Building Trust Through Proactive Security - Key Parts of the Trusted Software Supply Chain
CVE/FIRST VulnCon 2025 · Main Stage
In an era of increasing supply chain attacks and software vulnerabilities, the concept of a "trusted software supply chain" has become paramount. This talk, delivered by Premaruski, also known as Rogue, a Principal Security Engineer at Red Hat, delves into the critical role of proactive security work in establishing and maintaining this trust. The presentation outlines a strategic shift from reactive vulnerability responses to a deeply integrated, preventative security posture throughout the software development life cycle (SDLC), highlighting Red Hat's practical implementation.
AI review
A competent, well-organized case study from a Red Hat principal engineer on how they've integrated proactive security tooling — SAST, SCA, policy gating, SLSA provenance — into their Conflux/Tekton-based build pipeline. The talk is honest about what's production versus PoC, and the AI-assisted SAST-to-CVE correlation work is a genuinely interesting idea even if it's embryonic. But this is ultimately a vendor architecture presentation dressed as research. The concepts (shift-left, SBOM, SLSA, policy-as-code) are well-established in the field, and Red Hat's specific implementation, while solid…