BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//HasGeek//NONSGML Funnel//EN
DESCRIPTION:Empower DevOps to do security
X-WR-CALDESC:Empower DevOps to do security
NAME:SLSA masterclasses
X-WR-CALNAME:SLSA masterclasses
REFRESH-INTERVAL;VALUE=DURATION:PT12H
SUMMARY:SLSA masterclasses
TIMEZONE-ID:Asia/Kolkata
X-PUBLISHED-TTL:PT12H
X-WR-TIMEZONE:Asia/Kolkata
BEGIN:VEVENT
SUMMARY:Practical SLSA for Developers and Application Security Professiona
 ls
DTSTART:20230825T120000Z
DTEND:20230825T125500Z
DTSTAMP:20260421T204315Z
UID:session/RkakPPWkCM3EAwjyer15gE@hasgeek.com
SEQUENCE:6
CREATED:20230823T092646Z
DESCRIPTION:Software supply chain integrity has been a hot topic for a few
 years now. Yet\, 99% of AppSec professionals stop at basic SBOM/SCA
 activities and call it done. Clearly\, that is not enough. SLSA\, despite
 being around for 2+ years\, is yet to find widespread awareness\, let
 alone adoption.\n\nThis session will introduce the ideas and concepts
 behind SLSA - discussing why it is needed\, what problems it solves at
 each "level" and how.\n\nThere is adequate tooling/support for SLSA use
 on popular platforms. Using this tooling\, the session will show how to
 generate SLSA provenance and how it may be used by "consumers" of the
 software artifacts to ascertain the trustworthiness/integrity of those
 artifacts.\n\nThis will be a practical session\; not an academic
 dissertation on SLSA and its specification/documentation.
LAST-MODIFIED:20230908T105856Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/slsa-masterclasses/schedule/practical-sls
 a-for-developers-and-application-security-professionals-RkakPPWkCM3EAwjyer
 15gE
BEGIN:VALARM
ACTION:display
DESCRIPTION:Practical SLSA for Developers and Application Security Profess
 ionals in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:SLSA in Action Against Unauthorized Modifications to Source Code
DTSTART:20231006T120000Z
DTEND:20231006T130000Z
DTSTAMP:20260421T204315Z
UID:session/6UzytfYaY4fEajeoTXzhkX@hasgeek.com
SEQUENCE:4
CREATED:20230926T124244Z
DESCRIPTION:In the first masterclass\, we talked about the need for
 software supply chain security\, introduced the core concepts of SLSA\,
 and showed how an existing build platform (GitHub) enables this through
 a demonstration of provenance generation and verification.\n\nIn this
 second session\, we will take a closer look at a specific threat scenario
 - that of building from source code that has been modified without
 authorization in transit (Threat C in the SLSA documentation)\, or a
 compromised build process (Threat E in the SLSA documentation). We
 briefly describe this attack and real-world examples in the introduction
 section.\n\nWe then show how the attack succeeds without the proper
 security in place. Next we show that with SLSA implemented properly\, the
 later stages of the CI/CD pipeline detect the issue and abort.\n\nThis
 would be a good guide to developers who want an example of “SLSA as
 intended”.
LAST-MODIFIED:20230926T124329Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:SLSA in Action Against Unauthorized Modifications to Source Co
 de in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
END:VCALENDAR
