
DevOps Meetup #89: Software Supply Chain Security
About this event
Talk
Securing the Software Supply Chain in a Cloud Native World: From CI/CD Pipelines to SLSA
Summary
This talk provides a focused overview of modern software supply chain security through three interconnected lenses: CI/CD pipeline hardening, cloud-native-specific risks, and the SLSA framework. It explores how attackers target build systems, dependencies, and delivery pipelines, and outlines practical defenses such as artifact signing with Sigstore and Cosign, least-privilege access in GitHub Actions and Tekton, and securing containerized workloads against base image vulnerabilities and untrusted Helm charts. The session then introduces SLSA as an incremental, adoptable blueprint for achieving tamper-proof provenance and verifiable build integrity, giving attendees a clear mental model and actionable steps to immediately begin raising the security bar across their development lifecycle.
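As an added illustration of two of the defenses the abstract names (least-privilege access in GitHub Actions and artifact signing with Sigstore/Cosign), the workflow below is example configuration written for this page; it is not the speaker's material and not from any project mentioned above. It assumes a repository that builds a container image and pushes it to GitHub Container Registry, and uses the hypothetical workflow name `build-sign-verify`. Action versions are shown as tags for readability; in production they should be pinned to full commit SHAs.

```yaml
name: build-sign-verify
on:
  push:
    tags: ["v*"]

# Default-deny: the workflow grants no permissions at all, so every job
# must ask explicitly for what it needs (least privilege for GITHUB_TOKEN).
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # only read the source; no ability to push code
      packages: write    # push the image to GHCR
      id-token: write    # obtain an OIDC token for keyless Sigstore signing
    env:
      IMAGE: ghcr.io/${{ github.repository }}
    steps:
      - uses: actions/checkout@v4            # pin to a commit SHA in production

      - uses: sigstore/cosign-installer@v3   # pin to a commit SHA in production

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        run: |
          docker build -t "$IMAGE:${{ github.ref_name }}" .
          docker push "$IMAGE:${{ github.ref_name }}"
          # Resolve the immutable digest; tags are mutable and must not be signed by name.
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:${{ github.ref_name }}")
          echo "DIGEST=$DIGEST" >> "$GITHUB_ENV"

      - name: Sign by digest (keyless, via the job's OIDC identity)
        run: cosign sign --yes "$DIGEST"

      - name: Verify the signature binds to this repository's workflow
        run: |
          cosign verify "$DIGEST" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/"
```

The verification step is the check a consumer of the image should repeat before deploying: it fails unless the signing certificate was issued by the GitHub Actions OIDC provider to a workflow in this repository, which is what makes the signature meaningful rather than merely present. Note that `id-token: write` is the only non-read permission the signing itself needs; `packages: write` is there for the push and should be dropped from any job that does not publish.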
Speaker
Carlos Nogueira
Maria's Father, Alessandra's Husband, DevOps na Praia Meetup Co-Organizer and #engineeringsessions host.
Agenda
18:30 - 19:00 Opening
19:00 - 19:45 Securing the Software Supply Chain in a Cloud Native World: From CI/CD Pipelines to SLSA
19:45 - 20:30 Networking
Location
COCUS - Sitio
Av. da República 1363, 3º A
4430-192 Vila Nova de Gaia
Where to find us
Web: devopsporto.com
LinkedIn: linkedin.com/company/devopsporto
X: x.com/DevOpsPorto
Slack: devopsporto.slack.com
Calls
Organizers: tinyurl.com/callfororg
Proposals: tinyurl.com/callforprop
Source: meetup