Explore the challenges and solutions for securing open-source software (OSS) ingestion in enterprise environments through this 26-minute conference talk by James Holland from Citi. Learn about the limitations of package managers in security checking and the need for additional measures to ensure safe OSS usage. Discover the Continuous Secure Software Ingestion (CSSI) application, a policy-driven system built on Tekton and Open Policy Agent (OPA), designed to perform continuous secure ingestion from various sources, including Google AOS. Gain insights into the additional constraints placed on downstream enterprise Software Composition Analysis (SCA) tooling to handle the resulting data graph. Understand the importance of automated grooming of OSS artifacts and the implementation of robust security checks during the ingestion process and beyond.
Securing Open Source Software Supply Chain - Continuous Secure Software Ingestion
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
SLSA FRSCA Recipe for Secure Supply Chain
-
Secure Transport for Your Software Supply Chain with TUF
-
Securing Your Supply Chain with an Open Source Ecosystem
-
Securing the Open Source Software Supply Chain
-
Fight Back Against Cyber Risk in the Software Supply Chain - Secure DevSecOps Pipeline for Regulated Environments
-
Policy Compliance with Sigstore - From Signing Software to Validating the Whole Software Supply Chain
