other two more important things in this topic is that continuous monitoring updates and vendor community collaboration.
So when it's time for continuous monitoring and updates, you have to emphasize continuous monitoring and prompt updates for all components within the software supply chain. This includes a steady relevant for security advisory, purchase update from the vendor and open source community.
Host: Yeah, so one follow up question that comes to my mind is, let's say you get the S-bomb data from all of the vendors and then it becomes overwhelming, right? That you have so much data, so much dependencies, vulnerability information, all of that.
As a first time leader, where should I start from? Let's say I have 20 vendors, I got a S-bomb from 20 of them. Where should I start?
Htet Naing Aung: Sure, well absolutely. So the starting point would be like integrating your CNCD pipeline enabling the desktop core's toolings and practices. For instance, implement software composition analysis, and SCA tools, into your existing CICD pipeline.
So consider investing in SCA tools that assist in identifying and managing vulnerabilities within your software supply chain. So these two provide insight into the components and the dependency, aiding in risk assessment.
So let's say you have got a container orchestration platform, you're using containerization application too much and you can also anywhere, steady code scanning, dynamic scanning into your pipeline along with the ACI tool.
So another thing is adopting S-BOM formats and standards such as SBDA, Cyclone DAs. So begin implementing S-BORN standards within your organization. It will involve cooperating S-BORN into your procurement process, ensuring suppliers provide S-BOMs and utilizing these documents for risk assessment. And then you will need to educate and train your team the secure coding practices. How the software supply chain security is really important, it can impact and damage your organization, reputations, and business losses.
And now you have to, the most important thing is you have to also establish incident response plan. For instance, developing a comprehensive incident response plan, especially tailored to your supply chain security breaches. This plan should outline procedure of identifying, containing, and mitigating the impact of potential breaches.
Host: Okay, so if I understand correctly, S-BOM or the S-BOM helps with the software supply chain, and having a good grasp of the software supply chain helps with your incident response, helps with your procurement process, and all of those areas, right? So as a… As a security organization, it feels like S-BOM is one of the key areas, right? It plays a major role in your overall vendor management.
Now, how can S-BOM be used or analyzed? You mentioned that you can integrate with CI-CD pipelines and analyze using the SCA tool. How can that analysis be done so that the overall security and compliance can be improved?
Htet Naing Aung: Sure thing. So, so when we apply the S-forms to understanding, we have to understand the challenges in the supply chain security.
So basically, it can improve in the visibility, transparency, risk assessments, vulnerability management and compliance and regulatory requirements. So, for visibility and transparency, S-forms are all comprehensive software components used in an application, including dependencies and their relationships. This possibility is crucial due to the complexity of software supply chain.
Host: So, if a follow question to that is often what happens is when you get the S-form information vendors share or open source libraries even share their image information, container image and they often have a signature. So that you can validate that the image is not tampered with.
So can you, for our audience, can you highlight what is container image signing and why is it important for DevSecOps?
Htet Naing Aung: Well, container image signings involve digitally signed container images and their integrity, authenticity, and provenance throughout the software development and development life cycle. The process is crucial in the desktop code for several reasons. Security assurance, trust and compliance, and the same risk mitigation
When we talk about security assurance, provide the value in the Container Image Signing when it comes to the desktop box space. Signing verifies that Container Image has not been tampered or altered, mitigating the risk of deploying compromised or malicious software into your runtime environment, runtime system.
So the trust and compliance established trust by confirming the authenticity and the origin of the container image, aligning with the compliance requirements and industry standards. So regarding the risk mitigation, it states in risk mitigation by providing a secure way to manage container images, reducing vulnerability in the software supply chain.
Host: Okay, so now let's say I am convinced that container image signing is important. What are different methods of signing container images?
Htet Naing Aung: Container image signing have various methods. So in the next year, you have got the Docker content trust and the TEP framework. So this is like the most important and popular framework nowadays. So Docker trust contents utilize cryptographic signatures to sign container images.
It leveraged the concept of a root key and prerepository keys to ensure the integrity of the images. This method provides an option to enforce image signing for repository, allowing verification, the full pooling or running images into your runtime environment.
So when it comes to the TEP framework, the TEP is a security framework, as you know, that provide a secure software update system and it's offer protections against various types of attacks and compromise within the software distribution networks. That also ensures the same security integrity of the container images by utilizing a decentralized approach to signing verified images.
But when we like to talk about the technology in general. So we've got like OpenID, Connet, JSON, WebToken that are used for authentications and authorization within the container ecosystem. Why not directly use in the image signing? Yet these standards can complement image signing method by providing secure authentication mechanisms.
Host: Okay, so a follow up question to that comes to my mind is that there are you mentioned Docker trust. Similarly, there is cosine, there are different methods. What are some of the best practices that I should keep in mind when I am incorporating image signing?
Htet Naing Aung: Absolutely. So you're talking about the challenge of implementing the container signing image and overcoming them, right? So yeah, so why does container image signing offer immense benefits challenge exists? So first of all, we have to have take a look the key management So where's your like root key, private keys are hosted, handling keys securely, ensuring proper key rotation is a challenge.
So another challenge would be integration complexity. So by integrating the signing into the CNC pipeline without affecting the speed of the current, your bit process and efficiency can be complex. So to overcome these challenges, implement key management best practices, safeguard keys, follow key rotation protocols, and leverage key management tools, AWS, KMS, or HashiCode, Bob.
This kind of, you know, the tools you can leverage for enterprise and open source environment as well. So automate signing integration. Use automation to seamlessly integrate signing into the CI and CICD libraries.
Host: Okay, yeah, I think the keyword that I got from your response is automation, right? Instead of doing things manually integrated as part of the CI-CD process, so that it the signing process is automated, you are not doing it manually. So now the question is, there is a code signing or image signing? And when it comes to prioritization.
What should we prioritize first and how should what parameters should organizations look at while prioritizing this?
Htet Naing Aung: So I believe you're mentioning the best practices for container image signing. So effective container image signing relies on some of the best practices such as adopting trust or a trusted registry. So use the trusted repositories and registries that support image signing capabilities such as URL, private like DOCA registry or enterprise class repository like JFork Artifactory.
So implement continuous monitoring integrated into those you trust that registry, and regularly monitor and validate signed container images for any anomalies or tampering. Okay, and enforce policy, enforce map. To establish an enforced policy regarding signed image compliance across the development and deployment process. You can leverage open policy agents. Okay, if you are not from this trust, you cannot run the image in the runtime. This kind of implementation and policy enforcement can be done in non-state technology.
Host: Okay, so you highlighted some of the best practices when it comes to implementing image signing. And one of the recommendations that you have is to integrate as part of the CI-CD process.
So when integrating with the CI-CD process, do you have any additional best practices or recommendations or like key rotation, those take care of it already.
Htet Naing Aung: Sure. So integrating the code signing seamlessly into the CICD pipeline is crucial for the security of software throughout the development and deployment process. So I would recommend automating the code signing process and utilizing a security, storage, or management system and integrating it with your batching code storage system.
For instance, you might use Visual Studio for your code development, developing your flavors, or whatever. So you can integrate the safeguard cryptographic key for code signing in a secure and compliant key management system and implement approval workflows and policies.
So establish approval workflow and policy for code signing and define clear guidelines on when and how code should be signed, ensuring compliance with security standards and organizational policy. So I have so many things to recommend, like continuous monitoring, validation, secure artifact repository, registry, and documentation training and review, and improvements, such as secure code review, and manual process.
What is the control to promote the production? What are the minimum standards? This kind of thing also can be leveraged into your devosting, or tested accordingly, and security, stick together and try to improve workflow and process.
Host: Yeah, so what I'm hearing is, like, do the basics right, right? Even though you're, whether you are integrating in the CI-CD or you're doing it manually, whatever it is, do the basics right, like your KMS or the key management should be defined properly or you should have policies for stronger keys and stuff like that. So doing the basics right helps you with even the code signing process.
Htet Naing Aung: Exactly, yeah.
Host: Yeah, so yeah, that's a very good way to end the security question section.
Let's go to the next section, which is rating security practices.
Rating Security Practices
So the way it works is I'll share a security practice. You need to rate it one through five, one being the worst and five being the best. You can also add some context as to why you are giving it a particular rating. So
Let me start with the first one. The first one says to conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your systems and applications.
Htet Naing Aung: It's one to five, is this right? Okay, I would say a four. That is really important.
Host: Okay. The second one is DevOps practices are needed to move fast and deploy code to production. Security practices are not the most important right now.
Htet Naing Aung: I would say two because security practice is important for sure.
Host: Hehehe
Host: Right, that makes sense. The last one is continuous integration is a must for DevOps practices. Security architecture review should be conducted as part of the integration itself.
Htet Naing Aung: five.
Host: Okay, that's what I was expecting also. Okay, so I generally ask this question to all of our guests. Do you have any recommendations, or reading recommendations for our audience? It can be a blog or a book or a podcast or anything that you want to recommend to our audience.
Htet Naing Aung: Alright, I would recommend going through the Microsoft security blogs and it's you know have a comprehensive approach, not only into the desktop cards area, but you can also see security operation and zero trust kind of architecture, I would recommend to do reviews and keep track, you know, what they are trying to release and it's pretty good. So you know, I will recommend that one first.
Host: Oh, thank you so much. So what we'll do is when we publish the episode, we'll also tag the Microsoft Security blog post so that our audience can go there and read from there. Yeah, so thank you so much, Ang, for joining and sharing your knowledge with us on supply chain security, DevSecOps, image signing, and many other areas.
Htet Naing Aung Sounds great!
Host: Yeah. And to our audience, thank you so much for watching. See you in the next episode. Thank you.
Htet Naing Aung: Thank you everyone.
People also watch