YoVDO

Securing the Supply Chain with Witness - A Framework for Supply Chain Security

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Supply Chain Security Courses, Cryptography Courses, CI/CD Courses, Cloud-Native Security Courses, SLSA Courses

Course Description

Overview

Learn about Witness, an open-source modular framework for supply chain security, in this 23-minute conference talk. Explore how Witness creates collections of attestations bound to the CI process, providing trusted sectors for policy enforcement. Discover the Witness trust model and its integration with cloud-native security tools like Rekor, SPIRE, Cosign, and Kubernetes. Gain insights into SLSA Level 4 provenance requirements, signer support, cryptographic document support, and policy verification. Examine use cases such as ensuring builds happened on approved infrastructure, verifying that an artifact passed SAST testing, and handling an upstream build system compromise. Watch a demonstration of implementing SLSA 3 for a major project using SPIRE.

Syllabus

Thank you to our Session Recording Sponsor
Witness Introduction
SLSA Level 4 - Provenance Reqs
Witness' Trust Model
Signer Support
Cryptographic Document Support
Policy Verification
Use Case: Ensure all builds happened on approved infra
Use Case: Verify an artifact passed SAST testing
Use Case: IR - Upstream Build System Compromise
DEMO: SLSA 3 for a major project - SPIRE
Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

Ketchup, Mustard, and Relish of Software Supply Chain Security - Panel Discussion
Linux Foundation via YouTube
SLSA in Action: Securing the Software Supply Chain
Linux Foundation via YouTube
Securing Your Supply Chain by Building with FRSCA
Linux Foundation via YouTube
Open Tools for Secure Supply Chains in Kubernetes - From Release Engineering
Linux Foundation via YouTube
Google SLSA and NIST SSDF - Emerging Software Supply Chain Security Best Practices
Linux Foundation via YouTube