Config Management Camp 2023 Ghent

Alexis Mousset

Coming from a system administration background, Alexis switched to doing mostly software engineering. He is currently lead developer on the system parts of Rudder, including networking, configuration management agents and security.
He is also part of the Rust language Secure Code working group, which promotes tooling to help write secure code in Rust and manages the Rust ecosystem vulnerability database.


Sessions

02-06, 15:55, 25min
How do we make Rudder secure?
Speaker: Alexis Mousset

Rudder is used in critical contexts and the focus on its security has increased over the years, along with the threats. This talk will give an overview of how security topics are handled by the Rudder team, how they have evolved over time and what our plans are to handle current challenges. We will cover:

  • our recent features and architectural changes improving software security, especially in terms of node/server communication, user authentication and attack surface limitation;
  • our process for handling vulnerabilities reported or discovered in Rudder;
  • our efforts to secure the software supply chain, in particular regarding dependency management and build infrastructure (dedicated signature server, ephemeral build environments, etc.);
  • and finally how we try to steer the development culture towards awareness of security topics, through integration of security assessments into our specification processes, and regular training and discussions.
Track: Rudder
Room: B.2.009

02-07, 14:00, 50min
Securing the software supply chain for Infra management tools
Speaker: Alexis Mousset

Infrastructure management tools have a special place among software regarding security, as they usually run ubiquitously, with high privileges and a relatively high attack surface. This makes them targets of choice, especially in the current context of increased threats on software supply chains.

What are our (new) responsibilities as software editors in an open source ecosystem? They include precise identification and authentication of all software components (to provide a Software Bill of Materials) and constraints on the build process and software distribution models.

This talk will give an overview of the current state of the rapidly evolving software supply chain standards and tooling (e.g. SLSA, SBOMs, etc.). It will also explore more concrete items, focused on dependency management in open source ecosystems and our experience with Rudder.

Track: Security
Room: B.3.037