In-person + Virtual
October 24-28
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Daylight Time (UTC -4). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Back To Schedule
Thursday, October 27 • 11:00am - 11:35am
It's Dangerous To SLSA Alone Out There! Take This Artifact Knowledge Graph! - Mihai Maruseac, Google & Michael Lieberman, Independent

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient. Instead, we need to think about: “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. However, these documents observed individually provide limited information, but when put together and related, super-additively expand the knowledge base of our software supply chain. We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier, but also make new discoveries. For example, we found that most build-systems rely not only on obvious dependencies like gcc, but often overlooked projects like libpcre and sed.

avatar for Michael Lieberman

Michael Lieberman

Co-founder and CTO, Kusari
Michael Lieberman is a technologist focused on cybersecurity transformations. Recently he has been focused on work within the software supply chain security space. He is an OpenSSF SLSA steering committee member, and tech lead for the CNCF Security Technical Advisory Group (STAG... Read More →
avatar for Mihai Maruseac

Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, mainly on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) withing Machine... Read More →

Thursday October 27, 2022 11:00am - 11:35am EDT
420 AB
  Security + Identity + Policy