Authors: Billy Lynch
2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Authors: Ayse Kaya
2022-10-24

tldr - powered by Generative AI

The talk discusses the evolution of vulnerabilities in popular public container images and the challenges faced by developers and DevSecOps teams in handling them. The speaker shares insights from a report on publicly available containers on Docker Hub and highlights the need for practical steps to prevent the dev process from grinding to a halt.
  • Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
  • New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
  • The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
  • Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
  • Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.
Authors: Adrian Mouat
2022-10-24

tldr - powered by Generative AI

The talk discusses techniques and tooling to address security concerns in building images for the secure supply chain.
  • Provenance and reproducibility are major gaps in the current state of software supply chain security.
  • The distroless philosophy of using smaller base images can save you from scan report purgatory.
  • Updating images and dependencies is crucial.
  • Using apko to build container images with SBOMs and complete reproducibility.
  • Signing images with Sigstore.
  • Cutting down dependencies by using smaller base images and keeping them up to date.
  • Verifying signatures and using policy management tools to check for vulnerabilities.
  • The Vulnerability Exploitability eXchange (VEX) lets an image producer state which reported vulnerabilities do not affect the image, so consumers can filter scan results and cut down noise.
  • Google Container Tools' distroless images are small and well suited to running statically compiled binaries.
  • The drawbacks of distroless images include a fixed list of image variants that is hard to extend and difficulty installing additional packages.
  • Cutting down images to the minimum set of dependencies can drastically reduce noise in vulnerability reports.
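To make the VEX point concrete, here is an added example (not code from the talk or from the OpenVEX project) that applies an OpenVEX document to a container scan report. The VEX document and the scan findings are constructed; the finding records use a minimal ad-hoc shape rather than any real scanner's output schema. It implements the two checks a practitioner would want before letting a VEX statement hide a finding: the statement must be well formed (a valid status, and a machine-readable justification when the status is not_affected), and when several statements cover the same vulnerability and product, the latest one wins.

```python
"""Apply an OpenVEX document to a container scan report.

Added illustration, not code from the talk or the OpenVEX project. The VEX
document and the scan findings are constructed; the finding records use a
minimal ad-hoc shape, not any scanner's schema.
"""
import json

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# OpenVEX requires one of these reasons on every not_affected statement.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Statuses that mean a scanner finding no longer needs to be reported.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

# Constructed product identifier (placeholder digest).
IMAGE = "pkg:oci/app@sha256:" + "0" * 64

CONSTRUCTED_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/app-2022-10-24",  # constructed
    "author": "example security team",
    "timestamp": "2022-10-24T00:00:00Z",
    "version": 1,
    "statements": [
        {   # vulnerable package present, but the code path never runs
            "vulnerability": {"name": "CVE-2022-0001"},
            "products": [{"@id": IMAGE}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # first assessed as affected ...
            "vulnerability": {"name": "CVE-2022-0002"},
            "products": [{"@id": IMAGE}],
            "status": "affected",
            "timestamp": "2022-10-20T00:00:00Z",
        },
        {   # ... then fixed by a rebuild; the later statement wins
            "vulnerability": {"name": "CVE-2022-0002"},
            "products": [{"@id": IMAGE}],
            "status": "fixed",
            "timestamp": "2022-10-23T00:00:00Z",
        },
        {   # malformed: not_affected without justification, must not suppress
            "vulnerability": {"name": "CVE-2022-0003"},
            "products": [{"@id": IMAGE}],
            "status": "not_affected",
        },
    ],
})

# Constructed scan findings (ad-hoc shape, not a real scanner's format).
CONSTRUCTED_SCAN = [
    {"id": "CVE-2022-0001", "product": IMAGE, "package": "libfoo"},
    {"id": "CVE-2022-0002", "product": IMAGE, "package": "zlib"},
    {"id": "CVE-2022-0003", "product": IMAGE, "package": "openssl"},
    {"id": "CVE-2022-0004", "product": IMAGE, "package": "busybox"},
]


def _vuln_name(stmt):
    # v0.2.0 uses {"name": ...}; v0.1.0 used a bare string.
    v = stmt.get("vulnerability")
    return v.get("name") if isinstance(v, dict) else v


def _product_ids(stmt):
    # v0.2.0 products are objects with "@id"; v0.1.0 used bare strings.
    return {p.get("@id") if isinstance(p, dict) else p for p in stmt.get("products", [])}


def _is_well_formed(stmt):
    status = stmt.get("status")
    if status not in VALID_STATUSES or not _vuln_name(stmt) or not _product_ids(stmt):
        return False
    if status == "not_affected":
        return stmt.get("justification") in VALID_JUSTIFICATIONS
    return True


def effective_statements(vex_json):
    """Return {(vuln, product): statement}; the latest statement per pair wins."""
    doc = json.loads(vex_json)
    stmts = [s for s in doc.get("statements", []) if _is_well_formed(s)]
    # A statement without its own timestamp inherits the document's.
    stmts.sort(key=lambda s: s.get("timestamp", doc.get("timestamp", "")))
    latest = {}
    for s in stmts:
        for pid in _product_ids(s):
            latest[(_vuln_name(s), pid)] = s
    return latest


def apply_vex(findings, vex_json):
    """Split findings into (still_reported, suppressed) using the VEX document."""
    latest = effective_statements(vex_json)
    reported, suppressed = [], []
    for f in findings:
        stmt = latest.get((f["id"], f["product"]))
        if stmt and stmt["status"] in SUPPRESSING_STATUSES:
            suppressed.append({**f, "vex_status": stmt["status"],
                               "justification": stmt.get("justification")})
        else:
            reported.append(f)
    return reported, suppressed


if __name__ == "__main__":
    kept, dropped = apply_vex(CONSTRUCTED_SCAN, CONSTRUCTED_VEX)
    for f in dropped:
        print(f"suppressed {f['id']} ({f['vex_status']}: {f.get('justification')})")
    for f in kept:
        print(f"reported   {f['id']} in {f['package']}")
```

Running it suppresses CVE-2022-0001 (not_affected with a justification) and CVE-2022-0002 (the later "fixed" statement overrides the earlier "affected" one), while CVE-2022-0003 stays reported because its not_affected statement has no justification and is discarded, and CVE-2022-0004 stays reported because no statement covers it. In a real pipeline the VEX document would itself be fetched as a signed attestation and verified before being trusted to hide anything.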