Episode 73 – Sign of the Times with Google/Sigstore's Dan Lorenc
Dan Lorenc is a Software Engineer at Google and lead for Project Sigstore a Linux Foundation project. Dan talks about his history at google with projects such as skaffold and minikube which inspired his work currently with Project Sigstore. Dan currently works on a cloud native project called Sigstore which is a non-profit, public good software signing & transparency service. Software supply chains are exposed to multiple risks. Users are susceptible to various targeted attacks, along with account and cryptographic key compromise. Keys in particular are a challenge for software maintainers to manage. We talk Software Supply Chain Security and Software Supply Chain Devops along with our mutual love of our home of Upstate NY. Dan provides some valuable advice on how to protect your software supply chain and this is a very fun episode!
On June 18th 2021 – we will be holding our first Root Key ceremony on June 18th at 2pm Eastern on June 18th at 2pm Eastern on CloudNative.tv (CNCF twitch). Please join us more details at this link: https://blog.sigstore.dev/a-new-kind-of-trust-root-f11eeeed92ef
Timeline/Topic
00:00 — Sigstore Key Ceremony June 16th 2021 – EXCLUSIVELY on CloudNative.tv
00:15 — POPCAST Opener (Like and Subscribe and leave a comment!)
00:23 — Introduction to Dan Lorenc Google Software Engineer and lead for Sigstore
01:00 — “Lorenc” pronounced like “LAWRENCE”
01:46 — the Dan’s talk Upstate NY / Freihofer’s Bakery but specifically Cookies
04:33 — Dan’s Journey to Google
08:36 — Dan talks Skaffold
11:09 — Dan talks Minikube
13:08 — Secure Software Supply Chain… whats the problem we need to solve?
15:43 — Dan provides some advice on how to Secure Software Supply Chain
21:22 — How a company’s culture can help shape better security.
23:43 — Sigstore / Cosign – what is it and why you need it.
27:44 — What a Sigstore Key Signing Cermony is (a full explanation)
34:20 — what work are you most proud of?
Please leave a comment if you enjoyed the episode! it helps the show!
Brought to you by:
***Teleport***
Teleport allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. You can download Teleport at https://goteleport.com
***Sysdig***
Run Confidently with Secure DevOps Security for containers, Kubernetes, and cloud
***COCKROACH LABS***
Discover @CockroachDB the most highly evolved distributed SQL database on the planet.
Kubernetes-native and built from the ground up to help companies of all sizes including Bose,
Comcast, and Equifax scale fast, survive anything, and thrive everywhere.
Sign up for a free 30-day trial and get a free t-shirt at https://cockroachlabs.com/popcast
***Styra***
Learn how to operationalize Open Policy Agent at scale with Styra: https://hubs.ly/H0Pnkm20
***CIVO***
Civo is an alternative to the big hyperscale cloud providers.
They’ve launched world’s first managed Kubernetes service powered by K3s.
With sub 90 second cluster launch times, a simplified Kubernetes experience,
and predictable billing, Civo is on a mission to create a better developer experience.
Get $250 free credit to get started. Sign up today at https://civo.com/popcast
Episode Links
Sigstore – https://sigstore.dev/
Sigstore Root Key Ceremony Blog Post – https://blog.sigstore.dev/a-new-kind-of-trust-root-f11eeeed92ef
Ken Thompson Paper – https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Dan’s Malware with Falco blog – https://dlorenc.medium.com/hunting-for-malware-with-falco-834b19b398c9
POPCAST SHOW DETAILS
YouTube: https://bit.ly/3xgmmCj
Audio Podcast (Apple, Spotify, and others): http://bit.ly/35MXfte
Follow us on (Twitter): https://twitter.com/PopcastPop
Follow us on (Linkedin): https://www.linkedin.com/company/the-popcast-with-danpop
source by The POPCAST
linux foundation
