October 11, 2021
Los Angeles, California + Virtual

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2021 - Los Angeles, CA + Virtual and add this Co-Located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.



IMPORTANT NOTE: Timing of sessions and room locations are subject to change through Monday, September 13 due to schedule changes that will be made as speakers finalize whether speaking in person or virtually.


Monday, October 11
 

9:00am PDT

Welcome and Kickoff! - Dan Lorenc, Chainguard
Speakers

Dan Lorenc

CEO, Chainguard
Dan has been working on and worrying about containers since 2015 as an engineer and manager. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he partnered up with Kim and others to f...


Monday October 11, 2021 9:00am - 9:10am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

9:10am PDT

Keynote: Approaching the SBOM: Best Practice for Software Supply Chain Security - Daniel Nurmi, Anchore
The software bill of materials (SBOM) has quickly become a critical foundation for software supply chain security. Gaining the ability to see and process the full picture of all software components included in your applications is the first step in preventing vulnerabilities and malware from reaching production systems.

The recent United States Executive Order on Improving the Nation's Cybersecurity details the need for software producers to supply SBOMs, as well as maintaining controls on the provenance of software components and tools. The U.S. NTIA has subsequently released minimum elements for a compliant SBOM. This highlights the important role of an SBOM for open source projects, whether they are incorporated in software applications or used as part of the development toolchain.

Multiple Linux Foundation and CNCF projects including SPDX, In-Toto, and SigStore are providing critical frameworks and specifications designed to advance the security of the software supply chain.

This session will explore best practices for generating SBOMs for both open source projects and software producers. We will share insights and lessons learned from creating SBOMs for CNCF projects using Syft, an open source SBOM generator, and predict how we see the role of the SBOM in securing software supply chains evolving over time.

Speakers

Daniel Nurmi

CTO, Anchore Inc.



Monday October 11, 2021 9:10am - 9:20am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

9:20am PDT

Keynote: Software Supply Chains for DevOps - Aysylu Greenberg, Google
Several recent high-profile security incidents were due to compromised software supply chains. Software Supply Chain is a collective term used to describe the stages of software lifecycle from source to deployment through CI/CD pipelines, and all the static and dynamic analyses in between. In the world of microservices and cloud computing, trust in your company’s supply chain is critical, as most of the tooling and dependencies are from open source and vendor projects. When the code hits production, it’s essential to have enough observability to detect and investigate the problem and get to the root cause and mitigation as quickly as possible. With software supply chain attacks, not only is the newly deployed code under suspicion, but also all the tooling used to produce it becomes a potential attack vector, so an efficient and effective way to verify the integrity of the supply chain is paramount. This talk will discuss what information needs to be collected to allow DevOps to inspect and verify the integrity of the supply chain, the challenges of having the right level of detail to reduce mean-time-to-detection and mean-time-to-understanding, some of the existing solutions and open problems in this space.

Speakers

Aysylu Greenberg

Senior Software Engineer, Google
Aysylu Greenberg is the Tech Lead of GCP Container Analysis, focusing on the software supply chain integrity and security. In her spare time, she ponders the design of systems that deal with inaccuracies, enthusiastically reads CS research papers, and paints.



Monday October 11, 2021 9:20am - 9:30am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

9:30am PDT

Keynote: Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack - Trevor Rosen, SolarWinds
As you're no doubt aware, SolarWinds was hit in December 2020 with a sophisticated supply chain attack perpetrated by nation state actors. In the months since, they've been working to create an entirely new build system based on a number of CNCF and CDF projects. In this talk, you'll learn about what they're building, why it's necessary, and what it's like to be on the inside when the unthinkable happens.

Speakers

Trevor Rosen

Principal Architect, SolarWinds
Trevor is a Principal Architect in the SaaS group at SolarWinds. He loves talking about containers, K8s, and infosec. Trevor lives in Austin with his family and too many electric guitars.



Monday October 11, 2021 9:30am - 10:10am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

10:10am PDT

BREAK
Monday October 11, 2021 10:10am - 10:30am PDT
403 Foyer Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

10:30am PDT

Keynote: Security of the Open Source Supply Chain, a Call to Action - Luke Hinds, Red Hat
Open source is everywhere and software is eating the world. However, we now face serious challenges within the security of our software and its supply chain from code commit to production. For this talk, Luke Hinds will outline the current immediate threats and what can be done by us as a community to address the risks we face by harnessing Open Source tooling and open transparent development models.

Speakers

Luke Hinds

Security Lead, Office of the CTO, Red Hat
Luke Hinds works in the Emerging Technologies department of the CTO office, where he leads a team of talented engineers focused on the development of cutting edge security technologies. He has worked in Open Source for 20 years, since the early days of ipfilter in the Linux Kernel...


Monday October 11, 2021 10:30am - 10:40am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

10:40am PDT

The State of SBOMs - Moderated by Dan Lorenc, Chainguard; Allan Friedman, US Government; Nisha Kumar, VMware & Frederick Kautz, LF Public Health
Moderators

Dan Lorenc

CEO, Chainguard

Speakers

Nisha Kumar

Senior Open Source Engineer, VMware
Nisha is a Senior Open Source Engineer at VMware and the technical lead for container packaging and distribution. She has been a DevOps engineer for embedded systems and a Radio Frequency Engineer in semiconductor manufacturing. She has been involved in Open Source for more than 15...

Frederick Kautz

AI Chief and Enterprise Architect, Anthem
Frederick Kautz is a leader in Open Source health care, connecting people and organizations to solve fundamental data sharing problems that strengthen security and patient privacy. He currently leads multiple cross-organizational teams to deliver on this vision. He is also a strong...

Allan Friedman

Senior Advisor and Strategist, CISA
Allan Friedman is the guy who won’t shut up about SBOM at the Cybersecurity and Infrastructure Security Administration. He coordinates the global cross-sector community efforts around software bill of materials (SBOM), and works to advance its adoption inside the US government...


Monday October 11, 2021 10:40am - 11:20am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

11:20am PDT

Whose Sign Is It Anyway? - Marina Moore, NYU & Matthew Riley, Google
Code signing is the security foundation of the software supply chains we rely on every day. But if you let yourself think about it for too long -- like we have -- it starts to seem weird that we’re so sure a random download won’t steal our credentials or ransom our data just because someone, somewhere happened to choose a very special point on an elliptic curve.

In this talk, we will explore what a digital signature really means -- and what it doesn’t. We’ll look at the implications of policy choices around key handling, what gets signed, and when we call a signature "valid". And we’ll dive so deeply into the very idea of identity that you may begin to question the nature of your reality.

Speakers

Marina Moore

PhD Student, NYU
Marina is a PhD student at NYU doing research on secure software updates and supply chain security. She works on putting these ideas into practice with projects like The Update Framework (TUF), Uptane, and more.

Matthew Riley

Software Engineer, Google
Matt works on Kubernetes security at Google. His previous work has involved various combinations of container infrastructure, platform security, code integrity, and applied cryptography.



Monday October 11, 2021 11:20am - 11:50am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

11:50am PDT

Supply Chain Security with the Jenkins Templating Engine! - Steven Terrana, Booz Allen Hamilton
In this talk, Steven will provide a comprehensive introduction to DevSecOps. He'll help attendees get past the buzzwords and demystify the various kinds of software security scanning that teams can incorporate into their software delivery processes to shift-left security. Equally important - you'll then learn how to apply these principles at scale using the Jenkins Templating Engine to develop tool-agnostic pipelines that can be shared across teams.

Speakers


Monday October 11, 2021 11:50am - 12:20pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

12:20pm PDT

1:35pm PDT

5G and Challenges with Software Supply Chain Security - Fatih Degirmenci, Ericsson
New technologies such as cloud, containers, and virtual and cloud native network functions are driving tremendous advances in the telecommunications industry.
With the help of these technologies, the 5G networks currently being rolled out around the world are developed rapidly in a heavily disaggregated manner, allowing communications service providers to introduce new services to their users much faster than before.

However, these new technologies and the resulting disaggregation are not without their challenges, and the security of the software supply chain is one of them.
The components that make up 5G networks originate from multiple sources, including but not limited to vendors and open source communities, pass through many integration points, and are deployed into different environments such as public and private clouds, increasing the risk of breaking the chain of trust.

This session will give a short overview of the next generation telecommunications networks, highlight the challenges, and talk about the opportunities to tackle them in a collaborative manner.

Speakers

Fatih Degirmenci

Principal Developer, Ericsson Software Technology
Fatih specialises in automation, infrastructure, CI/CD, and DevOps and is currently involved in several CI/CD initiatives across Ericsson and within open source. He has previously served in the OPNFV Technical Steering Committee as a committer-at-large representative and has led the...



Monday October 11, 2021 1:35pm - 1:50pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

1:50pm PDT

PyPI Supply Chain Security - Dustin Ingram, Python Software Foundation
The Python Package Index (PyPI) is one of the oldest software repositories for a language ecosystem and the canonical place to publish Python code. It serves more than 2 billion requests a day, and is almost entirely supported by volunteers and the non-profit Python Software Foundation.

In this talk, we'll review some recent supply-chain attacks and how they relate to PyPI specifically. In addition, we'll take a look at some in-progress projects to make PyPI more resilient, secure and sustainable.

Speakers

Dustin Ingram

Director, Python Software Foundation



Monday October 11, 2021 1:50pm - 2:05pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

2:05pm PDT

An Overview on SLSA - Tom Hennen, Google & Joshua Lock, VMware
SLSA – Supply-chain Levels for Software Artifacts – introduces a comprehensive methodology to prevent tampering with the software supply chain.  To illustrate the impact of SLSA, we follow a few gremlins as they try to introduce malicious code into a container image used by thousands of projects.  At each step of the supply chain we show how SLSA controls raise the cost of attack, preventing the gremlins from causing any harm.

Speakers

Joshua Lock

Open Source Engineer, VMware
Joshua is a maintainer of The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA) projects. He works at VMware as the security team lead in their Open Source Technology Center. In a past life he spent many years working on and with the Yocto Project. Joshua...

Tom Hennen

Software Engineer, Google
Tom is a maintainer of the Supply-chain Levels for Software Artifacts (SLSA) project. He works at Google as a tech lead for their internal supply chain integrity team. He previously worked in the defense industry where he was the Principal Investigator for a DARPA STAC red team...



Monday October 11, 2021 2:05pm - 2:35pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

2:35pm PDT

State of the Art Supply Chain Security (in-toto, TUF, and SigStore) - Trishank Karthik Kuppusamy, Datadog; Asra Ali, Google & Santiago Torres-Arias, Purdue University
In this talk, we’ll explore the complementary roles that TUF, in-toto, and SigStore play in creating a transparent hack-proof software supply chain that thwarts man-in-the-middle attacks anywhere between developers and end-users. The talk will build off the basics of using in-toto and TUF together to deliver hack-proof updates, especially how it was done for the first time in the industry at Datadog, and then going the extra mile with SigStore. We’ll see how SigStore’s transparent and auditable model holds publishers accountable in this system. Finally, we’ll see a real example of the whole stack in action for the first time with Datadog’s integration, and show just how easy it is to adopt yourself!

Speakers

Trishank Karthik Kuppusamy

Staff Security Engineer / Engineering Manager, Datadog
Trishank Karthik Kuppusamy is a Staff Security Engineer / Engineering Manager at Datadog, where he designed and implemented the industry's first-known, publicly-verifiable Solarwinds-proof software supply chain for the Datadog Agent integrations in 2018. He has been and remains heavily...

Asra Ali

Software Engineer, Google
Asra is a Software Engineer on the Google Open Source Security Team where she works on projects like Sigstore. In previous times, she worked on Envoy, fuzzing, and privacy-preserving technologies. She's passionate about making the world a more secure place.

Santiago Torres-Arias

Assistant Professor of ECE, Purdue University
To put things simply: I care about how people can produce software securely, and I care about how people can consume software securely. Talk to me about anything in-toto, Sigstore, TUF, and beyond. I do software supply chain security research, and I try to work with open source...



Monday October 11, 2021 2:35pm - 3:05pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

3:05pm PDT

BREAK
Monday October 11, 2021 3:05pm - 3:20pm PDT
403 Foyer Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

3:20pm PDT

Finding Your Way: A Survey of Supply Chains - Aeva Black, Microsoft
With the explosion of interest in SBOMs, it's likely that you've just heard of a few projects for the first time -- even if those projects aren't new, they may be new to you, and you might be asking yourself, "how is X different from Y?" You might also be wondering which projects you should select in order to satisfy the requirements of the Executive Order!
As when starting out on any journey, before entering unfamiliar territory, it is important to understand the lay of the land, pack the right supplies, and get to know your traveling companions.
In this talk, a few maps of the open source supply chain landscape will be shared. Attendees will gain a sense of both the breadth and depth of the challenges ahead, and learn to identify a few essential types of tools for their journey.

Speakers

Aeva Black

Open Source Hacker, Microsoft
Aeva Black is a dot-com veteran, an open source hacker, and a queer and non-binary geek. They work in the Azure Office of the CTO to improve the state of open source software supply chain security, and to support teams working on cloud security and digital privacy. Back in 2012, they...


Monday October 11, 2021 3:20pm - 3:35pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

3:35pm PDT

Vulnerability Supply Chains - Art Manion, CERT Coordination Center
If you've analyzed or responded to software vulnerabilities like BadAlloc, KRACK, or the PROTOS SNMP test suite from 2002, then you've encountered the intersection of vulnerabilities and supply chains. Without supply chain knowledge, multi-party coordinated vulnerability disclosure efforts are largely limited to manual investigation, one-offs, and guesswork. Follow-on activities like vulnerability management and risk assessment are also hindered. To what extent are vulnerabilities in upstream dependencies inherited? What happens when build tools have or create vulnerabilities? How might we effectively perform coordinated disclosure and share supply chain knowledge at scale? What part will SBOM (software bill of materials) play?

Speakers

Art Manion

Vulnerability Analysis Technical Manager, Carnegie Mellon University Software Engineering Institute
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts...


Monday October 11, 2021 3:35pm - 3:50pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

3:50pm PDT

Cloud Native Supply Chain Security with Tekton and Sigstore - Priya Wadhwa & Christie Wilson, Google
If you build software on Kubernetes and want to learn more about how to do it in a secure way, then this talk is for you! In this talk, Christie Wilson and Priya Wadhwa will provide a hands on overview to creating a secure zero-trust supply chain on Kubernetes. We'll show you how to use tools like Tekton, Tekton Chains and sigstore together to protect your pipelines and generate provenance for your builds. We'll also cover how the audience can integrate these tools with other projects like In-Toto and SPIRE to securely build, sign and verify software components today.

Speakers

Christie Wilson

Software Engineer, Google
Christie Wilson (she/her) is a software engineer at Google and co-creator of the Tekton project. Over the past decade+ she has worked in the mobile, financial, and video game industries. Prior to working at Google she built load testing tools for AAA video game titles, and founded...

Priya Wadhwa

Software Engineer, Google
Priya Wadhwa is a software engineer on Google's Open Source Security team, where she works on projects like Sigstore and Tekton. In her free time she enjoys playing the drums and eating desserts!



Monday October 11, 2021 3:50pm - 4:20pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

4:20pm PDT

BREAK
Monday October 11, 2021 4:20pm - 4:30pm PDT
403 Foyer Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

4:30pm PDT

Getting Started with Supply Chain Security is Easier Than You Think: Perspectives From a Highly Regulated Industry - Michael Lieberman & Timothy Miller, CitiBank
With the growing frequency of supply chain attacks and the complexity of technology environments, securing the software supply chain has never been more important, especially in highly regulated environments like banking. The road to a secure supply chain is long and challenging, but getting started is easy. There are a series of practices that you can implement today to get you started on your supply chain security journey that will help you: better understand the technologies currently in your environments, establish provenance of source code, and audit and respond quickly in the event of supply chain vulnerabilities.

Speakers

Timothy Miller

Director - Supply Chain Security, Citi



Monday October 11, 2021 4:30pm - 5:00pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

5:00pm PDT

Closing Remarks - Dan Lorenc, Chainguard
Speakers

Dan Lorenc

CEO, Chainguard


Monday October 11, 2021 5:00pm - 5:05pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  Keynote

5:00pm PDT

CNCF-Hosted Co-located Events Happy Hour
Join us onsite for drinks and appetizers with fellow co-located attendees from Monday's CNCF-hosted Co-located Events.  Network with attendees from:
  • Cloud Native eBPF Day North America hosted by CNCF
  • EnvoyCon North America hosted by CNCF
  • Production Identity Day: SPIFFE + SPIRE North America hosted by CNCF
  • PromCon North America hosted by CNCF

The CNCF-hosted Co-located Events Happy Hour on Monday evening will be held at the JW Marriott, Gold Ballroom Foyer - a short 7 minute walk from the LACC.
To access the Happy Hour, please follow the directions below:
  1. From the LACC please proceed out the West Lobby exit, take a left and proceed NE around the Staples Center to Chick Hearn Court.
  2. Cross Chick Hearn Court and continue NE on Georgia St. one block.
  3. Take a right on West Road and continue a half block until you see the JW Marriott entrance on your left, between Savoca and The Mixing Room.
  4. Upon arrival at the JW Marriott, walk through the lobby to the escalators behind the lobby bar and take them to level 3. Take a right to enter the Skybridge where you will need to show your badge with your Monday vaccination approval.
  5. Once your badge is verified you will be directed down another set of escalators to the Gold Ballroom Foyer. You've arrived!


Monday October 11, 2021 5:00pm - 6:30pm PDT
JW Marriott Gold Ballroom Foyer