SupplyChainSecurityCon 2021 took place October 11 in co-location with KubeCon 2021. It was the most popular co-located event. There were so many great talks. Here’s the list with a short description.
Keynote
Keynote: Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack
Speaker: Trevor Rosen, SolarWinds
SolarWinds was hit in December 2020 with a sophisticated supply chain attack perpetrated by nation-state actors. In the months since, they’ve been working to create an entirely new build system based on a number of CNCF and CDF projects. In this talk, you’ll learn about what they’re building, why it’s necessary, and what it’s like to be on the inside when the unthinkable happens.
▶️ Watch the SolarWinds Keynote
Talks
The State of SBOMs
Speakers: Dan Lorenc, Chainguard (Moderator), Allan Friedman, US Government; Nisha Kumar, VMware & Frederick Kautz, LF Public Health
Find out why Software Bill of Materials (SBOMs) is a thing now, what the challenges for shipping SBOMs for Cloud Native things are and tips to start producing it for your applications.
Whose Sign Is It Anyway?
Speakers: Marina Moore, NYU & Matthew Riley, Google
This talk explores what a digital signature really means—and what it doesn’t. The speakers share the implications of policy choices around key handling, what gets signed, and when we call a signature “valid.” The talk is such a deep dive into the very idea of identity that you may begin to question the nature of your reality.
▶️ Watch Whose Sign Is It Anyway
Supply Chain Security with the Jenkins Templating Engine!
Speaker: Steven Terrana, Booz Allen Hamilton
A comprehensive introduction to DevSecOps. The talk gets past the buzzwords and demystifies the various kinds of software security scanning that teams can incorporate into their software delivery processes to shift-left security. Equally important – you’ll then learn how to apply these principles at scale using the Jenkins Templating Engine to develop tool-agnostic pipelines that can be shared across teams.
▶️ Watch Supply Chain Security with the JTE
An Overview on SLSA
Speakers: Tom Hennen, Google & Joshua Lock, VMware
SLSA means Supply-chain Levels for Software Artifacts – introduces a comprehensive methodology to prevent tampering with the software supply chain. To illustrate the impact of SLSA, the talk follows a few gremlins as they try to introduce malicious code into a container image used by thousands of projects. At each step of the supply chain, see how SLSA controls raise the cost of attack, preventing the gremlins from causing any harm.
State of the Art Supply Chain Security (in-toto, TUF, and SigStore)
Speakers: Trishank Karthik Kuppusamy, Datadog; Asra Ali, Google & Santiago Torres-Arias, Purdue University
Explore the complementary roles that TUF, in-toto, and SigStore play in creating a transparent hack-proof software supply chain that thwarts man-in-the-middle attacks anywhere between developers and end-users. Including real examples!
▶️ Watch the State of the Art Supply Chain Security talk
Cloud Native Supply Chain Security with Tekton and Sigstore
Speakers: Priya Wadhwa & Christie Wilson, Google
If you build software on Kubernetes and want to learn more about how to do it securely, then this talk is for you! Get a hands-on overview of creating a secure zero-trust supply chain on Kubernetes. Learn to use Tekton, Tekton Chains and sigstore together to protect your pipelines and generate provenance for your builds and how to integrate these tools with other projects like In-Toto and SPIRE to securely build, sign and verify software components today.
▶️ Watch the Cloud Native Supply Chain Security talk
Getting Started with Supply Chain Security is Easier Than You Think: Perspectives From a Highly Regulated Industry
Speakers: Michael Lieberman & Timothy Miller, CitiBank
Learn about practices you can implement to start your supply chain security journey. These will help you: better understand the technologies currently in your environments, establish provenance of source code, and help you audit and respond quickly in the event of supply chain vulnerabilities.
▶️ Watch to get started with Supply Chain Security
Lightning Talks
5G and Challenges with Software Supply Chain Security
Speaker: Fatih Degirmenci, Ericsson
A short overview of the next generation telecommunications networks, highlight the challenges, and talk about the opportunities to tackle them collaboratively.
▶️ Watch to learn about 5G and its challenges
PyPI Supply Chain Security
Speaker: Dustin Ingram, Python Software Foundation
This talk reviews recent supply-chain attacks and how they relate to Python Package Index (PyPI) specifically. It also shows some in-progess projects to make PyPI more resilient, secure and sustainable.
Finding Your Way: A Survey of Supply Chains
Speaker: Aeva Black, Microsoft
This talk shares a few maps of the open source supply chain landscape and gives viewers a sense of the breadth and depth of the challenges ahead. Watch this talk to learn to identify a few essentials for your supply chain security journey.
Vulnerability Supply Chains
Speaker: Art Manion, CERT Coordination Center
Learn about the types of vulnerabilities, how they flow down and affect supply chains.
Full Playlist
Watch all the talks in the SupplyChainSecurityCon 2021 playlist
