Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime

Description: Securing the software supply chain can feel overwhelming, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session on software supply chain security explores practical strategies to secure your software from build to runtime. We will use GitHub Actions to build artifacts, Cosign for keyless artifact signing (no long-lived signing keys to manage), and Kyverno to enforce policies at Kubernetes admission, such as rejecting images that lack a valid signature. You will also learn how in-toto and Kubescape help verify and maintain artifact integrity. Finally, we will briefly explore integrating Hardware Security Modules (HSMs) into your workflow for cases where key material must be held and protected rather than issued ephemerally. ...

November 15, 2024 · 1 min · Enguerrand Allamel

Securing the Supply Chain: A Practical Guide to SLSA Compliance from Build to Runtime (bilingual title; the Chinese title is a translation of the English one)

Description: Navigating the complexities of supply chain security might seem intimidating, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This talk introduces beginners to the foundational practices required to secure software from build to runtime using CNCF tools. We’ll explore how GitHub Actions can automate the build, integrate with Cosign for keyless artifact signing, and how Kyverno enforces signature and provenance policies at Kubernetes admission. We’ll also discuss how tools like in-toto and Kubescape help manage and verify artifact integrity, giving a holistic view of SLSA compliance in the Kubernetes ecosystem. ...

August 21, 2024 · 1 min · Enguerrand Allamel
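Both talk descriptions above outline the same pipeline: images built in GitHub Actions, signed keylessly with Cosign, and admitted to Kubernetes only if Kyverno can verify them. The enforcement end of that pipeline, as an added example written for this page (not code from the talks or from the Kyverno project), is a Kyverno ClusterPolicy that accepts a pod only when its image carries a Sigstore keyless signature from one pinned GitHub Actions workflow identity and a SLSA provenance attestation whose build type matches the expected generator. The registry namespace `ghcr.io/example-org/*`, the repository `example-org/example-app`, the workflow file `release.yaml`, and the `buildType` value are assumptions; substitute the values your own workflow produces.

```yaml
# Kyverno ClusterPolicy: admit only images built and signed by one pinned GitHub
# Actions workflow (Sigstore keyless) that also carry SLSA provenance.
# Added example, not code from the talks. Assumed names: ghcr.io/example-org/*,
# example-org/example-app, release.yaml, and the buildType value below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-slsa-signed-images
spec:
  validationFailureAction: Enforce   # Audit only logs violations; Enforce rejects the pod
  background: false                  # signature checks run on admission requests only
  webhookTimeoutSeconds: 30          # Fulcio/Rekor lookups exceed the 10s default
  failurePolicy: Fail                # fail closed: a verifier outage must not admit unverified pods
  rules:
    - name: keyless-signature-and-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # assumption: the organisation's registry namespace
          required: true
          mutateDigest: true           # rewrite tag to digest so the verified bytes are what run
          # Weak setting to avoid: pinning only the issuer. Every workflow on
          # github.com shares the issuer below, so an attacker's own repository
          # would pass. Pin the subject (repo, workflow path and ref) as well.
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/example-org/example-app/.github/workflows/release.yaml@refs/tags/*"
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            - type: https://slsa.dev/provenance/v1
              # the provenance must be signed by the same pinned identity
              attestors:
                - entries:
                    - keyless:
                        issuer: "https://token.actions.githubusercontent.com"
                        subject: "https://github.com/example-org/example-app/.github/workflows/release.yaml@refs/tags/*"
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    # assumption: value emitted by the provenance generator in use
                    - key: "{{ buildDefinition.buildType }}"
                      operator: Equals
                      value: "https://actions.github.io/buildtypes/workflow/v1"
```

Apply it with `kubectl apply -f` and check it from both sides: a pod using an image signed by the pinned workflow should be admitted with its tag rewritten to a digest, while the same image re-signed from any other repository, or an unsigned tag, should be rejected by the admission webhook. The `subject` string is matched against the SAN in the short-lived Fulcio certificate, so keep the ref pattern as narrow as your release process allows (tags here, not `refs/heads/*`), and keep the policy in `Audit` mode only long enough to confirm that no legitimate workload is blocked.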