SBOMs Aren't Enough. Secure Your Software Supply Chain End-To-End
You probably heard that SBOMs are helpful, but did you know that an SBOM only addresses a fraction of what can go wrong in your software supply chain? The SLSA (Supply Chain Levels for Software Artifacts) specification identifies 9 distinct threat areas, spanning from source code, all the way to package distribution. Most development teams address one or two of these and call it a day, leaving gaps that real-world attacks like SolarWinds and Log4J have already exploited. We understand that it is difficult to cover all aspects when it comes to the software supply chain.
How about we make this much easier? In this talk, we will present an overview of the modern software supply chain threat model, and show how you can provide integrity throughout the whole process of your software development life cycle. We will introduce an easy-to-setup, end-to-end open source stack, built from frameworks and tools within the CNCF/OpenSSF ecosystem.
We will cover:
- gittuf - A security layer for Git repositories
- in-toto - Cryptographically verifiable attestations that capture what actually happens during your build process
- SBOMit - Generate verifiable and accurate SBOMs that embed in-toto attestations
- TUF - A framework for securing package updates
This talk aims to demystify software supply chain security beyond SBOMs, and provide a more holistic view. Our live demo will show a pragmatic way to get started, aiming to lower the entry barrier for open source maintainers and adopters alike.