Niels Tanis
Securing your application software supply-chain
#1about 3 minutes
Defining the modern software supply chain
The modern software supply chain encompasses all steps from source code to deployment, growing in complexity with cloud-native development.
#2about 1 minute
Learning from the SolarWinds supply chain attack
The SolarWinds incident serves as a key example of a supply chain attack where a compromised build server injected malicious code into a signed product.
#3about 3 minutes
Securing developer access and development tools
Protect source code access by implementing multi-factor authentication and git commit signing, while also considering the security risks within your IDE's own supply chain.
#4about 5 minutes
Managing risks from third-party libraries
Mitigate risks from third-party dependencies by addressing vulnerabilities, preventing dependency confusion, and using tools like OpenSSF Security Scorecards to assess package health.
#5about 3 minutes
Ensuring integrity with reproducible builds and signing
Create verifiable software by implementing reproducible builds and using tools like Sigstore and Cosine for keyless signing of artifacts like Docker images.
#6about 4 minutes
Creating a software bill of materials (SBOM)
A Software Bill of Materials (SBOM) acts like a parts list for your software, enabling you to track all components using tools like CycloneDX and Syft.
#7about 3 minutes
Adopting the SLSA framework for supply chain maturity
The SLSA framework provides a maturity model with incremental levels to help organizations progressively secure their software supply chain.
#8about 2 minutes
Implementing and enforcing supply chain policies
Apply supply chain security in practice with validation pipelines like SolarWinds' Project Trebuchet and enforce policies using tools like Kyverno and Google's Binary Authorization.
#9about 3 minutes
Key takeaways and next steps for securing your supply chain
The key to securing your supply chain is to be aware of its complexity, integrate security from the start, and begin by generating and eventually ingesting SBOM data.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
02:46 MIN
Exploring the core domains of supply chain security
Open Source Secure Software Supply Chain in action
01:00 MIN
Understanding the rising threat to software supply chains
Open Source Secure Software Supply Chain in action
09:08 MIN
Defining key standards and terminology in supply chain security
Open Source Secure Software Supply Chain in action
04:17 MIN
Using open source tools to secure the entire SDLC
Open Source Secure Software Supply Chain in action
00:09 MIN
Understanding software supply chain security in JavaScript
Oops! Stories of supply chain shenanigans
11:29 MIN
Building a secure and opinionated CI/CD pipeline
Open Source Secure Software Supply Chain in action
10:26 MIN
Mitigating supply chain attacks with DevSecOps practices
Security Pitfalls for Software Engineers
32:54 MIN
Taking responsibility for your software supply chain
Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
Featured Partners
Related Videos
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
28:45How your .NET software supply chain is open to attack : and how to fix it
Andrei Epure
25:48Reviewing 3rd party library security easily using OpenSSF Scorecard
Niels Tanis
26:41Overcome your trust issues! In a world of fake data, Data Provenance FTW
Jon Geater
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
37:36Walking into the era of Supply Chain Risks
Vandana Verma
25:28How GitHub secures open source
Joseph Katsioloudes
From learning to earning
Jobs that call for the skills explored in this talk.
Implementing DevOps Solutions and Practices using Cisco Platforms Schulung (DEVOPS)
Incas Gmbh
GIT
Bash
Linux
DevOps
Python
+3
Security Engineer - Scrum Master
SD Worx Staffing Solutions
Senior
Scrum
DevOps
Python
Powershell
Data analysis