#KEYMASTER: The Emerging Practices around Attestations and SBOMs
2024-12-03
Building policy-driven and compliant software supply chains
Join Sven Rajala, the international PKI Man of Mystery from Keyfactor, and Miguel Martínez, Co-founder at Chainloop, as they explore the evolving landscape of supply chain security.
Software supply chain security is advancing quickly, but integrating and actually using the metadata it produces, such as SBOMs and attestations, is still a challenge. Tooling should let you build on the resources you already have while keeping the trust model straightforward, so that staying secure and compliant in your delivery pipelines remains simple.
Here are the key points discussed in this #KEYMASTER session:
The Shift in Supply Chain Security
Modern software delivery involves more stakeholders, such as compliance and security teams, who bring additional requirements for vulnerability and license management.
Attestations play a critical role as standardized metadata to ensure software trustworthiness across the supply chain.
The Role of SBOMs
SBOMs (Software Bills of Materials) describe a software package's components, their licenses, and their dependencies.
They are becoming increasingly significant due to regulatory requirements and help with compliance, vulnerability management, and transparency.
Attestations are metadata in a standardized format that capture information about steps in the software development process, such as unit test results, Git commits, and build processes.
Tools such as Sigstore Cosign and Keyfactor's EJBCA and SignServer cryptographically sign attestations, so that consumers can verify who produced them (authenticity) and that they have not been altered since (integrity).
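The following Go program is an added illustration, not code from the webinar, Chainloop or Keyfactor. It shows the mechanics behind the two points above: an attestation expressed as an in-toto Statement (the statement format Sigstore Cosign attestations use), wrapped in a minimal DSSE envelope (keyid omitted) whose Pre-Authentication Encoding is signed with ECDSA P-256, and then verified. The signing key is generated on the fly in place of one issued by a PKI such as EJBCA or a Sigstore certificate; the image name, digests, predicate type and predicate fields are constructed placeholders. The second half of the flow edits the signed payload to point at a different artifact and shows that verification fails closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type ( // Subject/Statement follow the in-toto Statement layout; Signature/Envelope follow DSSE
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Statement struct {
		Type          string          `json:"_type"`
		Subject       []Subject       `json:"subject"`
		PredicateType string          `json:"predicateType"`
		Predicate     json.RawMessage `json:"predicate"`
	}
	Signature struct {
		Sig string `json:"sig"`
	}
	Envelope struct {
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"`
		Signatures  []Signature `json:"signatures"`
	}
)

const payloadType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements
var goodDigest = strings.Repeat("ab", 32)           // constructed sample: digest the build produced (not a real artifact)
var evilDigest = strings.Repeat("cd", 32)           // constructed sample: digest an attacker wants the attestation to cover

// pae is DSSE Pre-Authentication Encoding: signing it binds the payload type to the payload, so a signed payload cannot be replayed under another type.
func pae(pt string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(pt), pt, len(payload), payload))
}

// Sign wraps the statement in a DSSE envelope and signs the PAE with ECDSA P-256 over SHA-256.
func Sign(priv *ecdsa.PrivateKey, stmt Statement) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(pae(payloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	sigs := []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body), Signatures: sigs}, nil
}

// Verify fails closed: the payload type must be the expected one and some signature must verify over the PAE before the statement is decoded.
func Verify(pub *ecdsa.PublicKey, env Envelope) (Statement, error) {
	var stmt Statement
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return stmt, fmt.Errorf("bad envelope: payloadType %q, decode error %v", env.PayloadType, err)
	}
	digest := sha256.Sum256(pae(env.PayloadType, body))
	for _, s := range env.Signatures {
		if raw, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ecdsa.VerifyASN1(pub, digest[:], raw) {
			err = json.Unmarshal(body, &stmt)
			return stmt, err
		}
	}
	return stmt, fmt.Errorf("no valid signature on envelope")
}

// Demo signs a constructed build attestation, checks that the genuine envelope verifies, then edits the signed payload to vouch for another artifact and checks that it is rejected.
func Demo() (genuineOK, tamperedRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	stmt := Statement{ // predicate type and fields are illustrative placeholders
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "registry.example/app", Digest: map[string]string{"sha256": goodDigest}}},
		PredicateType: "https://example.com/build-attestation/v1",
		Predicate:     json.RawMessage(`{"builder":"ci-runner-17","commit":"0123456789abcdef","unitTests":"passed"}`),
	}
	env, err := Sign(priv, stmt)
	if err != nil {
		return false, false, err
	}
	got, err := Verify(&priv.PublicKey, env)
	genuineOK = err == nil && len(got.Subject) == 1 && got.Subject[0].Digest["sha256"] == goodDigest
	body, _ := base64.StdEncoding.DecodeString(env.Payload)
	env.Payload = base64.StdEncoding.EncodeToString([]byte(strings.ReplaceAll(string(body), goodDigest, evilDigest)))
	_, err = Verify(&priv.PublicKey, env)
	return genuineOK, err != nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

The part a consumer must get right is Verify: it refuses an unexpected payload type, it checks the signature over the PAE rather than over the decoded payload, and it only decodes the statement once a signature has verified. In a real pipeline the public key would come from a certificate chain rooted in your PKI, or from Sigstore's transparency log, rather than from the same process that signed.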
Challenges in Adoption
While the building blocks like SBOMs and attestations are in place, the challenge lies in effectively consuming and using this data.
Distribution and integration of metadata remain unsolved areas, though standards like SPDX and CycloneDX are helping progress.
Chainloop's Role
Chainloop provides an "evidence store": a centralized system for managing, signing, and analyzing metadata for secure software delivery.
It aims to simplify adoption and standardization while adapting to evolving tools and standards.
Chainloop and Keyfactor have collaborated to create a PKI attestation and signing solution for the community.