Adrian Mouat
Supply Chain Security and the Real World: Lessons From Incidents
#1 (about 6 minutes)
Moving beyond abstract security metaphors and vague advice
Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.
#2 (about 3 minutes)
Analyzing the Codecov breach and its attack vector
The Codecov breach began with a credential leaked in a Docker image layer; attackers used it to modify the Bash Uploader script so that it exfiltrated the environment variables of every CI/CD job that ran it.
#3 (about 5 minutes)
Securing Docker builds and verifying script downloads
Prevent secret leaks from Dockerfiles by passing build-time secrets with `docker build --secret` (consumed via `RUN --mount=type=secret`) instead of copying them into a layer, and always verify downloaded scripts against a pinned checksum or GPG signature before running them.
#4 (about 2 minutes)
The risks of storing secrets in environment variables
Storing secrets in environment variables makes them easy to exfiltrate, since any process in the job can read all of them at once; prefer identity federation, a secret manager, or a temporary file scoped to the step that needs it.
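The two defences from chapters 3 and 4 as one added shell example (not code from the talk or from Codecov): a script is downloaded, checked against a SHA-256 pinned in the repository, and only then executed, and a Dockerfile pair contrasts a token copied into an image layer with the same token mounted as a tmpfs file for a single `RUN` step. The `node:20-alpine` base, the `.npmrc` token file and the `install.sh` sample are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not code from the talk): verify a downloaded script against
# a SHA-256 pinned in the repository before it may run, and a Dockerfile pair
# contrasting a token copied into an image layer with the same token mounted
# as a tmpfs file for a single RUN step via BuildKit.
set -eu

# Portable digest: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_file PATH EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
# EXPECTED must come from a channel the download server does not control:
# a value committed to the repo after someone checked the vendor's signed
# release, not a checksum fetched next to the script at the same moment.
verify_file() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "digest mismatch for $1: got $actual, pinned $2" >&2
    return 1
  fi
  return 0
}

# run_verified PATH EXPECTED_SHA256
# Runs the script only if verify_file succeeds; on mismatch nothing executes,
# which is the whole difference from `curl ... | bash`.
run_verified() {
  verify_file "$1" "$2" || return 1
  bash "$1"
}

# fetch_verify_run URL EXPECTED_SHA256
# Network-facing wrapper (not exercised by the sample run): download to a
# temp file, then hand it to run_verified. Never pipe curl straight into bash.
fetch_verify_run() {
  tmp=$(mktemp)
  curl -fsSL "$1" -o "$tmp"
  if run_verified "$tmp" "$2"; then status=0; else status=$?; fi
  rm -f "$tmp"
  return $status
}

# write_dockerfiles DIR
# Constructed samples (node:20-alpine and .npmrc are assumptions, not from the
# talk). Dockerfile.leaky copies the token file and deletes it in a later
# layer, but the layer that added it stays in the image and is readable with
# `docker history` / `docker save`. Dockerfile mounts the same file only while
# `npm ci` runs, so no layer and no environment variable ever contains it.
write_dockerfiles() {
  cat > "$1/Dockerfile.leaky" <<'EOF'
FROM node:20-alpine
WORKDIR /app
COPY package.json package-lock.json ./
# The token now lives in this layer for the lifetime of the image.
COPY .npmrc /root/.npmrc
# rm only hides the file from the final filesystem, not from the layer above.
RUN npm ci && rm /root/.npmrc
COPY . .
EOF
  cat > "$1/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM node:20-alpine
WORKDIR /app
COPY package.json package-lock.json ./
# The secret is a tmpfs file at /root/.npmrc for this step only.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
EOF
}

# build_command DIR -> the docker build invocation that supplies the secret
# from a file on the build host (BuildKit, the default builder since Docker 23).
build_command() {
  printf 'docker build --secret id=npmrc,src=%s/.npmrc -t app %s\n' "${HOME:-.}" "$1"
}
```

The pinned digest lives in the repository next to the workflow that uses it, so a changed upstream script fails the build loudly instead of running; updating the pin is a reviewed commit, which is exactly the gate the Codecov uploader lacked.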
#5 (about 5 minutes)
Deconstructing the `changed-files` GitHub Action attack
A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.
#6 (about 2 minutes)
Hardening GitHub repositories and pinning dependencies
Mitigate attacks by enforcing commit signing, restricting who can move or recreate tags, and pinning GitHub Actions to a full commit SHA (a content digest) rather than a mutable tag such as `v4`.
#7 (about 2 minutes)
Replacing long-lived credentials with short-lived tokens
Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.
#8 (about 1 minute)
Summary of actionable supply chain security advice
A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.
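The pinning advice from chapter 6 and the short-lived-credential advice from chapter 7, as one added shell example (not code from the talk): a lint that lists every `uses:` reference in a workflow not pinned to an immutable digest, a helper that resolves a tag to the commit SHA to pin instead, and a constructed before/after workflow pair in which the "after" file pins each action and mints a temporary cloud credential through OIDC. The all-zero SHAs, the `aws-actions/configure-aws-credentials` step, the account id `123456789012` and the `ci-deploy` role are placeholders and assumptions, not values from the talk.

```shell
#!/bin/sh
# Added example (not code from the talk): lint unpinned `uses:` references,
# resolve a tag to the commit SHA to pin, and a before/after workflow pair
# showing SHA pinning plus the OIDC permission that replaces a static key.
set -eu

# unpinned_uses FILE
# Prints each `uses:` ref whose version part is neither a 40-hex commit SHA
# nor a sha256: image digest. Tags and branches (v4, main) are mutable:
# whoever controls the repo, or steals a maintainer token, can point them at
# new code, which is what happened to tj-actions/changed-files. Local actions
# (./path) are skipped; they are already part of the commit being built.
unpinned_uses() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | tr -d "\"'" \
    | while IFS= read -r ref; do
        case $ref in ./*) continue ;; esac
        version=${ref##*@}
        if [ "$version" = "$ref" ] \
           || ! printf '%s' "$version" | grep -Eq '^([0-9a-f]{40}|sha256:[0-9a-f]{64})$'; then
          printf '%s\n' "$ref"
        fi
      done
}

# resolve_tag OWNER/REPO TAG -> the commit SHA the tag points at right now.
# Needs network, so it is not run by the sample below. Both the tag and its
# peeled form are requested so an annotated tag resolves to the commit rather
# than the tag object; the last line printed is the peeled one when present.
resolve_tag() {
  git ls-remote --tags "https://github.com/$1" "refs/tags/$2" "refs/tags/$2^{}" \
    | tail -n 1 | cut -f1
}

# write_workflows DIR
# Constructed sample pair (not a real project). before.yml uses mutable tags
# and hands a long-lived cloud key to a step through environment variables;
# after.yml pins every action to a commit SHA and lets the job exchange a
# GitHub OIDC token for temporary credentials. The all-zero SHAs are
# placeholders to replace with resolve_tag output; the AWS account, role and
# region are placeholders too.
write_workflows() {
  cat > "$1/before.yml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/lint
      - run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
EOF
  cat > "$1/after.yml" <<'EOF'
name: ci
on: [pull_request]
permissions:
  contents: read
  id-token: write   # lets this job request an OIDC token from GitHub
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x, placeholder SHA
      - uses: tj-actions/changed-files@0000000000000000000000000000000000000000 # v45.x, placeholder SHA
      - uses: ./.github/actions/lint
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy   # placeholder role
          aws-region: eu-west-1
      - run: ./deploy.sh   # uses the temporary credentials exported by the step above
EOF
}
```

Run `unpinned_uses .github/workflows/*.yml` in CI and fail the job on any output; keep the human-readable version as a trailing comment after the SHA so reviewers and tools such as Dependabot can still tell what version is pinned. In the "after" workflow the job holds no stored cloud key at all: the credentials it receives expire after the session, so stealing them in a later attack of the `changed-files` kind yields a token that is already dead.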