Software Supply Chain Security, with Priya Wadhwa

Kubernetes Podcast from Google

Episode | Podcast

Date: Fri, 23 Jul 2021 11:30:54 +0000

<p>The idea of software supply chain security rocketed into the public consciousness in the last year, with the news that US government agencies had been breached. <a href="https://twitter.com/priyawadhwa16">Priya Wadhwa</a> is a software engineer at Google working on open source security, including projects to secure and verify container deployments. She outlines what is being done to make sure this doesn’t happen to you.</p>
<p>Do you have something cool to share? Some questions? Let us know:</p>
<ul>
  <li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li>
  <li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li>
  <li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li>
</ul>
<h3 id="chatter-of-the-week">Chatter of the week</h3>
<ul>
  <li><a href="https://www.youtube.com/watch?v=RTpWYWIfP7Y">Virgin Galactic launch</a>
    <ul>
      <li><a href="https://www.youtube.com/watch?v=y6Cspcb6hCQ">NBC News</a></li>
      <li><a href="https://www.bbc.co.uk/news/av/science-environment-57798319">BBC News</a></li>
    </ul>
  </li>
  <li><a href="https://www.youtube.com/watch?v=tMHhXzpwupU">Blue Origin launch</a>
    <ul>
      <li><a href="https://www.youtube.com/watch?v=pPuFuJAusv8">NBC News</a></li>
      <li><a href="https://www.bbc.co.uk/news/science-environment-57849364">BBC News</a></li>
    </ul>
  </li>
  <li><a href="https://www.youtube.com/watch?v=HV2UoWhV7qs">Rocket scene from Austin Powers: The Spy Who Shagged Me</a>
    <ul>
      <li><a href="https://www.businessinsider.com/jeff-bezos-compared-to-austin-powers-villain-dr-evil-2021-7?r=US&amp;IR=T">The memes</a></li>
    </ul>
  </li>
</ul>
<h3 id="news-of-the-week">News of the week</h3>
<ul>
  <li><a href="https://cloudonair.withgoogle.com/events/container-security?utm_source=google&amp;utm_medium=blog&amp;utm_campaign=FY21-Q3-northam-NA1102-onlineevent-er-container_security&amp;utm_content=kubernetes_podcast">Google Cloud Container Security webinar</a></li>
  <li><a href="https://cloud.withgoogle.com/next?utm_source=kubernetes&amp;utm_medium=audio&amp;utm_campaign=FY21-Q4-global-ES903-onlineevent-er-next-2021&amp;utm_content=kubernetes-podcast-july21&amp;utm_term=-">Register for Google Cloud Next 2021</a></li>
  <li><a href="https://cloud.google.com/blog/products/identity-security/detect-complex-network-threats-with-cloud-ids">Google Cloud IDS</a></li>
  <li><a href="https://cloud.google.com/blog/topics/anthos/windows-server-support-comes-to-anthos-on-prem">Windows Server support for Anthos on-prem</a></li>
  <li><a href="https://cloud.google.com/kubernetes-engine/pricing#multi-cluster-ingress">Multi-Cluster Ingress for GKE</a></li>
  <li><a href="https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html">CVE-2021-22555: Kernel code execution through Netfilter bug</a></li>
  <li><a href="https://groups.google.com/g/kubernetes-announce/c/aXolwNe_KT4/m/HKK3174yAQAJ">CVE-2021-25740: Endpoint &amp; EndpointSlice permissions allow cross-Namespace forwarding</a></li>
  <li><a href="https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf">CVE-2021-32690: Helm repository credentials passed to alternate domain</a></li>
  <li><a href="https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/">Attacks on Argo Workflows discovered by Intezer</a></li>
  <li><a href="https://sysdig.com/blog/sysdig-and-apolicy-join-forces-to-help-customer-secure-infrastructure-as-code/">Sysdig acquires Apolicy</a>; <a href="https://apolicy.io/we-are-joining-sysdig/">Apolicy acquired by Sysdig</a></li>
  <li><a href="https://www.cockroachlabs.com/blog/cockroachdb-on-kubernetes/">CockroachDB Operator for Kubernetes</a></li>
  <li><a href="https://blog.cloudflare.com/automatic-remediation-of-kubernetes-nodes/">Automatic remediation of Kubernetes nodes at Cloudflare</a>
    <ul>
      <li><a href="https://github.com/cloudflare/sciuro">Sciuro</a></li>
      <li><a href="https://github.com/weaveworks/kured">Kured</a></li>
    </ul>
  </li>
  <li><a href="https://www.cncf.io/blog/2021/07/16/learn-how-to-simplify-application-management-with-operators-with-the-cncf-operator-white-paper-from-tag-app-delivery/">CNCF App Delivery TAG publishes operator whitepaper</a></li>
</ul>
<h3 id="links-from-the-interview">Links from the interview</h3>
<ul>
  <li><a href="https://cloud.google.com/blog/products/identity-security/how-were-helping-reshape-software-supply-chain-ecosystem-securely">Software supply chain</a>
    <ul>
      <li><a href="https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html">Know, Prevent, Fix</a></li>
    </ul>
  </li>
  <li><a href="https://reproducible-builds.org/">Reproducible builds</a>
    <ul>
      <li><a href="https://wiki.debian.org/ReproducibleBuilds/About">Debian Project</a></li>
    </ul>
  </li>
  <li><a href="https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach">SolarWinds hack</a></li>
  <li><a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">US Executive Order on Improving the Nation’s Cybersecurity</a></li>
  <li><a href="https://cloud.google.com/binary-authorization">Binary Authorization</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Provenance">Provenance</a>, in art and software</li>
  <li><a href="https://in-toto.io/">in-toto</a>
    <ul>
      <li><a href="https://dl.acm.org/doi/10.5555/3361338.3361435">“Farm to table”</a></li>
    </ul>
  </li>
  <li><a href="https://sigstore.dev/">sigstore</a>
    <ul>
      <li><a href="https://security.googleblog.com/2021/03/introducing-sigstore-easy-code-signing.html">Announcement blog</a></li>
      <li><a href="https://github.com/sigstore/cosign">cosign</a>
        <ul>
          <li><a href="https://security.googleblog.com/search/label/Open%20Source?updated-max=2021-06-16T11:36:00-04:00&amp;max-results=20&amp;start=3&amp;by-date=false">Announcement blog</a></li>
          <li><a href="https://blog.sigstore.dev/cosign-signed-container-images-c1016862618">Dan Lorenc’s blog</a></li>
        </ul>
      </li>
      <li><a href="https://github.com/sse-secure-systems/connaisseur">Connaisseur</a></li>
      <li><a href="https://github.com/sigstore/rekor">Rekor</a></li>
      <li><a href="https://github.com/sigstore/fulcio">Fulcio</a></li>
      <li>Key signing ceremony:
        <ul>
          <li><a href="https://kubernetespodcast.com/episode/152-sre-for-everyone-else/">Dan Lorenc on Episode 152</a></li>
          <li><a href="https://blog.sigstore.dev/a-new-kind-of-trust-root-f11eeeed92ef">Announcement blog</a></li>
          <li><a href="https://www.twitch.tv/videos/1053151994?filter=all&amp;sort=time">Video</a></li>
        </ul>
      </li>
    </ul>
  </li>
  <li><a href="https://tekton.dev/">Tekton</a></li>
  <li><a href="https://github.com/tektoncd/chains">Tekton Chains</a>
    <ul>
      <li><a href="https://security.googleblog.com/2021/06/verifiable-supply-chain-metadata-for.html">Announcement blog</a>, by Priya &amp; Dan</li>
    </ul>
  </li>
  <li><a href="https://en.wikipedia.org/wiki/Software_bill_of_materials">SBOM (Software Bill of Materials)</a></li>
  <li><a href="https://deps.dev/">Open Source Insights</a>
    <ul>
      <li><a href="https://opensource.googleblog.com/2021/06/introducing-open-source-insights-project.html">Announcement blog</a></li>
      <li><a href="https://en.wikipedia.org/wiki/Year_Zero_(video_game)">Nine Inch Nails’ Year Zero ARG</a></li>
      <li><a href="https://github.com/ossf/scorecard">Scorecards</a>
        <ul>
          <li><a href="https://openssf.org/blog/2020/11/06/security-scorecards-for-open-source-projects/">Announcement blog</a></li>
          <li><a href="https://security.googleblog.com/2021/07/measuring-security-risks-in-open-source.html">v2 blog</a></li>
        </ul>
      </li>
    </ul>
  </li>
  <li><a href="https://slsa.dev/">SLSA</a>
    <ul>
      <li><a href="https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html">Announcement blog</a></li>
      <li><a href="https://github.com/slsa-framework/slsa">GitHub</a></li>
    </ul>
  </li>
  <li><a href="https://events.linuxfoundation.org/supplychainsecuritycon-north-america/">SupplyChainSecurityCon</a></li>
  <li><a href="https://github.com/sigstore/community#slack">sigstore Slack channel</a></li>
  <li><a href="https://twitter.com/priyawadhwa16">Priya Wadhwa on Twitter</a></li>
</ul>