Natale Vinto

Open Source Secure Software Supply Chain in action

How can you trust the open-source code that makes up your application? This talk demonstrates a verifiable chain of trust using tools like Sigstore and Tekton.

Open Source Secure Software Supply Chain in action
#1about 2 minutes

Understanding the rising threat to software supply chains

The dramatic increase in supply chain attacks necessitates new security standards and government regulations to mitigate risk.

#2about 2 minutes

Exploring the core domains of supply chain security

Securing the supply chain involves understanding software composition with SBOMs, continuous scanning, content signing, and runtime policy enforcement.

#3about 5 minutes

Using open source tools to secure the entire SDLC

A suite of open source tools like Sigstore, Tecton, and Clair can be used to prevent malicious code, safeguard build systems, and monitor deployments.

#4about 2 minutes

Defining key standards and terminology in supply chain security

Understanding critical concepts like SALSA levels, CVEs, provenance, attestation, and SBOMs is essential for implementing robust security.

#5about 3 minutes

Building a secure and opinionated CI/CD pipeline

A secure pipeline can be constructed using Tecton for SALSA compliance and Sigstore for keyless signing of commits and artifacts.

#6about 4 minutes

Comparing a generic vs a security-augmented workflow

A security-augmented workflow integrates checks like local dependency scanning, commit signature verification, and SALSA compliance into the standard development process.

#7about 4 minutes

Demo: Initiating a secure code update for an application

The demonstration begins by scaffolding a microservice from a secure software template and making a code change to update inventory.

#8about 3 minutes

Demo: Scanning and remediating vulnerabilities locally in the IDE

Using an IDE extension, transitive dependencies are scanned for vulnerabilities, which are then fixed by updating the framework and base image versions.

#9about 4 minutes

Demo: Triggering the secure pipeline with a keyless signed commit

The developer uses keyless signing with an OIDC provider to sign the commit, which automatically triggers a secure pipeline that verifies the signature and generates an SBOM.

#10about 3 minutes

Demo: Verifying deployment and monitoring runtime security

The demo concludes by showing the successfully deployed application and using a security dashboard to check for runtime policy violations and visualize network traffic.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Mitigating supply chain attacks with DevSecOps practices
04:45 MIN

Mitigating supply chain attacks with DevSecOps practices

Security Pitfalls for Software Engineers

Implementing and enforcing supply chain policies
02:25 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Building a foundation for pipeline security
03:50 MIN

Building a foundation for pipeline security

Walking into the era of Supply Chain Risks

Taking responsibility for your software supply chain
10:01 MIN

Taking responsibility for your software supply chain

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Understanding the risks of the modern software supply chain
06:19 MIN

Understanding the risks of the modern software supply chain

Overcome your trust issues! In a world of fake data, Data Provenance FTW

How Codespaces improves open source and security
04:33 MIN

How Codespaces improves open source and security

How we will build the software of tomorrow

The scale and challenge of securing open source
04:14 MIN

The scale and challenge of securing open source

How GitHub secures open source

Defining the modern software supply chain
02:53 MIN

Defining the modern software supply chain

Securing your application software supply-chain

Featured Partners

Related Videos

See all videos
Securing your application software supply-chain
28:27

Securing your application software supply-chain

Niels Tanis

Overcome your trust issues! In a world of fake data, Data Provenance FTW
26:41

Overcome your trust issues! In a world of fake data, Data Provenance FTW

Jon Geater

DevSecOps culture
16:00

DevSecOps culture

Ali Yazdani

Organizational Change Through The Power Of Why - DevSecOps Enablement
26:50

Organizational Change Through The Power Of Why - DevSecOps Enablement

Nazneen Rupawalla

Stranger Danger: Your Java Attack Surface Just Got Bigger
1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Securing Secrets in the GitOps era
58:57

Securing Secrets in the GitOps era

Alex Soto

Supply Chain Security and the Real World: Lessons From Incidents
24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

How GitHub secures open source
25:28

How GitHub secures open source

Joseph Katsioloudes

Related Articles

View all articles
Benedikt Bischof
Walking Into The Era of Supply Chain Risks
Welcome to this issue of the WeAreDevelopers Live Talk series. This article recaps an interesting talk by Vandana Verma who introduced the audience interesting topic of supply chain risks.About the Speaker:Vandana is Security Solutions Architect at S...
Walking Into The Era of Supply Chain Risks
Chris Heilmann
Dev Digest 131 - AI'm not sure about OSS
News and ArticlesRust and Typescript are rising stars in programming languages 2024 survey, the State of CSS 2024 survey is open and here is what's new in ECMAScript.In security news, a Microsoft update bricks Linux dual-boot systems, they patched a ...
Dev Digest 131 - AI'm not sure about OSS

From learning to earning

Jobs that call for the skills explored in this talk.

DevOps Engineer

DevOps Engineer

Bitpanda
Vienna, Austria

Senior
Linux
Docker
Terraform
Amazon Web Services (AWS)