Should we trust the code we run in production? Not if a motivated attacker can compromise our systems' complex supply chains. While hardened runtimes and detection can mitigate some zero-day attacks, malicious internal threat actors and software implants are much harder to detect. Supply chain security looks to address some of these concerns, but with so many signing options available to us, what do we really care about? Our source code, open source dependencies, CI/CD, built containers, vendor software — or the hardware and operating systems we run on? Securing the whole supply chain is a non-trivial task, and requires consideration at all of these levels.

In this talk we:
- Undertake a risk-based threat model of supply chain attacks against our systems
- Compare the open source supply chain security controls available to us
- Examine trusted execution environments and their security properties
- Propose an open source solution for end to end supply chain security
Speaker
Francesco Beltramini
Security Engineering Manager @controlplaneio
Francesco Beltramini (@d1gital_f) is a security professional with 10+ years of professional experience and deep technical competence gained on a number of high-end projects for both public and private sector organizations. Francesco has had the opportunity to work on a variety of technology stacks, designing and implementing complex security architectures in both the IT and OT spaces, from Cloud to mission-critical, safety-critical and high-assurance infrastructure. Francesco enjoys managing teams of highly skilled security professionals and setting and implementing security objectives, strategy and culture.