Explore the critical topic of Kubernetes supply chain security in this 36-minute conference talk by Andrew Martin from Control Plane. Dive into the concept of a Software Factory approach for defending against supply chain risks, based on work from the US Air Force and DoD. Learn about the original supply chain attack described by Ken Thompson 35 years ago and how it relates to modern threats like the SUNBURST attacks. Discover how cloud native technologies can address these challenges through a showcase of building a Kubernetes Software Factory with Tekton. Gain insights into signing and verification approaches using tools such as in-toto, TUF, SPIFFE, SPIRE, and sigstore. Examine lessons learned from recent attacks and explore future cloud native solutions for hardening Kubernetes, builds, and infrastructure. Understand the complexities of the producer-consumer problem in supply chain relationships across various levels of industry and technology.
Kubernetes Supply Chain Security - Building a Secure Software Factory
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Intro
About Control Plane
Agenda
Supply Chain Security
What is a Supply Chain
Software Supply Chain
Post Bare Metal
Software Factory
Supply Chain
Attack
Danger Zone
Supply chain compromises
How do we attack
Salsa
Reverse Shell
Trivia Scan
Signing
Container Images
Chain Guards
Reference Architecture
Entoto
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
Kubernetes Security: Implementing Supply Chain Security
-
Cloud Native Supply Chain Security with Tekton and Sigstore
-
In-Toto: Attestations and Software Supply Chain Security
-
Achieving End-to-End Software Supply Chain Security with in-toto
-
Putting the Supply Chain Pieces Together: A Deep Dive into the Secure Software Factory
-
State of the Art Supply Chain Security - In-toto, TUF, and SigStore
