CERIAS Security Seminar: Enhancing Software Supply Chain Security in Distributed Systems

The Center for Education and Research in Information Assurance and Security
September 20, 2023
4:30 PM - 5:30 PM
Zoom

Description

Speaker:
Christopher Nuland
Red Hat

Abstract:

In the aftermath of the transformative 2020 SolarWinds breach, securing software supply chains has surged to the forefront of modern software development concerns. This incident underscored the imperative for innovative approaches to ensure software artifacts' integrity and authenticity. The Supply Chain Level for Software Artifacts (SLSA) framework emerged as a response, emphasizing secure software development processes for supply chains. As compliance standards, notably those enforced by the National Institute of Standards and Technology (NIST), intensify the call for robust security measures, the convergence of open-source technologies presents a compelling solution.

In the contemporary landscape of distributed systems, like Kubernetes, the significance of signing critical artifacts, such as container images and builds, cannot be overstated. These signatures substantiate the origin and unaltered state of the artifacts, rendering them resistant to tampering or unauthorized access. Yet, with the escalating complexity of software supply chains, bolstered by the proliferation of distributed technologies, ensuring trustworthy artifact provenance becomes more formidable.

This challenge is where SigStore, an innovative technology solution, steps in. SigStore enables cryptographic signing and verification of software artifacts, offering a robust mechanism to establish the authenticity of these components. By leveraging transparency log technologies, SigStore enhances the trustworthiness of the supply chain, creating a formidable barrier against malicious alterations.
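The two preceding paragraphs describe the mechanism in the abstract: a signature binds an artifact's digest to a signer, and a transparency log makes that signature publicly auditable. The following Go program is an added example written for this page; it is not code from the talk, from Sigstore or from Red Hat. It signs constructed container-manifest stand-ins with Ed25519, appends each signed entry to a small append-only Merkle log that plays the role a transparency log like Rekor plays in Sigstore, and then runs the check a deployment gate would run: digest match, signature under a key the verifier already trusts, and a Merkle inclusion proof against the log root. The function and type names (`Log`, `SignArtifact`, `VerifyArtifact`, `RunScenario`) and the sample manifests are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is what a signer publishes: the digest of the artifact it vouches for
// (e.g. a container image manifest), the signature over that digest, and the key.
type Entry struct {
	ArtifactDigest string
	Signature      []byte
	PublicKey      ed25519.PublicKey
}

// leafHash and nodeHash use distinct prefixes (0x00 / 0x01) so a leaf can never
// be confused with an interior node, the same domain separation RFC 6962 uses.
func leafHash(e Entry) [32]byte {
	return sha256.Sum256(append(append(append([]byte{0x00}, e.ArtifactDigest...), e.Signature...), e.PublicKey...))
}

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// Log is a toy append-only transparency log; its Merkle root commits to every entry.
type Log struct{ leaves [][32]byte }

func (l *Log) Append(e Entry) int {
	l.leaves = append(l.leaves, leafHash(e))
	return len(l.leaves) - 1
}

func (l *Log) Size() int { return len(l.leaves) }

// nextLevel pairs adjacent nodes; an unpaired last node is carried up unchanged.
func nextLevel(level [][32]byte) [][32]byte {
	var next [][32]byte
	for i := 0; i < len(level); i += 2 {
		if i+1 < len(level) {
			next = append(next, nodeHash(level[i], level[i+1]))
		} else {
			next = append(next, level[i])
		}
	}
	return next
}

func (l *Log) Root() [32]byte {
	level := l.leaves
	for len(level) > 1 {
		level = nextLevel(level)
	}
	if len(level) == 0 {
		return [32]byte{}
	}
	return level[0]
}

// InclusionProof returns the sibling hashes, leaf to root, needed to recompute
// the root from leaf i. A level where the node has no sibling contributes nothing.
func (l *Log) InclusionProof(i int) [][32]byte {
	var proof [][32]byte
	for level := l.leaves; len(level) > 1; level, i = nextLevel(level), i/2 {
		if sib := i ^ 1; sib < len(level) {
			proof = append(proof, level[sib])
		}
	}
	return proof
}

// VerifyInclusion recomputes the root from the leaf, its index, the log size and
// the proof; the verifier derives every level's width from the size alone.
func VerifyInclusion(leaf [32]byte, i, n int, proof [][32]byte, root [32]byte) bool {
	cur, p := leaf, 0
	for width := n; width > 1; width, i = (width+1)/2, i/2 {
		if sib := i ^ 1; sib < width {
			if p == len(proof) {
				return false
			}
			if i%2 == 0 {
				cur = nodeHash(cur, proof[p])
			} else {
				cur = nodeHash(proof[p], cur)
			}
			p++
		}
	}
	return p == len(proof) && cur == root
}

// SignArtifact hashes the artifact and signs the digest, producing a log entry.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Entry {
	d := sha256.Sum256(artifact)
	digest := hex.EncodeToString(d[:])
	return Entry{ArtifactDigest: digest, Signature: ed25519.Sign(priv, []byte(digest)), PublicKey: priv.Public().(ed25519.PublicKey)}
}

// VerifyArtifact is the deployment-gate check: the artifact must match the signed
// digest, the signature must verify under the key the verifier already trusts
// (not merely the key embedded in the entry), and the entry must be provably
// included in the log at the root the verifier observed.
func VerifyArtifact(artifact []byte, e Entry, trusted ed25519.PublicKey, i, n int, proof [][32]byte, root [32]byte) bool {
	d := sha256.Sum256(artifact)
	if hex.EncodeToString(d[:]) != e.ArtifactDigest || !e.PublicKey.Equal(trusted) {
		return false
	}
	if !ed25519.Verify(trusted, []byte(e.ArtifactDigest), e.Signature) {
		return false
	}
	return VerifyInclusion(leafHash(e), i, n, proof, root)
}

// RunScenario signs constructed "manifests", then checks the genuine artifact,
// a tampered copy, and an entry for the same image signed by an untrusted key.
func RunScenario() (genuine, tampered, untrustedKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	tlog := &Log{}
	for _, m := range []string{"manifest-app-v1.0", "manifest-app-v1.1"} { // constructed sample data
		tlog.Append(SignArtifact(priv, []byte(m)))
	}
	image := []byte("manifest-app-v1.2") // constructed sample data
	e := SignArtifact(priv, image)
	i := tlog.Append(e)
	r := SignArtifact(rogue, image)
	j := tlog.Append(r)
	root := tlog.Root()
	genuine = VerifyArtifact(image, e, pub, i, tlog.Size(), tlog.InclusionProof(i), root)
	tampered = VerifyArtifact([]byte("manifest-app-v1.2-modified"), e, pub, i, tlog.Size(), tlog.InclusionProof(i), root)
	untrustedKey = VerifyArtifact(image, r, pub, j, tlog.Size(), tlog.InclusionProof(j), root)
	return
}

func main() {
	g, t, u := RunScenario()
	fmt.Printf("genuine=%v tampered=%v untrusted-key=%v\n", g, t, u)
}
```

The third check is the one most often skipped in practice: a valid signature from a key nobody vouched for proves nothing, so the verifier pins the expected key (or, in Sigstore proper, the expected signing identity) rather than trusting whatever key travels with the entry. The inclusion proof is what turns "someone signed this" into "this signature is on the public record and can be audited later".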

This talk will discuss the popular technologies in the industry that use a zero-trust software supply chain, explain why this type of supply chain is important, and outline the different technologies used in conjunction with SigStore to create zero-trust supply chains within the software development and deployment lifecycle.

About:

Christopher Nuland has been involved with container technology since 2010, when he worked with Oak Ridge Labs and Purdue's CdmHub on containerizing their simulations with OpenVZ. He joined Red Hat in 2018 as a container specialist in the infrastructure and application development space for primarily Fortune 100 companies across the U.S. His work has focused mainly on cloud-native migrations into k8s-based platforms, and developing secure cloud-native zero-trust supply chains for the healthcare, life sciences, and defense sectors.

The weekly security seminar has been held every semester since spring of 1992. We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime investigation, information warfare, information ethics, public policy for computing and security, the computing "underground," and other related topics.

Contact Details

Event Website

https://www.cerias.purdue.edu/news_and_events/events/security_seminar/details/index/0i9donk30snh4d89p0mdm5hdt2@google.com

Purdue University, West Lafayette, IN 47907 (765) 494-4600
