Open Source Summit Japan 2022

FRSCA (pronounced Fresca) is an OpenSSF project (https://github.com/buildsec/frsca) that secures the software supply chain by helping secure the build pipeline. FRSCA is an implementation of the CNCF's Secure Software Factory Reference Architecture. FRSCA is both a suite of build, signing, identity, and other tools as well as a set of abstractions intended to make secure build pipelines simple and straightforward to create. It follows common security standards and frameworks like SLSA (https://slsa.dev) and NIST's SSDF. It also makes it easy to generate attested metadata like software bill of materials (SBOM) and SLSA attestations. In this talk Michael will explore how the Secure Software Factory Reference Architecture was designed to protect against supply chain compromise coming from your build pipeline. He will show some common supply chain attacks, and how they can be used to compromise downstream software you build, distribute, and operate. Afterwards he will show how you can use FRSCA to prevent, react to, and audit these attacks.