Laurent Simon

Laurent is a security engineer in the Open Source Security Team (GOSST) at Google. His team works in collaboration with the open-source community and the OpenSSF on novel security solutions, such as Scorecards, Allstar, Sigstore, SLSA, OSS-Fuzz, OSV, etc.


Sessions

10-27
11:15
25min
Build your own SLSA 3+ provenance builder on GitHub Actions
Laurent Simon, Adam Korczynski

Supply chain attacks have increased YoY by more than 700%. High-profile attacks like those against SolarWinds or Codecov have exposed the kind of supply chain integrity weaknesses that exist today. Supply-chain Levels for Software Artifacts (SLSA) is a set of incrementally adoptable guidelines to prevent tampering, improve integrity, and secure packages and infrastructure. The SLSA v1.0 specifications were released in April 2023, and several commercial products are already available.

Writing a SLSA builder from scratch is, however, a tedious multi-month effort. In this talk, we will present the "Build Your Own Builder" (BYOB) framework for GitHub Actions: a set of APIs that empowers anyone to create a SLSA 3-compliant builder on GitHub in a matter of days. In particular, the BYOB framework makes it easy for GitHub Action maintainers to meet the highest SLSA Build L3 requirements. As a builder author, you don't need to worry about keeping signing keys secure, isolating builds from one another, or creating attestations; all of this is handled seamlessly by the framework.

Main stage
10-27
15:15
25min
Secure packaging for AI models
Laurent Simon, Mihai Maruseac

AI models (especially LLMs) are now being released at an unprecedented frequency. At the same time, supply chain attacks have increased YoY by more than 700%. Taken together, these two facts reveal a shocking perspective: it is very possible for bad actors to infect unsuspecting hosts that want to benefit from the AI explosion. Fortunately, by drawing analogies between training AI models and building traditional software artifacts, we can build solutions to package ML models such that the majority of the supply chain security risks are alleviated.

Main stage