October 25, 2022 | Detroit, Michigan

You must be registered for KubeCon + CloudNativeCon North America 2022 - Detroit, MI + Virtual and add this Co-Located event to your registration to participate in these sessions.

Tuesday, October 25 • 10:30am - 10:55am
Who's Verifying Your Signatures? Approaching Private Container Image Signing - Ethan Lowman, Datadog

By some estimates, the rate of software supply chain security attacks has more than doubled in recent years, leading to renewed demand for software integrity defenses, especially for popular open source projects. In response to this demand, healthy competition has emerged between signing technologies like Sigstore and Notary v2 to set a new standard for secure delivery of open source container images. But how do these technologies fare when applied to private container image signing? While building integrity controls for their internal Kubernetes software supply chain, Datadog's security team has found that signing and verifying images internally is subtly different than in an open source setting. This talk will compare the unique challenges of signing container images internally versus in open source, and discuss how the leading open source signing frameworks meet those challenges at scale.

Speakers
Ethan Lowman

Senior Software Engineer, Datadog
Ethan Lowman is a senior software engineer at Datadog, working on software supply chain security, including container image signing and verification. He is a maintainer of go-tuf, an implementation of The Update Framework which is being used to bootstrap the root of trust for Sigstore...



Tuesday October 25, 2022 10:30am - 10:55am EDT
Room 430 A