ContainerSecurity Logo
DKS
EventsBeyond SBOMs: The Future of Container Supply Chain Security

Beyond SBOMs: The Future of Container Supply Chain Security

When a single phished NPM maintainer led to 18 compromised libraries—including Chalk and Debug, downloaded billions of times weekly—it proved one thing: SBOMs alone aren’t enough. In this talk, I explore how modern supply-chain attacks unfold and how the next generation of tools—attestations, provenance, and signing—can prevent a repeat of the September 2025 NPM breach.

Invite Me to Speak
Beyond SBOMs: The Future of Container Supply Chain Security

Talk Deliveries

DevOpsDays Zurich 2026

May 6, 2026
Zurich, Switzerland
Details

How modern supply-chain attacks unfold and how the next generation of tools—attestations, provenance, and signing—can prevent a repeat of the 2025 NPM breach.

Key Takeaways

  • 🧠 Understand how the 2025 NPM supply-chain attack happened—and why traditional SBOMs couldn’t stop it.
  • 📦 Pin & lock dependencies to prevent malicious updates from sneaking in.
  • 🧱 Generate, sign, and verify attestations using Docker Scout + Cosign + Rekor.
  • 🔒 Adopt zero-trust build pipelines with SLSA levels + OCI 1.1 referrers.
  • 🧰 Defend proactively with seven practical strategies: block lifecycle scripts, use hardware keys, and continuously scan with Snyk / Trivy / Scout.
  • 🚀 Turn compliance into confidence by making your entire container lifecycle verifiable.