Details

Talk
Securing the Software Supply Chain in a Cloud Native World: From CI/CD Pipelines to SLSA

Summary
This talk provides a focused overview of modern software supply chain security through three interconnected lenses: CI/CD pipeline hardening, cloud-native-specific risks, and the SLSA framework. It explores how attackers target build systems, dependencies, and delivery pipelines, and outlines practical defenses such as artifact signing with Sigstore and Cosign, least-privilege access in GitHub Actions and Tekton, and securing containerized workloads against base image vulnerabilities and untrusted Helm charts. The session then introduces SLSA as an incremental, adoptable blueprint for achieving tamper-proof provenance and verifiable build integrity, giving attendees a clear mental model and actionable steps to immediately begin raising the security bar across their development lifecycle.

Speaker
Carlos Nogueira
Maria's Father, Alessandra's Husband, DevOps na Praia Meetup Co-Organizer and #engineeringsessions host.

Agenda
18:30 - 19:00 Opening
19:00 - 19:45 Securing the Software Supply Chain in a Cloud Native World: From CI/CD Pipelines to SLSA
19:45 - 20:30 Networking

Location
COCUS - Sitio
Av. da República 1363, 3º A
4430-192 Vila Nova de Gaia

Where to find us
Web: devopsporto.com
LinkedIn: linkedin.com/company/devopsporto
X: x.com/DevOpsPorto
Slack: devopsporto.slack.com

Calls
Organizers: tinyurl.com/callfororg
Proposals: tinyurl.com/callforprop

Related topics

Events in Vila Nova de Gaia, PT
Software QA and Testing
Test Automation
Build Automation
DevOps
DevOps Automation

Sponsors

Synvert xgeeks

Main Sponsor of Meetup Pro account; Venues; Drinks, Snacks & Pizzas

Redgate

Financial support, swag and prizes!

Bitmaker

Design support and community outreach!

Agile Portugal

Community partner and community outreach.