Kubernetes Supply Chain Security: The Software Factory - Andrew Martin, Control Plane

less than 1 minute read

Abstract

The original supply chain attack was described by Ken Thompson 35 years ago, in Reflections on Trusting Trust. As the SUNBURST attacks abuse the same implicit trust relationship between consumers and vendors today, we ask ourselves: does cloud native have the answer? Based on work from the US Air Force and DoD, we present a Kubernetes Software Factory approach that can defend against supply chain risks. But can we mitigate the risk entirely? What about consuming closed source and binary artefacts? Is there a silver bullet for this producer-consumer problem, that impacts supply chain relationships at all levels of industry and technology? In this talk we: - Showcase work to build a Kubernetes Software Factory with Tekton - Deep dive on signing and verification approaches to securely build software with in-toto, TUF, SPIFFE, SPIRE, and sigstore - Review lessons learned from the SUNBURST attacks - Detail future cloud native solutions to harden Kubernetes, builds, and infrastructure

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Kubernetes Supply Chain Security: The Software Factory - Andrew Martin, Control Plane

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google