SupplyChainSecurityCon – Talk Recordings Now Available

Posted November 10, 2021 (updated July 24th, 2023) | Blog, Staff

SupplyChainSecurityCon 2021 took place October 11, co-located with KubeCon 2021. It was the most popular co-located event, with many great talks. Here is the list of talks, each with a short description.


Keynote: Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack

Speaker: Trevor Rosen, SolarWinds

SolarWinds was hit in December 2020 with a sophisticated supply chain attack perpetrated by nation-state actors. In the months since, they’ve been working to create an entirely new build system based on a number of CNCF and CDF projects. In this talk, you’ll learn about what they’re building, why it’s necessary, and what it’s like to be on the inside when the unthinkable happens.

▶️ Watch the SolarWinds Keynote


The State of SBOMs

Speakers: Dan Lorenc, Chainguard (Moderator); Allan Friedman, US Government; Nisha Kumar, VMware & Frederick Kautz, LF Public Health

Find out why Software Bills of Materials (SBOMs) are a thing now, what the challenges are for shipping SBOMs for cloud-native software, and tips for starting to produce them for your applications.

▶️ Watch the State of SBOMs

Whose Sign Is It Anyway?

Speakers: Marina Moore, NYU & Matthew Riley, Google

This talk explores what a digital signature really means—and what it doesn’t. The speakers share the implications of policy choices around key handling, what gets signed, and when we call a signature “valid.” The talk is such a deep dive into the very idea of identity that you may begin to question the nature of your reality.

▶️ Watch Whose Sign Is It Anyway

Supply Chain Security with the Jenkins Templating Engine!

Speaker: Steven Terrana, Booz Allen Hamilton

A comprehensive introduction to DevSecOps. The talk gets past the buzzwords and demystifies the various kinds of software security scanning that teams can incorporate into their software delivery processes to shift-left security. Equally important – you’ll then learn how to apply these principles at scale using the Jenkins Templating Engine to develop tool-agnostic pipelines that can be shared across teams.

▶️ Watch Supply Chain Security with the JTE

An Overview on SLSA

Speakers: Tom Hennen, Google & Joshua Lock, VMware

SLSA (Supply-chain Levels for Software Artifacts) introduces a comprehensive methodology to prevent tampering with the software supply chain. To illustrate the impact of SLSA, the talk follows a few gremlins as they try to introduce malicious code into a container image used by thousands of projects. At each step of the supply chain, see how SLSA controls raise the cost of attack, preventing the gremlins from causing any harm.

▶️ Watch the SLSA Overview

State of the Art Supply Chain Security (in-toto, TUF, and SigStore)

Speakers: Trishank Karthik Kuppusamy, Datadog; Asra Ali, Google & Santiago Torres-Arias, Purdue University

Explore the complementary roles that TUF, in-toto, and SigStore play in creating a transparent hack-proof software supply chain that thwarts man-in-the-middle attacks anywhere between developers and end-users. Including real examples!

▶️ Watch the State of the Art Supply Chain Security talk

Cloud Native Supply Chain Security with Tekton and Sigstore

Speakers: Priya Wadhwa & Christie Wilson, Google

If you build software on Kubernetes and want to learn more about how to do it securely, then this talk is for you! Get a hands-on overview of creating a secure zero-trust supply chain on Kubernetes. Learn to use Tekton, Tekton Chains and sigstore together to protect your pipelines and generate provenance for your builds, and how to integrate these tools with other projects like in-toto and SPIRE to securely build, sign and verify software components today.

▶️ Watch the Cloud Native Supply Chain Security talk

Getting Started with Supply Chain Security is Easier Than You Think: Perspectives From a Highly Regulated Industry

Speakers: Michael Lieberman & Timothy Miller, CitiBank

Learn about practices you can implement to start your supply chain security journey. These will help you better understand the technologies currently in your environments, establish provenance of source code, and audit and respond quickly in the event of supply chain vulnerabilities.

▶️ Watch to get started with Supply Chain Security

Lightning Talks

5G and Challenges with Software Supply Chain Security

Speaker: Fatih Degirmenci, Ericsson

A short overview of next-generation telecommunications networks that highlights their software supply chain security challenges and discusses the opportunities to tackle them collaboratively.

▶️ Watch to learn about 5G and its challenges

PyPI Supply Chain Security

Speaker: Dustin Ingram, Python Software Foundation

This talk reviews recent supply-chain attacks and how they relate to the Python Package Index (PyPI) specifically. It also shows some in-progress projects to make PyPI more resilient, secure and sustainable.

▶️ Watch the PyPI talk

Finding Your Way: A Survey of Supply Chains

Speaker: Aeva Black, Microsoft

This talk shares a few maps of the open source supply chain landscape and gives viewers a sense of the breadth and depth of the challenges ahead. Watch this talk to learn to identify a few essentials for your supply chain security journey.

▶️ Watch to find your way

Vulnerability Supply Chains

Speaker: Art Manion, CERT Coordination Center

Learn about the types of vulnerabilities and how they flow down through and affect supply chains.

▶️ Watch the talk

Full Playlist

Watch all the talks in the SupplyChainSecurityCon 2021 playlist