tldr - powered by Generative AI

• The new OCI changes make it easier to manage images and vulnerabilities as SBOMs.
• However, there are challenges in standardizing artifact types and annotations.
• Getting the right artifact is difficult and requires manual and automated steps.
• The specifications for SBOMs are not always accurate and require additional information to make vulnerability reports more accurate.

tldr - powered by Generative AI

• Open source software is often underfunded and maintained by overworked individuals, making supply chain security a crucial issue
• Governance and support are necessary to provide resources for open source projects to invest in tools like Salsa and supply chain security
• Tools like Salsa, Toto, and Fossio can help with securing the supply chain by providing container signing, ephemeral certificates, and certificate authority services
• Encryption is a key component of securing the supply chain, with digital signatures providing authenticity and identity verification
• The presentation encourages attendees to engage with open source maintainers and participate in discussions around standards like Salsa and vulnerability scanning

tldr - powered by Generative AI

• Salsa sets standards for build system execution to ensure trustworthiness
• Threat modeling for build system on Kubernetes identifies additional threats and ways to mitigate them
• Tecton can do more to verify image provenance and address volume isolation
• Spire can be used to catch tampering with Tecton CRDs
• Trusted resources in Tecton ensure execution of intended tasks and pipelines

tldr - powered by Generative AI

• Third-party solutions can assist in improving security and visibility in JavaScript applications
• Behavioral overriding or monkey patching is used by third-party solutions to gain control over the application and runtime
• However, these solutions lack visibility into JavaScript Realms, which affects security
• Realms are ecosystems in which JavaScript plugins exist and have their own global execution environment
• Improving security and visibility in Realms requires solutions that can provide visibility into Realms

tldr - powered by Generative AI

• Real-world data can help organizations decide where to focus and when to pivot
• There is plenty of eye-opening data from surveys and reports on the security of cloud-native and open source software, as well as the security of the software supply chain as a whole
• Identifying the most important actions to improve the security of open source projects or software applications is critical
• A panel of experts examines key data points from recent surveys and reports and provides actionable steps organizations and projects can take to secure their software supply chain

tldr - powered by Generative AI

• Threat modeling is important to bring quantifiability and reason to abstract threats and to identify attack paths.
• The Stride process and standards documents can be used to exhaust potential permutations of threats and identify simple controls to cover as many cases as possible.
• The attack tree is a visual representation of an attack and can be used to multiply likelihood and impact to give abstract risk scores.
• Layering controls across the branches of the attack tree can break the attack chain and provide a minimum viable set of security configurations.
• Pipeline metadata is important for piecing things back together and giving a different type of observation.
• Best practices for securing the supply chain include using S-bombs, artifact signing, and evidence leaks and ledgers.
• Measuring SAL level and mean time to remediation are useful indicators of vendor maturity.
• Retrofitting and slowly maturing the supply chain is important.
• Asking vendors for S-bombs is a closer first step than asking for SAL level.

tldr - powered by Generative AI

• Conan.io is an open-source package manager for C and C++ that has over 11 million binaries built by user-submitted recipes.
• Despite its wide reception, Conan.io has had 0 security incidents since its inception.
• Conan.io utilizes automated quality checks, compiler security mitigations, package signing, a secure build pipeline, and an extremely strict and efficient review process to maintain supply chain security.
• Diego Rodriguez and his team have received over 9000 pull requests in the last two years and have a dedicated team of 10 people sponsored by jfrog as maintainers of the Conan project.
• Conan.io is becoming an important piece in the C++ ecosystem and needs to be secure.

tldr - powered by Generative AI

• SLSA is a framework used to quantify the security of supply chains
• Sixdoor is a project used for signing and verification
• SLSA and Sigstore are brought together to achieve higher security levels in Tecton and Github workflows
• Demos are provided for each platform

tldr - powered by Generative AI

• Notary v2 focuses on the distribution and consumption of software content in the supply chain
• Verifying the identity and authenticity of software content is crucial in ensuring security and reliability
• Policy management and trust are necessary in the deployment process
• Real-world analogies, such as airport security checks, can help illustrate the concept