Cloud computing adoption is increasing, and organizations have an increasing need to secure their access to cloud resources. Traditional access control mechanisms such as access tokens, while still widely used, are insufficient to protect against modern threats. Even if the least-privilege principles are preserved, these tokens could leak and expose your infrastructure.

Identity tokens, such as OpenID Connect (OIDC), have emerged as a popular alternative for authentication and authorization in cloud environments. Even though major CI/CD platforms are now supporting these tokens - GitHub Actions, GitLab CI, CircleCI, etc. - it isn't widely adopted yet.

In this session, we'll explore the advantages of leveraging OIDC (OpenID Connect) for artifact registries, setting up artifact registries to accept OIDC tokens, and integrating OIDC-based authentication and authorization into popular artifact registry systems. Additionally, we'll showcase practical demonstrations of OIDC-based authentication and authorization in action.

Join us as we delve into secure software releases, focusing on the real-world scenario of implementing the SLSA (Supply-Chain Levels for Software Artifacts) v1.0 standard in popular CI/CD systems such as GitHub and Azure Pipelines. In the face of growing threats to packages, distributions, releases, and dependencies from software supply chain attacks, SLSA offers a crucial standard to secure artifacts.
We will explore SLSA in detail, the differences the v1.0 standard offers comparing its predecessor, and understand how SLSA would have helped mitigate previous software supply chain attacks.
Then we dive into the implementation of SLSA and show how to apply it to secure builds done in popular systems, such as GitHub and Azure Pipelines, including a live demo of how to generate and use SLSA to secure a containerized software release in an OCI registry.