DevOps Best Practices Platform Engineering Best Practices security Tanzu Application Platform

3 Key Takeaways from CloudNativeSecurityCon 2023

CloudNativeSecurityCon North America, a two-day event organized by the Cloud Native Computing Foundation (CNCF), recently took place in Seattle, Washington, and gave the industry an opportunity to come together to discuss cloud native security projects and how to address today’s security challenges and opportunities.

Supply chain security was a hot topic at the event, as it has been across the industry for the last few years. This is no surprise given the sharp increase in cyberattacks since 2019 (the eighth annual State of the Software Supply Chain Report states cyberattacks have increased an average of 742 percent yearly). 

Meme that says "Supply chain attack: So hot right now"

And according to experts, it’ll continue to get worse, with as many as 45 percent of organizations worldwide expected to experience an attack on their software supply chains by 2025, a three-fold increase from 2021.

But despite this ever-growing presence of threats, there may yet be some hope. 

Brandon Lum, a software engineer at Google, built upon this idea during one of the event’s keynote speeches: “The industry has gotten together and given a response to match.” And there’s evidence to support this claim. From the influx of organizations proactively prioritizing their supply chain security, to the burgeoning ecosystem that has come about as a result, the tech industry has been collectively working to develop unique solutions (open source and commercial), frameworks, standards and real-life examples to tackle the most significant security risks of our time. 

Grid showing dozens of security standards and tools

Screenshot from Hemil Kadakia and Yonghe Zhao's talk, How to Secure Your Supply Chain at Scale

CloudNativeSecurityCon provided an incredible opportunity to experience this first-hand. Here are three big takeaways from the conference.

We are drowning in supply chain metadata 

Software supply chain metadata, such as SBOMs (software bill of materials), vulnerability reports, signatures, provenance, attestations, and more are crucial to organizations for assessing security risks. To accomplish this, not only do we need to produce the metadata, but we also must transform it into something meaningful and actionable. And while we have the tools to provide the metadata we need, it has been a challenge to process the resulting flood of information swiftly enough to generate actionable insights. 

One recommendation from the event to effectively tackle this problem was to aggregate and synthesize our metadata first. That is, bring all the metadata together in one central place and establish links between them so that users can easily query the aggregated data to answer questions about their applications and supply chain security. New solutions, such as GUAC, Hoppr, and Hoppr-Cop, are emerging to help in this regard and to enable security practitioners to focus on the consumption part of the story.

The Supply Chain Security Tools Store (also known as Metadata Store) component of VMware Tanzu Application Platform was designed around this outcome. By aggregating SBOMs from vulnerability scan results, the Metadata Store enables users to query relationships between vulnerabilities detected and their impacted repositories, packages, or images. You can use the Tanzu insight CLI as well as the Tanzu Application Platform GUI to surface these correlations from the Metadata Store to help you answer questions such as “What Common Vulnerabilities and Exposures (CVEs) were found on this commit?” or “What images or repositories have this CVE impacting them?” We are working to add more data, more relationships, and easier access to insights in the Metadata Store with future Tanzu Application Platform releases.

Here are a few notable session recordings on this topic:

Policy and security go hand in hand

Speaking of consumption, we need to leverage policies to make the most of the insights generated from synthesized metadata, and convert them to actionable items. Organizations administering strong security policies can use this to their benefit not just to mitigate risks, but also to maintain internal standards, as well as security best practices. There is an effort currently under way by the CNCF Security Technical Advisory Group to provide direction on what kind of policies are important to ensure secure software supply chains.

Both Open Policy Agent and Kyverno are popular policy engines that allow users to write policies that can be used to control any number of things, such as user access and permissions, what can run in production, etc. But we should also proactively monitor how these policies are managed, created, and curated given that frequently changing requirements and regulations have the potential to turn this into a cumbersome experience. The policy automation capabilities of the National Institute of Standards and Technology’s Open Security Controls Assessment Language (OSCAL) can help alleviate some of the pains in the process.

With Tanzu Application Platform secure supply chains (powered by Tanzu Supply Chain Choreographer), users have the ability to set policies based on the CVEs reported by their scanners. These policies are enforced after the software composition analysis and container image scan steps in the supply chains and can prevent workloads containing critical/high CVEs from being deployed without being triaged or remediated first. 

Here are a few notable sessions on this topic:

Signatures, provenance, and attestations are the next big thing in supply chain security

If you thought vulnerability scanning was the only protagonist of your security story, you thought wrong. Signatures, provenance, and attestations grabbed a significant amount of the spotlight at the conference and are clearly integral to vetting the trust of your supply chain artifacts. In a world where trust is hard to come by, these components help us answer important questions, such as:

  • Who built the software?

  • How was it built?

  • Where did the code come from?

  • Can we trust these claims?

When combined with scanning, these can go a long way in establishing chains of trust within our application development practices.

VMware Tanzu users can leverage the kpack/cosign integration included in VMware Tanzu Build Service to cryptographically sign their container images at the time of build. Signing an image creates metadata that can be used to verify its origin and integrity. This enables Tanzu Application Platform secure supply chains to be configured with a deployment-time policy to verify image signatures, before admission to the cluster. The signatures created will also persist as the images are relocated from one registry to another, which is important in many use cases, including at the edge. 

Here are a few notable sessions on this topic:

Learn more

Want to dive deeper into these topics? Check out the following sessions led by the VMware Tanzu team, all available for replay:

Natalie Fisher behind a podium for a talk at CloudNativeSecurityCon 2023