You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

less than 1 minute read

Abstract

Having the most up-to-date information when you have to make a decision is always key. This statement is true for many real-world applications but is paramount for software supply chain security! To comply with the Executive Order 14028, we now have mountains of metadata from SBOMs, SLSA attestations, vulnerability information, and various in-toto ITE-6 attestations at our fingertips. With the introduction of projects like GUAC and Trustification, these can now be collected and analyzed successfully. Combining this information with policy engines, like OPA , we can create a policy that validates if a specific container or artifact is allowed to run in a cluster based on its security assessment. In this presentation, we will explain the concepts behind GUAC and Trustification projects. Next, we will demonstrate how OPA can be integrated with GUAC to create a policy that can answer the question: “Is the artifact allowed to be run in this environment?”.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Abstract

Video

You May Also Enjoy

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google

Kubernetes Security Blind Spot: Misconfigured System Pods - Shaul Ben Hai, Palo Alto Networks