Session Abstract: Between the 2020 SolarWinds compromise and the 2021 Log4Shell vulnerability, supply chain security has become one of the most discussed topics in the security industry. The SigStore project gets many of the headlines for making artifact signing easy, but what few realize is that both SigStore and the security of the supply chains used to build and deploy systems rest on identity management. SigStore uses PKI (short-lived X.509 certificates plus a transparency log) as the mechanism for verifying artifacts such as containers and Software Bills of Materials (SBOMs), but the trust in those signatures comes from identity: the signing certificate is bound to an OpenID Connect identity such as a developer account or a CI workflow, so a verifier checks who signed, not which key was used.
This master class walks attendees through identity as the foundation for trust in any supply chain. In a hands-on lab, attendees will create a GitHub Actions workflow that securely builds, signs and deploys a container, and will see how identity provides trust and assurance at each step: building the container, deploying to AWS, and updating a Kubernetes manifest via GitOps. Attendees will leave knowing how to talk to their security and DevOps teams about the identity infrastructure an enterprise needs to support a secure supply chain. Attendees will need a laptop and a GitHub account.
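The pipeline the abstract describes, as an added illustration that is not the session's lab material: one GitHub Actions workflow in which a single OIDC identity (the job's token, enabled by `id-token: write`) drives keyless signing with cosign, identity-based verification of that signature, role assumption in AWS, and a GitOps manifest update. The AWS account ID, role name, region, registry path and manifest path are assumptions, not values from the session.

```yaml
# Added example (not the session's lab material): a GitHub Actions workflow
# that builds a container, signs it keylessly with cosign using the job's
# OIDC identity, verifies that signature by identity, assumes an AWS role via
# the same OIDC token, and records the new digest in a manifest for GitOps.
# Account ID, role name, region, registry path and manifest path are assumed.
name: build-sign-deploy

on:
  push:
    branches: [main]

permissions:
  contents: write      # needed to commit the updated manifest (assumed GitOps layout)
  packages: write      # push to GitHub Container Registry
  id-token: write      # lets the job mint an OIDC token: the identity everything below trusts

env:
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-sign-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      # Keyless signing: cosign exchanges the job's OIDC token for a short-lived
      # certificate from Fulcio and records the signature in Rekor. No key to store.
      - name: Sign image by digest
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Verification is an identity check: only a signature whose certificate
      # names a workflow in this repository on main, issued by GitHub's OIDC
      # provider, is accepted. A signature from any other identity fails here.
      - name: Verify signature against expected identity
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/\.github/workflows/.+@refs/heads/main$" \
            "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Same OIDC token, different relying party: AWS trusts the token's claims
      # (repository, branch) via the role's trust policy, so no long-lived access keys.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # assumed role
          aws-region: us-east-1                                          # assumed region

      - name: Confirm the identity AWS granted
        run: aws sts get-caller-identity

      # GitOps: pin the deployment to the signed digest and commit; the cluster's
      # reconciler applies it, and an admission policy can re-verify the signature.
      - name: Update Kubernetes manifest with signed digest
        run: |
          sed -i "s|image: .*|image: ${IMAGE}@${{ steps.build.outputs.digest }}|" deploy/deployment.yaml   # assumed path
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "deploy: ${IMAGE}@${{ steps.build.outputs.digest }}"
          git push
```

Two points in this workflow carry the identity argument. The `cosign verify` step pins acceptance to a certificate whose subject is a workflow in this repository on `main`, issued by GitHub's OIDC provider; a valid SigStore signature made under any other identity is rejected. On the AWS side the equivalent decision lives in the IAM role's trust policy, which should restrict the `token.actions.githubusercontent.com:sub` claim to the same repository and branch; that policy is not shown here, and without it the role assumption trusts far more than this one workflow.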