Authors: Aditya Sirish A Yelgundhalli
2023-04-20

tldr - powered by Generative AI

The presentation discusses the use of The Update Framework (TUF) and the attestation framework in-toto in securing the software supply chain. It also introduces the Witness project and its tools to simplify the creation and consumption of attestations.
  • TUF and in-toto are complementary projects that can be used together to secure the software supply chain
  • TUF allows repository metadata to be used to associate in-toto metadata with the artifact being distributed from the repository
  • in-toto provides enhanced capabilities for layouts that allow for the verification of the software supply chain execution
  • Witness is a community-driven open source implementation of TUF that focuses on in-toto attestations
  • Witness has developed tools such as the witness run action and the policy tool to simplify the creation and consumption of attestations
Authors: Marina Moore, Santiago Torres-Arias
2022-10-27

Download the code ahead of time. DCO Required. Join us for some live collaboration on TUF, in-toto, and Sigstore where we will be implementing new features and creating more cohesive integrations between these software supply chain projects. This Contribfest session is designed to provide projects with the space and resources to tackle outstanding technical debt, security issues, or outstanding impactful feature requests. They are intended to provide a place for maintainers to meet contributors and potential contributors and work together on solving a problem.
Authors: Justin Cormack
2022-10-27

This talk gives an overview of the status of the Notary project, and the Notary v2 work, and the context in the broader ecosystem. Supply chain security is becoming increasingly critical and its importance has been recognised, but the ecosystem of tools around this is confusing. So this talk will cover the context of the key ideas, including the TUF and in-toto projects and how they relate to the security outcomes people want to achieve.
Authors: Santiago Torres-Arias, Aditya Sirish A Yelgundhalli
2022-10-26

tldr - powered by Generative AI

The speaker discusses the complexities and vulnerabilities of software supply chains and the need for higher degrees of assurance and resiliency in the pipeline.
  • Software supply chains are vulnerable to compromise, with examples including version control systems, build farms, packaging, and testing infrastructure.
  • Compromises in the supply chain can have a significant impact on users, reputation, budget, and intellectual property.
  • Integrity checks, reproducible builds, verifiable compilers, and secure package delivery can provide higher degrees of assurance and resiliency.
  • Centralized metadata storage and integration with CI systems are possible solutions.
  • The speaker emphasizes the need for addressing the problem and improving the software supply chain.
Authors: Brandon Lum, Chris Phillips
2022-10-26

tldr - powered by Generative AI

The presentation discusses the importance of generating a software bill of materials (SBOM) and the challenges in ensuring its security against malicious actors. The speakers suggest using metadata and attestation formats to address these challenges.
  • Generating an SBOM is important for software security and transparency
  • Scanning and pre-populating are two ways to generate an SBOM
  • Scanning has limitations in detecting malicious actors
  • Metadata and attestation formats can address security challenges
  • Composability is important in combining SBOMs from different ecosystems
Authors: Cole Kennedy
2022-10-24

tldr - powered by Generative AI

Witness is an open-source project that allows software producers to make and verify attestations about the software they produce, making it easy to produce verifiable evidence for software builds. Archivist is a platform that stores these attestations. The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build.
  • Witness implements the in-toto specifications and allows software producers to make and verify attestations about the software they produce
  • It has integrations with open-source projects such as Sigstore, SPIRE, GitHub, and GitLab
  • Witness makes it easy to produce verifiable evidence for software builds
  • It supports both containerized and non-containerized workloads
  • Archivist stores these attestations
  • The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build
Authors: Mikhail Swift
2022-10-24

tldr - powered by Generative AI

Archivist is a graph database and service that indexes in-toto attestations to find and discover relevant attestations using a GraphQL API.
  • Archivist is designed to archive more data and make finding relevant attestations easier
  • Archivist uses in-toto attestations as graph edges and indexes them onto a graph using Dgraph
  • Archivist exposes a GraphQL API for users to query and refine their searches over time
  • Archivist pulls out specific information, such as which attestations were in the in-toto attestation and the signatures, before pulling the attestation
  • Archivist uses in-toto subjects as graph edges and the statement itself as arbitrary data
  • Archivist can be used to find code review attestations and other relevant attestations to prove policy enforcement
Authors: Priya Wadhwa, Laurent Simon
2022-05-19

tldr - powered by Generative AI

The presentation discusses practical steps to secure container native build systems using SLSA, GitHub, and Tekton.
  • SLSA is a framework used to quantify the security of supply chains
  • Sigstore is a project used for signing and verification
  • SLSA and Sigstore are brought together to achieve higher security levels in Tekton and GitHub workflows
  • Demos are provided for each platform