The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2024 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
Please note: This schedule is automatically displayed in Pacific Daylight Time (PDT), UTC -7. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."
For decades, we’ve been building things with open source library dependencies, but most of the time, **we’re not 100% certain where those components actually originate** or how they were built. Over the past two years, GitHub has been working hand-in-hand with the open source community to attack this problem. In this talk, we’ll take you inside the effort to build a brand-new capability that is now in public beta for all repos on GitHub: Artifact Attestations. Thanks to hard work from Hubbers and contributors to projects like Sigstore, SLSA, and in-toto, creators of open source software can create an unforgeable paper trail for anything they build on GitHub, verifiable anywhere via the gh CLI tool. Learn all about the work that GitHub has done to create a new signing authority for the OSS world and the impact that we intend to have in bringing about a much-needed cultural shift towards always knowing where your software comes from.
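The workflow below is an added illustration of the producer and consumer sides of the capability the abstract describes; it is not code from the talk or from GitHub's own documentation. It assumes a Go project with a `cmd/mytool` entry point (placeholder), that the `actions/attest-build-provenance` action and the `gh attestation verify` subcommand are available to the repository (both were part of the public beta), and that `gh` is preinstalled on the runner, as it is on GitHub-hosted images. The action tags shown are the ones current during the beta; pin whatever your repository has vetted.

```yaml
name: build-attest-verify

on:
  push:
    tags: ["v*"]

# Least privilege: only the build job needs to mint an OIDC token (for the
# Sigstore signing certificate) and to write the attestation to GitHub.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC token -> short-lived Sigstore signing cert
      attestations: write   # store the signed in-toto statement on GitHub
    steps:
      - uses: actions/checkout@v4

      # Placeholder build step (assumed project layout).
      - name: Build
        run: |
          mkdir -p dist
          go build -o dist/mytool ./cmd/mytool

      # Produce a SLSA build-provenance attestation for the artifact: an
      # in-toto statement whose subject is the SHA-256 digest of dist/mytool,
      # signed with a Sigstore certificate bound to this workflow's identity.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/mytool

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: mytool
          path: dist/mytool

  # Consumer side: a separate job that has none of the signing permissions
  # and only checks that the downloaded file matches a valid attestation.
  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: mytool

      # gh recomputes the file's digest, fetches attestations for that digest
      # from GitHub, validates the Sigstore signature and certificate chain,
      # and requires the signing identity to belong to the named repository.
      # A mismatched digest or an attestation from another repo fails the step.
      - name: Verify attestation with the gh CLI
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify mytool --repo "${{ github.repository }}"
```

When consuming artifacts from a repository you do not control, tighten the check beyond `--repo`: `gh attestation verify` also accepts `--signer-workflow owner/repo/.github/workflows/<file>.yml`, which rejects attestations signed by any other workflow in that organisation, so a compromised or newly added workflow cannot mint "valid" provenance for a tampered binary.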
Trevor Rosen is the founder of the Package Security team at GitHub, focused on improving supply chain integrity. He has extensive experience in practical information security with a particular focus on CI/CD systems. A veteran of the SolarWinds attack and subsequent response, Trevor...