tldr - powered by Generative AI

• The release toolkit generates binaries, checksums, and signatures for release artifacts
• It includes provenance attestation and S-BOM SPDX
• The toolkit can be used with GitHub actions and is language-agnostic
• The Salsa tester creates SLSA attestations and can be used with S-BOMs generated by other tools
• The toolkit uses OIDC tokens from GitHub to generate temporary certificates for attestation
• The toolkit can be used to donate repositories to Kubernetes organization

tldr - powered by Generative AI

• Tracy is a tool for tracing and profiling software executions in DevOps workflows
• The tool can be used to detect and prevent supply chain attacks
• Tracy uses denial and allow lists to identify good and bad activity
• The tool extends profiles to include user ID, arguments, and environment variables
• Tracy can ignore certain system and environment variables to ensure consistency
• The tool uses syscall to collect information on executed binaries
• An anecdote is provided to illustrate how Tracy can detect a supply chain attack

tldr - powered by Generative AI

• Code repositories are a prime target for attacks and are subject to several categories of threats such as pushing secrets, running GitHub actions with miners, and mistakenly publishing a private repository.
• Falco is a runtime security tool that traditionally protects containers and pods in Kubernetes but now has a GitHub plugin to provide real-time runtime security for GitHub repositories.
• Falco listens on containerized Kubernetes-based endpoints and captures signals such as system calls to detect bad stuff and give alerts.
• Falco's rule engine is simple and customizable, allowing users to add their own rules to detect specific threats.
• Falco is free, open-source, and can be helpful in securing code repositories.
• The presenter invites attendees to a Falco party and a session with Falco developers to learn more about the tool.

tldr - powered by Generative AI

• Open source projects and GitOps workflows are vulnerable to security threats
• GitHub Actions workflows can be abused by malicious actors to gain access to sensitive information
• Best practices, such as implementing environmental protection and short-lived tokens, can help protect against attacks

tldr - powered by Generative AI

• AI capabilities have created new opportunities for product development
• Product development requires a level of tinkering and creativity to find the intersection between new capabilities and user needs
• Language is an AGI complete problem with a lot of potential value to be unlocked
• Models are becoming more accessible and less brittle, making them easier to use for product development
• Startups have an opportunity to build new products that don't fit neatly into existing categories
• Incumbents face challenges in adopting generative AI technology due to reputational risk and the potential for offensive content
• The emergence of AI capabilities is not a joke and may be bad news for startups
• The moat for startups may be in the application or workflow rather than the model itself

tldr - powered by Generative AI

• GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow gets a GITHUB token.
• Restricting permissions for the GITHUB token is recommended by GitHub and the Open Source Security Foundation (OSSF) Security Scorecards.
• Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
• SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB token, based on a knowledge base of required permissions for common GitHub Actions.
• SecureWorkflows has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions.
• The importance of setting minimum permissions for the GITHUB token is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token with content's right permission.

tldr - powered by Generative AI

• Artifact attestation creates a strong link between build artifacts and their source repositories, ensuring authenticity and enabling the creation of policies.
• Artifact attestation can be used to enforce policies at different stages of the supply chain, including control plane, build time, and installation time.
• GitHub's dependency API and S-BOM API can benefit from artifact attestation to ensure the authenticity of dependencies and S-BOMs.
• Artifact attestation can be used to prove to third parties that S-BOMs are authentic and created without cheating or hiding vulnerabilities.
• Artifact attestation can be used for any kind of metadata, including static analysis tool results.

tldr - powered by Generative AI

• Terraform is an infrastructure as code tool that automates provisioning infrastructure resources like VMs, managed databases, firewalls, or Kubernetes services.
• The presenter demonstrates how to create a Digital Ocean managed Kubernetes cluster using Terraform.
• The presenter explains the importance of using infrastructure as code tools in GitOps.
• The audience is given step-by-step instructions on how to set up a Digital Ocean account, configure Doctor, and use Terraform to create a Kubernetes cluster.
• An anecdote is not provided.