In an era of rising software supply chain attacks, this talk explores how we implemented robust security practices in Fission, an open-source serverless framework for Kubernetes used by thousands globally. We will detail our implementation of the SLSA (Supply-chain Levels for Software Artifacts) specification, addressing critical threats such as compromised builds and unauthorized modifications through reproducible builds, signed artifacts, and secure dependency management.
We will demonstrate how we addressed these challenges through:
- Implementing reproducible builds to ensure build integrity
- Adopting signed artifacts and attestations for authenticity verification
- Securing our base images and dependency chain
- Establishing automated security scanning and verification pipelines
Through practical code examples, we'll show how organizations can implement these security practices in their CI/CD pipelines. We'll share our experiences, the challenges faced during implementation, and the lessons learned while securing a widely used open-source platform.