This session is designed to cover two questions: What are security fundamentals for distributed applications and How to apply and automate them.
Part slides and part demo, the broad areas of signing builds, applying policy, SBOM generation, SLSA levels for builds, security scorecards will all be explained in theory and demonstrated on sample infrastructure.
The talk will showcase several open source tools such as Sigstore, Cloud Native Buildpacks, Kyverno, Scorecards, and others. The aim is to introduce each of these tools and demonstrate how small steps can have a disproportionate impact on the security posture for applications in production.