Natale Vinto
Open Source Secure Software Supply Chain in action
#1 (about 2 minutes)
Understanding the rising threat to software supply chains
The dramatic increase in supply chain attacks necessitates new security standards and government regulations to mitigate risk.
#2 (about 2 minutes)
Exploring the core domains of supply chain security
Securing the supply chain involves understanding software composition with SBOMs, continuous scanning, content signing, and runtime policy enforcement.
#3 (about 5 minutes)
Using open source tools to secure the entire SDLC
A suite of open source tools such as Sigstore, Tekton, and Clair can be used to prevent malicious code, safeguard build systems, and monitor deployments.
#4 (about 2 minutes)
Defining key standards and terminology in supply chain security
Understanding critical concepts like SLSA levels, CVEs, provenance, attestation, and SBOMs is essential for implementing robust security.
#5 (about 3 minutes)
Building a secure and opinionated CI/CD pipeline
A secure pipeline can be constructed using Tekton for SLSA compliance and Sigstore for keyless signing of commits and artifacts.
#6 (about 4 minutes)
Comparing a generic vs a security-augmented workflow
A security-augmented workflow integrates checks like local dependency scanning, commit signature verification, and SLSA compliance into the standard development process.
#7 (about 4 minutes)
Demo: Initiating a secure code update for an application
The demonstration begins by scaffolding a microservice from a secure software template and making a code change to update inventory.
#8 (about 3 minutes)
Demo: Scanning and remediating vulnerabilities locally in the IDE
Using an IDE extension, transitive dependencies are scanned for vulnerabilities, which are then fixed by updating the framework and base image versions.
#9 (about 4 minutes)
Demo: Triggering the secure pipeline with a keyless signed commit
The developer uses keyless signing with an OIDC provider to sign the commit, which automatically triggers a secure pipeline that verifies the signature and generates an SBOM.
#10 (about 3 minutes)
Demo: Verifying deployment and monitoring runtime security
The demo concludes by showing the successfully deployed application and using a security dashboard to check for runtime policy violations and visualize network traffic.