October 11, 2021
Los Angeles, California + Virtual
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2021 - Los Angeles, CA + Virtual and add this Co-Located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Pacific Standard Time (PST), UTC -7. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.

IMPORTANT NOTE: Timing of sessions and room locations are subject to change through Monday, September 13 due to schedule changes that will be made as speakers finalize whether speaking in person or virtually.
General Session [clear filter]
Monday, October 11

10:40am PDT

The State of SBOMs - Moderated by Dan Lorenc, Chainguard; Allan Friedman, US Government; Nisha Kumar, VMware & Frederick Kautz, LF Public Health
avatar for Dan Lorenc

Dan Lorenc

CEO, Chainguard
Dan has been working on and worrying about containers since 2015 as an engineer and manager.He started projects like MinikubeSkaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he partnered up with Kim and others to f... Read More →


Nisha Kumar

Security Engineer, Oracle
Nisha is a Security Engineer at Oracle. She has been a DevOps engineer for embedded systems and a Radio Frequency Engineer in semiconductor manufacturing. She has been involved in Open Source for more than 15 years. You can follow her work on Twitter at @_ctlfsh
avatar for Frederick Kautz

Frederick Kautz

Co-Chair, KubeCon
Frederick collaborates on security and networking. He is on the SPIFFE Steering Committee, focusing on providing Zero Trust Workload Identity to compute workloads and resources. Frederick co-authored Solving the Bottom Turtle. He is a co-founder of OmniBOR and maintains the reference... Read More →
avatar for Allan Friedman, PhD

Allan Friedman, PhD

Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency
Dr. Allan Friedman is Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency. He coordinates the global cross-sector community efforts around software bill of materials (SBOM) and related vulnerability initiatives and works to advance their adoption... Read More →

Monday October 11, 2021 10:40am - 11:20am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

11:20am PDT

Whose Sign Is It Anyway? - Marina Moore, NYU & Matthew Riley, Google
Code signing is the security foundation of the software supply chains we rely on every day. But if you let yourself think about it for too long -- like we have -- it starts to seem weird that we’re so sure a random download won’t steal our credentials or ransom our data just because someone, somewhere happened to choose a very special point on an elliptic curve.

In this talk, we will explore what a digital signature really means -- and what it doesn’t. We’ll look at the implications of policy choices around key handling, what gets signed, and when we call a signature "valid". And we’ll dive so deeply into the very idea of identity that you may begin to question the nature of your reality.

avatar for Marina Moore

Marina Moore

PhD Candidate, NYU
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab focusing on secure software updates and software supply chain security. She is a maintainer of TUF, a CNCF graduated project, as well as Uptane, the automotive variant of TUF. She contributed to the updated TAG Security... Read More →
avatar for Matthew Riley

Matthew Riley

Software Engineer, Google
Matt works on Kubernetes security at Google. His previous work has involved various combinations of container infrastructure, platform security, code integrity, and applied cryptography.

Monday October 11, 2021 11:20am - 11:50am PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

11:50am PDT

Supply Chain Security with the Jenkins Templating Engine! - Steven Terrana, Booz Allen Hamilton
In this talk, Steven will provide a comprehensive introduction to DevSecOps. He'll help attendees get past the buzzwords and demystify the various kinds of software security scanning that teams can incorporate into their software delivery processes to shift-left security. Equally important - you'll then learn how to apply these principles at scale using the Jenkins Templating Engine to develop tool-agnostic pipelines that can be shared across teams.


Monday October 11, 2021 11:50am - 12:20pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

2:05pm PDT

An Overview on SLSA - Tom Hennen, Google & Joshua Lock, VMware
SLSA – Supply-chain Levels for Software Artifacts – introduces a comprehensive methodology to prevent tampering with the software supply chain.  To illustrate the impact of SLSA, we follow a few gremlins as they try to introduce malicious code into a container image used by thousands of projects.  At each step of the supply chain we show how SLSA controls raise the cost of attack, preventing the gremlins from causing any harm.

avatar for Joshua Lock

Joshua Lock

Open Source Architect, Verizon
Joshua is Open Source Architect in Verizon's Open Source Program Office where he leads efforts to improve consistency around how Verizon uses open source. As part of his work at Verizon he works upstream on software supply chain security standards and tools; he is a steering committee... Read More →
avatar for Tom Hennen

Tom Hennen

Software Engineer, Google
Tom is a maintainer of the Supply-chain Levels for Software Artifacts (SLSA) project.  He works at Google as a tech lead for their internal supply chain integrity team.  He previously worked in the defense industry where he was the Principal Investigator for a DARPA STAC red team... Read More →

Monday October 11, 2021 2:05pm - 2:35pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

2:35pm PDT

State of the Art Supply Chain Security (in-toto, TUF, and SigStore) - Trishank Karthik Kuppusamy, Datadog; Asra Ali, Google & Santiago Torres-Arias, Purdue University
In this talk, we’ll explore the complementary roles that TUF, in-toto, and SigStore play in creating a transparent hack-proof software supply chain that thwarts man-in-the-middle attacks anywhere between developers and end-users. The talk will build off the basics of using in-toto and TUF together to deliver hack-proof updates, especially how it was done for the first time in the industry at Datadog, and then going the extra mile with SigStore. We’ll see how SigStore’s transparent and auditable model holds publishers accountable in this system. Finally, we’ll see a real example of the whole stack in action for the first time with Datadog’s integration, and show just how easy it is to adopt yourself!

avatar for Trishank Karthik Kuppusamy

Trishank Karthik Kuppusamy

Staff Security Engineer / Engineering Manager, Datadog
Trishank Karthik Kuppusamy is a Staff Security Engineer / Engineering Manager at Datadog, where he designed and implemented the industry's first-known, publicly-verifiable Solarwinds-proof software supply chain for the Datadog Agent integrations in 2018. He has been and remains heavily... Read More →
avatar for Asra Ali

Asra Ali

Senior Software Engineer, Google
Asra is Software Engineer on the Google Open Source Security Team (GOSST) where she works on projects like Sigstore. She’s a maintainer of Sigstore’s Rekor, and The Update Framework’s go-tuf implementation. In previous times, she worked on Envoy, fuzzing, and privacy-preserving... Read More →
avatar for Santiago Torres-Arias

Santiago Torres-Arias

Assistant Professor of Electrical and Computer Engineering, Purdue University
Santiago is an Assistant Professor at Purdue's Electrical andComputer Engineering Department. His interests include binaryanalysis, cryptography, distributed systems, andsecurity-oriented software engineering. His current researchfocuses on securing the software development lifecycle... Read More →

Monday October 11, 2021 2:35pm - 3:05pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

3:50pm PDT

Cloud Native Supply Chain Security with Tekton and Sigstore - Priya Wadhwa & Christie Wilson, Google
If you build software on Kubernetes and want to learn more about how to do it in a secure way, then this talk is for you! In this talk, Christie Wilson and Priya Wadhwa will provide a hands on overview to creating a secure zero-trust supply chain on Kubernetes. We'll show you how to use tools like Tekton, Tekton Chains and sigstore together to protect your pipelines and generate provenance for your builds. We'll also cover how the audience can integrate these tools with other projects like In-Toto and SPIRE to securely build, sign and verify software components today.

avatar for Christie Warwick

Christie Warwick

Software Engineer, Google
Christie Wilson (Warwick) (she/her) is a software engineer with a passion for building quality software and having fun doing it. During her career she has worked in a wide range of domains from currency exchange to AAA games and is currently working on continuous delivery tools at... Read More →
avatar for Priya Wadhwa

Priya Wadhwa

Software Engineer, Chainguard
Priya Wadhwa is a software engineer at Chainguard, where she works on a variety of open source projects with the goal of improving software supply chain security. She is a member of the Sigstore TSC and a maintainer of the Tekton Chains project. She's passionate about making security... Read More →

Monday October 11, 2021 3:50pm - 4:20pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015

4:30pm PDT

Getting Started with Supply Chain Security is Easier Than You Think: Perspectives From a Highly Regulated Industry - Michael Lieberman & Timothy Miller, CitiBank
With the growing frequency of supply chain attacks and complexity of technology environments securing the software supply chain has never been more important, especially in highly regulated environments like banking. The road to a secure supply is long and challenging but getting started is easy. There are a series of practices that you can implement today to get you started on your supply chain security journey that will help you: better understand the technologies currently in your environments, establish provenance of source code, and help you audit and respond quickly in the event of supply chain vulnerabilities.

avatar for Timothy Miller

Timothy Miller

Director - Supply Chain Security, Citi

Monday October 11, 2021 4:30pm - 5:00pm PDT
Room 403AB + Online Los Angeles Convention Center - 1201 S. Figueroa Street, Los Angeles, CA 90015
  • Timezone
  • Filter By Venue Los Angeles, California, USA
  • Filter By Type
  • General Session
  • Keynote
  • Lightning Talk
  • Networking + Break
  • Talk Type

Filter sessions
Apply filters to sessions.