Open Source Summit Europe 2024

In the evolving landscape of software development, ensuring the integrity of build artifacts like container images is crucial. In this talk, we'll demonstrate how to use GitHub's Build Provenance API to generate SLSA attestations and create robust policies for your artifacts, verifying their origin and authenticity. We'll examine the contents and significance of these attestations and discuss how to integrate them into your CI/CD pipelines. Additionally, we'll explore using Minder to monitor and enforce these policies across your repositories, ensuring these attestation practices do not degrade over time. We’ll also show how combining these tools can safeguard even in the event of someone else gaining access and pushing a malicious image to your container registry. By the end of this session, you'll have a good understanding of how open source tools like Sigstore, in-toto, SLSA, TUF, and Minder can collectively strengthen the security of the software supply chain. You'll gain practical insights into setting up artifact attestations with GitHub's API and establishing tailored policies with Minder to protect your development processes against vulnerabilities.

When considering open source software that you include in your products, engaging with your upstream is a more robust and resilient way to gauge your security risks than relying on outsourcing your trust modeling to metrics and GitHub stars. Becoming a partner to your upstream community helps you build more secure software and create the relationships you'll need if there's ever an attack. Plus community engagement has a lot of follow-on benefits for the way your company makes use of open source. This talk covers how to keep surprises to a minimum by engaging with your upstream communities. We'll look at several ways to gracefully go from "who the heck is in charge of that code" to being an open source insider that always knows what’s going on with your upstream partners. We'll also look at how to identify red flags at projects that you may not want to rely on.

We won! Open source software is everywhere... so now what? Shifting left starts at the beginning – ensuring the security of open source software requires careful evaluation, use, and contribution. This talk will cover some important challenges in securely consuming open source software. Attendees will learn to evaluate projects based on active maintenance, patch cycles, and vulnerability management. We will explore the role of project documentation, code contribution expectations, and community involvement in project maturity and code quality, as well as tools and community guidance. Walk away with the beginnings of a practical framework and checklist that you can mold to your own needs.

As modern platforms integrate an increasing array of tools, so too grows the complexity of software dependencies within your codebase. While mainstream dependencies like Docker images, Terraform and NPM packages are well-covered by existing solutions, what about the myriad obscure or custom tooling, perhaps even manually installed binaries lurking in your Dockerfiles? In this session, we'll unveil an Open Source solution designed to systematically extract data from diverse toolsets. Learn how to effectively catalog, track, and maintain these dependencies, eliminating blind spots and ensuring robustness in your development workflow.