Devconf.US

Policy-Driven Supply Chain Security with Enterprise Contract
2024-08-14, Metcalf Small Ballroom (capacity 100)

Modern organizations are subject to ever-increasing expectations for security and regulatory compliance in their software supply chains. How can appropriate checks be performed simply and easily?

In this talk, Mark will discuss how Enterprise Contract (or EC) works as a simple decision engine that can help enforce the necessary provenance, regulatory compliance, and security requirements imposed on container images. Users can express a policy configuration and requirements that EC will enforce. This user-friendly system can verify image signatures, ensure attestations match the expected public key, check for CVE alerts, and more in an easily encoded manner. EC leverages the Open Policy Agent’s widely-used Rego rule system to provide an extensible interface for evaluating container attributes, allowing enterprises to more easily standardize on supply chain security expectations.

Additionally, Mark will discuss and show the process for building an image, verifying it using EC, and customizing the enforced policies with a live demo.

See also: Talk slides (788.1 KB)

Mark Bestavros is a Senior Software Engineer at Red Hat, working with his team on the Enterprise Contract project. He has contributed to a number of open source projects in the software supply chain security space, including Sigstore and Keylime, and has attended several related conferences. These include Red Hat Day Turkey 2022, where he delivered a talk on Red Hat’s secure software supply chain work, and Kubecon NA/SupplyChainSecurityCon 2021. He has a BA/MS in CS from Boston University.