SLSA in Action Against Unauthorized Modifications to Source Code | 6 Oct at 5:30 PM The second SLSA masterclass session will be conducted on 6th October (instead of 29th September) at 5:30 PM. This session will be conducted by Sastry Tumulur…
In today’s digital landscape, software development has become increasingly complex, with multiple layers and dependencies involved in creating and delivering software artifacts. Understanding and effectively managing the supply chain levels for software artifacts has become crucial for organizations to ensure efficient and secure software development practices.
This masterclass series aims to provide participants with comprehensive knowledge and practical insights into the supply chain levels pertaining to software artifacts.
From a high-level overview of the SLSA framework and its requirements to setting up the various attestation formats used in SLSA and implementing them, reaching SLSA levels 1, 2, 3 and 4, and meeting the “Source” requirements across all levels, each topic will be explored in detail, emphasizing its role in the software development lifecycle. Additionally, the series will delve into key considerations such as the software supply chain security threats addressed by SLSA, how SLSA makes regulatory compliance easier, and what to expect in future SLSA upgrades.
Through a combination of expert-led sessions, case studies, and hands-on exercises, participants will gain a deeper understanding of supply chain management practices specific to software artifacts. By the end of the series, participants will be equipped with the necessary skills to optimize software artifact supply chains, enhance productivity, ensure security, and maintain compliance in their software development processes.
- Best practices for implementing software supply chain security controls.
- Techniques and design choices for reducing the risk exposure in the SDLC caused by the use of external software and dependencies.
- Case studies, practical guidelines, and tried-and-tested experience from been-there, done-that practitioners.
- Security architects
- DevSecOps engineers
- Software developers
- Threat detection and incident response teams (engineers and analysts)
- DevOps and config management teams
- QA & release management teams
- Companies from different domains with different levels of scale.
If you are interested in conducting a masterclass, submit your talk idea here. Arjun BM - editor of the masterclass series - will review your talk idea and give feedback.
Guidelines for speaking are published here.
This masterclass series is curated by Arjun BM.
Arjun is Chief Security Architect at Finastra. He is an Information Security expert with two decades of experience in areas like application security, security architecture, and DevSecOps.
This masterclass series will be held online. Attendance is open to Rootconf members only. If you have questions about participation, post a comment here.
Sponsorship slots are open for:
- Tool providers.
- Companies seeking tech branding for hiring.
If you are interested in sponsoring, email firstname.lastname@example.org.
Practical SLSA for Developers and Application Security Professionals
Software supply chain integrity has been a hot topic for a few years now. Yet 99% of AppSec professionals stop at basic SBOM/SCA activities and call it done. Clearly, that is not enough. SLSA, despite being around for 2+ years, is yet to find widespread awareness, let alone adoption.
This session will introduce the ideas and concepts behind SLSA, discussing why it is needed, what problems it solves at each “level”, and how.
There is adequate tooling and support for using SLSA on popular platforms. Using this tooling, the session will show how to generate SLSA provenance and how “consumers” of software artifacts can use it to ascertain the trustworthiness and integrity of those artifacts.
This will be a practical session, not an academic dissertation on SLSA and its specification/documentation.