
How Yahoo Secures Their Software Supply Chain at Scale: CloudNativeSecurityCon 2023


At CloudNativeSecurityCon 2023 in Seattle, WA, Hamil Kadakia and Yonghe Zhao, software engineers on Yahoo's security team, presented Securing Software Supply Chain at Scale, including how to put together policies that safeguard against supply chain attacks.

Kadakia started the talk by discussing what a software supply chain is and by exploring common attacks, such as injecting vulnerable dependencies, compromising artifacts, or altering privileges.

After highlighting the importance of protecting the software supply chain, he cited recent software supply chain security reports from Anchore and Sonatype. He pointed out that:

85 to 97% of enterprise codebases use open source software. This means that most of our applications consist of code we did not write. This can pose significant security risks.

The image below highlights some of the supply chain vulnerabilities.

[Image: Supply Chain Attacks]

Image courtesy of Hamil Kadakia and Yonghe Zhao, CloudNativeSecurityCon slides

He presented the existing security and compliance toolset that is part of the CNCF landscape and pointed out that the CNCF Software Supply Chain Best Practices whitepaper provides good guidance. However, it can be challenging to decide where to begin.

Software Supply Chain was among the common topics covered in twenty different breakout sessions, including the keynote by Brian Behlendorf, managing director of the Open Source Security Foundation (OSSF).

InfoQ sat down with Liz Rice, chief open source officer at Isovalent, who also presented keynotes and closing remarks, to talk about the state of cloud native security. She underscored not only the importance of a secure supply chain but also that it is part of a bigger solution.

Because of the US executive order on cybersecurity last year, there has been a huge focus on supply chain security and SBOMs. This has been a massive topic of conversation, and a lot of tooling is being developed.

We also need to remember that there are real-time security elements as well. We cannot expect to do all the security by protecting the supply chain. One way or the other, vulnerabilities will get through. That's why runtime threat detection is important as well.

Next, Zhao gave an overview of Yahoo's current infrastructure, which includes seven hundred clusters and a hundred thousand or more pods, and of the tools supporting the different teams at Yahoo.

He pointed out that, to simplify things, the team chose the cloud native path: GitHub Enterprise for source control, Screwdriver, an open source build platform for continuous delivery, an internal OCI registry for artifacts, and a combination of on-premises and cloud Kubernetes clusters.

[Image: Secure Supply Chain Guardrails]

Image courtesy of Hamil Kadakia and Yonghe Zhao, CloudNativeSecurityCon slides

Furthermore, he described security controls that are already widely used, including static code analysis and mirroring of external registries. However, these fundamental controls needed to be strengthened in three areas:

  • Software composition analysis was introduced in the continuous integration step to detect open source dependencies and their vulnerabilities and to remediate them automatically.
  • Build-time vulnerability assessment was integrated into the build process to scan images, covering not only the software being built but also the extra components that go into a container image, including base images, programming libraries, and so on.
  • Production deployment verification was added to check images before deployment for provenance, signature, and freshness.

Zhao ended with a recorded demo showing the different production deployment verification checks and how they can be controlled using policies to allow or reject deployments.
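The production deployment verification described above, with provenance, signature and freshness checks combined into an allow-or-reject policy decision, as an added example that is not Yahoo's code or any tool shown in the talk. The ImageRecord shape, the allowlists of signing key ids and builders, the 30-day freshness window and the two sample images are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
# Constructed policy values for this example, not Yahoo's real configuration.
TRUSTED_SIGNERS = {"ci-signing-key-2023"}   # key ids allowed to sign image digests
TRUSTED_BUILDERS = {"screwdriver"}           # build platforms accepted in provenance
MAX_IMAGE_AGE = timedelta(days=30)           # freshness window before a rebuild is required
EXPECTED_SOURCE = "github.example/team/app"  # repo the deployment is expected to come from

@dataclass
class ImageRecord:
    """Metadata a registry or attestation store would return for one image digest."""
    digest: str
    signer_key_id: Optional[str]       # key that signed the digest; None means unsigned
    provenance_builder: Optional[str]  # builder named in the provenance attestation
    provenance_source: Optional[str]   # source repository recorded in the provenance
    built_at: datetime                 # build timestamp recorded in the provenance

def verify_deployment(img: ImageRecord, expected_source: str,
                      now: datetime) -> Tuple[bool, List[str]]:
    """Apply all three checks; return (allowed, reasons) so every failure is reported."""
    reasons: List[str] = []
    # Signature check: the digest must be signed by an allowlisted key.
    if img.signer_key_id is None:
        reasons.append("image is unsigned")
    elif img.signer_key_id not in TRUSTED_SIGNERS:
        reasons.append(f"signed by untrusted key {img.signer_key_id}")
    # Provenance check: the attestation must name a trusted builder and the expected repo.
    if img.provenance_builder is None:
        reasons.append("no provenance attestation")
    else:
        if img.provenance_builder not in TRUSTED_BUILDERS:
            reasons.append(f"built by untrusted builder {img.provenance_builder}")
        if img.provenance_source != expected_source:
            reasons.append(f"provenance source {img.provenance_source!r} does not match {expected_source!r}")
    # Freshness check: a stale image has missed rebuilds that pull in patched base layers.
    if now - img.built_at > MAX_IMAGE_AGE:
        reasons.append(f"image older than {MAX_IMAGE_AGE.days} days")
    return (not reasons, reasons)

def sample_decisions() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the policy over two constructed image records (digests are placeholders)."""
    now = datetime(2023, 3, 1, tzinfo=timezone.utc)   # constructed "current" time
    fresh = ImageRecord("sha256:aaaa", "ci-signing-key-2023", "screwdriver",
                        EXPECTED_SOURCE, datetime(2023, 2, 20, tzinfo=timezone.utc))
    stale = ImageRecord("sha256:bbbb", None, "laptop",
                        EXPECTED_SOURCE, datetime(2022, 12, 1, tzinfo=timezone.utc))
    return {r.digest: verify_deployment(r, EXPECTED_SOURCE, now) for r in (fresh, stale)}

if __name__ == "__main__":
    for digest, (allowed, why) in sample_decisions().items():
        print(digest, "ALLOW" if allowed else "REJECT", why)
```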

Kadakia wrapped up the session with lessons learned throughout the journey: planning for adoption from the outset, embracing open source technologies, and seeking continuous feedback to optimize developers' workflow and experience.

The breakout session recording is available on the CNCF YouTube channel playlist. The presentation slides are on the event's webpage.
