Leveraging Sigstore Capabilities in a Local Environment - Chad Coleman, Lockheed Martin
Open-source software has become an integral aspect of almost any system, enabling rapid development of capabilities by building on top of the work of others. This comes at a cost - each open-source component can have unique licensing, dependencies, and vulnerabilities. But where there is an open-source challenge, there is also an open-source solution. At Lockheed Martin, we are integrating open-source solutions such as the Sigstore product suite to provide auditable evidence relating to how our software is built, including the provenance of dependencies. Our approach has been to create internal Kubernetes deployments of Sigstore utilities, using internal certificate authorities and a trust root within our identity providers. We leverage most of the built-in integrations, such as AWS Key Management Service for signing, and employ reusable GitLab pipelines to both streamline interactions with an internal OAuth provider and simplify use of the cosign tool. This talk covers some of the reasons for our approach, details unique to our implementation, and what is on the immediate horizon in our efforts to meet the requirements of Executive Order 14028 in an affordable and robust manner.
Video: Leveraging Sigstore Capabilities in a Local Environment - Chad Coleman, Lockheed Martin, from the OpenSSF channel
Video information
29 April 2024, 22:21:50
00:13:18