About
You’ve started to shift security left in order to catch security issues earlier in development, but are you using trusted, verified open source software components when writing your code? Are you signing your code commits and image builds so deployment tooling and processes can verify authenticity with auditable components?

In this session, we discuss steps to trust – but verify – the same open source software packages you have come to rely on. You will see how to stay ahead of regulatory and compliance standards and leave this talk with a deeper understanding of how to access a curated content repository library with provenance and attestations that are maintained to SLSA standards and more!
Agenda
  • Identify source code transitive dependencies and vulnerabilities for both in-house and COTS applications from a local IDE
  • Digitally sign code commits as well as images, and store attestations of the build pipeline that can then be shared and reused.
  • Verify keyless git commit signatures against an immutable ledger that validates the artifact metadata
  • Manage, monitor and analyze relationships with your security metadata (SBOMs, VEXs)
Presenters
Jesse Davis, Moderator
Chief Technologist, DZone
As the Chief Technologist @ DZone, Jesse is responsible for guiding the strategic direction of products and helping customers build the world’s largest, most engaging developer communities for companies like Disney, Amazon, SAP, Pixar, and Unity. Jesse has been building enterprise software and engineering teams for 25 years and is a respected executive, author, speaker, and coach. Jesse serves as a software industry advisor and, prior to Devada, developed the first data access for Java and served as an expert and innovator on industry data standards including JDBC, ODBC, and ANSI SQL.
Sudhir Prasad
Dir. Product Management, Red Hat
Sudhir Prasad’s current focus is to unburden developers and enterprises in managing the risk of their open source software dependency portfolio, reducing development time and cost. He does so by remediating issues earlier in the development cycle, with enterprise hardening of open source in applications.
Brian Fox
CTO and Co-Founder, Sonatype
A software developer, innovator and entrepreneur, Brian Fox is also an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. He is focused on building a platform for developers and DevOps professionals, helping them build high-quality, secure applications with open source components.