Authors: Stephen Giguere
2022-10-25

tldr - powered by Generative AI

The presentation discusses the security challenges faced by open source projects and GitOps workflows, particularly in relation to GitHub Actions workflows. The speaker demonstrates potential abuses of and vulnerabilities in GitHub Actions workflows and highlights the importance of implementing best practices to protect against attacks.
  • Open source projects and GitOps workflows are exposed to security threats
  • GitHub Actions workflows can be abused by malicious actors to gain access to sensitive information, such as repository secrets
  • Best practices, such as environment protection rules and short-lived tokens, can help protect against these attacks
Authors: Laurent Simon, Asra Ali
2022-06-21

The presentation discusses the importance of artifact attestation (SLSA provenance) in ensuring the authenticity of build artifacts and creating strong links between artifacts and their source repositories. It also highlights the various use cases of artifact attestation in the supply chain.
  • Artifact attestation creates a strong link between build artifacts and their source repositories, ensuring authenticity and enabling policy enforcement.
  • Artifact attestation can be used to enforce policies at different stages of the supply chain, including the control plane, build time, and installation time.
  • GitHub's dependency API and SBOM API can benefit from artifact attestation to ensure the authenticity of dependencies and SBOMs.
  • Artifact attestation can be used to prove to third parties that SBOMs are authentic and were created without cheating or hiding vulnerabilities.
  • Artifact attestation can be used for any kind of metadata, including static analysis tool results.