Authors: Parth Patel, Shripad Nadgowda
2022-10-25

Container build is arguably one of the most security-sensitive operations in the whole application supply chain, yet it has largely remained opaque to date. It is typically implemented as a multi-stage process in the Continuous Integration (CI) pipeline that includes cloning the source code, resolving and downloading dependencies, compiling and packaging the application, and finally publishing the built artifacts. To establish trust in the final artifact, it is not sufficient to provide security guarantees around the artifact alone; it is critical to provide provenance and integrity assurance for every action in the pipeline that went into building it. While tools such as Tekton Chains provide visibility into the steps that were performed and the components that were used during the build, we are still missing the lower-level syscalls that were made. In this presentation, Parth and Shripad will present an open framework using Tetragon to bring out-of-band runtime visibility and provide automated attestation for Tekton-based CI pipelines.

Authors: Mikhail Swift
2022-10-24

tldr - powered by Generative AI

Archivist is a graph database and service that indexes in-toto attestations so that relevant attestations can be found and discovered through a GraphQL API.
  • Archivist is designed to archive more data and make finding relevant attestations easier
  • Archivist treats in-toto attestations as graph edges and indexes them into a graph using Dgraph
  • Archivist exposes a GraphQL API for users to query and refine their searches over time
  • Archivist extracts specific information, such as which attestations are contained in the in-toto attestation and its signatures, before fetching the attestation itself
  • Archivist uses in-toto subjects as graph edges and stores the statement itself as arbitrary data
  • Archivist can be used to find code review attestations and other relevant attestations to prove policy enforcement

Authors: Rose Judge, Joshua Lock
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
  • Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
  • There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
  • Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
  • Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations