February 1-2, 2023 | Seattle, WA
View More Details | Registration Information

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2023 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Pacific Standard Time (PST), UTC -8. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

The schedule is subject to change.
Back To Schedule
Thursday, February 2 • 3:50pm - 4:25pm
Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore - Zachary Newman, Chainguard, Inc. & Marina Moore, New York University

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from evil@hacker.com the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.

avatar for Zachary Newman

Zachary Newman

Software Engineer, Chainguard, Inc
Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a software engineer... Read More →
avatar for Marina Moore

Marina Moore

PhD Candidate, NYU
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab focusing on secure software updates and software supply chain security. She is a maintainer of TUF, a CNCF graduated project, as well as Uptane, the automotive variant of TUF. She contributed to the updated TAG Security... Read More →

Thursday February 2, 2023 3:50pm - 4:25pm PST
Room 612
  Supply Chains