Safeguarding Cloud Native Supply Chain: Notary Project Intro & What's Next

Yi Zha, Senior Product Manager, Microsoft
Mostafa Radwan, Principal Consultant, CloudRoads

About us

Yi Zha
- Sr Product Manager at Microsoft
- Maintainer at CNCF project Notary Project
- Cloud Native Supply Chain Security and Ecosystem

Mostafa Radwan
- Principal Consultant at CloudRoads
- CNCF Chicago Community Group Organizer

Agenda
- Background
- Notary Project Overview
- Features & Milestones
- User Stories
- Demo
- Q&A

Background
- 91% of organizations experienced software supply chain attacks last year (The Security Magazine, February 2024)
- There has been a 742% average annual increase in software supply chain attacks over the past 3 years (The State of Software Supply Chain Report 2023)
- Software supply chain attacks have impacted 62% of organizations surveyed (The Software Supply Chain Security Report 2022)

Understand The Problem
[Diagram: Developer -> Push -> Source Control -> Trigger -> Build System (pulls Dependencies/Libs) -> Build -> Container Image -> Store -> Container Registry -> Pull -> Deploy]

Signing Container Images
[Diagram: Developer signs with a Private Key -> Signed Container Image -> Push -> Container Registry; Certificate Authority (CA) issues the Certificate used at Deploy; Pull -> "Trust Verified?" -> Yes -> Deploy]

Notary Project - Our Mission
https://notaryproject.dev
Securing software supply chains by using authentic container images and artifacts.
Acquire images -> Catalog images -> Build images -> Deploy images -> Run images: Authenticity and Integrity

The Benefits of Notary Project
- Smooth PKI Integration: Ensures security, privacy, and data compliance.
- Extensibility:
  - KMS Support: Azure Key Vault, AWS Signer, Alibaba Cloud Secret Manager plugin, and HashiCorp Vault.
  - Custom Plugins: Allows for the integration of custom plugins for signing and verification workflows.
- Signature Portability: Compatible with OCI v1.1.
- Signature Formats: JWS and COSE.
- Fine-tuned Trust Policies: Operates on