Improve Vulnerability Management with OCI Artifacts – It Is That Easy! - Itay Shakury, Aqua Security & Toddy Mladenov, Microsoft
Abstract
In the past couple of years supply chain security has risen to mainstream attention, and the industry has been devoted to addressing the related concerns. Managing vulnerabilities and software dependencies is an integral part of this process. One of the most significant advancements was the popularization of standard SBOMs (Software Bill of Materials) as well as signed attestations. While generating and validating an SBOM is a non-issue today, using it efficiently at scale is still a challenge: it relies on custom solutions or proprietary integrations. The OCI artifacts specification is a new specification that solves this challenge in an elegant and efficient manner. With it, you can sign images, and store and sign SBOMs, scan results and other important supply-chain-related attestations alongside the relevant artifacts in the registry. In this talk, the audience will learn how to improve their vulnerability management practices by employing the new registry capabilities and using open-source tools like Trivy, Notary and ORAS. The same practices can be applied to any OCI artifact, including WASM, packages, and libraries.
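The mechanism the abstract refers to is the OCI 1.1 "referrers" model: an SBOM or scan result is pushed as its own manifest whose `subject` field points at the image manifest's digest, so the registry can later list everything attached to a given image, filtered by `artifactType`. The following is an added example, not code from the speakers, Trivy, Notary or ORAS. It builds such referrer manifests in memory from constructed sample data (a fake image manifest, a fake SPDX SBOM and a hypothetical scan-result type), and implements the lookup that a registry's referrers API or `oras discover` performs. The serialization used for digesting the manifests is an assumption; a real registry digests the exact bytes that were pushed.

```python
"""Added example: OCI referrer manifests for SBOMs and scan results (in-memory)."""
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY_CONFIG = "application/vnd.oci.empty.v1+json"   # OCI 1.1 empty config
SBOM_SPDX_TYPE = "application/spdx+json"                   # artifactType for SPDX SBOMs
SCAN_TYPE = "application/vnd.example.scan-result+json"     # hypothetical, for illustration


def sha256_digest(content: bytes) -> str:
    return "sha256:" + hashlib.sha256(content).hexdigest()


def descriptor(media_type: str, content: bytes, **extra) -> dict:
    """OCI content descriptor: mediaType, digest and size (+ optional fields)."""
    d = {"mediaType": media_type, "digest": sha256_digest(content), "size": len(content)}
    d.update(extra)
    return d


def canonical(obj: dict) -> bytes:
    # Assumed serialization; the registry digests whatever bytes the client pushed.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def referrer_manifest(subject_bytes: bytes, artifact_type: str,
                      blob: bytes, blob_media_type: str, annotations=None) -> dict:
    """Manifest that attaches `blob` to the manifest `subject_bytes` as a referrer."""
    m = {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": artifact_type,
        "config": descriptor(OCI_EMPTY_CONFIG, b"{}", data="e30="),  # the empty JSON object
        "layers": [descriptor(blob_media_type, blob)],                # the SBOM/scan payload
        "subject": descriptor(OCI_MANIFEST, subject_bytes),           # what it is attached to
    }
    if annotations:
        m["annotations"] = annotations
    return m


def referrers(store: list, subject_digest: str, artifact_type=None) -> list:
    """Descriptors of every manifest whose subject is `subject_digest`,
    optionally filtered by artifactType (the shape of a referrers API response)."""
    out = []
    for m in store:
        subj = m.get("subject")
        if not subj or subj["digest"] != subject_digest:
            continue
        if artifact_type and m.get("artifactType") != artifact_type:
            continue
        d = descriptor(m["mediaType"], canonical(m), artifactType=m.get("artifactType"))
        if "annotations" in m:
            d["annotations"] = m["annotations"]
        out.append(d)
    return out


def payload_matches(manifest: dict, blob: bytes) -> bool:
    """Consumer-side check: the fetched blob must match the layer descriptor."""
    layer = manifest["layers"][0]
    return layer["digest"] == sha256_digest(blob) and layer["size"] == len(blob)


def demo() -> dict:
    # Constructed sample data; none of these are real artifacts.
    image_manifest = canonical({"schemaVersion": 2, "mediaType": OCI_MANIFEST,
                                "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                                           "digest": "sha256:" + "ab" * 32, "size": 1234},
                                "layers": []})
    image_digest = sha256_digest(image_manifest)
    sbom = b'{"spdxVersion":"SPDX-2.3","name":"example-app","packages":[]}'
    scan = b'{"scanner":"example","results":[]}'

    sbom_ref = referrer_manifest(image_manifest, SBOM_SPDX_TYPE, sbom, SBOM_SPDX_TYPE,
                                 {"org.opencontainers.image.created": "2023-01-01T00:00:00Z"})
    scan_ref = referrer_manifest(image_manifest, SCAN_TYPE, scan, SCAN_TYPE)
    store = [json.loads(image_manifest), sbom_ref, scan_ref]   # what the registry holds

    return {
        "image_digest": image_digest,
        "all": referrers(store, image_digest),
        "sboms": referrers(store, image_digest, SBOM_SPDX_TYPE),
        "sbom_ok": payload_matches(sbom_ref, sbom),
        "tampered": payload_matches(sbom_ref, sbom + b" "),
        "empty_config_digest": sbom_ref["config"]["digest"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `subject` pointer is what lets a scanner or admission controller ask "what is attached to this exact image digest?" instead of relying on naming conventions or an external database; the `artifactType` filter is how it picks SBOMs over signatures or scan results, and the layer digest check is how it refuses a payload that does not match what the manifest promised.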