Loading…
November 12, 2024 | Salt Lake City, Utah
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SigstoreCon Supply Chain Day 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time. To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

The schedule is subject to change.
or to bookmark your favorites and sync them to your phone or calendar.
strong>Any [clear filter]
arrow_back View All Dates
Tuesday, November 12
 

9:30am MST

Trends and Ecosystem Dynamics in Sigstore - Chinenye Okafor, Purdue University
Tuesday November 12, 2024 9:30am - 10:00am MST
Sigstore has witnessed significant adoption since its launch, becoming a big player in software supply chain security. Research has primarily focused on identity verification and transparency log witnessing (i.e.,verifying log consistency). However, the semantics security (i.e., the content) of log entries remains largely unexplored. Given generic witnessing solutions are not one-size-fits-all, we analyze the dynamics of Rekor log entries to gain insights to enable better misbehavior detection and stronger identity verification. Our analysis answers these questions: * What are the trends in Sigstore adoption over time? * What are the patterns in certificates, and generated signatures? * What kinds of identities are involved in signing? * What actors are performing these signing actions?
Speakers
avatar for Chinenye Okafor

Chinenye Okafor

Research Assistant, Purdue University
Chinenye is a Ph.D. student at Purdue University’s Electrical and Computer Engineering department in the Trustworthy Software Ecosystems Lab, where she works on securing software supply chains
Tuesday November 12, 2024 9:30am - 10:00am MST
Alpine

4:45pm MST

Sigstore-Powered Hunting: Uncovering North Korean APT Attacks on the OSS Supply Chain - Poppaea McDermott, Stacklok
Tuesday November 12, 2024 4:45pm - 5:15pm MST
Attackers are increasingly exploiting the trust-based, interconnected nature of the open source supply chain, with malware being distributed through package ecosystems, often hidden within the complexity of upstream dependencies. In this talk, we will showcase how Sigstore provenance can serve as a powerful source of truth for verifying package proof-of-origin. The absence of clear provenance, combined with other metadata signals, can act as a strong indicator of potential malicious intent. As a case study, we will discuss a recent spike in DPRK state-sponsored attacks hosted on NPM, where APT groups aimed to harvest cryptocurrencies and establish backdoors on developer machines. Attendees will gain valuable insights into the critical role Sigstore plays in supply chain threat detection, and understand how its broader adoption can help protect the entire ecosystem. By promoting stronger provenance verification, the community can more effectively distinguish between legitimate packages and harmful imitations.
Speakers
avatar for Poppaea McDermott

Poppaea McDermott

Security Researcher, Stacklok
Poppaea is a Security Researcher at Stacklok. She focuses on using data-driven techniques to hunt for threats in the open source supply chain. Prior to joining Stacklok, she was a Senior Threat Hunter in WithSecure’s Managed Detection and Response capability.
Tuesday November 12, 2024 4:45pm - 5:15pm MST
Alpine
  Technical Deep-dives or Research
  • Company Any
  • Session Slides Attached Yes
 
  • Filter By Venue
  • Filter By Type
  • Company
  • Session Slides Attached
  • Timezone

Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Filtered by Date -