How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi

less than 1 minute read

Abstract

OSS libraries can be used by anyone, but how does an enterprise secure what should, or more importantly, should not be used? The package/artifact managers are at best simple proxies, so security checking is mostly beyond them. Moreover, within enterprises, these tasks end up being manual. This talk will outline the additional checks that should/could be performed at ingestion and subsequently; continuous automated grooming of OSS artifacts. James will demonstrate the Continuous Secure Software Ingestion (CSSI) application, a policy driven system built on Tekton & Open Policy Agent (OPA), to perform continuous secure ingestion from any source, including Google AOS. He will also show the additional constraints that are placed on the downstream enterprise Software Composition Analysis (SCA) tooling to handle the data graph that this generates.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google