Michael Lieberman

Co-founder and CTO of Kusari

Michael Lieberman is co-founder and CTO of Kusari, where he helps build transparency and security into the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council, a CNCF TAG Security Lead, and an SLSA steering committee member.

Awards

  • Most Active Speaker 2024

Production, Consumption, and the Data: The Open Source Security Sandwich

This talk will look at OpenSSF projects, and other open source security projects, involved in the production and consumption of software, as well as the tools and frameworks for ingesting and analyzing the data produced around secure software production and consumption.

We will look at how production-focused tools and frameworks like SLSA, Scorecard, and SBOM generation tools emit metadata that can be ingested by tools like GUAC and CLOMonitor, and how that ingested data can then be used to demonstrate compliance with consumption-focused security frameworks like S2C2F.

The talk will then look at how building software supply chain security architectures, and putting these pieces together, is the key to assembling the open source security sandwich.

TAG Security Highlights

TAG Security brings together security experts in the cloud native community to improve the security of CNCF projects and provide security guidance. In this talk we will present highlights from our recent work including mapping open source tools to specific problems in the software supply chain, and our Security Pals initiative to start self-assessments for CNCF projects. We will discuss our outputs from each of these initiatives, and explore how you can get involved in cloud native security. Participants will learn about the work of TAG Security and how they can participate in these and other initiatives.

Mind the Gap: Bridging Supply Chain Policy with Git-less GitOps and GUAC

In a live supply chain attack demo, we demonstrate the latest security features of Flux CD and OpenSSF GUAC together in a hardened, wide-scale production scenario. When the next xz backdoor or Log4Shell-class vulnerability lands, see how to assess, respond, and prevent proliferation, whether before or after an attacker gets a foothold in your systems.

See how to defend against an assault on your dependency tree, prevent hostile insiders from escalating their privilege, and lock down your production environment to harden it against future threats.

We will:

  • Use OCI-first Flux CD to remove network routes to Git servers from production
  • Use GUAC to manage dependency inventory and bring signal to the noise of CVE updates
  • Use Timoni to reliably patch, customise, and verify deployments before release
  • Use Flux Autopilot to roll out multi-tenancy lockdown, horizontal and vertical scaling, and persistent storage across fleets of clusters

It's not just about SBOMs: Perspectives on cloud native supply chain security

There's a lot of fear, uncertainty, and doubt around software supply chain security, especially in cloud native, where there is something new to update or be aware of every time you look. There are SBOMs, SLSA, VEX, CVEs, and dozens of other acronyms that can be hard to remember. In addition there are secure software factories, scorecards, best practices, and countless projects and concepts to keep track of. It seems even more intractable when you take into account the velocity of cloud native.

Don't worry! It's not actually that complicated.

The panel of open source maintainers will discuss how the pieces needed to solve the supply chain security challenges are all there today. They will discuss straightforward approaches and simple security hygiene practices that can get you much of the way there, many of them from CNCF projects like TUF, in-toto, or witness, or from sibling organizations like OpenSSF with SLSA and GUAC. They will also provide insights into the future of supply chain security.

Improving Supply Chain Integrity with OpenSSF technologies

OpenSSF has been developing a series of technologies aimed at improving the security posture of open source and the software supply chain. This panel will give attendees a chance to hear from the very people involved in developing these technologies about what's behind names like SLSA, S2C2F, and GUAC, the status of these technologies, and how they are being implemented across the industry.
Attendees will leave the session with the latest information on how they can leverage these technologies to improve their security posture.

Improving the Software Supply Chain Security

OpenSSF and other organizations such as CNCF have been developing new technologies aimed at improving the security posture of open source and the software supply chain. This panel will give attendees a chance to hear from the very people involved in developing some of these technologies about what's behind names like SLSA, S2C2F, and GUAC, the status of these technologies, and how they relate to one another.

Fresh SLSA and GUAC starts with knowing your ingredients

Tens of millions of new open source code repos, and millions of new open source packages, are created every year. The number of dependencies that any individual package has is increasing as well. How do you keep track of these packages? How do you know if they’re safe? How do you know if their dependencies are safe? The problem grows harder as transitive dependency trees grow deeper and wider.

Learn the risks that packages carry and the transparency you should be looking for in the packages you use, so you can de-risk your use of open source and better understand the transitive supply chain of those packages. Also learn how you can use open source tools, services, specifications, and best practices like GUAC, SLSA, OSV, SBOMs, S2C2F, deps.dev, Scorecard, and others to track and apply this understanding and make better-informed decisions about the software you ingest and depend on.

Cutting Through the Fog: Clarifying CRA Compliance in Cloud Native

With the final release of the European Union’s Cyber Resilience Act, it would be fair to have concerns about its implications for both the software you create and the resources you depend on. Much like London’s notorious fog, the hype and fear around the CRA have obscured the path our community is on.

In their role as leaders of CNCF’s Technical Advisory Group for Security and as maintainers of the OpenSSF Security Baseline, speakers Eddie Knight and Michael Lieberman are uniquely equipped to shed light on both the benefits and complexities of CRA.

This talk will be a light-hearted exploration of how cloud technology, open source projects, and end users can all benefit from the CRA, and how software creators can avoid falling on the wrong side of the law.

Eating the open source security sandwich with Skootrs

There seems to be an ever-growing set of things to care about when we look to secure software, especially open source software: securing builds through frameworks like SLSA, creating SBOMs in formats like SPDX, signing software with tools like Sigstore, communicating exploitability with VEX specifications like OpenVEX, and so much more. Software developers are now being asked to add a deep understanding of cybersecurity to their never-ending list of responsibilities. There is truly a "sandwich" of tools, practices, and data to produce and consume, many of which are developed in the OpenSSF community.

How can we make eating this "sandwich" simple? Cybersecurity is only effective if people follow the practices and use the tools, and that is far easier when it is done at the start of a software project rather than retrofitted later.

Learn more about Skootrs (pronounced "scooters"), a new open source tool that makes adopting these practices and tools, along with generating security metadata, easy through automation and guardrails.
