Roger Ng
Roger Ng is a software engineer at Google based in London, United Kingdom. He mainly works on Certificate Transparency and transparency logs on the Google Open Source Security Team.
Session
How can we be sure the open-source software we rely on hasn't been tampered with, or that critical internet infrastructure is behaving as expected? This talk introduces the fundamentals of transparency logs: accurate, immutable, publicly verifiable data. Building with tamper-evident logs means that you can cryptographically prove that the data hasn't been unexpectedly changed.
We will discuss how this technology, famously used in Certificate Transparency, can be broadly applied to secure the open-source software supply chain with Sigstore, and Android Pixel binary transparency.
To illustrate these concepts, this talk also introduces Trillian Tessera, an open-source Go library for building tile-based transparency logs using these standard formats on both major cloud and on-premises infrastructure, together with TesseraCT, a readily deployable open-source solution for Certificate Transparency using Trillian Tessera.
Attendees will gain insights into a lightweight yet powerful library for building their own reliable and easily maintainable transparency solutions. We will showcase a concrete example of its application.
No background knowledge required.
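As an added example (not code from the talk, nor from Trillian Tessera or TesseraCT), here is the core of a tamper-evident log in Go: the RFC 6962 leaf and node hashing that Certificate Transparency uses, the tree head a log publishes, the inclusion proof it serves for one entry, and the RFC 9162 check a client runs to confirm that entry is committed to by the head. Function names are my own, Go 1.13 or later is assumed, and the leaf contents are constructed sample strings.

```go
package main
import "crypto/sha256"
import "math/bits"

// RFC 6962 domain separation (0x00 leaf, 0x01 node) stops a leaf posing as a node.
func hashLeaf(d []byte) []byte { s := sha256.Sum256(append([]byte{0x00}, d...)); return s[:] }
func hashNode(l, r []byte) []byte { s := sha256.Sum256(append(append([]byte{0x01}, l...), r...)); return s[:] }
// split returns RFC 6962's k: the largest power of two strictly below n (n > 1).
func split(n int) int { return 1 << (bits.Len(uint(n-1)) - 1) }
// merkleRoot computes the tree head over a non-empty list of leaf hashes.
func merkleRoot(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := split(len(leaves))
	return hashNode(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}
// inclusionProof is what the log serves: sibling hashes, leaf to root, for index i.
func inclusionProof(leaves [][]byte, i int) [][]byte {
	if len(leaves) == 1 {
		return nil
	}
	k := split(len(leaves))
	if i < k {
		return append(inclusionProof(leaves[:k], i), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], i-k), merkleRoot(leaves[:k]))
}
// verifyInclusion is the RFC 9162 s2.1.3.2 client check: rebuild the root from leaf, index, size and proof.
func verifyInclusion(leaf []byte, index, size int, proof [][]byte, root []byte) bool {
	if index < 0 || index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false // more proof entries than the tree has levels
		}
		if fn&1 == 1 || fn == sn {
			r = hashNode(p, r) // sibling sits to the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = hashNode(r, p) // sibling sits to the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && string(r) == string(root)
}
```

Any change to a logged entry, to its claimed position, or to the proof itself makes the rebuilt root differ from the published head, which is what makes the log tamper-evident rather than merely append-only.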