Adrian Mouat
Supply Chain Security and the Real World: Lessons From Incidents
#1about 6 minutes
Moving beyond abstract security metaphors and vague advice
Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.
#2about 3 minutes
Analyzing the Codecov breach and its attack vector
The Codecov breach occurred when a secret in a Docker image led to a modified script that exfiltrated CI/CD environment variables.
#3about 5 minutes
Securing Docker builds and verifying script downloads
Prevent secret leaks in Dockerfiles by using the `--secret` flag and always verify downloaded scripts with checksums or GPG signatures.
#4about 2 minutes
The risks of storing secrets in environment variables
Storing secrets in environment variables makes them easy to exfiltrate, so prefer identity federation, secret managers, or temporary files instead.
#5about 5 minutes
Deconstructing the `changed-files` GitHub Action attack
A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.
#6about 2 minutes
Hardening GitHub repositories and pinning dependencies
Mitigate attacks by enforcing commit signing, restricting tag updates, and pinning GitHub Actions to a specific content digest.
#7about 2 minutes
Replacing long-lived credentials with short-lived tokens
Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.
#8about 1 minute
Summary of actionable supply chain security advice
A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
10:26 MIN
Mitigating supply chain attacks with DevSecOps practices
Security Pitfalls for Software Engineers
01:00 MIN
Understanding the rising threat to software supply chains
Open Source Secure Software Supply Chain in action
25:54 MIN
Key takeaways and next steps for securing your supply chain
Securing your application software supply-chain
09:22 MIN
Securing container images and the software supply chain
Security Challenges of Breaking A Monolith
02:46 MIN
Exploring the core domains of supply chain security
Open Source Secure Software Supply Chain in action
04:05 MIN
Learning from the SolarWinds supply chain attack
Securing your application software supply-chain
23:29 MIN
Implementing and enforcing supply chain policies
Securing your application software supply-chain
19:31 MIN
Taking action on NPM supply chain security vulnerabilities
WeAreDevelopers LIVE - Build a multi AI agents game master with Strands & our weekly web finds
Featured Partners
Related Videos
29:50Real-World Security for Busy Developers
Kevin Lewis
28:27Securing your application software supply-chain
Niels Tanis
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
25:28How GitHub secures open source
Joseph Katsioloudes
28:45How your .NET software supply chain is open to attack : and how to fix it
Andrei Epure
21:53Simple Steps to Kill DevSec without Giving Up on Security
Isaac Evans
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
16:00DevSecOps culture
Ali Yazdani
Related Articles
View all articles.gif?w=240&auto=compress,format)
.png?w=240&auto=compress,format)
From learning to earning
Jobs that call for the skills explored in this talk.
DevSecOps Engineer Jr-Mid | Remote | *Attention - developers with a passion for security*
Punk Security Ltd.
Remote
€30-40K
Junior
Docker
Node.js
Kubernetes
+1
DevOps Security Engineer with Golang Development Focus
SAP AG
Sankt Leon-Rot, Germany
Junior
DevOps
Puppet
Docker
Ansible
Terraform
+2