Come see us at CloudNativeSecurityCon in Seattle Feb 1-2!

Sarah O'Rourke, Communications Director
January 27, 2023

We’re excited to be in Seattle next week for CloudNativeSecurityCon NA 2023. Find us at Booth S12 on February 1 and 2 for a personalized demo of Chainguard Enforce and Chainguard Images, or chat with our experts on all things software supply chain, cloud native, and open source security. 

We’ll also be hosting a special meet and greet at our booth next week. Stop by to meet the team and ask all your burning questions about SBOMs, cloud-native and container security, software supply chain tools, and more.

  • Thursday, February 2 @ 12:15 - 1:15 PM PST: Stop by the booth for an in-person meet and greet with Chainguard Founders Kim Lewandowski, Matt Moore and Ville Aikas. Learn about what’s new at Chainguard and where we’re headed in 2023.

Here’s a look at where you can find the Chainguard team at scheduled conference talks and sessions. 

Chainguard Talks @ CloudNativeSecurityCon

Wednesday, February 1 

1:55 - 2:30 PM PST

Cloud Native Security Landscape: Myths, Dragons and Real Talk

Chainguard Co-Founder and Head of Product Kim Lewandowski, @kimsterv, will participate in a panel with industry leaders from Google, Sysdig, and Snyk where they will take a look at the fast-paced landscape and discuss where you should pay attention, what's real now, and what's coming in the future. Topics will include:

  • From design-time to run-time: security is a multi-layer concern. All along the software development lifecycle, progress is being made in securing cloud native. What are the most important projects to know about?
  • It's about the people, naturally: we're being told to "shift left" security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
  • What is real, what is myth? The field is full of hot takes, from grand ideas that won't take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?

View the recording here.

2:15 PM PST

Lightning Talk! Securing Your Source Repositories: 5 Tips to Get Started!

Chainguard Staff Software Engineer Billy Lynch, @wflynch, will give a lightning talk covering source repositories and how they are a critical piece of your software supply chain. Learn about the key basics for getting started with securing repositories, how you can enable them in your own organizations, and next steps you can take.

View the recording here.

3:50 - 4:25 PM PST

Who Are You? I Really Want to Know What's Behind OIDC

OpenID Connect, or OIDC, is a mechanism for identity authentication. It is built on top of OAuth 2.0 and is used to establish and verify the identity of a user or service. OIDC is used throughout the cloud native community for workload identity federation. In this talk, learn from Chainguard Software Engineer Eddie Zaneski, @eddiezane, the ins and outs of how OIDC works. The talk will also show examples of what's possible with OIDC from open source projects like Kubernetes, SPIFFE/SPIRE, and Sigstore.

View the recording here.

Thursday, February 2 

3:50 - 4:25 PM PST

Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Chainguard’s Zachary Newman will show how you can investigate, securely, using tools like Sigstore to make signing easy and CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. 

View the recording here.

4:40 - 5:15 PM PST

"Keyless" Code Signing Without Fulcio

Sigstore's certificate authority Fulcio has popularized the idea of "keyless" signing. The keyless method makes signing hassle-free by removing the need to manage private keys. Do you need to run Fulcio yourself if you want the same convenient signing flow, but you want your own trust root? No! In this talk, Chainguard Software Engineer Nathan Smith will walk through what keyless signing really means and how to configure existing PKI solutions like Vault and step-ca to use it.

View the recording here.

Reach out to our team to learn more or to schedule a conversation ahead of CloudNativeSecurityCon.

We can’t wait to see everyone there!
