Protecting Ourselves from CNCFgate - Software Supply Chain Security at CNCF - Practices, and Tools
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the critical aspects of software supply chain security in cloud-native environments through this informative conference talk. Delve into the complexities of securing modern software systems with increasing dependencies and learn about industry consensus on baseline properties for a secure software supply chain. Discover why these measures may not be sufficient to protect against high-profile attacks and how to improve security practices. Gain insights from the CNCF SIG-Security Supply Chain Working Group's experience, focusing on the intricacies and challenges of maintaining a tightly-secured software supply chain. Learn about five main areas of concern, including securing source code, dependencies, and build pipelines. Understand the importance of reproducible builds and explore unresolved challenges in the field. Get guidance on navigating supply chain security in cloud-native environments and discover how to get involved in improving industry-wide security practices.
Syllabus
Intro
Why is Cloud Native Supply Chain a Problem?
Navigating Supply Chain Security in Cloud Native
Five Main Areas
Securing the Source Code: Start with the basics...
Securing the Dependencies: Scan & validate dependencies; remember, CVEs are a trailing indicator! Look for operational hygiene
Securing the Build Pipeline: Step 1, read the DoD DevSecOps Reference Paper
Reproducible Builds
Unresolved Challenges
Framework with common tools and templates
Get Involved
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Hardening Your Soft Software Supply Chain (Pluralsight)
DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub (Pluralsight)
Securing Your Software Supply Chain with Sigstore (Linux Foundation via edX)
GitHub Supply Chain Security Using GitGat (Linux Foundation via edX)
Kyverno - Deep Dive - Tech Talks (Mirantis via YouTube)