Come see us at CloudNativeSecurityCon in Seattle Feb 1-2!

Sarah O'Rourke, Communications Director
January 27, 2023

We’re excited to be in Seattle next week for CloudNativeSecurityCon NA 2023. Find us at Booth S12 on February 1 and 2 for a personalized demo of Chainguard Enforce and Chainguard Images, or chat with our experts on all things software supply chain, cloud native, and open source security. 

We’ll also be hosting a special meet and greet at our booth next week.. Stop by to meet the team and ask all your burning questions about SBOMs, cloud-native and container security, software supply chain tools, and more. 

  • Thursday, February 2 @ 12:15 - 1:15 PM PST: Stop by the booth for an in-person meet and greet with Chainguard Founders Kim Lewandowski, Matt Moore and Ville Aikas. Learn about what’s new at Chainguard and where we’re headed in 2023.

Here’s a look at where you can find the Chainguard team at scheduled conference talks and sessions. 

Chainguard Talks @ CloudNativeSecurityCon

Wednesday, February 1 

1:55 - 2:30 PM PST

Cloud Native Security Landscape: Myths, Dragons and Real Talk

Chainguard Co-Founder and Head of Product Kim Lewandowski, @kimsterv, will participate in a panel with industry leaders from Google, Sysdig, and Snyk where they will take a look at the fast-paced landscape and discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include:

  • From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud-native, what are the most important projects to know about?
  • It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
  • What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?

View the recording here.

2:15 PM PST

Lighting Talk! Securing Your Source Repositories: 5 Tips to Get Started!

Chainguard Staff Software Engineer Billy Lynch, @wflynch, will give a lighting talk covering source repositories and how they are a critical piece of your software supply chain. Learn about the key basics for getting started with securing repositories, how you can enable them in your own organizations, and next steps you can take.

View the recording here.

3:50 - 4:25 PM PST

Who Are You? I Really Want to Know What's Behind OICD

Open ID Connect, or OIDC, is a mechanism for identity authentication. It is built on top of OAuth 2.0 and is used to establish and verify the identity of a user or service. OIDC is used throughout the cloud native community for workload identity federation. In this talk, learn from Chainguard Software Engineer Eddie Zaneski, @eddiezane, the ins and outs of how OIDC works. The talk will also show examples of what's possible with OIDC from open source projects like Kubernetes, SPIFFE/SPIRE, and Sigstore.

View the recording here.

Thursday, February 2 

3:50 - 4:25 PM PST

Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Chainguard’s Zachary Newman will show how you can investigate, securely, using tools like Sigstore to make signing easy and CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. 

View the recording here.

4:40 - 5:15 PM PST

"Keyless" Code Signing Without Fulcio

Sigstore's certificate authority Fulcio has popularized the idea of "keyless" signing. The keyless method makes signing hassle free by removing the need to manage private keys. Do you need to run Fulcio yourself if you want the same convenient signing flow, but you want your own trust root? No! In this talk, Chainguard Software Engineer Nathan Smith will walk through what keyless signing really means and how to configure existing PKI solutions like Vault and stepca to use it.

View the recording here.

Reach out to our team to learn more or to schedule a conversation ahead of CloudNativeSecurityCon.

We can’t wait to see everyone there!

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.