Strengthening Trust from Code to Deployment: Recap of Our Software Supply Chain Security Workshop

Last Friday, we had the pleasure of hosting a hands-on workshop on one of the most pressing concerns in modern software development: software supply chain security. With Red Hat’s Manuel Schindler, VSHN’s Aarno Aukia, and Thomas Philipona from Tim&Koko, participants explored the why and how of building trust in modern development pipelines.

Why Software Supply Chain Security Matters

The session began with an engaging introduction by Thomas Philipona, Co-founder of Tim&Koko, who brought the topic to life with a relatable analogy: preparing a meal. Just as a chef needs clean tools, fresh ingredients, and trusted assistants to create a safe and tasty dish, software teams need verified code, secure infrastructure, and transparent processes to build and deploy trustworthy applications.

This framing helped participants grasp the core risks: today’s complex development workflows, heavy use of third-party dependencies, and automated build systems can all be vulnerable to tampering or supply chain attacks, often with catastrophic consequences.

Turning the Supply Chain into a Trusted One

Following the introduction, Manuel Schindler (Red Hat) took over to dive into the tools and techniques that make up a Trusted Software Supply Chain. He outlined key practices and standards to reduce risk, increase visibility, and enforce integrity:

  • Software Bill of Materials (SBOM): A detailed inventory of every component in your software, enabling traceability and vulnerability tracking.
  • SLSA (Supply-chain Levels for Software Artifacts): A framework for securing build pipelines, from provenance tracking to tamper-resistant builds.
  • Artifact signing and attestation: Verifying that software components are authentic and unchanged.
  • Immutable infrastructure and secure artifact repositories: Locking down production environments to prevent post-deploy tampering.
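To make the provenance and attestation bullets concrete, here is an added example (not from the workshop, Red Hat's Trusted Artifact Signer, or any of the tools named on this page) that builds an in-toto Statement carrying a SLSA v1 provenance predicate and then verifies it the way a deployment gate would: signature first, then that the artifact's digest is a listed subject, then that the builder identity is one we trust. The HMAC key, the artifact bytes and the builder URL are constructed stand-ins; real pipelines use public-key signatures (e.g. Sigstore), but the checks are the same.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not from the page).
ARTIFACT = b"constructed-container-layer-bytes"
TRUSTED_BUILDER = "https://builder.example.invalid/openshift-pipelines"
# Stand-in for the signer's key; production uses asymmetric keys, not a shared secret.
SIGNING_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_statement(artifact: bytes, builder_id: str) -> dict:
    """Build an in-toto Statement whose predicate is SLSA v1 provenance."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app-image", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }

def sign(statement: dict) -> dict:
    """Serialise deterministically and attach a MAC over the exact bytes verified later."""
    payload = json.dumps(statement, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()}

def verify(envelope: dict, artifact: bytes) -> tuple[bool, str]:
    """Return (ok, reason): signature, digest binding and builder identity must all hold."""
    expected = hmac.new(SIGNING_KEY, envelope["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "signature mismatch"          # payload altered after signing
    stmt = json.loads(envelope["payload"])
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not a SLSA provenance attestation"
    digests = {s["digest"].get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(artifact) not in digests:
        return False, "artifact digest not covered by attestation"  # wrong or tampered artifact
    builder = stmt["predicate"]["runDetails"]["builder"]["id"]
    if builder != TRUSTED_BUILDER:
        return False, f"untrusted builder {builder}"  # valid signature, but not our pipeline
    return True, "ok"

if __name__ == "__main__":
    env = sign(make_statement(ARTIFACT, TRUSTED_BUILDER))
    print(verify(env, ARTIFACT))                     # (True, 'ok')
    print(verify(env, ARTIFACT + b"x"))              # digest no longer matches
```

Note that a valid signature alone is not enough: the gate also has to pin which builder identities it accepts, otherwise any correctly signed provenance from an unknown pipeline would pass.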

From Theory to Practice

The hands-on portion of the workshop showcased how Red Hat’s Trusted Software Supply Chain toolset brings these concepts into action. Attendees were guided through a real-world DevSecOps pipeline integrating:

  • Red Hat OpenShift Pipelines & GitOps
  • Red Hat Quay & Advanced Cluster Security
  • Trusted Artifact Signer, Dependency Analytics, and Profile Analyzer
  • Automated generation of SBOMs and SLSA-compliant metadata

A live demo walked participants through the full lifecycle of securely integrating third-party software components — from scanning and signing to deployment with full traceability.

Looking Ahead

As software ecosystems grow increasingly interconnected, establishing trust across the entire software lifecycle is no longer optional. We’re proud to have facilitated this session with expert contributions from Tim&Koko, Red Hat, and VSHN, and to empower teams to take practical steps toward supply chain resilience.

Contact us for help applying these principles in your environment, to dive deeper, or to get a copy of the presentation.
