Leverageing SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments.pdf

1、Leveraging SBOMS to Automate Packaging,Transfer,and Reporting of Dependencies Between Secure EnvironmentsCloudNativeSecurityConP R E S E N T E RI a n D u n b a r-H a l lJ e r o d H e c kDAT EFe b 2 n d 2 0 2 32023 Lockheed Martin CorporationIntroductionsIan Dunbar-HallLockheed Martin Software Factor

2、y Chief EngineerJerod HeckLockheed Martin Software Factory Product ArchitectPremiseCommon Practice SBOMS are often a build artifact and used for compliance or trackingConsider SBOMs as a packaging definition or interface What if it were used to package dependencies instead of just an artifact?It bec

3、omes a package type independent method for defining dependenciesProblemIt sucks being a developer in disconnected strict environments!Slow to get packages approved Slow to get package updates Way too much paperwork Lots of“rinse and repeat”Is there a way to Automate the patching,compliance,and deliv

4、ery of build dependencies to”strict environments”?Can this be done using existing tooling?Can this be automated for multiple teams in a single dataflow?Can many artifacts be collected from many different sources at once?HopprTMis a framework for defining,validating,and transferring dependencies betw

5、een environments usingSoftware Bill of Materials(SBOM)Open Source Standards.HopprTMis a solution for delivering a well-defined,repeatable bundle to secure environments combating customer problems with digital asset delivery.Leveraging Other Excellent ProjectsAutomate Dependency Updates Renovate dete

6、cts updates to packages,container images,and other projects in gitlab.Semantic version generate Semantic Release used to create semantic versioned releases based on conventional commit messagesWhen pair together,you have the ability to create semantic versioned SBOMs which are updated automatically

7、with dependency updates.HopprTMconsumes these semantic versioned SBOMs to collect,validate,and delivery of“stuff”to a strict environment.Since these updates are triggered by renovate,this results in a continuous delivery pipeline.Multiple teams,Single ProcessRenovate Maintains:Upstream“patching”of b

8、uild dependencies Hoppr included project changesSemantic Release provides semver of internal productsDataflowAppflowProject Dependency UpdatesHurdlesIncomplete SBOM metadata for security approvals Lack of tooling or incomplete BOMsGenerate compliance documentation in custom formatsLegacy approval pr

9、ocessesAbility to restrict source repositoriesAbility to detect new packages in partially connected networksto address security patchingAbility to automate collection of build dependencies in a consistent manner across teamsDelivery into environments with one way connectivityAdvantagesReproducible R

10、eleasesContinuous detection of patched dependencies push to an disconnected environmentAll components entering disconnected environment are tracked using CycloneDX SBOMs which can be leveraged by other opensource tooling(like DepdencyTrack!)HopprTMprovides process for augmenting SBOMs with additiona

11、l data Vex CVE Attestation creating from collection and reportsNo manual interactionDemo FeaturesShow dependencies between teams and projectsShow CVE report with Hoppr-copAttestation creationShow tar bundleDemoLocated in DemoFutureUnified Report GenerationExpand component validationSignature validat

12、ion with rekorAttestation validation with in-totoOpenSSF ScoreCard SBOM augmentationUnbundling and installation on disconnected networksIn-Toto Secured Digitally Attested SBOM(its-da-(s)bom)An in-toto attestation implementation for SBOMsShout OutsInspiration SigstoreCommunities we engage in CycloneDX In-totoOther interesting projects in this space Zarf DefenseUnicorns Witness TestifySecQuestions?Hoppr.dev