Session: Reflections on Supply Chain Trust: the Software Factory

The original supply chain attack was described in Ken Thompson's Reflections on Trusting Trust more than 35 years ago: a compiler that silently inserts a backdoor into the software it builds, including the next copy of itself, so that inspecting the source tells you nothing. As attacks from SUNBURST to REvil abuse the same implicit trust relationship between consumers and vendors today, we ask ourselves: does cloud native have the answer?

We live-demo supply chain compromises against containers and open source software, then detail a Kubernetes Software Factory approach, based on work from the US Air Force and DoD, to sign, seal, and deliver potentially hostile code safely to production: every build step produces signed, verifiable metadata about what went in and what came out, so that a deployment can be refused unless its provenance checks out.

In this talk we:

  • Demo assorted supply chain attacks against cloud native systems
  • Showcase work to build a Kubernetes Software Factory with Tekton
  • Deep dive on signing and verification approaches to securely build software with in-toto, TUF, SPIFFE, SPIRE, and sigstore
  • Detail future cloud native solutions to harden Kubernetes, builds, and infrastructure
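The signing-and-verification idea behind the in-toto and sigstore items above, shown as an added, self-contained example rather than code from the talk or from those projects. A build step hashes its product, wraps the digest in an in-toto-style statement, and signs it inside a DSSE envelope (Ed25519 over the DSSE pre-authentication encoding, which binds the payload type to the payload). The consumer verifies the signature and then checks that the artifact it was actually handed matches the attested digest. The predicate type, builder name and artifact bytes are constructed for illustration; the statement field names follow the in-toto Statement v0.1 layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// DSSE payload type used for in-toto statements.
const payloadType = "application/vnd.in-toto+json"

// Subject names one artifact and its digest(s); Statement is the in-toto
// Statement v0.1 shape (field names as in the in-toto attestation spec).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string      `json:"_type"`
	Subject       []Subject   `json:"subject"`
	PredicateType string      `json:"predicateType"`
	Predicate     interface{} `json:"predicate"`
}

// Envelope is a single-signature DSSE envelope.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the statement JSON
	Sig         string `json:"sig"`     // base64 Ed25519 signature over pae()
}

// pae is the DSSE pre-authentication encoding:
// "DSSEv1 " LEN(type) " " type " " LEN(body) " " body
// Signing this (not the raw body) stops an attacker from re-labelling a
// signed payload as a different type.
func pae(ptype string, body []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(ptype)) + " " + ptype +
		" " + strconv.Itoa(len(body)) + " " + string(body))
}

// Attest is what a build step runs: hash the product, describe it, sign it.
func Attest(priv ed25519.PrivateKey, name string, artifact []byte) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://example.com/build-step/v1",               // assumption: illustrative predicate type
		Predicate:     map[string]string{"builder": "tekton-pipeline-run-1"}, // constructed metadata
	}
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Sig:         base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// Verify is what the deployment gate runs: check the signature over the
// envelope, then check that the artifact in hand is one of the attested subjects.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(env.Sig)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return errors.New("attestation signature does not verify")
	}
	if env.PayloadType != payloadType {
		return fmt.Errorf("unexpected payload type %q", env.PayloadType)
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return err
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("artifact sha256 %s is not an attested subject", want)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed build output: app-v1.0.0") // constructed sample product
	env, err := Attest(priv, "app-v1.0.0", artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", Verify(pub, env, artifact))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1 // a single flipped bit, as a compromised registry might deliver
	fmt.Println("tampered artifact:", Verify(pub, env, tampered))
}
```

The two checks are deliberately separate: a valid signature proves the builder said something, and the digest comparison proves it said it about this artifact. Skipping the second check is the common mistake that lets an attacker replay a legitimate attestation against a substituted binary.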

Presenters: