diff --git a/posts/devops-finland-practical-software-supply-chain-security.md b/posts/devops-finland-practical-software-supply-chain-security.md new file mode 100644 index 0000000..ec36e33 --- /dev/null +++ b/posts/devops-finland-practical-software-supply-chain-security.md @@ -0,0 +1,57 @@ +--- +type: Event +title: A practical take on Software Supply Chain Security +subheading: A talk at DevOps Finland on the SLSA framework, SBOM (Software Bill of Materials) and the current state of software supply chain security in general. +authors: +- mvainio +tags: +- devsecops +date: 2024-06-19 +image: "/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.png" +featured: false +--- + +**A talk at DevOps Finland on the SLSA framework, SBOM (Software Bill of Materials) and the current state of software supply chain security in general.** + +## Abstract + +A practical take on the SLSA framework, SBOM (Software Bill of Materials) and the current state of software supply chain security in general. Instead of a deep dive, this talk focused on why should you care about supply chain security and what concrete steps can be taken to improve your security posture. + +## What’s covered? + +- Current state of software supply chain security +- SBOM (Software Bill of Materials) +- SLSA framework (Supply-chain Levels for Software Architects) +- Example of Provenance and Signing with GitHub Actions + + +

Oops! Your browser does not support PDFs. Download the slides instead. +

+ +Download presentation. + +## Links + +[DevOps Finland meetup](https://www.meetup.com/devops-finland/) + +[Software Supply Chain Best Practices by CNCF](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) + +[9th Annual State of the Software Supply Chain by Sonatype](https://www.sonatype.com/state-of-the-software-supply-chain/Introduction) + +[Supply Chain Threats, SLSA](https://slsa.dev/spec/v1.0/threats-overview) + +[SLSA Provenance, SLSA](https://slsa.dev/spec/v1.0/provenance) + +[Sigstore - signing, verification and provenance checks](https://www.sigstore.dev/how-it-works) + +[Google Cloud Build Build Provenance](https://cloud.google.com/build/docs/securing-builds/view-build-provenance) + +[GUAC](https://github.com/guacsec/guac) + +--- + +If you need help optimising your software development and continuous delivery processes, don’t hesitate to [**get in contact with us!**](https://verifa.io/contact/) diff --git a/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.pdf b/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.pdf new file mode 100644 index 0000000..cb619c1 Binary files /dev/null and b/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.pdf differ 
diff --git a/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.png b/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.png new file mode 100644 index 0000000..afcbcbd Binary files /dev/null and b/static/blog/devops-finland-meetup-practical-software-supply-chain-security-talk/devops-finland-practical-software-supply-chain-security.png differ
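Review bot: the expansion of SLSA in the "What's covered?" list of the new post is wrong: the framework is "Supply-chain Levels for Software Artifacts", not "Software Architects" (the slsa.dev spec pages linked further down in the same file use the former). Suggest changing that bullet to `- SLSA framework (Supply-chain Levels for Software Artifacts)`. Two smaller points in the same hunk: in the Abstract, "why should you care about supply chain security" is a direct question embedded in an indirect clause and should read "why you should care about supply chain security"; and the bold opening paragraph repeats the `subheading` front-matter value verbatim, so if the site template already renders the subheading, the bold line will appear twice on the page.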