In-person + Virtual
October 24-28
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Daylight Time (UTC -4). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Back To Schedule
Wednesday, October 26 • 11:55am - 12:30pm
Securing the IaC Supply Chain - Jesse Sanford, Autodesk & Jason Hall, Chainguard

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Secure software supply chain practices have begun to permeate all aspects of software development. But what about the orchestration of our infrastructure? With the proliferation of infrastructure as code, many of the same threats posed to software supply chains are also threats to our IaC ecosystems. IaC provides clear advantages to platform teams, bringing uniformity and productivity to developers, but with the great power bestowed to it, it also presents a juicy target for supply chain attacks, often while no one is looking. It's only a matter of time before our Site Reliability Engineers will need to defend against the same attack vectors as their Software Engineer counterparts. How can DevSecOps practitioners learn from the patterns and practices being developed by projects like SLSA? Can IaC pipelines build on tooling like Sigstore and in-toto? This talk covers the application of software supply chain security principles to modern IaC pipelines. Jesse and Jason discuss design changes to the Crossplane package management system and it’s forthcoming integration with Sigstore, enabling IaC provenance and attestations. Finally, a demo showcasing the equivalent of “admission control” for IaC will provide inspiration for further work on Secure IaC Supply Chains.

avatar for Jesse Sanford

Jesse Sanford

Senior Principal Engineer, Autodesk
Jesse is a lifelong software engineer focused on site reliability and Infosec. Currently architecting the juncture of platform engineering and security/compliance for Autodesk's Developer Enablement team. When not in front of a computer, he is a backpacker, sailor and continuously... Read More →

Jason Hall

Engineer, Chainguard
Jason contributes to various projects related to container image construction, security and performance. He has never heard a joke about his name and the JavaScript Object Notation that didn't elicit a polite chuckle. He lives in Brooklyn with his wife and kids, and enjoys naps and... Read More →

Wednesday October 26, 2022 11:55am - 12:30pm EDT
420 AB
  Security + Identity + Policy