In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) the open source Sigstore project and how it is helping with software signing and protecting the software supply chain
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Luke Hinds (Luke's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(01:39) https://snyk.io/csp
(05:21) What is the software supply chain and why is it important?
(08:20) Common supply chain attacks in Kubernetes
(09:53) Codecov attack
(11:14 )Kubernetes and API
(14:10) Vulnerability scanning tools
(16:38) Explaining the importance of supply chain security
(19:19) What is a signing service
(19:56 )The SLSA framework
(20:42) Importance of signing service
(23:35) What is Sigstore?
(27:57) What is Lets Encrypt
(31:48) The aim of sigstore
(34:39) What is Co-Sign
(36:40) Co-Signing and non-repudiation
(46:29) Where to start
