SLSA FRSCA Recipe For Secure Supply Chain - Parth Patel & Michael Lieberman, Kusari

less than 1 minute read

Abstract

There are multiple tools out in the ecosystem trying to deal with parts of the software supply chain threat but what does an end-to-end solution look like? The OpenSSF - FRSCA is an implementation of the CNCF best practices that aims to protect the build system, secure ingestion and enforce policy in the production environment to minimize the attack vectors associated with software supply chain. With the integration of Tekton Pipelines/Chains, Sigstore, SPIFFE/SPIRE, and Kyverno, we can create a holistic approach that can meet SLSA Level 3 from beginning to end. Utilizing CUE, admission controller and short-lived certificates, we can cryptographically and based on policy protect the cluster. Building off binary authorization, FRSCA can validate the signature and attestation to authorize until the next release cycle. FRSCA aims to be an implementable architecture that the open source community and end-user organizations can utilize to ingest and produce SLSA compliant artifacts.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

SLSA FRSCA Recipe For Secure Supply Chain - Parth Patel & Michael Lieberman, Kusari

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google