Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo

less than 1 minute read

Abstract

An exploration into Yahoo’s year-long integration journey of Sigstore, enhancing Supply Chain Security through verifiable “certificates of origin” for artifacts. Despite the challenges of scaling Sigstore in a high-traffic environment, the Paranoids — Yahoo’s information security organization — successfully secured around 60,000 daily builds, spanning 700 clusters and 100,000 pods. Join us as we: * Showcase the image signing and verification process, sharing insights from our experiences. Learn about the enhancements we implemented in Sigstore and cosign to achieve an “enterprise-grade” deployment at Yahoo’s scale. * Delve into how we adapted these components to Yahoo’s corporate environment where we have our own certificate authority and identity provider (Athenz). Attendees will leave this session with the knowledge to seamlessly implement Sigstore in their Continuous Integration (CI) pipelines, customized to their specific components and enterprise architecture.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google