Authors: Itay Shakury, Toddy Mladenov
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges and solutions in managing vulnerabilities as software bills of materials (SBOMs) in the context of DevOps and cybersecurity.
  • The new OCI changes make it easier to manage images and vulnerabilities as SBOMs.
  • However, there are challenges in standardizing artifact types and annotations.
  • Getting the right artifact is difficult and requires manual and automated steps.
  • The specifications for SBOMs are not always accurate and require additional information to make vulnerability reports more accurate.
Authors: Grace Nguyen
2023-04-19

tldr - powered by Generative AI

The presentation discusses the importance of securing the supply chain in open source software development and introduces tools like SLSA, in-toto, and Fulcio to help with governance and support.
  • Open source software is often underfunded and maintained by overworked individuals, making supply chain security a crucial issue
  • Governance and support are necessary to provide resources for open source projects to invest in tools like SLSA and supply chain security
  • Tools like SLSA, in-toto, and Fulcio can help with securing the supply chain by providing container signing, ephemeral certificates, and certificate authority services
  • Encryption is a key component of securing the supply chain, with digital signatures providing authenticity and identity verification
  • The presentation encourages attendees to engage with open source maintainers and participate in discussions around standards like SLSA and vulnerability scanning
Authors: Christie Warwick, Priya Wadhwa
2023-04-19

tldr - powered by Generative AI

The presentation discusses the use of SLSA standards and Tekton in threat modeling and securing CI/CD systems on Kubernetes.
  • SLSA sets standards for build system execution to ensure trustworthiness
  • Threat modeling for a build system on Kubernetes identifies additional threats and ways to mitigate them
  • Tekton can do more to verify image provenance and address volume isolation
  • SPIRE can be used to catch tampering with Tekton CRDs
  • Trusted resources in Tekton ensure execution of the intended tasks and pipelines
Authors: Gal Weizman
2023-02-15

tldr - powered by Generative AI

The presentation discusses the importance of improving security and visibility in JavaScript applications through third-party solutions, and argues that these solutions lack visibility into JavaScript Realms, which weakens the security they provide.
  • Third-party solutions can assist in improving security and visibility in JavaScript applications
  • Behavioral overriding or monkey patching is used by third-party solutions to gain control over the application and runtime
  • However, these solutions lack visibility into JavaScript Realms, which affects security
  • Realms are ecosystems in which JavaScript plugins exist and have their own global execution environment
  • Improving security and visibility in Realms requires solutions that can provide visibility into Realms
Authors: Eric Tice, Josh Bressers, Tracy Miranda, John Yeoh
2022-10-28

tldr - powered by Generative AI

Real-world data on software supply chain security can help organizations identify the most important actions to improve the security of their software. A panel of experts examines key data points from recent surveys and reports and provides actionable steps organizations and projects can take to secure their software supply chain.
  • Real-world data can help organizations decide where to focus and when to pivot
  • There is plenty of eye-opening data from surveys and reports on the security of cloud-native and open source software, as well as the security of the software supply chain as a whole
  • Identifying the most important actions to improve the security of open source projects or software applications is critical
  • A panel of experts examines key data points from recent surveys and reports and provides actionable steps organizations and projects can take to secure their software supply chain
Authors: Justin Cormack
2022-10-27

This talk gives an overview of the status of the Notary project, and the Notary v2 work, and the context in the broader ecosystem. Supply chain security is becoming increasingly critical and its importance has been recognised, but the ecosystem of tools around this is confusing. So this talk will cover the context of the key ideas, including the TUF and in-toto projects and how they relate to the security outcomes people want to achieve.
Authors: Andrew Martin
2022-10-26

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling and supply chain security in DevOps and provides best practices for securing the supply chain.
  • Threat modeling is important to bring quantifiability and reason to abstract threats and to identify attack paths.
  • The STRIDE process and standards documents can be used to exhaust potential permutations of threats and identify simple controls to cover as many cases as possible.
  • The attack tree is a visual representation of an attack and can be used to multiply likelihood and impact to give abstract risk scores.
  • Layering controls across the branches of the attack tree can break the attack chain and provide a minimum viable set of security configurations.
  • Pipeline metadata is important for piecing things back together and giving a different type of observation.
  • Best practices for securing the supply chain include using SBOMs, artifact signing, and evidence leaks and ledgers.
  • Measuring SLSA level and mean time to remediation are useful indicators of vendor maturity.
  • Retrofitting and slowly maturing the supply chain is important.
  • Asking vendors for SBOMs is a closer first step than asking for SLSA level.
Authors: Diego Rodriguez-Losada Gonzalez
2022-10-24

tldr - powered by Generative AI

Diego Rodriguez shares how Conan.io, an open-source package manager for C and C++, has maintained supply chain security despite its wide adoption.
  • Conan.io is an open-source package manager for C and C++ that has over 11 million binaries built by user-submitted recipes.
  • Despite its wide adoption, Conan.io has had 0 security incidents since its inception.
  • Conan.io utilizes automated quality checks, compiler security mitigations, package signing, a secure build pipeline, and an extremely strict and efficient review process to maintain supply chain security.
  • Diego Rodriguez and his team have received over 9000 pull requests in the last two years and have a dedicated team of 10 people sponsored by JFrog as maintainers of the Conan project.
  • Conan.io is becoming an important piece in the C++ ecosystem and needs to be secure.
Authors: Priya Wadhwa, Laurent Simon
2022-05-19

tldr - powered by Generative AI

The presentation discusses practical steps to secure container native build systems using SLSA, GitHub, and Tekton.
  • SLSA is a framework used to quantify the security of supply chains
  • Sigstore is a project used for signing and verification
  • SLSA and Sigstore are brought together to achieve higher security levels in Tekton and GitHub workflows
  • Demos are provided for each platform
Authors: Justin Cormack, Steve Lasker
2021-10-14

tldr - powered by Generative AI

The presentation discusses the importance of verifying the identity and authenticity of software content in the supply chain through Notary v2. The speaker uses real-world analogies to explain the concept and emphasizes the need for trust and policy management in the deployment process.
  • Notary v2 focuses on the distribution and consumption of software content in the supply chain
  • Verifying the identity and authenticity of software content is crucial in ensuring security and reliability
  • Policy management and trust are necessary in the deployment process
  • Real-world analogies, such as airport security checks, can help illustrate the concept