The State of Your Supply Chain - Andrew Martin

NUUG

Container security often focuses on runtime best practices whilst neglecting delivery of the software in the supply chain. Application, library, and OS vulnerabilities are a likely route to data exfiltration, and emerging technologies in the container ecosystem offer a new opportunity to mitigate this risk. Treating containers as immutable artefacts and injecting configuration at deployment time allows us to "upgrade" images by rebuilding and shipping whole software bundles, avoiding configuration drift and state inconsistencies. This makes it possible to patch software continuously, and to enforce governance of artefacts both pre- and post-deployment. In this talk we detail an ideal, security-hardened container supply chain, describe the current state of the ecosystem, and dig into specific tools. Grafeas, Kritis, in-toto, Clair, MicroScanner, TUF, and Notary are covered, and we demo how to gate container image pipelines and deployments on cryptographically verified supply chain metadata.

Recorded at the OWASP Norway Day by NUUG.

Uploaded 10 Dec 2018
© 2009 - 2025 Foreningen Frikanalen