Thursday, 13:40 - 14:40 (UTC+02)

Workshop / Talk (60 min)

Part 1/2: Securing Container Supply Chain Workshop

“Software supply chain” is a term describing everything that happens to code from the time it leaves the developer's fingers until it runs in production. The code needs to be compiled, tested, packaged and deployed, and these steps take place in a variety of systems and rely on many complex third-party solutions. Our apps also depend on an increasing number of third-party libraries and frameworks that we often know next to nothing about.

Security
DevOps
Architecture
Cloud

Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most notable one being Supply-chain Levels for Software Artifacts (SLSA). SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google, in addition to startups such as Chainguard.

Cosign - Sigstore is a Linux Foundation project developing Cosign, a tool for signing and verifying containers and storing the signatures in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.
Kyverno - Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.

In this workshop we will take a practical approach to securing your container applications and verifying that a container has not been tampered with since it was built.

* Setting up automated container builds
* Signing containers using sigstore/cosign
* Verifying signed containers using Kyverno
* Working with Kyverno policy reports at scale
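As an added illustration of the verification step in the agenda above (this is not material from the workshop or from the Kyverno project), the policy below is the kind of Kyverno ClusterPolicy that admits a Pod only if every matching image carries a Cosign signature made with a known key; unsigned or re-tagged images are rejected at admission. The image reference pattern and the public key are placeholders; the key would be the public half of the pair used with `cosign sign --key`.

```yaml
# Added example, not part of the original page. Assumptions:
# - images live under ghcr.io/example-org/ (placeholder namespace)
# - the public key block is a placeholder for the real cosign.pub
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signature
spec:
  # Enforce: reject Pods that fail verification instead of only reporting
  validationFailureAction: Enforce
  # Image verification applies at admission, not to existing resources
  background: false
  rules:
    - name: require-signed-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          # Mutate the image reference to its digest so the verified
          # content is what actually runs, even if the tag later moves
          mutateDigest: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: contents of cosign.pub>
                      -----END PUBLIC KEY-----
```

Running the same policy with `validationFailureAction: Audit` first lets the policy reports (the last agenda item) show which workloads would be blocked before enforcement is switched on.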

Hans Kristian Flaatten

Platform Engineering at the Norwegian Labour and Welfare Administration (NAV) responsible for the NAIS platform. NAIS is an application platform built to increase development speed by providing our developers at NAV with the best possible tools to develop and run their applications.

Previously Chief Consultant and DevOps Practice Lead for TietoEVRY where I drove culture and competency building for DevOps, Site Reliability Engineering (SRE) and Cloud Native practices internally and for customers in public government, telecom, banking and insurance sectors.

Open Source, DevOps, and Cloud Native evangelist. Member of the Node.js Foundation where I manage test and release of official Node.js versions and the official Docker Image for Node.js with 10M+ downloads.

Organiser of DevOps Bergen and Bergen NoSQL User Groups, and Co-Organiser of the DevOps Days Oslo Conference. I speak at various other local and national user groups and conferences on Open Source, open data, Cloud Native, and other new and exciting technologies and practices.

Jan-Kåre Solbakken

Developer with occasional strays to the security side for 20+ years, for the most part on the JVM.

Youssef Bel Mekki

I have a pretty short career. I started my journey late, learning development at university at the age of 30. I have been working at NAV ever since and have never regretted my decision to go into programming. I love working with people and combining that with programming to come up with clever and user-friendly solutions.