Speaker

Deep Datta

Community Product Manager

Deep Datta is a Product Manager at JFrog managing ChartCenter, GoCenter, and ConanCenter, central repositories for the community. He loves encouraging diversity in tech and has a passion for helping people join open source communities. Before JFrog he helped build and manage open source programs at Indeed and Benetech.org. Outside of work, Deep likes to travel the world, go to live music events, learn Go, and find beautiful places to go hiking.

Security of Go Modules and Vulnerability Scanning in GoCenter

Go developers care a lot about security, and as Go modules become more widely used they need more ways to assure themselves that these publicly shared packages are safe.

One feature that shipped with Go 1.13 is the foresight that went into authenticating Go modules. When the go command downloads a module version, it records in the consuming project's go.sum file a SHA-256-based hash (an `h1:` line) over that version's source tree and another over its go.mod, and it checks those hashes against Google's checksum database (sum.golang.org), which records the hash of each public module version the first time it is requested in an append-only transparency log backed by a Merkle tree. Any later download of the same version, whether direct or through a GOPROXY, must match the recorded hash, so a module version cannot be silently replaced once it has been seen. This helps keep the integrity of packages intact. In this talk, we'll go over the behavior of the checksum database, how it protects Go modules, and how the Merkle tree works.
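To make the Merkle-tree part concrete, here is an added example (not from the talk and not the Go project's own code) of the RFC 6962 tree hashing that sum.golang.org's transparency log is built on: records and interior nodes are hashed with different prefixes, an inclusion proof is a short list of sibling hashes, and a client that holds only the tree's root hash can confirm that a go.sum record is in the log without fetching the whole log. The records are constructed go.sum lines with made-up hash values; the real log's tiled storage layout (golang.org/x/mod/sumdb/tlog) is left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 domain separation, also used by golang.org/x/mod/sumdb/tlog: a
// record is hashed behind 0x00 and an interior node behind 0x01, so no record
// can be crafted to collide with a node of the tree.
func leafHash(record []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(record)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

func hashLeaves(records [][]byte) [][]byte {
	leaves := make([][]byte, len(records))
	for i, r := range records {
		leaves[i] = leafHash(r)
	}
	return leaves
}

// largestPowerOfTwoBelow returns the split point RFC 6962 uses: the largest
// power of two strictly smaller than n.
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// treeHash is the root hash of a log containing exactly these leaves.
func treeHash(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return nodeHash(treeHash(leaves[:k]), treeHash(leaves[k:]))
}

// proofNode is one sibling hash on the path from a leaf up to the root.
type proofNode struct {
	hash   []byte
	onLeft bool // the sibling is the left child at this level
}

// inclusionProof lists the sibling hashes, leaf to root, for leaf i.
func inclusionProof(leaves [][]byte, i int) []proofNode {
	if len(leaves) == 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(len(leaves))
	if i < k {
		return append(inclusionProof(leaves[:k], i), proofNode{treeHash(leaves[k:]), false})
	}
	return append(inclusionProof(leaves[k:], i-k), proofNode{treeHash(leaves[:k]), true})
}

// verifyInclusion is what a client holding only the (signed) root hash does:
// rebuild the path from the record it was handed and compare with the root.
func verifyInclusion(root, record []byte, proof []proofNode) bool {
	h := leafHash(record)
	for _, p := range proof {
		if p.onLeft {
			h = nodeHash(p.hash, h)
		} else {
			h = nodeHash(h, p.hash)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed log records in go.sum line format; the hash values are fake.
	records := [][]byte{
		[]byte("example.com/a v1.0.0 h1:fakehashA"),
		[]byte("example.com/a v1.0.0/go.mod h1:fakehashAmod"),
		[]byte("example.com/b v2.1.0 h1:fakehashB"),
		[]byte("example.com/b v2.1.0/go.mod h1:fakehashBmod"),
		[]byte("example.com/c v0.3.0 h1:fakehashC"),
	}
	leaves := hashLeaves(records)
	root := treeHash(leaves)
	proof := inclusionProof(leaves, 2)
	fmt.Printf("root (first 8 bytes): %x, proof length: %d\n", root[:8], len(proof))
	fmt.Println("record 2 in log:", verifyInclusion(root, records[2], proof))
	fmt.Println("altered record 2 in log:", verifyInclusion(root, []byte("example.com/b v2.1.0 h1:swapped"), proof))
}
```

The security property this buys is that the database cannot quietly change or drop an entry after handing out a root hash: an altered record fails its own inclusion proof, and any client that has seen an older root can demand a consistency proof that the new root still extends it.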

Now, while checksum authentication helps create trust among developers, it isn't a full answer to tampering. If a vulnerability or backdoor is present in the module's files when the version is first published, the checksum database can only attest that the version hasn't changed since it was first recorded; it says nothing about whether that content was safe to begin with. This doesn't solve the problem of malicious code being introduced in the very first commit.
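The following added example (not from the talk and not the Go project's own code) shows both sides of that point. It reimplements the `h1:` module hash recorded in go.sum, the algorithm of golang.org/x/mod/sumdb/dirhash.Hash1, over a small constructed module, then runs the same comparison the go command performs after a download: the version as originally published verifies cleanly even though its constructed source contains a suspicious init function, while the same version served with different bytes is rejected. The module path `example.com/widget`, its files, and the go.sum text are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" hash recorded in go.sum. For every file, sorted by
// path, the summary gets a line "<sha256 hex>  <path>\n" (two spaces); the
// SHA-256 of that summary, base64-encoded, is the module hash. This mirrors
// golang.org/x/mod/sumdb/dirhash.Hash1; the go command runs it over the
// entries of the module zip, whose paths carry a "module@version/" prefix, as
// the constructed files below do.
func hash1(files map[string]string) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	summary := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256([]byte(files[p]))
		fmt.Fprintf(summary, "%x  %s\n", fileSum, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// parseGoSum indexes go.sum lines by "<module> <version>"; go.mod-only
// lines keep their "/go.mod" suffix on the version.
func parseGoSum(text string) map[string]string {
	sums := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// verifyModule is the check the go command makes after a download: the hash
// of what arrived must equal the hash already recorded for that version.
func verifyModule(sums map[string]string, module, version string, files map[string]string) error {
	key := module + " " + version
	want, ok := sums[key]
	if !ok {
		return fmt.Errorf("%s: no go.sum entry", key)
	}
	if got := hash1(files); got != want {
		return fmt.Errorf("%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", key, got, want)
	}
	return nil
}

func main() {
	// Constructed module: the suspicious code is present in the very first
	// published version, so it is exactly what the checksum database records.
	v1 := map[string]string{
		"example.com/widget@v1.0.0/go.mod":    "module example.com/widget\n\ngo 1.13\n",
		"example.com/widget@v1.0.0/widget.go": "package widget\n\nfunc init() { exfiltrateEnv() }\n",
	}
	// What go.sum (and the checksum database) hold after the first fetch.
	sums := parseGoSum("example.com/widget v1.0.0 " + hash1(v1) + "\n")

	fmt.Println("content as originally published:")
	fmt.Println("  ", verifyModule(sums, "example.com/widget", "v1.0.0", v1)) // prints <nil>: hashes agree, the code itself was never judged

	// The same version later served with different bytes, e.g. by a
	// compromised proxy or a force-pushed tag.
	tampered := map[string]string{}
	for p, c := range v1 {
		tampered[p] = c
	}
	tampered["example.com/widget@v1.0.0/widget.go"] += "\nfunc patchedLater() {}\n"
	fmt.Println("same version, different bytes:")
	fmt.Println("  ", verifyModule(sums, "example.com/widget", "v1.0.0", tampered))
}
```

The first check passing is the whole caveat: a matching `h1:` hash means "same bytes as first seen", not "safe", which is why vulnerability scanning of the content itself is a separate control.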

Luckily, GoCenter can now tell you when a Go module has a known vulnerability. We've brought the power of JFrog Xray's security scanning to this repository of Go modules for the Go developer community.

Go 1.13 introduced important security features for Go modules, including the checksum database. We'll explain how it works and point to other tools that keep modules secure. GoCenter now has vulnerability scanning, so developers can check modules for known security issues.

How Helm Charts Create Reproducible Security

As more tools become available to automate security in Helm, a natural next step for JFrog's Community team is a webinar on Helm security and how charts protect Kubernetes applications. During the meetup we'll also show ChartCenter's free vulnerability scanning feature and how chart maintainers can use its new "mitigation notes" YAML file to tell end users about vulnerabilities in their chart's dependencies.
You'll come away with a strong understanding of the role Helm charts play in the Kubernetes security ecosystem and of the new tools used with Helm 3. You'll see how Helm chart applications are deployed and get hands-on with inspecting container processes, controlling your application state, and managing reproducible security in your builds. We'll also dive into:
- Why use trusted registries such as ChartCenter
- Vulnerabilities and mitigation in your chart’s dependencies
- More details around RBAC and cluster roles
- Brief intro to certificates, signatures, and verification in Helm 3
- Secrets management best practices and more!

Join today

You may have heard that there's a new central Helm charts repository, built for the community together with Rimas Mocevicius, one of the co-founders of Helm: https://jfrog.com/blog/launching-jfrog-chartcenter-helm-chart-repository/
