It’s Not Just About SBOMs: Perspectives on Cloud Native Supply Chain Security - Michael Lieberman, Kusari; Dana Wang, OpenSSF - The Linux Foundation; Marina Moore, New York University; John Kjell, TestifySec; Arnaud Le Hors, IBM
Abstract
There’s a lot fear, uncertainty, and doubt around software supply chain security, especially when it comes to cloud native and there being something new to update or be aware of every time you look. There’s SBOMS, SLSA, VEX, CVEs, and dozens of other acronyms that can be hard to remember. In addition there are secure software factories, scorecards, best practices, and countless projects and concepts to keep track of. It seems even more intractable when you take into the velocity of cloud native. Don’t worry! It’s not actually that complicated. The panel of open source maintainers will discuss how the pieces to solve the supply chain security challenges are all there today. They will discuss straightforward approaches and simple security hygiene practices that can get you much of the way there, much of it in the CNCF like TUF, in-toto, or witness or in sibling organizations like OpenSSF with SLSA and GUAC. They will also provide insights into the future of supply chain security.