Adrian Mouat

Supply Chain Security and the Real World: Lessons From Incidents

One leaked secret in a Docker image compromised thousands of CI/CD pipelines. This talk dissects real-world breaches to show you how to truly secure your supply chain.

Supply Chain Security and the Real World: Lessons From Incidents
#1about 6 minutes

Moving beyond abstract security metaphors and vague advice

Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.

#2about 3 minutes

Analyzing the Codecov breach and its attack vector

The Codecov breach occurred when a secret in a Docker image led to a modified script that exfiltrated CI/CD environment variables.

#3about 5 minutes

Securing Docker builds and verifying script downloads

Prevent secret leaks in Dockerfiles by using the `--secret` flag and always verify downloaded scripts with checksums or GPG signatures.

#4about 2 minutes

The risks of storing secrets in environment variables

Storing secrets in environment variables makes them easy to exfiltrate, so prefer identity federation, secret managers, or temporary files instead.

#5about 5 minutes

Deconstructing the `changed-files` GitHub Action attack

A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.

#6about 2 minutes

Hardening GitHub repositories and pinning dependencies

Mitigate attacks by enforcing commit signing, restricting tag updates, and pinning GitHub Actions to a specific content digest.

#7about 2 minutes

Replacing long-lived credentials with short-lived tokens

Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.

#8about 1 minute

Summary of actionable supply chain security advice

A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Mitigating supply chain attacks with DevSecOps practices
04:45 MIN

Mitigating supply chain attacks with DevSecOps practices

Security Pitfalls for Software Engineers

Understanding the rising threat to software supply chains
01:46 MIN

Understanding the rising threat to software supply chains

Open Source Secure Software Supply Chain in action

Key takeaways and next steps for securing your supply chain
02:33 MIN

Key takeaways and next steps for securing your supply chain

Securing your application software supply-chain

Securing container images and the software supply chain
01:52 MIN

Securing container images and the software supply chain

Security Challenges of Breaking A Monolith

Exploring the core domains of supply chain security
01:31 MIN

Exploring the core domains of supply chain security

Open Source Secure Software Supply Chain in action

Learning from the SolarWinds supply chain attack
01:25 MIN

Learning from the SolarWinds supply chain attack

Securing your application software supply-chain

Implementing and enforcing supply chain policies
02:25 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Taking action on NPM supply chain security vulnerabilities
05:36 MIN

Taking action on NPM supply chain security vulnerabilities

WeAreDevelopers LIVE - Build a multi AI agents game master with Strands & our weekly web finds

Featured Partners

Related Videos

See all videos
Real-World Security for Busy Developers
29:50

Real-World Security for Busy Developers

Kevin Lewis

Securing your application software supply-chain
28:27

Securing your application software supply-chain

Niels Tanis

How GitHub secures open source
25:28

How GitHub secures open source

Joseph Katsioloudes

How your .NET software supply chain is open to attack : and how to fix it
28:45

How your .NET software supply chain is open to attack : and how to fix it

Andrei Epure

Open Source Secure Software Supply Chain in action
32:55

Open Source Secure Software Supply Chain in action

Natale Vinto

Security Pitfalls for Software Engineers
27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Simple Steps to Kill DevSec without Giving Up on Security
21:53

Simple Steps to Kill DevSec without Giving Up on Security

Isaac Evans

Walking into the era of Supply Chain Risks
37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Related Articles

View all articles
Benedikt Bischof
Walking Into The Era of Supply Chain Risks
Welcome to this issue of the WeAreDevelopers Live Talk series. This article recaps an interesting talk by Vandana Verma who introduced the audience interesting topic of supply chain risks.About the Speaker:Vandana is Security Solutions Architect at S...
Walking Into The Era of Supply Chain Risks
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
Chris Heilmann
Dev Digest 134 - Where pixels sing?
News and ArticlesWeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to t...
Dev Digest 134 - Where pixels sing?

From learning to earning

Jobs that call for the skills explored in this talk.