Authors: Justin Cormack, Toddy Mladenov
2023-04-21

tldr - powered by Generative AI

The presentation discusses the importance of standards in supply chain security and the ongoing efforts to incorporate transparency logs and metadata into software in the container ecosystem.
  • Verifying identity and large entities is important in supply chain actions
  • Working with the SKET project to build a transparency log and record identities and signatures
  • Incorporating additional metadata around supply chains, such as S-BOMs and SPDX documents, to enable more fine-grained controls
  • Proposing a new sub-project of Notary to directly store TUF repository metadata in the registry
  • Seeing Notary projects as a home for a set of standards around supply chain security
Authors: Vinod Anandan, Meha Bhargava, Niklas Jan Duster
2023-02-15

With the need to deliver software faster to clients, it is typical not to "reinvent the wheel" and instead rely on open source/3rd party components. With increased adoption of open source/3rd party components, the complexity and inherited risk of the software supply chain is rising. It is crucial to have a complete and accurate inventory of open source/3rd party component usage and the risk associated with it. "Our software supply chain security is our responsibility." In order to achieve a complete inventory, the Bill of Materials (BOM) is a fundamental building block. OWASP Dependency Track consumes BOMs and helps to continuously monitor the risk associated with these components. In this talk, we will explain and demonstrate OWASP Dependency Track and how it can be a foundational platform to add to your arsenal of tools to improve software supply chain security.
Authors: Michael Lieberman, Parth Patel
2022-10-26

There are multiple tools out in the ecosystem trying to deal with parts of the software supply chain threat, but what does an end-to-end solution look like? The OpenSSF FRSCA is an implementation of the CNCF best practices that aims to protect the build system, secure ingestion, and enforce policy in the production environment to minimize the attack vectors associated with the software supply chain. With the integration of Tekton Pipelines/Chains, Sigstore, SPIFFE/SPIRE, and Kyverno, we can create a holistic approach that can meet SLSA Level 3 from beginning to end. Utilizing CUE, an admission controller, and short-lived certificates, we can protect the cluster both cryptographically and on the basis of policy. Building off binary authorization, FRSCA can validate the signature and attestation to authorize an artifact until the next release cycle. FRSCA aims to be an implementable architecture that the open source community and end-user organizations can utilize to ingest and produce SLSA-compliant artifacts.
Authors: Bill Bensing
2022-06-22

tldr - powered by Generative AI

The presentation discusses the implementation of modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. The main thesis is to automate control gates and remove the cognitive load of understanding tools in depth to allow for a standard centralized understandable way for the organization.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems
Authors: Adolfo García Veytia
2022-05-19

tldr - powered by Generative AI

The presentation discusses the importance of provenance and attestation in the DevOps process, specifically in the Kubernetes project.
  • The speaker emphasizes the need for general-purpose tooling to make the process as efficient as possible
  • The S1 standard from the Linux Foundation is used to issue the S-BOM
  • Two main patterns for attestation are discussed: binary calling and web hook
  • Signing and verifying artifacts is crucial to prevent compromised dependencies
  • Provenance information is necessary to understand the build process and detect errors
Authors: Duane DeCapite
2022-05-17

tldr - powered by Generative AI

Scaling Container Builds with Software Supply Chains
  • Buildpacks, flux, and Cartographer projects can automate the software supply chain and help to address container builds at scale while minimizing the burden on developers
  • Buildpacks simplifies the process of going from source code to a running container without requiring Docker files
  • Buildpacks creates an S-BOM natively as part of the build process and supports a wide variety of S-BOM formats
  • Rebasing capability in Buildpacks is key for large organizations with hundreds of apps that use a common base OS layer
  • Cartographer is a Kubernetes native supply chain that automates best practices and a shift left methodology
  • Flux is a Git watcher that runs the supply chain when the developer commits code to the repository
  • Choreography is more flexible than linear orchestration and is based on a Kubernetes API
  • Supply chain can be triggered automatically without a code commit from the developer
Authors: Adolfo García Veytia
2021-10-15

tldr - powered by Generative AI

The presentation discusses the creation of a software bill of materials (S-BOM) for Kubernetes releases using SPDX and a custom tool.
  • The S-BOM includes source code, container images, binaries, packages, and dependencies.
  • The tool packages the S-BOM into more consumable documents for different tools to use.
  • The tool also generates an attestation file for compliance purposes.
  • Future directions include adding RPM and dev file analysis, merging efforts with the SPDX community, and adding validation and verification capabilities.