You are viewing content from a past/completed conference.
  
    
  
  
        
    
  
    
      
  
Untrusted Execution: Attacking the Cloud Native Supply Chain
    
  
    
      
	
	
	
	
	
		
		
	
	
		
			
				
					
					                    Abstract
					
Should we trust the code we run in production? Not if a motivated attacker can compromise our system’s complex supply chains. While hardened runtimes and detection can mitigate some zero-day attacks, malicious internal threat actors and software implants are much harder to detect. Supply chain security looks to address some of these concerns, but with so many signing options available to us, what do we really care about? Our source code, open source dependencies, CI/CD, built containers, vendor software — or the hardware and operating systems we run on? Securing the whole supply chain is a non-trivial task, and requires consideration at all of these levels.

In this talk we:
- Undertake a risk-based threat model of supply chain attacks against our systems
 
- Compare the open source supply chain security controls available to us
 
- Examine trusted execution environments and their security properties
 
- Propose an open source solution for end to end supply chain security
 
					 
					
						
					
					
					Speaker
    
    
    
            Francesco Beltramini
      Security Engineering Manager @controlplaneio
          
     
Francesco Beltramini (@d1gital_f) is a security professional with 10+ years of work experience and deep technical competence developed on a number of high-end projects for both public and private sector organizations. Francesco has had the opportunity to work on a variety of technology stacks, designing and implementing complex security architectures in both the IT and OT spaces, from Cloud to mission-critical/safety-critical/high-assurance infrastructure. Francesco enjoys managing teams of highly skilled security professionals and setting and implementing security objectives, strategy and culture.
 
       
 
 
										
					
				 
				
			 
		 
	
			
			
				From the same track
				
					
    
        Session
        Microservices
        Orchestration vs Choreography, A Guide To Composing Your Monolith
        Tuesday Oct 25 / 01:40PM PDT
        
            
            Microservices promise rapid evolution, operational independence, and technological freedom but come with imperceptible drag factors. Left unchecked, this drag leads to distributed balls of mud – hard to operate, evolve and maintain.
      
        
        	
		
		
			Ian Thomas
			Software Engineer @Meta, QCon London 2024 PC Chair, Previously Technology Leader @Genesis Global
		 
	 
 
     
 
    
        Session
        Microservices
        [Recording] Overcomplicated Architecture: Scaling Bottleneck
        Tuesday Oct 25 / 02:55PM PDT
        
            
            As a digital scale-up continues to gain momentum and grow rapidly, one of the key determining factors of success is how quickly they can evolve their product. The business desires to push features to production as fast as possible and prove value to its customers.
      
        
        	
		
		
			Cassandra Shum
			Technologist | Architect | Ex-Thoughtworks
		 
	 
 
     
 
    
        Session
        Microservices
        Dark Energy, Dark Matter and the Microservices Patterns?!
        Tuesday Oct 25 / 11:50AM PDT
        
            
            Dark matter and dark energy are mysterious concepts from astrophysics that are used to explain observations of distant stars and galaxies.
      
        
        	
		
		
			Chris Richardson
			Creator of microservices.io, Java Champion, & Core Microservices Thoughtleader
		 
	 
 
     
 
    
        Session
        
        Unconference: Microservices
        Tuesday Oct 25 / 10:35AM PDT
        
            
            What is an unconference?
At QCon SF, we’ll have unconferences in most of our tracks.
      
        
        	
		
		
			Shane Hastie
			Global Delivery Lead for SoftEd and Lead Editor for Culture & Methods at InfoQ.com
		 
	 
 
     
 
    
        Session
        
        Panel: Building Performant Microservice Architectures
        Tuesday Oct 25 / 05:25PM PDT
        
            
            Microservices improve cognitive load, velocity, isolation, and scalability. They also introduce complexity, increased reliance on the network, observability challenges, and, often, request latency.
      
        
        	
		
		
			Chris Richardson
			Creator of microservices.io, Java Champion, & Core Microservices Thoughtleader
		 
	 
	
		
		
			Ian Thomas
			Software Engineer @Meta, QCon London 2024 PC Chair, Previously Technology Leader @Genesis Global
		 
	 
	
		
		
			Todd Montgomery
			 Ex Researcher @Nasa, Engineering Fellow @ Adaptive Financial Consulting and a High Performance Distributed Systems Whisperer
		 
	 
 