Natale Vinto

Open Source Secure Software Supply Chain in action

How can you trust the open-source code that makes up your application? This talk demonstrates a verifiable chain of trust using tools like Sigstore and Tekton.

Open Source Secure Software Supply Chain in action
#1about 2 minutes

Understanding the rising threat to software supply chains

The dramatic increase in supply chain attacks necessitates new security standards and government regulations to mitigate risk.

#2about 2 minutes

Exploring the core domains of supply chain security

Securing the supply chain involves understanding software composition with SBOMs, continuous scanning, content signing, and runtime policy enforcement.

#3about 5 minutes

Using open source tools to secure the entire SDLC

A suite of open source tools like Sigstore, Tecton, and Clair can be used to prevent malicious code, safeguard build systems, and monitor deployments.

#4about 2 minutes

Defining key standards and terminology in supply chain security

Understanding critical concepts like SALSA levels, CVEs, provenance, attestation, and SBOMs is essential for implementing robust security.

#5about 3 minutes

Building a secure and opinionated CI/CD pipeline

A secure pipeline can be constructed using Tecton for SALSA compliance and Sigstore for keyless signing of commits and artifacts.

#6about 4 minutes

Comparing a generic vs a security-augmented workflow

A security-augmented workflow integrates checks like local dependency scanning, commit signature verification, and SALSA compliance into the standard development process.

#7about 4 minutes

Demo: Initiating a secure code update for an application

The demonstration begins by scaffolding a microservice from a secure software template and making a code change to update inventory.

#8about 3 minutes

Demo: Scanning and remediating vulnerabilities locally in the IDE

Using an IDE extension, transitive dependencies are scanned for vulnerabilities, which are then fixed by updating the framework and base image versions.

#9about 4 minutes

Demo: Triggering the secure pipeline with a keyless signed commit

The developer uses keyless signing with an OIDC provider to sign the commit, which automatically triggers a secure pipeline that verifies the signature and generates an SBOM.

#10about 3 minutes

Demo: Verifying deployment and monitoring runtime security

The demo concludes by showing the successfully deployed application and using a security dashboard to check for runtime policy violations and visualize network traffic.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Mitigating supply chain attacks with DevSecOps practices
04:45 MIN

Mitigating supply chain attacks with DevSecOps practices

Security Pitfalls for Software Engineers

Implementing and enforcing supply chain policies
02:25 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Building a foundation for pipeline security
03:50 MIN

Building a foundation for pipeline security

Walking into the era of Supply Chain Risks

Taking responsibility for your software supply chain
10:01 MIN

Taking responsibility for your software supply chain

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Understanding the risks of the modern software supply chain
06:19 MIN

Understanding the risks of the modern software supply chain

Overcome your trust issues! In a world of fake data, Data Provenance FTW

The scale and challenge of securing open source
04:14 MIN

The scale and challenge of securing open source

How GitHub secures open source

Defining the modern software supply chain
02:53 MIN

Defining the modern software supply chain

Securing your application software supply-chain

Securing container images and the software supply chain
01:52 MIN

Securing container images and the software supply chain

Security Challenges of Breaking A Monolith

Featured Partners

Related Videos

See all videos
Securing your application software supply-chain
28:27

Securing your application software supply-chain

Niels Tanis

Overcome your trust issues! In a world of fake data, Data Provenance FTW
26:41

Overcome your trust issues! In a world of fake data, Data Provenance FTW

Jon Geater

DevSecOps culture
16:00

DevSecOps culture

Ali Yazdani

Organizational Change Through The Power Of Why - DevSecOps Enablement
26:50

Organizational Change Through The Power Of Why - DevSecOps Enablement

Nazneen Rupawalla

Stranger Danger: Your Java Attack Surface Just Got Bigger
1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Securing Secrets in the GitOps era
58:57

Securing Secrets in the GitOps era

Alex Soto

Supply Chain Security and the Real World: Lessons From Incidents
24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

How GitHub secures open source
25:28

How GitHub secures open source

Joseph Katsioloudes

Related Articles

View all articles
Andre Braun, GitLab
Now is the time for industrialized software development
Now is the time for industrialized software development Recently, I received a letter from my car’s manufacturer alerting me to a recall. They had discovered a defective part and wanted to replace it. It was easily fixed, and I might have forgotten a...
Now is the time for industrialized software development
Christina Schaireiter
Why Attend a Developer Event?
Modern software engineering moves too fast for documentation alone. Attending a world-class event is about shifting from tactical execution to strategic leadership. Skill Diversification: Break out of your specific tech stack to see how the industry...
Why Attend a Developer Event?

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Schwarz Corporate Solutions
Barcelona, Spain

Senior
Bash
Azure
Linux
Kafka
DevOps
+10