Session 2.7e Tutorial: Sigstore - A New Standard for Software Supply-chain Security in Defence Environments
Wednesday, November 15, 2023 | 2:30 PM - 3:30 PM | Sutherland Theatre
Managing software supply-chain risk is critically important for Defence environments. Software supply-chain compromise is a credible intrusion vector into Defence networks and one that cyber threat actors increasingly target: industry reporting from 2022 (Sonatype's State of the Software Supply Chain report) found an average 742% annual increase in software supply-chain attacks over the preceding three years.
Software signing and attestation are core components of software supply-chain security. They help organisations like Defence answer critical information requirements about software: who created it, and how was it built? Historically, software signing has been hard for organisations to adopt, because distributing signed and verifiable software required a deep understanding of cryptography, long-lived key management and concepts like non-repudiation.
Sigstore is an open-source project designed to make software signing and attestation accessible to all organisations, including Defence projects and Small and Medium Enterprises (SMEs). It does this by providing a set of common services and standards: a tamper-evident, append-only transparency log of signing metadata that anyone can independently audit (Rekor), and a "keyless" signing service that issues short-lived signing certificates bound to an OpenID Connect identity (Fulcio), so that no long-lived private keys need to be generated, stored or distributed. This session gives a practical introduction to Sigstore and shows how Defence projects and SMEs can use it to better understand and manage supply-chain risk.
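The keyless sign, attest and verify workflow described above, as an added example for this listing (not code from the session or from the Sigstore project), using the cosign and rekor-cli command-line tools. The image reference, signer identity and OIDC issuer are hypothetical placeholders; the cosign and rekor-cli calls need network access to Fulcio, Rekor and the registry when actually run, so they are only invoked when RUN_SIGSTORE_DEMO=1 is set. The one check that runs offline, require_digest, enforces the caveat that a signature is only meaningful on an immutable digest reference, never on a mutable tag.

```shell
#!/bin/sh
# Added example, not code from the talk or the Sigstore project.
# Keyless sign/attest/verify of a container image with cosign v2 and audit via rekor-cli.
# Assumptions (hypothetical, adjust for your environment): the identity, issuer and
# image reference below; cosign >= 2.0 and rekor-cli installed; network access to
# Fulcio, Rekor and the registry when the demo section actually runs.
set -eu

# Verification policy: keyless certificates are short-lived and bound to an OIDC identity,
# so the verifier MUST pin both the expected identity and the issuer. Without this, any
# certificate Fulcio ever issued to anyone would satisfy `cosign verify`.
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/example-org/example-app/.github/workflows/release.yml@refs/tags/v1.2.3}"  # hypothetical workflow identity
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"  # GitHub Actions OIDC issuer

# Only accept digest references. A tag such as app:latest is mutable, so a signature on it
# says nothing about what that tag resolves to tomorrow; cosign itself warns about this.
# Returns 0 for registry/repo@sha256:<64 lowercase hex>, 1 for anything else.
require_digest() {
  case "$1" in
    *@sha256:*)
      digest="${1##*@sha256:}"
      [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
      ;;
    *) return 1 ;;
  esac
}

# Sign: obtains an OIDC token (browser flow, or the ambient token in CI), gets a short-lived
# certificate from Fulcio, signs the image, and records signature + certificate in Rekor.
sign_keyless() {
  require_digest "$1" || { echo "refusing to sign non-digest reference: $1" >&2; return 1; }
  cosign sign --yes "$1"
}

# Attest: attach an SPDX SBOM ($2, a JSON file) as an in-toto attestation, also logged in Rekor.
attest_sbom() {
  require_digest "$1" || return 1
  cosign attest --yes --predicate "$2" --type spdxjson "$1"
}

# Verify the signature against the pinned identity and issuer. cosign also checks that the
# Rekor entry exists and that the certificate was valid at the time of logging, which is
# what lets a certificate that expired minutes after signing still verify today.
verify_keyless() {
  require_digest "$1" || return 1
  cosign verify \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$1"
}

# Verify the SBOM attestation with the same identity policy.
verify_sbom_attestation() {
  require_digest "$1" || return 1
  cosign verify-attestation --type spdxjson \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$1"
}

# Independent audit: fetch a transparency-log entry by the log index that cosign verify
# reports ("tlog entry verified with uuid: ... index: N"), without trusting cosign's output.
audit_rekor() {
  rekor-cli get --log-index "$1"
}

if [ "${RUN_SIGSTORE_DEMO:-0}" = "1" ]; then
  IMAGE="${IMAGE:?set IMAGE to a digest reference, e.g. registry.example.com/app@sha256:...}"
  sign_keyless "$IMAGE"
  verify_keyless "$IMAGE"
fi
```

If the signer identity varies (for example every release tag), use cosign's --certificate-identity-regexp instead of --certificate-identity, but keep the regular expression anchored and keep --certificate-oidc-issuer pinned; the issuer is what stops a same-named identity at a different identity provider from being accepted.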
Speaker/s
Mr Shane Boulden
Principal Solution Architect
Red Hat
Shane Boulden is a Red Hat Principal Solution Architect and enables Australian and New Zealand organisations to better manage risk, from public cloud environments to the edge. He has a background in military intelligence and supports bringing open source innovation to security problem sets.