Adrian Mouat
Supply Chain Security and the Real World: Lessons From Incidents
#1about 6 minutes
Moving beyond abstract security metaphors and vague advice
Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.
#2about 3 minutes
Analyzing the Codecov breach and its attack vector
The Codecov breach occurred when a secret in a Docker image led to a modified script that exfiltrated CI/CD environment variables.
#3about 5 minutes
Securing Docker builds and verifying script downloads
Prevent secret leaks in Dockerfiles by using the `--secret` flag and always verify downloaded scripts with checksums or GPG signatures.
#4about 2 minutes
The risks of storing secrets in environment variables
Storing secrets in environment variables makes them easy to exfiltrate, so prefer identity federation, secret managers, or temporary files instead.
#5about 5 minutes
Deconstructing the `changed-files` GitHub Action attack
A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.
#6about 2 minutes
Hardening GitHub repositories and pinning dependencies
Mitigate attacks by enforcing commit signing, restricting tag updates, and pinning GitHub Actions to a specific content digest.
#7about 2 minutes
Replacing long-lived credentials with short-lived tokens
Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.
#8about 1 minute
Summary of actionable supply chain security advice
A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
01:00 MIN
Understanding the rising threat to software supply chains
Open Source Secure Software Supply Chain in action
25:54 MIN
Key takeaways and next steps for securing your supply chain
Securing your application software supply-chain
02:46 MIN
Exploring the core domains of supply chain security
Open Source Secure Software Supply Chain in action
04:05 MIN
Learning from the SolarWinds supply chain attack
Securing your application software supply-chain
23:29 MIN
Implementing and enforcing supply chain policies
Securing your application software supply-chain
06:06 MIN
Why Dockerfile security is a critical foundation
A practical guide to writing secure Dockerfiles
08:33 MIN
Preventing leaked secrets and managing dependencies
How GitHub secures open source
09:08 MIN
Defining key standards and terminology in supply chain security
Open Source Secure Software Supply Chain in action
Featured Partners
Related Videos
29:50Real-World Security for Busy Developers
Kevin Lewis
28:27Securing your application software supply-chain
Niels Tanis
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
25:28How GitHub secures open source
Joseph Katsioloudes
28:45How your .NET software supply chain is open to attack : and how to fix it
Andrei Epure
21:53Simple Steps to Kill DevSec without Giving Up on Security
Isaac Evans
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
37:36Walking into the era of Supply Chain Risks
Vandana Verma
From learning to earning
Jobs that call for the skills explored in this talk.
DevOps Engineer – Kubernetes & Cloud (m/w/d)
epostbox epb GmbH
Berlin, Germany
Intermediate
Senior
DevOps
Kubernetes
Cloud (AWS/Google/Azure)
DevOps Engineer - Cloud and On-Prem Infrastructure
Cyber Insight GmbH
€57-66K
Intermediate
Ceph
Azure
Linux
DevOps
+9