KubeCon + CloudNativeCon North America 2022 (In-person + Virtual), October 24-28
Thursday, October 27 • 11:00am - 11:35am
It's Dangerous To SLSA Alone Out There! Take This Artifact Knowledge Graph! - Mihai Maruseac, Google & Michael Lieberman, Independent


By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient. Instead, we need to think about: “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. Observed individually, these documents provide limited information; put together and related, they super-additively expand the knowledge base of our software supply chain. We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier, but also make new discoveries. For example, we found that most build systems rely not only on obvious dependencies like gcc, but also on often-overlooked projects like libpcre and sed.

Michael Lieberman

Chief Technology Officer, Kusari
Michael Lieberman is a Chief Technology Officer at Kusari focused on technology transformation, especially with regards to cloud native architectures, technologies and migrations. Most recently he has been focused on work within the software supply chain security space. He is co-chair...
Mihai Maruseac

Staff SWE, Google
Mihai Maruseac got a PhD in Differential Privacy (DP) from UMass Boston after which he worked at LeapYear incorporating ML and DP. He joined Google to drive TensorFlow Security forwards and, after 4 years, recently joined the Google OSS Security team (GOSST).

Thursday October 27, 2022 11:00am - 11:35am EDT
420 AB
Security + Identity + Policy