Docker x Cloudsmith | State of the Union: Modern Security Approaches for the Software Supply Chain

Topics: Docker, Software Supply Chain Security, SBOMs, Attestations, Artifact Lifecycle, Signatures

Get expert guidance on cutting-edge security strategies for blocking software supply chain attacks such as SolarWinds, XZ Utils, and Log4Shell. Join Michael Donovan (VP of Product, Docker), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) as they discuss what it takes to maintain a secure software artifact lifecycle. Learn how Cloudsmith and Docker Hardened Images can significantly lower risk. They discuss approaches, including SBOMs, Enterprise Policy Management, SLSA, Cosign, and Zero Trust security, for verifying software attestations and provenance and exposing malicious interference.

0:12 Welcome and introduction

2:39 Setting the agenda

3:30 Wake-up calls to shift the emphasis on supply chain security

7:20 Docker and supply chain risk priorities

8:41 Is shift left security the solution?

10:25 Introducing SBOMs and their role in reducing risk

12:24 What's in an SBOM and how does it identify risk?

15:12 Docker Hardened Images for attestations and provenance

17:06 Acting on threats using Enterprise Policy Management

18:27 The secure artifact lifecycle, Docker Hardened Images, and SLSA level 3

21:14 Exploring the lifecycle - processes and issues

26:10 Closing thoughts and poll results

28:34 Questions - Attestation, VEX creation, SLSA and SBOMs, policy enforcement

#Docker #Cloudsmith #SoftwareSupplyChain #SBOM #ContainerSecurity #DevSecOps #ZeroTrust #Attestations #OpenSourceSecurity #SLSA #Sigstore