Long Live Secrets? Let’s Talk Short-Lived Credentials for a More Secure Software Supply Chain! 🚀
Hey tech enthusiasts! Ever felt like managing secrets in your software supply chain is a bit like juggling chainsaws? You want to keep things secure, but sometimes the established practices feel… well, a little less than ideal. That’s exactly the sentiment Billy Lynch, a Software Engineer at Chainbound, shared at a recent tech conference, and it’s a topic that deserves our attention.
Chainbound, for those who might not know, is all about delivering hardened, production-ready builds for open-source software – think containers, VMs, libraries, you name it. Their mission? To help teams ship faster, more securely, and safer. And Billy, a maintainer for several open-source projects within the OpenSSF and cloud-native ecosystem, is on the front lines of this mission.
The SLSA Conundrum: High Levels, Lingering Questions 🤔
Billy kicked things off by referencing a LinkedIn post from Chainbound’s CTO, Matt, that highlighted a curious gap in the SLSA (Supply-chain Levels for Software Artifacts) framework. SLSA is fantastic for guiding us on securing deployment pipelines, but Matt pointed out a missing piece: language around using short-lived credentials for build pipelines.
Billy agrees wholeheartedly. He shared a thought-provoking observation: under a strict interpretation of SLSA Level 3 (the highest level), it’s technically permissible to leak your container registry or storage bucket credentials and still be considered L3, as long as you’re doing all the other verification and signing correctly. The logic is that if you can prove the artifact came from your pipeline, then even if the credential is leaked, it’s less critical.
While this logic has its validity, Billy posed the crucial question: From a security standpoint, why would we consider leaking a credential as secure behavior?
The Swiss Cheese Model: Layering Our Defenses 🧀
Instead of getting bogged down in debates about framework specifics, Billy beautifully introduced Chainbound’s philosophy on supply chain security: the Swiss cheese model.
The core idea here is never relying on a single layer of defense. Just like a slice of Swiss cheese has holes, no single security measure is foolproof. Instead, we need to layer multiple security practices together. When one layer inevitably has a “hole” or a miss, another layer is there to catch it. This creates defensive depth, significantly enhancing the security of our pipelines and repositories.
Embracing Short-Lived Credentials & OIDC Federation 🔑➡️⏳
This is where Billy’s passion truly shines. Chainbound is a huge advocate for short-lived credentials, with a particular fondness for OIDC Federation.
- What are Short-Lived Credentials? These are temporary credentials that are automatically rotated or expire after a very short period.
- Why are they a Game-Changer?
- Reduced Exposure: Even if compromised, the window of vulnerability is drastically minimized.
- No Manual Management: You don’t have to worry about provisioning, rotating, or revoking long-lived tokens.
- Workload-Specific: They are tied directly to your specific workload, enhancing security.
Billy highlighted that many cloud providers today support this model. He even showed a slide featuring logos from providers like AWS (S3), Google Cloud, Azure, and others, noting that the list is not exhaustive. Services like Sigstore, known for its keyless signing, operate on a similar principle: a short-lived OIDC identity token is exchanged for a short-lived signing certificate, so no long-lived key ever exists.
OpenSSF’s Trusted Publishers: Leading the Charge 🛡️
Billy also took a moment to spotlight the crucial work being done within the OpenSSF, specifically the Security and Software Repositories Working Group and their Trusted Publishers initiative.
He gave a special shout-out to projects like PyPI and RubyGems. These platforms are implementing the trusted publisher model, allowing you to specify exactly which identity is expected to publish artifacts. The beauty of this? You never have to manage a long-lived token again!
This is a philosophy Chainbound deeply believes in and implements across all their products – containers, VMs, and libraries. It’s also what they most prefer their customers to use for authentication.
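To make the short-lived-credential and trusted-publisher ideas above concrete, here is an added example (my own illustration, not code from the talk, from Chainbound, or from PyPI/RubyGems) of the policy check a registry applies to a CI-issued OIDC token before accepting an upload. It assumes the token’s signature has already been verified against the issuer’s published keys; the claim names follow the GitHub Actions OIDC token, and all values are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

@dataclass(frozen=True)
class TrustedPublisher:
    """What a registry records when you register a trusted publisher (hypothetical shape)."""
    issuer: str
    repository: str                 # e.g. "example-org/example-lib"
    workflow: str                   # filename of the workflow allowed to publish
    environment: Optional[str] = None   # optionally require a named deployment environment
    max_lifetime_s: int = 15 * 60   # reject tokens that would live longer than this

def evaluate(claims: dict, policy: TrustedPublisher, audience: str,
             now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature verification is assumed to have happened already."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != policy.issuer:
        return False, "unexpected issuer"
    if claims.get("aud") != audience:          # token minted for some other service
        return False, "token was not minted for this registry"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "missing exp/iat"
    if now >= exp:
        return False, "token expired"
    if exp - iat > policy.max_lifetime_s:      # enforce the "short-lived" part
        return False, "token lifetime too long"
    if claims.get("repository") != policy.repository:
        return False, "repository does not match"
    # job_workflow_ref looks like "owner/repo/.github/workflows/publish.yml@refs/heads/main"
    expected_prefix = f"{policy.repository}/.github/workflows/{policy.workflow}@"
    if not str(claims.get("job_workflow_ref", "")).startswith(expected_prefix):
        return False, "workflow does not match"
    if policy.environment and claims.get("environment") != policy.environment:
        return False, "environment does not match"
    return True, "accepted"

# Constructed sample: a 5-minute token from the expected repository and workflow.
POLICY = TrustedPublisher(GITHUB_ISSUER, "example-org/example-lib", "publish.yml", "release")
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "pypi", "iat": 1_700_000_000, "exp": 1_700_000_300,
    "repository": "example-org/example-lib", "environment": "release",
    "job_workflow_ref": "example-org/example-lib/.github/workflows/publish.yml@refs/heads/main",
}

if __name__ == "__main__":
    print(evaluate(GOOD_CLAIMS, POLICY, "pypi", now=1_700_000_100))   # (True, 'accepted')
```

Because the identity is bound to repository, workflow and environment, a leaked token from a fork or another job is rejected outright, and even a valid one is useless minutes later.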
The Future is Now: Ditch Long-Lived Tokens! 🗓️
As Billy wrapped up, his message was clear and urgent:
- It’s 2025 (or getting there fast)! No one should still be using long-lived access tokens for critical services like storage buckets and registries.
- Advocate for Change: If your current provider doesn’t support short-lived credentials, start asking for it. This is rapidly becoming an industry standard.
Billy concluded by inviting attendees to visit the Chainbound booth for further discussions on their approach to supply chain security and how to adapt these practices to their own pipelines.
This session was a powerful reminder that while frameworks provide valuable guidance, we must continuously push the boundaries of security best practices. Embracing short-lived credentials isn’t just a trend; it’s a fundamental shift towards a more resilient and secure software future. 🌐✨