The modern software supply chain encompasses all steps from source code to deployment, growing in complexity with cloud-native development.
The SolarWinds incident serves as a key example of a supply chain attack where a compromised build server injected malicious code into a signed product.
Protect source code access by implementing multi-factor authentication and git commit signing, while also considering the security risks within your IDE's own supply chain.
Mitigate risks from third-party dependencies by addressing vulnerabilities, preventing dependency confusion, and using tools like OpenSSF Security Scorecards to assess package health.
Create verifiable software by implementing reproducible builds and using tools like Sigstore and Cosine for keyless signing of artifacts like Docker images.
A Software Bill of Materials (SBOM) acts like a parts list for your software, enabling you to track all components using tools like CycloneDX and Syft.
The SLSA framework provides a maturity model with incremental levels to help organizations progressively secure their software supply chain.
Apply supply chain security in practice with validation pipelines like SolarWinds' Project Trebuchet and enforce policies using tools like Kyverno and Google's Binary Authorization.
The key to securing your supply chain is to be aware of its complexity, integrate security from the start, and begin by generating and eventually ingesting SBOM data.
32:55Natale Vinto
26:41Jon Geater
16:00Ali Yazdani
51:41Panel Discussion
26:50Nazneen Rupawalla
24:47Adrian Mouat
28:45Andrei Epure
25:48Niels Tanis
.gif?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
NTT DATA Deutschland GmbH
NTT DATA Deutschland GmbH
Siemens AG