Session
Stronger Supply Chain Security Postures
Open source software is used by DevOps practitioners in organizations of every size. Leadership teams in these organizations are increasingly asked to answer questions about the integrity of their software artifacts and to establish provenance at each stage of the build. For the engineering teams who report to them and who write, build, and maintain that software, security and compliance are paramount.
Recent evidence of these changing requirements:
[1] NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
[2] Executive Order 14028, Improving the Nation's Cybersecurity (12 May 2021): https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Secure open source supply chains are crucial to everyone who creates and distributes open source software.
Engineers, engineering managers, and program managers responsible for delivering software that is, or consumes, open source are under increasing scrutiny to establish the provenance of their software artifacts.
This talk will demonstrate the impact of adopting OpenSSF projects and related open source tooling within software supply chains: generating SBOMs, raising SLSA levels, and introducing signed builds.
The projects demonstrated will be Cloud Native Buildpacks, kpack, and cosign, all of which are fully open source.
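As an added example (not code from the talk, nor from Buildpacks, kpack, or cosign), the following Python shows what "establishing provenance" concretely means at the artifact level: it builds the in-toto Statement that carries a SLSA v0.2 provenance predicate for a constructed sample artifact, then runs the consumer-side policy checks (statement type, trusted builder, subject digest) that a deployment gate would apply, including the tampered-artifact and untrusted-builder failure cases. The sample artifact, builder id, build type, and material URIs are all assumptions made up for the example; only the standard library is used.

```python
"""Build and policy-check an in-toto Statement carrying SLSA v0.2 provenance.

Added example; not code from the talk or from any project it names.
The artifact, builder id and materials below are constructed for illustration.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed sample artifact standing in for a built image or tarball.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho hello from a reproducible build\n"
# Hypothetical builder identity (assumption); a real one names the build service.
SAMPLE_BUILDER_ID = "https://builder.example.com/kpack/v1"
SAMPLE_BUILD_TYPE = "https://example.com/buildpacks/v1"  # hypothetical
SAMPLE_MATERIALS = [  # hypothetical source repo pinned by digest
    ("git+https://example.com/org/app.git", "a" * 64),
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes; this is the subject digest."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(name, artifact, builder_id, build_type, materials):
    """Return an in-toto Statement whose predicate is SLSA v0.2 provenance.

    `materials` is a list of (uri, sha256_hex) pairs for the inputs to the build.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": build_type,
            "materials": [
                {"uri": uri, "digest": {"sha256": digest}} for uri, digest in materials
            ],
        },
    }


def verify_provenance(statement, artifact, trusted_builders):
    """Checks a consumer runs before admitting an artifact. Returns (ok, reason).

    This does not verify a signature: in a real pipeline the statement travels
    inside a signed DSSE envelope (what `cosign attest` produces) and the
    envelope signature is checked first. These are the checks that remain.
    """
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto statement"
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected predicate type"
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    actual = sha256_hex(artifact)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") == actual:
            return True, f"digest {actual[:12]}... matches subject {subject['name']}"
    return False, "artifact digest not among statement subjects"


if __name__ == "__main__":
    stmt = make_provenance("app.sh", SAMPLE_ARTIFACT, SAMPLE_BUILDER_ID,
                           SAMPLE_BUILD_TYPE, SAMPLE_MATERIALS)
    print(json.dumps(stmt, indent=2))
    print(verify_provenance(stmt, SAMPLE_ARTIFACT, {SAMPLE_BUILDER_ID}))
    # Tampered artifact: same statement, different bytes, digest no longer matches.
    print(verify_provenance(stmt, SAMPLE_ARTIFACT + b"x", {SAMPLE_BUILDER_ID}))
    # Statement from a builder the consumer does not trust.
    print(verify_provenance(stmt, SAMPLE_ARTIFACT, {"https://other.example.com"}))
```

The point of the structure is that provenance is only useful when it is bound to the exact bytes being deployed (the subject digest) and to a builder identity the consumer has decided to trust; either check failing should block admission, regardless of whether the statement itself is well-formed.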

Ram Iyengar
Developer Advocate at the Cloud Foundry Foundation
Chennai, India