Authors: Michael Lieberman, Parth Patel
2022-10-26

There are multiple tools in the ecosystem that each address part of the software supply chain threat, but what does an end-to-end solution look like? FRSCA, an OpenSSF project, is an implementation of the CNCF supply chain security best practices that aims to protect the build system, secure artifact ingestion, and enforce policy in the production environment, shrinking the attack surface of the software supply chain. By integrating Tekton Pipelines and Tekton Chains, Sigstore, SPIFFE/SPIRE, and Kyverno, it forms a holistic pipeline that can meet SLSA Level 3 from source to deployment. Using CUE, an admission controller, and short-lived certificates, the cluster is protected both cryptographically and by policy. Building on binary authorization, FRSCA validates an artifact's signature and attestation before authorizing it, and that authorization holds until the next release cycle. FRSCA aims to be an implementable reference architecture that the open source community and end-user organizations can use to ingest and produce SLSA-compliant artifacts.
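As an added illustration of the admission-control step the abstract describes (this is example policy written for this page, not FRSCA's own shipped policy), the Kyverno ClusterPolicy below refuses to admit a Pod unless every image from the pipeline's registry is signed and carries a SLSA v0.2 provenance attestation whose builder and source match what the build system is expected to produce. The registry prefix, the signing public key, the builder ID, and the source repository URI are placeholders and assumptions to be replaced with the values your own pipeline emits.

```yaml
# Added example: a Kyverno ClusterPolicy that gates admission on
# (1) a valid image signature and (2) a signed SLSA v0.2 provenance
# attestation whose predicate passes the conditions below.
# Illustrative only, not FRSCA's policy. Assumptions: the registry
# prefix, the cosign public key, the builder ID and the source
# repository URI are placeholders to replace with your own values.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signature-and-slsa-provenance
spec:
  validationFailureAction: Enforce   # Audit would only log violations; Enforce blocks them
  background: false                  # image verification runs at admission time only
  webhookTimeoutSeconds: 30
  rules:
    - name: require-signed-image-with-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/frsca/*"   # assumption: images built by the pipeline
          required: true
          mutateDigest: true      # rewrite tags to digests so what was verified is what runs
          verifyDigest: true
          # Signature check: the image must be signed by the pipeline's cosign key.
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <signing-public-key-PEM, placeholder>
                      -----END PUBLIC KEY-----
          # Attestation check: a SLSA provenance predicate signed by the same key,
          # whose contents are then evaluated with JMESPath conditions.
          attestations:
            - predicateType: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <signing-public-key-PEM, placeholder>
                          -----END PUBLIC KEY-----
              conditions:
                - all:
                    # Only artifacts produced by the trusted builder are admitted.
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://tekton.dev/chains/v2"   # assumption: builder ID your Chains version emits
                    # Only builds of the expected source repository are admitted
                    # (assumes the pipeline's provenance populates invocation.configSource).
                    - key: "{{ invocation.configSource.uri }}"
                      operator: Equals
                      value: "https://github.com/example-org/example-app"   # assumption
```

Apply it with `kubectl apply -f`, then try to deploy an unsigned image or one whose provenance names a different builder: the API server rejects the Pod with the policy's rule name in the error. Before switching from `Audit` to `Enforce`, inspect the provenance your pipeline actually emits with `cosign verify-attestation --key <pubkey> --type slsaprovenance <image>` and base64-decode the `payload` field of the output to confirm the builder ID and `configSource` values the conditions compare against; a mismatch there would block every deployment, not just the malicious ones.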
Authors: Jory Burson, Andrew Aitken, Jeffrey Borek, Rao Lakkakula
2022-06-21

TL;DR (summary generated by the site's AI tool)

The importance of software supply chain security, and the need for organizations to build the knowledge and training required to analyze SBOMs (software bills of materials).
  • Encouraging younger developers to get involved in software supply chain security
  • Creating a database to share and compare SBOMs
  • Training people to review and analyze SBOMs
  • Procurement as a gatekeeper for SBOM adoption
  • The OpenCRE project as a way to develop a common format for regulations and standards
  • The importance of developing a constituency within an organization to address software supply chain security