During a session at ‘Security Champion Norge’, I presented on Software Supply Chain Hardening, focusing on the importance of signing containers and Git commits using cosign, and subsequent verification within a Kubernetes cluster using Kyverno and ArgoCD.

My presentation addressed the critical role of supply chain hardening in secure software development and deployment. I detailed the process of commit signing, outlining its benefits in maintaining code integrity and providing traceability, hence mitigating the risk of unauthorized or harmful alterations.

Through hands-on demonstrations, I showed the use of cosign for signing containers and Git commits, stressing its role in enhancing security and reliability during deployments. I further demonstrated the use of Kyverno and ArgoCD for signature verification within a Kubernetes cluster, contributing to the overall assurance of code integrity in the application environment.
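The in-cluster verification step described above can be expressed as a Kyverno `ClusterPolicy` using its `verifyImages` rule. The policy below is an added example written for this post, not material from the talk or from the Kyverno project; the registry prefix `registry.example.com/demo/*`, the policy name and the public key body are constructed placeholders, and the key is assumed to be the public half of a pair created with `cosign generate-key-pair` whose private half was used for `cosign sign`. Only Pods whose images match the reference pattern are checked; an image without a valid cosign signature from that key is rejected at admission, and an image tag is mutated to its digest so that what was verified is what runs.

```yaml
# Added example: Kyverno admission policy that requires a cosign signature
# on container images before a Pod is admitted to the cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-image-signature   # placeholder name
spec:
  # Enforce rejects non-compliant Pods; use Audit first to see what would fail.
  validationFailureAction: Enforce
  # Image verification only makes sense at admission, not as a background scan.
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-signed-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this prefix are subject to the rule (placeholder registry).
        - imageReferences:
            - "registry.example.com/demo/*"
          # Replace the tag with the verified digest so the running image cannot drift.
          mutateDigest: true
          verifyDigest: true
          # Fail closed: a matching image with no signature is rejected.
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Assumption: the public key from `cosign generate-key-pair`.
                    # The key body below is a constructed placeholder, not a real key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_COSIGN_PUBLIC_KEY_REPLACE_ME
                      -----END PUBLIC KEY-----
                    # Example keyless alternative (assumed CI identity, for illustration):
                    # - keyless:
                    #     subject: "https://github.com/example-org/*"
                    #     issuer: "https://token.actions.githubusercontent.com"
                    #     rekor:
                    #       url: https://rekor.sigstore.dev
```

Apply it with `kubectl apply -f` and then try to create a Pod from an unsigned image under the matching prefix; the admission webhook should reject it with a message naming the failed rule. Starting with `validationFailureAction: Audit` surfaces the same failures as policy reports without blocking workloads, which is the safer rollout order for an existing cluster.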

A notable part of the presentation was the practical demonstration of ArgoCD’s functionality in verifying signed Git commits within the cluster, underscoring the method’s effectiveness in confirming the authenticity and integrity of the deployed code. This session encouraged a productive conversation on potential challenges and tactics for strengthening software supply chains, and highlighted the importance of incorporating security considerations throughout the software development and deployment process.