Details
You’ve started to shift security left in order to catch security issues earlier in development, but are you using trusted, verified open source software components when writing your code? Are you signing your code commits and image builds so deployment tooling and processes can verify authenticity with auditable components?
In this session, we discuss steps to trust – but verify – the same open source software packages you have come to rely on. You will see how to stay ahead of regulatory and compliance standards and leave this talk with a deeper understanding of how to access a curated content repository library with provenance and attestations that are maintained to SLSA standards and more!
Agenda
Identify source code transitive dependencies and vulnerabilities for both in-house and COTS applications from a local IDE
Digitally sign code commits as well as images, storing attestations of the build pipeline that can then be shared and reused.
Verify keyless-signed git commits against an immutable ledger to validate the artifact metadata
Manage, monitor and analyze relationships with your security metadata (SBOMs, VEXs)
Presenters:
Jesse Davis
Chief Technologist, DZone
Sudhir Prasad
Dir. Product Management, Red Hat
Brian Fox
CTO and Co-Founder, Sonatype