Session
Supply Chain Reaction: A Cautionary Tale in K8S Security
Your Kubernetes cluster seems bulletproof: network policies, mTLS, no external API access, GitOps workflows, and automated CI/CD. But you're still vulnerable.
This talk follows a real-world attack where a hacker bypasses traditional defenses through supply chain exploits: poisoned commits, tainted build tools, malicious images, and backdoored dependencies. A diligent DevOps engineer struggles to keep up.
But this isn’t just a tale of doom. Each attack vector is met with a practical counter using OpenSSF projects: Sigstore for image signing, SLSA attestations for build security, OpenVEX/SBOM for dependency protection, and gittuf for source control.
This session shows how hardening the supply chain becomes a layer of defense-in-depth without burdening the developer.
Takeaways include:
- How supply chain attacks bypass secure K8s setups
- Actionable implementation and enforcement of OpenSSF tooling, coordinated through the OSPS Baseline
- Practical CI/CD and GitOps integrity improvements
Stacey Potter
Community Manager, OpenSSF
New York City, New York, United States