YoVDO

The Road to SLSA4 - Applying the Sigstore Ecosystem in a Corporate Environment

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Software Supply Chain Security Courses OpenID Connect (OIDC) Courses Sigstore Courses Cloud-Native Security Courses

Course Description

Overview

Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Explore the implementation of the Sigstore ecosystem in a corporate environment to enhance software artifact integrity and mitigate supply chain attacks. This conference talk delves into the challenges and solutions encountered while adopting Sigstore tooling across cloud-native, self-hosted, and on-premise environments. Learn about the trade-offs between self-hosting and using public instances of Rekor and Fulcio, implementing keyless commit signatures with gitsign, developing verification methodologies, utilizing SPIFFE/SPIRE for ephemeral build workload identities, and leveraging OIDC tokens for keyless signatures in various build environments. Gain valuable insights into the road to SLSA4 compliance and discover practical approaches to strengthen your organization's software supply chain security.

Syllabus

Intro
Agenda
Motivation? Sign Everything!
What is Fulcio
Hello (World) Signing
Hello (World) Commit Signing
Real-world scenario
Architecture - Pre Sigstore
Github Actions - Result
Gitlab Runner on K8s
Implementation
Insights
Takeaways


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

Hardening Your Soft Software Supply Chain
Pluralsight DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub
Pluralsight Securing Your Software Supply Chain with Sigstore
Linux Foundation via edX GitHub Supply Chain Security Using GitGat
Linux Foundation via edX Kyverno - Deep Dive - Tech Talks
Mirantis via YouTube