KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Scorecard is a project of the OpenSSF, which makes it simple to assess the health of any repository. It is a fully open source project built with the aim of bringing transparency and standardization around security health metrics. Scorecard is a cross-industry collaboration between big and small names in OSS/security. Scorecard checks for vulnerabilities affecting different parts of the software supply chain including source code, build, dependencies, testing, and project maintenance.

Scorecard 是 OpenSSF 的一个项目，它简化了对任何代码仓库健康状况的评估。这是一个完全开源的项目，旨在为安全健康指标带来透明度和标准化。Scorecard 是开源软件/安全领域大大小小公司之间的跨行业合作。Scorecard 检查影响软件供应链不同部分的漏洞，包括源代码、构建、依赖关系、测试和项目维护。

Cloud native is rapidly developing towards multi-cloud, hybrid cloud and edge computing, which are becoming key trends in cloud native development. However, in the edge computing scenario, the traditional VPC-based security model is difficult to ensure safe production. There are more and more challenges faced, including weak edge security mechanisms, vulnerable service interfaces exposed to the outside network, vulnerable end device access protocols, and supply chain security risks. In 2023, KubeEdge completed its security audit. This talk will presents the work around the audit, including the threat model, fuzzing efforts and Tips about how to get started with contributing to KubeEdges continued security. Since the completion of the audit, KubeEdge has worked on several initiatives to improve the security of its consumers, and the talk will cover these. One of these initiatives was SLSA L3 compliance, and the presentation will present what has been done and how it helps the community.

云原生正迅速发展为多云、混合云和边缘计算，这些正在成为云原生开发的关键趋势。然而，在边缘计算场景中，传统的基于VPC的安全模型很难确保安全生产。面临的挑战越来越多，包括边缘安全机制薄弱、暴露于外部网络的易受攻击的服务接口、易受攻击的终端设备访问协议以及供应链安全风险。 2023年，KubeEdge完成了安全审计。本次演讲将介绍围绕审计的工作，包括威胁模型、模糊测试工作以及如何开始为KubeEdge持续安全做出贡献的提示。 自完成审计以来，KubeEdge已经开展了多项改进其消费者安全性的倡议，本次演讲将涵盖这些内容。其中一个倡议是SLSA L3合规性，演示将展示已经完成的工作以及它如何帮助社区。

Container supply chain threats are on the rise; to mitigate these threats, enterprises and open-source project maintainers are exploring new safeguards. Signing and verifying images, enforcing policies to block untrusted deployment, generating SBOM, provenance attestation, and vulnerability scanning are ways to keep attackers from compromising software. To safeguard the software supply chain with Gatekeeper policy, we built Ratify for Gatekeeper which acts as an external data provider and returns verification data that can be processed by Gatekeeper. Ratify as a verification engine enables users to enforce security policies through the verification of image signature, vulnerability reports and SBOM. We’ll demonstrate how you can establish trust for container images by enforcing security policies with Gatekeeper and Ratify. You can admit for deployment only the images that comply with your admission control policy, resulting in a more trustworthy container supply chain.

容器供应链威胁正在上升；为了减轻这些威胁，企业和开源项目维护者正在探索新的保障措施。签名和验证图像、强制执行政策以阻止不受信任的部署、生成SBOM、来源验证和漏洞扫描是防止攻击者损害软件的方法。 为了通过Gatekeeper策略保护软件供应链，我们为Gatekeeper构建了Ratify，它作为外部数据提供者返回验证数据，Gatekeeper可以处理这些数据。 Ratify作为验证引擎，使用户能够通过验证图像签名、漏洞报告和SBOM来执行安全策略。 我们将演示如何通过Gatekeeper和Ratify强制执行安全策略来建立对容器图像的信任。您可以仅允许符合入场控制策略的图像进行部署，从而实现更可信赖的容器供应链。

Imagine the inevitable has already happened—you’ve had a security breach—and you’re now dealing with the aftermath. Organisations must act fast to ensure business returns to operations quickly while also figuring out how to prevent similar incidents in the future. By adopting new use cases, engineering teams are simultaneously accelerating the deployment of sensitive data across multi-cloud architectures and tapping into new risk factors. In this talk, we will use the “Data Security Bang” analogy and learnings from resilience engineering to answer questions such as: How could we do more left of bang (prevention) to help with the speed of right of bang (remediation)? The audience will be guided through a set of example scenarios in a 90s-style game, using Kanister, OPA, and Prometheus, in which they can make decisions on data security to guide the way towards a more robust infrastructure.

想象不可避免的事情已经发生了——您遭遇了安全漏洞——现在您正在处理后果。组织必须迅速采取行动，确保业务迅速恢复运营，同时还要想办法防止将来发生类似事件。通过采用新的用例，工程团队同时加速了跨多云架构部署敏感数据，并利用新的风险因素。 在这次演讲中，我们将使用“数据安全爆炸”的类比和弹性工程的经验教训来回答诸如：我们如何可以在爆炸之前做更多的事情（预防），以帮助加快爆炸之后的速度（补救）？观众将通过90年代风格的游戏中的一系列示例场景，使用Kanister、OPA和Prometheus，来做出关于数据安全的决策，引导通往更健壮基础设施的道路。