John Kjell
Director of Open Source at TestifySec
Minneapolis, Minnesota, United States
John is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before TestifySec, John was an engineering leader at VMware, helping to bring supply chain security features to the Tanzu Application Platform.
DEI for the OpenSSF Community
Join us for a panel discussion featuring key members of the Open Source Security Foundation (OpenSSF) DEI working group. This session will delve into the nuances of Diversity, Equity, and Inclusion within the OpenSSF community. Our panelists will explore a wide array of topics, beginning with their personal interpretations of diversity and its significance in open-source security. The conversation will extend to strategies for dismantling barriers to participation in OpenSSF projects, the benefits of education and outreach initiatives, and the critical role of diverse representation in leadership positions.
In closing, the discussion will pivot to accountability measures. How does the OpenSSF track and measure its progress in enhancing DEI? What unique challenges and opportunities does the foundation face in this journey? The audience will hear a call to action as stakeholders in the OpenSSF community to learn how they can contribute to and benefit from a more diverse and inclusive future.
Secure Release Processes with in-toto Policy Verification
Ensuring software releases adhere to expected processes is crucial for both open-source projects and enterprise software. The in-toto project offers a solution by creating attestations for each step, providing verifiable evidence of compliance. Over the past five months, community contributors have worked to enhance the definition and capabilities of in-toto layouts to enforce policies for these attestations. This presentation will showcase the results of this effort, demonstrating how to create flexible policies for any software development lifecycle (SDLC) process, from source code commit to production release. We will explore how to formulate policies that verify attestations for code reviews, SBOM integrity, testing, vulnerability scans, build provenance (such as SLSA), and more. Join us to learn how to ensure your software development process is compliant and secure.
Demystify Modern Signing: Keys, Certs, and Envelopes
Have you heard of projects like Sigstore’s Cosign, Notation, The Update Framework (TUF), or in-toto before? What’s one thing they all have in common? They cryptographically sign things. In this talk there will be no explanations of elliptic curves, no discussion of what prime numbers have to do with cryptography, and no modular exponentiation. Instead, we’ll talk about how the above tools work from a practical perspective, covering key algorithms, signing envelopes, certificates, and verification.
First, we’ll take a brief look at the differences between signing and verification versus encryption and decryption. Building on this, we’ll look at the different design decisions made by Cosign, Notation, TUF, and in-toto’s Witness project. Finally, we’ll walk through the emerging trend of identity-based signing using short-lived keys and certificates, including verification of a signature using nothing besides the openssl and shasum CLI commands.
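As an added example, not code from this talk nor from in-toto, Witness, Cosign, Notation or TUF, the Go program below shows the practical core of what this session and the in-toto policy session above describe: a DSSE envelope around an in-toto statement, the pre-authentication encoding (PAE) that the signature actually covers, verification against a set of trusted keys, and a minimal policy check that counts only attestations that verify and name the artifact. It uses Go's standard library where the talk uses the openssl and shasum commands, and Ed25519 rather than an ECDSA key, which avoids the separate hashing step. The JSON field names are those of the DSSE envelope and the in-toto v1 statement; the statement is trimmed to the fields the check needs. The `ci-builder` key ID, the artifact bytes, and the `Covered` helper are assumptions made here for illustration; a real in-toto layout or Witness policy expresses the same requirement with far more detail (functionaries, step names, predicate contents).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE envelope shared by in-toto, Witness and Cosign; Payload is base64 of the statement bytes.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is an in-toto v1 statement trimmed to the fields this check needs (a full one also carries
// a subject name and the predicate body): a predicate of PredicateType about the artifacts in Subject.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
}
type Subject struct {
	Digest map[string]string `json:"digest"`
}
const inTotoType = "application/vnd.in-toto+json"

// PAE is the DSSE pre-authentication encoding: "DSSEv1 <len> <type> <len> <payload>". Signing it rather
// than the bare payload binds the payload type into the signature, so an envelope cannot be re-labelled.
func PAE(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// Sign marshals stmt and signs its PAE with Ed25519, returning a one-signature envelope.
func Sign(key ed25519.PrivateKey, keyID string, stmt Statement) Envelope {
	payload, _ := json.Marshal(stmt) // only strings and maps inside, so this cannot fail
	sig := ed25519.Sign(key, PAE(inTotoType, payload))
	b64 := base64.StdEncoding.EncodeToString
	return Envelope{PayloadType: inTotoType, Payload: b64(payload), Signatures: []Signature{{KeyID: keyID, Sig: b64(sig)}}}
}

// Verify rebuilds the PAE from the envelope's own payloadType and payload and accepts the envelope if
// any signature validates under the trusted key named by its keyid, returning the decoded statement.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) (stmt Statement, err error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		if ok && derr == nil && ed25519.Verify(pub, pae, sig) {
			err = json.Unmarshal(payload, &stmt)
			return
		}
	}
	return stmt, fmt.Errorf("no signature from a trusted key verified")
}

// Covered is a deliberately minimal stand-in for an in-toto layout or Witness policy: it returns the
// predicate types of attestations that verify AND name the artifact. Tampered or unsigned ones do not count.
func Covered(artSHA256 string, envs []Envelope, trusted map[string]ed25519.PublicKey) map[string]bool {
	covered := map[string]bool{}
	for _, env := range envs {
		if stmt, err := Verify(env, trusted); err == nil {
			for _, sub := range stmt.Subject {
				if sub.Digest["sha256"] == artSHA256 {
					covered[stmt.PredicateType] = true
				}
			}
		}
	}
	return covered
}

// Demo signs a constructed provenance attestation for a constructed artifact under a hypothetical
// "ci-builder" key, then evaluates it as-is and again after re-labelling the envelope's payloadType.
func Demo() (intact, relabelled map[string]bool, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	trusted := map[string]ed25519.PublicKey{"ci-builder": pub}
	art := fmt.Sprintf("%x", sha256.Sum256([]byte("constructed release artifact"))) // stands in for the real file
	env := Sign(key, "ci-builder", Statement{Type: "https://in-toto.io/Statement/v1",
		PredicateType: "https://slsa.dev/provenance/v1", Subject: []Subject{{Digest: map[string]string{"sha256": art}}}})
	intact = Covered(art, []Envelope{env}, trusted)
	env.PayloadType = "application/octet-stream" // same payload and signature, but the PAE now differs
	relabelled = Covered(art, []Envelope{env}, trusted)
	return
}

func main() {
	intact, relabelled, err := Demo()
	fmt.Println("intact:", intact, "re-labelled:", relabelled, err)
}
```

Run it with `go run`: the intact envelope covers the provenance predicate type, while the re-labelled copy covers nothing, even though its payload and signature bytes are untouched. That is the point of the PAE: a verifier that signed the bare payload would accept the re-labelled envelope and could be tricked into parsing the same bytes as a different document type. Note also that `Covered` silently drops anything that fails verification rather than failing the whole evaluation, so an attacker who can add attestations to a store cannot block a release, but neither can they satisfy a step without a trusted key.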
It's not just about SBOMs: Perspectives on cloud native supply chain security
There's a lot of fear, uncertainty, and doubt around software supply chain security, especially in cloud native, where there is something new to update or be aware of every time you look. There are SBOMs, SLSA, VEX, CVEs, and dozens of other acronyms that can be hard to remember. In addition, there are secure software factories, scorecards, best practices, and countless projects and concepts to keep track of. It seems even more intractable when you take into account the velocity of cloud native.
Don't worry! It's not actually that complicated.
The panel of open source maintainers will discuss how the pieces to solve the supply chain security challenges are all there today. They will discuss straightforward approaches and simple security hygiene practices that can get you much of the way there, many of them in the CNCF, like TUF, in-toto, or Witness, or in sibling organizations like the OpenSSF with SLSA and GUAC. They will also provide insights into the future of supply chain security.
A step closer to in-toto’lly secure: Using in-toto and OPA Gatekeeper to verify artifact integrity
Searching for faster development loops, consistency, and security, most people automate their development processes from `git commit` to `kubectl apply`. From Jenkins pipelines to GitHub Actions jobs, this automation varies hugely. While each implementation's speed and consistency can certainly be debated, what about security?
While GitHub Actions pipelines can be argued to be more secure than ancient Jenkins scripts, all supply chains share a similar risk of actors and processes breaking the expected consistency and injecting code that could wreak havoc at runtime. Given this could happen anywhere from `git commit` all the way up to `kubectl apply`, understanding what happened in the middle is crucial.
in-toto pioneers frameworks and tools so businesses and projects can secure the way in which software is developed, built, tested, and packaged. This includes two in-toto subprojects, Witness and Archivista, that make it easy to verify artifact integrity no matter the supply chain and no matter the runtime.
In this talk, we will demonstrate an end-to-end flow for securely developing container images to run on Kubernetes using these tools with Open Policy Agent’s admission controller, Gatekeeper.
6 months in: (Building and) Using the OpenSSF Security Toolbelt
6 months ago, a small flock of motivated OpenSSF volunteers took flight and started the Security Toolbelt special interest group. Known as “Toolbelters”, their mission is to identify a set of personas, use cases, capabilities, threats, and patterns that span the software supply chain to mitigate OSS security threats. These patterns align OpenSSF and other OSS security tools as they apply to various combinations of personas, use cases, capabilities, and threats. Along the way, Toolbelters perform gap analysis against the tools currently available to mitigate threats and identify where investment and resources are needed to close gaps. The outcome is a documented toolbelt spanning the software supply chain, advocating for what tools to use when and where in the supply chain.
At the end of this session, attendees will be able to identify tools from the OpenSSF toolbelt that apply to their area of interest in the Software Supply Chain. Attendees will also understand their participation opportunities to continue iterating on and building the toolbelt.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.