A: Okay, thank you everyone for joining us. Welcome to today's CNCF live webinar, Secure Software Factory: Adding SBOM and Code Signing to Your Security Checks. I'm Libby Schultz and I'll be moderating today's webinar. I'm going to read our code of conduct and then hand over to Ariel Shuper, engineering product manager at Cisco, and Shai Simbaum, senior developer at Cisco. A few housekeeping items before we get started: during the webinar, you are not able to speak as an attendee, but there is a chat box on the right-hand sidebar of your screen. Please feel free to drop all your questions for Ariel and Shai there; we'll get to as many as we can at the end. This is an official webinar of the CNCF and, as such, is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct, and basically, please be respectful of all of your fellow participants and presenters. Please also note that the recording and slides will be posted later today to the CNCF online programs page at community.cncf.io under Online Programs. They are also available via your registration link, and the recording will be available on our Online Programs YouTube playlist. With that, I will hand things over to Ariel and Shai to kick off today's presentation.
B: Thank you. Thank you very much, and welcome everyone to our webinar. We want to talk about, of course, the hot topic of the secure software factory. So we'll talk about software supply chain security: where it started, the big things around it. We'll talk about the different [building blocks] we're going to use, and then we'll put a special focus on some open source tools that are dedicated to the runtime aspect of supply chain security. Let's first start by talking about what it is, or why we are all concerned about the software supply chain recently. So I think, you know, software supply chain security was always an issue. It was always kind of something that people can tamper with.
Also, like a rumor that things can go wrong and things can change, and in Docker Hub there are many kinds of malicious things, you know, container images. But I think the turning point was towards the end of 2020, when the SolarWinds attack, you know, took place. It was a massive attack that, you know, started somewhere in 2018, and it took almost 15 months just to discover this attack. SolarWinds is a software manufacturer that was breached, and malicious actors manipulated the software update that it produces.
They added malicious code into the update while it was built. So when the software was delivered to all the 18,000 SolarWinds customers, it was signed and verified, but no one even considered the fact that SolarWinds was breached in such a way that someone, you know, inserted the malicious code, and consequently all the 18,000 customers, you know, SolarWinds customers, were infected and got hit by this attack, which was, you know, super sophisticated, and that's why it took almost 15 months to discover. The special command and control protocol and mechanism was really impressive, but nevertheless this was the first most significant supply chain attack, which had huge monetary consequences for SolarWinds and all the other, you know, customers that have been using their system. Now, I'm calling it a turning point.
You see the amount of attacks is just, you know, really increasing significantly. So yes, software is becoming a target, made easy to target. Some software is really [widely] used; I mean Codecov, you can see here in the middle, there's another famous one like that, that had a huge impact on a lot of customers. And the understanding that it's much easier to penetrate users through the software they consume became a noticeable fact, so that, you know, today it is one of the de facto popular risks and attacks that need to be considered now.
Obviously, there are also more standards and regulations which are emerging. So I think the most notable one was the presidential order that anyone who wants to sell to the US government needs to stand behind, or provide proof of, the software supply chain that it produces. But much beyond that there is SLSA, which is an OpenSSF project that is aiming to provide secure software, secure open source software; they have generated their code of conduct and their recommendations on how to secure the software supply chain. Microsoft has its initiative, and even the CNCF has a reference architecture and a diagram of the best practices to secure [the supply chain]. So definitely it's a hot topic. Different, a lot of, you know, most regulations, standards, you know, even just recommendations which, with no, you know, superpower, but again there's a proliferation of recommendations and documents that are trying to address this aspect.
So let's talk about what it is and what we secure. So the software supply chain is the process, you know, that covers your code development. It starts when the developer codes, when the code is built, and, of course, when the code is running. In any [of these stages] you can tamper and you can modify, if you manage [to get to the] code. Now, obviously, as you can see from this diagram, all those like small icons of hackers. So yep, let's talk about those. There's the amount of attacks which I mentioned, the standards, different standards, and let's talk about, you know, the supply [chain]. So thank you, Libby, and I apologize; through this I stopped sharing just before the beginning of the show, I didn't mind it, I'll keep sharing my screen, I'm sorry for that. So when you look at, you know, the supply chain, you look at, you know, where you can hack the code. Obviously you can see those small icons of hackers.
You know, with the hoodie; it should also be black, but never mind. You can see it usually being, you know, being sent to the build system; in the build system with the dependencies; when it's [pushed] into, you know, the different registries before it's being pushed to deployment; even post deployment. Those are the places where, you know, the code can be changed and modified, so through the entire life cycle of the code.
From the time that the developer wrote the code, all the way until the time that the code is running, those are the areas, the potential locations, where malicious actors can intercept the code, modify, change, and add malicious packages.
Now, the biggest focus area is, you know, on the build process, because this is probably where you generate the most amount of [unclear], and a part of which is focusing on, you know, how you make sure that you're getting the build provenance, and how do you, you know, maintain the version control and authentication of the build, and how every step can be auditable, and the integrity of the different steps, and probably the toughest recommendations, I'd say, making sure that the build is hermetic and it's reproducible.
So if you run it in a parallel build system, it will reproduce the same exact, you know, artifacts. So all those aspects are targeting the build environment and making sure that the build process by itself is secure and is not tampered with, which makes perfect sense. But we need to understand that just securing the build is not enough, right? And well, you can argue and say that when a developer is, you know, writing this code, it's probably inside the organization, whether it's, you know, inside, they're kind of connected to the network. When the code is running, it also can be tampered with, and there is also a place that can be changed and needs to be taken into consideration, and the purpose of this talk today is to really focus on these aspects, on how.
So when you talk about, you know, building blocks in the software supply chain, so one of the first items is the software bill of materials, right, or what's known as SBOM, and the reason why the SBOM generates so much interest, and a lot of you probably heard it a lot and in many places, is because it offers some transparency level into the executable that you're running. So if I'm getting the next executable and I'm running it, I have no idea what's coming in.
If I get the software bill of materials and I see all the different, you know, libraries and dependencies and everything which the code is built from, I get better visibility, I get better transparency into what I'm using, which, of course, is super important when there are some, you know, critical vulnerabilities. But even without it, we have some fact table of this software, and this is what an SBOM can provide. And why is it good? Because it gives you some indication of the maturity level of the security program of the software, the software state: is it maintained? Is it usable, supported, you know? Is it outdated or not? It also gives you very important information about the vulnerabilities level.
So vulnerabilities are based on packages, and if you get the full list of the packages you can see which one of them is vulnerable, and vulnerable to what. And also from a compliance perspective, there's the information about the licenses, the open source [licenses], which you can get yourself, or at least get the compliance fulfilled with understanding if all the packages you're using are compliant with the organization policies.
Now, SBOM has different formats, SPDX and CycloneDX, okay. SPDX is pushed by the Linux Foundation, CycloneDX by OWASP. While SPDX is more focused on the licenses view and seeing what licenses are being used, CycloneDX, in my opinion, is much more impressive. It's security oriented, so there's a lot of good security metadata in the SBOM that is produced with the CycloneDX format. So if you look at CVEs and exploitability and, you know, remedies, really very useful information. It also supports all the advanced programming languages.
You know, it's extensible, you can extend it. It's pretty [future] proof. It's really, at least in my opinion, a very impressive format that provides good, useful information. Now, generating an SBOM is typically something you do in your CI, okay, because this is where you produce your software, but generating an SBOM of your runtime environment has some significant advantages. I think probably all the audience recall the Log4j fire drill, and if you really want to get an accurate snapshot of all the effective CVEs and where in your environment you have, you know, critical items like Log4j, then it's really good to know what's running in your environment; also exploitation insights, right!
So just Log4j, everybody was, you know, rushing to replace it, but there are many places in which Log4j is not even exploitable, and then it was replacing and bringing down those services. So it's good to understand and to see the context of what runs where you have it. And also, if you want to get, again, good compliance to the policy, the open source policies that are in your organization, it's good to know what is running in your environment. And KubeClarity, this, like, beautiful icon, you know, on the top, is an open source tool that is coordinated and contributed to the community, that generates dynamic SBOMs in Kubernetes clusters.
Sorry for that, okay, so this is the KubeClarity dashboard. I run it in my Kubernetes cluster. So I have a simple cluster running on GKE; I deployed a few containers as a deployment. I use the Sock Shop demo application in order to get [something to scan], and I'm just running this, you know, this dashboard, which is connected to my cluster, doing a port forwarding from my cluster into this localhost.
In order to start seeing everything in the dashboard, you need to start a scan, so you can schedule the scan. You can select the namespace that you want, what namespaces in the cluster. You can see the whole list of the namespaces that you have in the cluster and you can select which of them. I select the default namespace and the sock-shop namespace. You can decide if you want the Docker CIS benchmark or not; we'll turn it off because now [we focus on] the SBOM part, and you can decide if you want to do [inaudible] or not. You click save, and then you can start scanning, and then immediately it will start scanning the environment.
Then you can filter everything based on those scans. Now, once we have this scanning, I already ran this scan before, you can see it. By the way, it's a very fast scanner. Just, you know, I already did it before, you get this: the dashboard starts populating, you're getting to see, you know, all the cumulative number of vulnerabilities, how many of them have fixes. You can see different packages per license, so I can show how many GPL licenses I have, MIT licenses, or if I want something else.
I can see the package breakdown based on programming languages. I can see how many applications I have, resources, packages, and here I can start playing with applications. I can start playing with the top vulnerable resources, or even the top vulnerable packages that they have, and it's sorted not by the count, but by the severity of the vulnerabilities. Then I can start going into the nice thing: I can start searching for vulnerabilities, you know, based on the package it exists in, or vice versa. I can look at the different packages that are there and try to find, you know, specific [ones]. You can see who's using those packages, and then I can again check all the different resources where I know they've been used, so it's very useful for me to get a... So this is KubeClarity. It's available on GitHub in the OpenClarity repo, where Cisco is, you know, contributing all the open source tools, the cloud native open source tools, and we'll be happy for people to start using it more and more.
So this is KubeClarity, and this allows you to address, you know, SBOM aspects in runtime. But let's talk about something else. So the SBOM is very important, but it's not enough. We also want to make sure there is code integrity. Code integrity, of course, means we want to make sure that the code isn't tampered with, isn't modified, isn't changed from when it was built, right, and it's not only in the build phase, but also beyond, because code can be tampered with: I can, if I have access to your registry, or if I have access to where you keep, where you store your [unclear], even if I have access to your cluster, I can tamper or change. It doesn't have to be Kubernetes; it can also be in your cloud account, it could be in virtual machines, and it could be your serverless functions. And the way the code signing works is, you know, you sign the code when you produce it with, you know, a cryptographic signature. Then part of it is, you know, the private key, or the private signature, is stored with the code and it's pushed to the registry together with the code, kind of as metadata that is pushed with the code, and then I have the public key, which is then used to validate. So in the validation phase I'm matching the private and the public and I can see if it matches, or if the code was tampered with and changed. Now, one of the more interesting things that I think exists today is Sigstore. Sigstore is an open source security framework that creates a new standard for signing and verifying software, and it really is open source where anyone can use it, and it really aims to increase the security level of software production. So it's part of the OpenSSF, the Open Source Security [Foundation].
And it's really a great contribution to the security of software in general, and one of the interesting things they introduced is the unique structure for keyless signing. So one of the challenges in keys, or the classical code signing, is that you have long-lasting keys that can get discovered, and you can then, you know, tamper with them, but when using keyless, this is a much safer approach. And then it's primarily focused on container images, and you can sign the image with cosign.
And then you can use any admission controller; so Sigstore has its own admission controller, but you can use any, you know, OPA or Kyverno, those are also admission controllers, and they can validate that only signed and verified images are being deployed in the cluster, which again is a great tool that provides a higher level [of control over] what is running in the cluster.
But here we want to discuss not just containers. We also want to discuss serverless functions, and while Sigstore is really focusing on containers, serverless functions are a larger security challenge, because, unlike containers, [which have a set] structure, there is no SHA. There is no hash that can be used in order to verify, and even if you try to do it, you know, different deployment frameworks have different ways of calculating, and different things they include in the zip file. So it's hard to get a unified standard, just like we have a SHA for an image, and even if there was like a unified hash, there's no validation, so we're still missing the validation option. Now, I'm saying still; talking about most of the clouds, AWS has their Code Signing, which, you know, is a great service. Code Signing allows you to sign functions. So once this function is uploaded, you can use the function, you can sign it.
You can add a signing profile that tells you what to do if something doesn't match, and then you can select which Lambda will get which profile, and then before the Lambda is executed, Code Signing verifies the function hash, that it was not changed. So this is great, but it's only post deployment, and remember, we want to make sure that the entire chain is covered, and it's slightly cumbersome or slightly hard to configure, and ideally we would like to have the same concept as Sigstore keyless signing also enabled for serverless functions.
So for that we created FunctionClarity, and again, it's an open source tool that we [contribute to] the community for serverless functions. It's extending the Sigstore concept also to serverless functions, so it allows users to sign the functions, which is great; I mean you can do it without it, but it, you know, adds the missing point of the validation of functions. You can really validate those functions in any cloud environment, and you can make sure that only functions which were not tampered with are being used in the cloud environment. Now...
How does it work? So when you write your serverless function, and after doing your testing, before making the deployment, we are inserting a step into your CI pipeline, and then we sign using cosign in order to sign the image. You can use it with a key pair, but you can see that with keyless, so you can create an identity, get an identity from Fulcio, use this identity, you know, upload an entity to Rekor, or, if you're using a key pair, then you can, you know, upload the public key to the cloud account. And then in every cloud account, when you want to install KubeClarity, there is like the infrastructure that first we need to listen to the events. We get the notification about an update or a change or a new function was created, which triggers a dedicated validating Lambda. So this Lambda, this one, either checks versus Rekor or, if you're using public [keys], you get the public key and verify it with the private key of the function, and then it allows you to perform actions.
So you decide if you want to get an alert, if you want to get a block, if you want to get notified, or on the consequent action post the validation. So if the function is validated and signed correctly, thumbs up, you can move ahead. If the function is not, or it's tampered with, then, you know, you can decide what you want to do with it. So this is FunctionClarity.
C: So what I'm going to show here in this demo is, first of all, the project is not yet released, so it's going to be published in several weeks, and what I'm going to show is how you can sign a piece of code in your own environment, and then after you sign it, what we actually do is we generate an identity for this code, and then we sign the identity and we upload the certificate or the signature, depending if it's a keyless solution or if you decided to use a key pair.
So yes, we upload the signed code into your cloud account; at the moment we support AWS, so this will also be the context of the demo, and I will show how I deploy two functions, one on top of the signed code and another one which is not signed, and then I will show how FunctionClarity is triggered, and then it realizes that the signed code is okay, but the function with the unsigned code was not verified by FunctionClarity, and in this case we have several options. I will show how we block the function, and we also send a notification; in the AWS context we send it to an SNS queue, and I did a cool integration where it will send me an email that will notify me that an unrecognized function tried to be created and it was blocked.
So what happens in keyless is that you are authenticating yourself using one of these three options. This is the way you claim to be who you are, and once you do that, we use the certificate that was produced from the Sigstore keyless project and we sign the code, and this is the certificate that signed the code, and it is registered somewhere at Rekor and Fulcio.
The other one is with the code which is not signed, and after I do that, now the functions are created at AWS. So this is a process that can take maybe a minute or two, where what we have in AWS, the solution is to use CloudTrail, that sends all the events to CloudWatch, and we send those log events into our own verifier Lambda, and once our Lambda is triggered, then it will process the function that was created and it will check if the function is verified.
It will take the function, it will download its code in this case, and it will sort of reverse engineer, create the identity, and then we'll seek for an appropriate certificate or a signature that the code was signed with, and if it finds it, it will try to open, of course, the signature using the signature or the certificate. And if it's successful, then we are okay, and if not, then there are several options here.
So, you know, [in a] minute we'll see if the events were already picked up by our Lambda, and then we can see the results, so.
In case the code is verified, we will, for example, add a tag to the function that states that the function was verified by FunctionClarity. And let's wait another minute, and in case it was not signed by us, then we will see that, in this case I chose to block the function; we'll see how the function is blocked from running, meaning in the case of AWS, it's throttling the function. Here, as you can see, the function is throttled, meaning we reduced its concurrency to zero, and you can see that now.
We see that we just tagged it and said: okay, this function was verified by FunctionClarity and it's okay; it's more informative. And now I can also do some cool stuff; for example, in the function, inside, if you try, for example, to just change the function at runtime, then an update function event should be triggered, and then again it would maybe take a minute or so, and then you can see how this function, now that we got the update function event, we do this process again.
We try to understand whether this code is signed by FunctionClarity, and if not, we will want to, in this case, since the user chose to block the function, we will block this one as well. So let's wait a minute or so, and if someone has questions in the meanwhile, then feel free to ask.
So how can you be notified? So we have several options of post-verification actions. One we have at the moment is detect, which means: let's tag the function. We have block, which states: let's block the function, and besides that we have the option to send a notification to a predefined queue, and from that point on the user can decide whatever he wants to do. He can integrate with this queue and do whatever you want in the case of, for example, an unverified function. I hope this answers the question.
So here you can see that now the function that was signed, the event was picked up, and now the function was stopped, and we had the relevant tags where that function is not signed, and you can see here that I got, of course, another event, now that the function is now blocked as well, [saying] that someone changed the code without signing it first. I see another question: does it work for images as well? So yes, the new thing we brought in this project is the code signature, but we also support image signature, which harnesses Sigstore cosign, and we use it to sign images as well. In the case of image signing, the signature of the signed image resides in the repository itself, where the image exists. So this is how Sigstore works when signing images.
B: Perfect. I was trying to talk, so I'm saying that's the end of our webinar. So I have no more slides; we'll be happy to go for questions. So I just want to summarize, I'll just try to summarize what, you know, what we saw. So we talked about, you know, generating runtime SBOMs; Shai also did a demo of how you create signatures, how you make sure your code integrity is not tampered with, and we showed it on serverless, which is a very special use case.
A: Nothing from me. Have we worked through... It looks like we have worked through all the questions in the chat. Does anyone have anything else to add?
B: Yes, absolutely, so definitely I would love to share here the OpenClarity, so follow our repo. FunctionClarity, KubeClarity is there; FunctionClarity is going to be there shortly, and we, of course, would love to get users to address it, you know, hear about it and hear this, you know, for sure [feedback on the] open source project would be great.
A: All right, let's see here, there is a question to address to the audience: does anyone have a requirement to expose their SBOM? Let me guess... anyone in the audience, feel free to respond to that in the chat.
B: No, I think, you know, we covered it. Thank you, Libby. Thank you, Shai. We do want to make sure that people are keeping their environment secure and, just, you know, using open source, free, simple tools that can keep them much more secure than before. That's all from my side. Anything from your side, Shai? Nope.
A: I really appreciate it. Well, like I said, this will all be up on the website shortly, and be sure to look for another webinar or online program from CNCF this week. Thank you everyone so much for joining us.