Natale Vinto

Open Source Secure Software Supply Chain in action

How can you trust the open-source code that makes up your application? This talk demonstrates a verifiable chain of trust using tools like Sigstore and Tekton.

#1: about 2 minutes

Understanding the rising threat to software supply chains

The dramatic increase in supply chain attacks necessitates new security standards and government regulations to mitigate risk.

#2: about 2 minutes

Exploring the core domains of supply chain security

Securing the supply chain involves understanding software composition with SBOMs, continuous scanning, content signing, and runtime policy enforcement.

#3: about 5 minutes

Using open source tools to secure the entire SDLC

A suite of open source tools like Sigstore, Tekton, and Clair can be used to prevent malicious code, safeguard build systems, and monitor deployments.

#4: about 2 minutes

Defining key standards and terminology in supply chain security

Understanding critical concepts like SLSA levels, CVEs, provenance, attestation, and SBOMs is essential for implementing robust security.

#5: about 3 minutes

Building a secure and opinionated CI/CD pipeline

A secure pipeline can be constructed using Tekton for SLSA compliance and Sigstore for keyless signing of commits and artifacts.

#6: about 4 minutes

Comparing a generic vs a security-augmented workflow

A security-augmented workflow integrates checks like local dependency scanning, commit signature verification, and SLSA compliance into the standard development process.

#7: about 4 minutes

Demo: Initiating a secure code update for an application

The demonstration begins by scaffolding a microservice from a secure software template and making a code change to update inventory.

#8: about 3 minutes

Demo: Scanning and remediating vulnerabilities locally in the IDE

Using an IDE extension, transitive dependencies are scanned for vulnerabilities, which are then fixed by updating the framework and base image versions.

#9: about 4 minutes

Demo: Triggering the secure pipeline with a keyless signed commit

The developer uses keyless signing with an OIDC provider to sign the commit, which automatically triggers a secure pipeline that verifies the signature and generates an SBOM.

#10: about 3 minutes

Demo: Verifying deployment and monitoring runtime security

The demo concludes by showing the successfully deployed application and using a security dashboard to check for runtime policy violations and visualize network traffic.
