Silly Gooses, Let's Make Sense of the Security Supply Chain, Together

Conference: KubeCon + CloudNativeCon Europe 2023

2023-04-19

Authors: Grace Nguyen

Summary

The presentation discusses the importance of securing the supply chain in open source software development and introduces tools like Salsa, Toto, and Fossio to help with governance and support.

Open source software is often underfunded and maintained by overworked individuals, making supply chain security a crucial issue
Governance and support are necessary to provide resources for open source projects to invest in tools like Salsa and supply chain security
Tools like Salsa, Toto, and Fossio can help with securing the supply chain by providing container signing, ephemeral certificates, and certificate authority services
Encryption is a key component of securing the supply chain, with digital signatures providing authenticity and identity verification
The presentation encourages attendees to engage with open source maintainers and participate in discussions around standards like Salsa and vulnerability scanning

The presenter explains the basics of asymmetric encryption, using the example of a digital signature to verify the authenticity of a software package. They also highlight the importance of ephemeral keys and short-lived certificates in securing the supply chain.

Abstract

When Grace started her job in security and open-source, she didn’t get the joke about honking geese folks in security would throw around and there was never a good time to ask. The same thing is happening for supply chain security. The landscape is evolving rapidly with high adoption but comprehensive documentations and talks, especially for beginners, are still lagging behind. Starting with why we care about supply chain security, the talk will provide an overview of the landscape and how tools like Fulcio, Rekor and cosign come together. Unlike geese, we won’t hiss at you!

Materials:

Slides

Tags:

Supply chain security