We’re excited to be in Detroit next week for KubeCon + CloudNativeCon NA 2022! Find us at Booth SU48 throughout the week where we’ll have demos of Chainguard Enforce and Chainguard Images, a #Chaingourd pumpkin contest, swag and convos with our experts on all things software supply chain, cloud native and open source security. We’ll also be sponsoring the first-ever SigstoreCon co-located day and speaking during Cloud Native SecurityCon.
The fun doesn’t stop there. We’re partnering up with our friends at Defense Unicorns, Acorn Labs, and VivSoft to host PartyCon. Join us at the International Banquet & Conference Center for arcade games, Detroit-style pizza and maybe even a little SLSA (salsa!) dancing on Wednesday, October 26 at 8pm! RSVP here.
Here’s where you can find Chainguardians throughout the week:
Talks @ Cloud Native SecurityCon
Monday, October 24
1:25pm - 1:55pm EST
Building Images for the Secure Supply Chain: Chainguard Product Manager Adrian Mouat (@adrianmouat) will talk about the latest tools and practices for building secure images for your software supply chain. He’ll cover everything from how to improve your SLSA level, the benefits of minimal container images, and how to use apko to build images with SBOMs from the start.
Tuesday, October 25
11:35am - 11:45am EST
Source Attestations with Gitsign: Chainguard Staff Software Engineer Billy Lynch (@wflynch) will go over attaching attestations to source code with Git. The talk will also show how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Talks @ SigstoreCon
Tuesday, October 25
9:25am - 9:30am EST
Signing Git Commits with Gitsign (Sponsor keynote): In this keynote, Priya Wadhwa (@priyawadhwa16), Chainguard software engineer and member of Sigstore’s Technical Steering Community, will highlight Sigstore's newest tool, gitsign, and how you can get started signing and verifying git commits with gitsign today.
1:30pm - 1:55pm EST
Life of a Sigstore Signature: Chainguard’s Zachary Newman, Software Engineer, and Jed Salazar (@sys_call), Security Architect, will break down the Kubernetes SIG-release announcement and explain how the adoption of Sigstore code signing by official Kubernetes container images protects the supply chain of millions of downstream users. They will cover what this process entails, from encountering keyless code signing to configuring an admission controller as a signing security policy for your clusters.
Talks @ KubeCon
Wednesday, October 26
11:00am - 11:35am EST
How SIG Release Cooks Trustworthy Artifacts From Raw Source Code: Chainguard Staff Software Engineers Carlos Panato (@comedordexis) and Adolfo García Veytia (@puerco) will sit down with other industry leaders from Microsoft and Red Hat for a Kubernetes Special Interest Group (SIG) Release update to provide a quick overview of the latest SIG Release, highlight recent accomplishments, share an updated roadmap and discuss their continued efforts to move toward full SLSA (Supply-chain Levels for Software Artifacts) compliance.
11:55am - 12:30pm EST
Securing the IaC Supply Chain: Chainguard Engineer Jason Hall (@ImJasonH) and Autodesk Senior Principal Engineer Jesse Sanford will discuss how many of the same threats posed to software supply chains are also threats to our IaC ecosystems. This talk will cover the application of software supply chain security principles to modern IaC pipelines.
5:25pm - 6:00pm EST
Kubernetes SIG CLI: Intro And Updates: Join Chainguard Software Engineer Eddie Zaneski (@eddiezane), Google Software Engineer Sean Sullivan and Shopify Senior Staff Software Developer of Production Engineering Katrina Verey for a special panel Q&A and presentation on the SIG CLI, the special interest group for the command line tooling of the Kubernetes project. They will share the work done over the past year and an introduction to the kuberc KEP for defining user preferences.
Thursday, October 27
11:00am - 11:35am EST
“Why Can’t Kubernetes Devs Just Add This New Feature? Seems So Easy!”: Chainguard Staff Software Engineer Carlos Panato (@comedordexis) and VMware Staff Engineer Ricardo Katz will present how a new feature gets into Kubernetes and, most importantly, why the timeline is the way it is. Viewers will take away some simple scenarios for understanding what this review process is and what problems were caught in some real-life feature request reviews, along with other examples of features that were promoted and have since become a problem, to understand why they reached this status.
3:25pm - 4:00pm EST
Hack Back; Let's Learn Security with CTFs!: Chainguard Security Architect Lewis Denham-Parry (@denhamparry) and Natalie Reka Ivanko, Security Engineer at Isovalent, will discuss a framework for your own internal CTF events, with Red and Blue Team assessments, as a best practice for improving security in your organization through a hands-on, live walkthrough of the top 3 state-of-the-art attack scenarios as CTF exercises using common open source projects like Simulator and Tetragon.
5:25pm - 6:00pm EST
It’s Complicated: Relationships Between Objects In OCI Registries: Chainguard Software Engineer Josh Dolitsky and Microsoft Principal Group Engineering Manager Sajay Antony will discuss how the limitations of the current OCI spec are causing people to come up with all sorts of wild hacks to connect objects in a registry. For example, tools like cosign push image signatures to the registry using a long, cryptic tag suffixed with “.sig”. To solve this issue, all of the major registries have come together to form the OCI Reference Types Working Group, which is tasked with determining how to describe and query relationships between objects stored in an OCI registry. They will describe the ways in which the OCI plans to address these topics with backwards compatibility in mind and share details about various challenges and techniques used within the working group to successfully bring people together to agree on changes to a critical spec that hasn’t been modified for years.
Friday, October 28
11:00am - 11:35am EST
Understanding the Future of Ingress-nginx: Chainguard Lead Solution Architect James Strong (@strongjz) and VMware Staff Engineer Ricardo Katz will present the survey results from the latest Ingress-nginx community survey. The survey's goal was to know what the group should be doing for future releases and how to prioritize features, bugs, or other issues important to the community. This talk will examine the current status of the stabilization project and invite community members and users to join us to discuss the future of the ingress-nginx project.
2:00pm - 2:35pm EST
What Data Tells Us About Software Supply Chain Security & What To Do About It: Join Chainguard’s Head of Open Source Tracy Miranda (@tracymiranda) and other industry leaders for an all-star panel of experts who will examine a number of key data points from recent surveys and reports and provide immediate, actionable steps organizations and projects can take to improve the security of their software. Session attendees will gain insights that can be used to make a business case or to implement critical projects to secure their software supply chain.
See Chainguard in action!
We’ve been busy over the last few months building out our product portfolio and community-driven resources for securing the software supply chain. Our belief is that you don't fix a weak link in a chain by bolting a strong link on after it. Securing the software supply chain begins with developers and permeates every link of the chain through to production.
Come to our booth for demos of Chainguard Enforce, our comprehensive software supply chain risk management solution for organizations that allows you to define and administer policies to protect your Kubernetes environments from supply chain threats. We’ll also show hands-on demos of Chainguard Images, our set of distroless, minimal container images that are secure by default: signed by Sigstore, and include SBOMs and provenance information, thanks to Wolfi—our Linux (un)distro built for the software supply chain. Our images come with enterprise-grade support for easy compatibility and vulnerability patching SLAs to save time when dealing with scan results.
Chainguard Images and Chainguard Enforce represent two critical links in the software supply chain (the first and last), which we have cast to be incredibly strong endpoints of this chain, and we will build on these strong foundations to strengthen each and every link end-to-end. Don’t miss this opportunity to see them in action at our Booth SU48.
Educating the community and industry on best practices and tooling for software supply chain and open source security is a big part of our mission to make the software supply chain secure by default. That’s why we recently launched Chainguard Academy, the first open source and interactive educational platform designed for software supply chain security. This growing and comprehensive education platform will deliver all the resources developers and technology leaders need to get up to speed with software security tooling and recommendations. Visit our booth to learn how you can get started with Chainguard Academy courses and more!
To get in touch with our team ahead of KubeCon to set something up, reach out here. We’ll also have a dedicated channel, #6-kubecon-chainguard, on the CNCF's Slack during KubeCon where you can ask all your Chainguard questions or share your feedback!
Can’t wait to see everyone in person and virtually next week!