Securing the Container Supply Chain Workshop

Workshop 👥

English 🇬🇧

Tuesday, 1:30 – 3:30 PM

Length: 120 minutes

Room: Workshop B

Abstract

“Software supply chain” is a term describing everything that happens to code from the time it leaves the developer's fingers until it runs in production. The code needs to be compiled, tested, packaged and deployed, and these steps take place in a variety of systems and rely on many complex third-party solutions. Our apps also depend on an increasing number of third-party libraries and frameworks that we often know next to nothing about.

Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most noticeable one being Supply chain Levels for Software Artifacts (SLSA). SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google, in addition to startups such as Chainguard.

Cosign: Sigstore is a Linux Foundation project which is developing Cosign, a tool for container signing, verification and signature storage in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.

Kyverno: Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.

In this workshop we will take a practical approach to securing your container applications and verify that the container has not been tampered with since it was built.
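As an added illustration of the verification step the abstract describes (this is not material from the workshop repository or from the speakers), the following Kyverno ClusterPolicy makes the cluster's admission control reject any Pod whose image under a given registry prefix does not carry a valid Cosign signature matching a known public key. The registry prefix `ghcr.io/example-org/*` and the public key are placeholders; in practice the key is the one exported by `cosign generate-key-pair` or `cosign public-key` for the keypair that signed the images.

```yaml
# Added example: Kyverno policy enforcing Cosign image signatures at admission.
# Assumes Kyverno is installed in the cluster and images were signed with
# `cosign sign --key cosign.key <image>`. Registry prefix and key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signature
spec:
  # Enforce (not Audit) so unsigned or tampered images are rejected, not just logged.
  validationFailureAction: Enforce
  # verifyImages rules run on admission only, not as background scans of existing resources.
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: check-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this prefix are checked; everything else is unaffected.
        - imageReferences:
            - "ghcr.io/example-org/*"
          # Kyverno rewrites the image tag to the verified digest so the Pod
          # cannot later resolve to a different (unsigned) image behind the same tag.
          mutateDigest: true
          attestors:
            - entries:
                - keys:
                    # PLACEHOLDER: replace with the PEM public key of the signing keypair.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

With this policy applied, a Pod referencing a matching image that was never signed, or whose signature does not verify against the key, is refused by the API server, and the reason appears in the Kyverno policy report and the admission error returned to `kubectl`. Keeping `background: false` is required for `verifyImages` rules, and pinning to the digest via `mutateDigest` closes the gap between the moment of verification and the moment the kubelet pulls the image.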

Prerequisites

  • Laptop

  • GitHub account

  • Docker

  • Local Kubernetes cluster, for example one of:

    • https://kubernetes.io/docs/tutorials/hello-minikube/

    • https://kind.sigs.k8s.io/

    • https://github.com/abiosoft/colima

Full workshop install guide: https://github.com/nais/salsa-workshop/blob/main/labs/lab-0/README.md

Intended audience

Security Professionals, Architects, Tech Leads

  • Hans Kristian Flaatten

    Platform Engineering at the Norwegian Labour and Welfare Administration (NAV) responsible for the NAIS platform. NAIS is an application platform built to increase development speed by providing our developers at NAV with the best possible tools to develop and run their applications.

  • Jan-Kåre Solbakken

    Developer with occasional strays to the security side for 20+ years, for the most part on the JVM.

  • Youssef Bel Mekki

    Platform/DevOps developer at NAV. I have a pretty short career. I started my journey late, learning development at university at the age of 30. Been working at NAV ever since, never regretted my decision towards programming. I love working with people and combining that with programming to come up with clever and user-friendly solutions.
