This year has seen much focus on software supply chains and how organisations can move towards a zero trust approach, especially with regards to the 3rd-party artefacts they depend on. Yet a security gap still exists that is preventing organisations from knowing the provenance of their 3rd party software components. This is because the vast majority of build systems (both cloud-hosted and on-premise) do not directly provide the features necessary to achieve even the minimum SLSA Levels. This talk will describe how Jetstack worked with Improbable Defence to design and implement a framework to evaluate all the Images in use across all environments, and seamlessly map each one to known associated vulnerabilities and open-source licences. Assessing Images in this manner has allowed Improbable Defence to keep an accurate inventory and implement admission policies to prevent Images that don’t meet their risk posture from being used. The result is a fine-grained operational security framework which profiles the provenance of each 3rd party component and builds a comprehensive security posture across the supply chain.
|Event||Cloud Native SecurityCon Europe 2022|
|Speaker||Steve Judd & Chris Clarkson (Improbable)|