Authors: Aditya Sirish A Yelgundhalli
2023-04-20

tldr - powered by Generative AI

The presentation discusses the use of The Update Framework (TUF) and the in-toto attestation framework in securing the software supply chain. It also introduces the Witness project and its tools to simplify the creation and consumption of attestations.
  • TUF and in-toto are complementary projects that can be used together to secure the software supply chain
  • TUF metadata can be used to associate in-toto metadata with the artifact being distributed from the repository
  • in-toto provides enhanced capabilities for layouts that allow for the verification of the software supply chain execution
  • Witness is a community-driven open source implementation of TUF that focuses on in-toto attestations
  • Witness has developed tools such as the Witness run action and the policy tool to simplify the creation and consumption of attestations
Authors: Billy Lynch
2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Conference:  ContainerCon 2022
Authors: Brandon Mitchell
2022-06-21

tldr - powered by Generative AI

The presentation discusses the benefits of using OCI-compliant images in DevOps and cybersecurity practices.
  • OCI-compliant images offer more portability and plug-and-play capabilities in the DevOps ecosystem
  • The end goal is to have a more efficient, modular, and secure system
  • OCI is a good packaging format for shipping and storing data, but not for querying vulnerabilities
  • Annotations and attestations are important metadata for auditing and security purposes
  • Image signing should include the final name of the repository