Enforceable Software Supply Chain Policies and Attestations Using in-Toto - Alan Chung Ma & Santiago Torres-Arias, Purdue University
The SUNBURST attack on SolarWinds in 2020 has become the software community's poster child for what can go wrong in a supply chain. To meet new cybersecurity regulations, software producers are capturing metadata that shows the integrity of their supply chain. CNCF projects like in-toto and Witness capture machine-verifiable attestations about software supply chain operations, and frameworks like SLSA provide guidance on which attestations to generate. However, the real value of such attestations comes from verifying them against strict security policies that enforce a consumer's expectations about the integrity of their software supply chain. In this talk, we walk through specific policies that can defend against high-profile supply chain attacks. We dive into the CNCF TAG Security catalog of supply chain attacks, SUNBURST among them, and describe how in-toto can be configured to reduce the likelihood of such attacks. We also contextualize this with the SLSA specification and US/EU regulations.
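The kind of policy verification the abstract describes, as an added example that is not code from the talk or from the in-toto project: a minimal in-toto-style layout (steps, authorized functionary keys, thresholds, and ALLOW / DISALLOW / MATCH artifact rules) checked against signed link metadata for a clone -> build chain. The step names, key ids, file paths and file contents are constructed, and HMAC-SHA256 over a shared secret stands in for in-toto's asymmetric signatures so the example runs offline on the standard library.

```python
"""in-toto-style layout verification: signed links checked against a policy.
Added example, not code from the talk or the in-toto project. Simplification:
in-toto signs canonical JSON with asymmetric keys; HMAC-SHA256 over a shared
secret stands in for the signature so this runs on the standard library."""
import fnmatch
import hashlib
import hmac
import json

# Constructed functionary keys (a real layout would hold only public keys).
KEYS = {"dev-key": b"developer-secret-0001", "ci-key": b"ci-builder-secret-0002"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_link(link: dict, keyid: str) -> dict:
    """Wrap link metadata in an envelope signed by one functionary key."""
    payload = json.dumps(link, sort_keys=True).encode()
    sig = hmac.new(KEYS[keyid], payload, "sha256").hexdigest()
    return {"signed": link, "signatures": [{"keyid": keyid, "sig": sig}]}

def valid_signers(envelope: dict) -> set:
    """Key ids whose signature verifies over the envelope's signed payload."""
    payload = json.dumps(envelope["signed"], sort_keys=True).encode()
    good = set()
    for s in envelope["signatures"]:
        if s["keyid"] in KEYS:
            want = hmac.new(KEYS[s["keyid"]], payload, "sha256").hexdigest()
            if hmac.compare_digest(want, s["sig"]):
                good.add(s["keyid"])
    return good

def apply_rules(rules: list, artifacts: dict, verified: dict) -> list:
    """Consume {path: sha256} artifacts rule by rule, in-toto style.
    Anything still queued when a DISALLOW rule matches it is a violation."""
    queue, violations = dict(artifacts), []
    for rule in rules:
        hits = [p for p in queue if fnmatch.fnmatch(p, rule[1])]
        if rule[0] == "ALLOW":
            for p in hits:
                queue.pop(p)
        elif rule[0] == "DISALLOW":
            for p in hits:
                violations.append(f"artifact {p} ({queue.pop(p)[:8]}) not authorized by any earlier rule")
        elif rule[0] == "MATCH":  # ["MATCH", pattern, "WITH", MATERIALS|PRODUCTS, "FROM", step]
            upstream = verified.get(rule[5], {}).get(rule[3].lower(), {})
            for p in hits:  # consumed only if the bytes equal what the upstream step recorded
                if upstream.get(p) == queue[p]:
                    queue.pop(p)
    return violations

def verify_layout(layout: dict, links: list) -> list:
    """Return every policy violation for the given links (empty list = verified)."""
    violations, verified = [], {}
    for step in layout["steps"]:
        name, keys, accepted = step["name"], set(), []
        for env in links:
            if env["signed"]["name"] == name:
                authorized = valid_signers(env) & set(step["pubkeys"])
                if authorized:  # a valid signature from an unauthorized key does not count
                    keys |= authorized
                    accepted.append(env["signed"])
        if len(keys) < step["threshold"]:
            violations.append(f"step {name}: {len(keys)} authorized signer(s), threshold {step['threshold']}")
        elif any(l != accepted[0] for l in accepted[1:]):
            violations.append(f"step {name}: authorized functionaries disagree")
        else:
            verified[name] = accepted[0]
    for step in layout["steps"]:  # artifact rules run only over accepted links
        if step["name"] in verified:
            for field in ("materials", "products"):
                for v in apply_rules(step["expected_" + field], verified[step["name"]][field], verified):
                    violations.append(f"step {step['name']} {field}: {v}")
    return violations

# Constructed layout: a developer clones reviewed source, CI builds it, and the
# build may consume only the exact source bytes the clone step produced.
LAYOUT = {"steps": [
    {"name": "clone", "pubkeys": ["dev-key"], "threshold": 1,
     "expected_materials": [["DISALLOW", "*"]],
     "expected_products": [["ALLOW", "src/*"], ["DISALLOW", "*"]]},
    {"name": "build", "pubkeys": ["ci-key"], "threshold": 1,
     "expected_materials": [["MATCH", "src/*", "WITH", "PRODUCTS", "FROM", "clone"],
                            ["DISALLOW", "*"]],
     "expected_products": [["ALLOW", "dist/app"], ["DISALLOW", "*"]]},
]}

SOURCE = {"src/main.go": digest(b"package main // reviewed\n")}  # constructed content
BINARY = {"dist/app": digest(b"\x7fELF built from reviewed source")}

def honest_run() -> list:
    return [sign_link({"name": "clone", "materials": {}, "products": SOURCE}, "dev-key"),
            sign_link({"name": "build", "materials": SOURCE, "products": BINARY}, "ci-key")]

def sunburst_style_run() -> list:
    """Source swapped on the build host: the build consumes code the clone step never produced."""
    swapped = {"src/main.go": digest(b"package main // backdoor added on build host\n")}
    return [sign_link({"name": "clone", "materials": {}, "products": SOURCE}, "dev-key"),
            sign_link({"name": "build", "materials": swapped, "products": BINARY}, "ci-key")]

def unauthorized_builder_run() -> list:
    """Build link signed by a real key the layout does not trust for the build step."""
    return [sign_link({"name": "clone", "materials": {}, "products": SOURCE}, "dev-key"),
            sign_link({"name": "build", "materials": SOURCE, "products": BINARY}, "dev-key")]

if __name__ == "__main__":
    for run in (honest_run, sunburst_style_run, unauthorized_builder_run):
        print(run.__name__, verify_layout(LAYOUT, run()) or "OK")
```

The honest run verifies; the SUNBURST-style run fails at the build step's materials because the MATCH rule only consumes a source file whose hash equals what the clone step recorded as a product, so the swapped file falls through to DISALLOW; the run signed by a developer key fails the build step's threshold even though the signature itself is valid. Real in-toto verification additionally checks the layout's own signature and expiry, runs inspections, and recurses into sublayouts, none of which this example models.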
8 Apr 2024