Oh The Places You'll Sign.pdf

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

John Osborne
josborne@chainguard.dev
@CloudLvlMidnite
How Sigstore Accelerates a Software Supply Chain Journey
https://cha...

What Is Software Supply Chain Security?
“Software supply chain attacks occur when the
materials or processes of producing ...

Limited Visibility Into Our Dependencies
App
Your dependencies likely have CRITICAL CVEs (Source: deps.dev)

Limited Visibility Into Source and Build Requirements
“There’s currently no guarantee that a package on npm is built from ...

Building Transparency In The Software Supply Chain

Generate A Supply Chain Data Layer
Foundation for Supply Chain Transparency
Attestations
Signed metadata (typically
how ar...

sigstore
Making sure your software’s what it
claims to be
A new standard for signing, verifying and protecting
software.
G...

Sigstore, a new standard for signing, verifying and protecting software
● Key Pieces:
○ Cosign: sign things
○ Fulcio: sign...

Key Automation

Signing and Verifying
(also git commits - more later)
Images $ cosign sign josborne/myimage
Blobs $ cosign sign-blob ./myb...

cosign demo

What do signatures guarantee?
● Signatures give you evidence that:
○ What you signed hasn’t changed
○ It came from the pro...

Software Bill of Materials (and friends)
Component 1
Component 2
Component 3
License 1
AFFECTED NOT AFFECTED
FIXED
UNDER
I...

DENCE
Attestations
A software attestation is a signed statement (metadata)
about a software artifact
● Makes it possible t...

Common Attestations
How it was Built (Provenance)
ko attests to the fact that it built a
container image with digest
"sha2...

Sigstore Provides Integrity for Attestations
sign
sign & verify
continuous veriﬁcation
SLSA
NIST SSDF
CIS Benchmarks

SLSA Level 1
SLSA
SLSA Level 1
● Scripted Builds
● Provenance Available
SLSA Level 1 Attestation Example

SLSA Level 2
SLSA
SLSA Level 2 Attestation Example
Verify
SLSA Level 2
● Use a Build Service
● Sign & Verify Provenance
Si...

Verify Attestation
SLSA Level 3
SLSA
SLSA Level 3 Attestation Example
Verify
SLSA Level 3
● Build As Code
● Non-Falsiﬁable...

Verify
SLSA Level 4
SLSA
SLSA Level 4 Attestation Example
Verify
SLSA Level 4
● Reproducible Build
● Provenance of Transit...

Verify Kim
SLSA Level 4 Code Review
SLSA
Verify
Dan Signs
Kim Signs
Verify Dan

❏ Ensure veriﬁcation of signed commits for new changes before merging
❏ Ensure all artifacts on all releases are signed
❏ ...

Secure Software Development Framework NIST SSDF
❏ Evaluate tools’ signing capabilities to create immutable logs for audita...

Gitsign
“Keyless” git commit signing with Sigstore
● Sign with git commit -S
● Sign every commit by default (optional)
Mee...

gitsign demo

Let’s Make Informed Risk Management Decisions
Supply chain metadata allows you to make
policy decisions, events, alerts, e...

Free Sigstore Training
https://blog.chainguard.dev/get-started-with-sigstore-free-course/

Share SlideShare

Facebook
Twitter
LinkedIn

Embed

Size (px)

Show related SlideShares at end

WordPress Shortcode

Link

LinkedIn
Facebook
Twitter
Email

Replay

Top clipped slide

1 of 27 Ad

1 of 27 Ad