Open Source Secure Software Supply Chain in action

How can you trust the open-source code that makes up your application? This talk demonstrates a verifiable chain of trust using tools like Sigstore and Tekton.

#1about 2 minutes

Understanding the rising threat to software supply chains

The dramatic increase in supply chain attacks necessitates new security standards and government regulations to mitigate risk.

#2about 2 minutes

Exploring the core domains of supply chain security

Securing the supply chain involves understanding software composition with SBOMs, continuous scanning, content signing, and runtime policy enforcement.

#3about 5 minutes

Using open source tools to secure the entire SDLC

A suite of open source tools like Sigstore, Tecton, and Clair can be used to prevent malicious code, safeguard build systems, and monitor deployments.

#4about 2 minutes

Defining key standards and terminology in supply chain security

Understanding critical concepts like SALSA levels, CVEs, provenance, attestation, and SBOMs is essential for implementing robust security.

#5about 3 minutes

Building a secure and opinionated CI/CD pipeline

A secure pipeline can be constructed using Tecton for SALSA compliance and Sigstore for keyless signing of commits and artifacts.

#6about 4 minutes

Comparing a generic vs a security-augmented workflow

A security-augmented workflow integrates checks like local dependency scanning, commit signature verification, and SALSA compliance into the standard development process.

#7about 4 minutes

Demo: Initiating a secure code update for an application

The demonstration begins by scaffolding a microservice from a secure software template and making a code change to update inventory.

#8about 3 minutes

Demo: Scanning and remediating vulnerabilities locally in the IDE

Using an IDE extension, transitive dependencies are scanned for vulnerabilities, which are then fixed by updating the framework and base image versions.

#9about 4 minutes

Demo: Triggering the secure pipeline with a keyless signed commit

The developer uses keyless signing with an OIDC provider to sign the commit, which automatically triggers a secure pipeline that verifies the signature and generates an SBOM.

#10about 3 minutes

Demo: Verifying deployment and monitoring runtime security

The demo concludes by showing the successfully deployed application and using a security dashboard to check for runtime policy violations and visualize network traffic.