Niels Tanis

Securing your application software supply-chain

Is your software supply chain your weakest link? Learn to defend against attacks with modern tools for code signing, provenance, and policy enforcement.

Securing your application software supply-chain
#1about 3 minutes

Defining the modern software supply chain

The modern software supply chain encompasses all steps from source code to deployment, growing in complexity with cloud-native development.

#2about 1 minute

Learning from the SolarWinds supply chain attack

The SolarWinds incident serves as a key example of a supply chain attack where a compromised build server injected malicious code into a signed product.

#3about 3 minutes

Securing developer access and development tools

Protect source code access by implementing multi-factor authentication and git commit signing, while also considering the security risks within your IDE's own supply chain.

#4about 5 minutes

Managing risks from third-party libraries

Mitigate risks from third-party dependencies by addressing vulnerabilities, preventing dependency confusion, and using tools like OpenSSF Security Scorecards to assess package health.

#5about 3 minutes

Ensuring integrity with reproducible builds and signing

Create verifiable software by implementing reproducible builds and using tools like Sigstore and Cosine for keyless signing of artifacts like Docker images.

#6about 4 minutes

Creating a software bill of materials (SBOM)

A Software Bill of Materials (SBOM) acts like a parts list for your software, enabling you to track all components using tools like CycloneDX and Syft.

#7about 3 minutes

Adopting the SLSA framework for supply chain maturity

The SLSA framework provides a maturity model with incremental levels to help organizations progressively secure their software supply chain.

#8about 2 minutes

Implementing and enforcing supply chain policies

Apply supply chain security in practice with validation pipelines like SolarWinds' Project Trebuchet and enforce policies using tools like Kyverno and Google's Binary Authorization.

#9about 3 minutes

Key takeaways and next steps for securing your supply chain

The key to securing your supply chain is to be aware of its complexity, integrate security from the start, and begin by generating and eventually ingesting SBOM data.

Related jobs
Jobs that call for the skills explored in this talk.

d

Saby Company
Delebio, Italy

Junior

job ad

Saby Company
Delebio, Italy

Intermediate

Matching moments

Exploring the core domains of supply chain security
02:46 MIN

Exploring the core domains of supply chain security

Open Source Secure Software Supply Chain in action

Mitigating supply chain attacks with DevSecOps practices
10:26 MIN

Mitigating supply chain attacks with DevSecOps practices

Security Pitfalls for Software Engineers

Understanding the rising threat to software supply chains
01:00 MIN

Understanding the rising threat to software supply chains

Open Source Secure Software Supply Chain in action

Defining key standards and terminology in supply chain security
09:08 MIN

Defining key standards and terminology in supply chain security

Open Source Secure Software Supply Chain in action

Using open source tools to secure the entire SDLC
04:17 MIN

Using open source tools to secure the entire SDLC

Open Source Secure Software Supply Chain in action

Defining the modern software supply chain
07:52 MIN

Defining the modern software supply chain

Walking into the era of Supply Chain Risks

Building a foundation for pipeline security
15:14 MIN

Building a foundation for pipeline security

Walking into the era of Supply Chain Risks

Securing container images and the software supply chain
09:22 MIN

Securing container images and the software supply chain

Security Challenges of Breaking A Monolith

Featured Partners

Related Videos

See all videos
Open Source Secure Software Supply Chain in action32:55

Open Source Secure Software Supply Chain in action

Natale Vinto

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

How your .NET software supply chain is open to attack : and how to fix it28:45

How your .NET software supply chain is open to attack : and how to fix it

Andrei Epure

Reviewing 3rd party library security easily using OpenSSF Scorecard25:48

Reviewing 3rd party library security easily using OpenSSF Scorecard

Niels Tanis

Overcome your trust issues! In a world of fake data, Data Provenance FTW26:41

Overcome your trust issues! In a world of fake data, Data Provenance FTW

Jon Geater

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

DevSecOps culture16:00

DevSecOps culture

Ali Yazdani

Related Articles

View all articles
BB
Benedikt Bischof
Walking Into The Era of Supply Chain Risks
Welcome to this issue of the WeAreDevelopers Live Talk series. This article recaps an interesting talk by Vandana Verma who introduced the audience interesting topic of supply chain risks.About the Speaker:Vandana is Security Solutions Architect at S...
Walking Into The Era of Supply Chain Risks
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Devsecops

40-60K
DevOps
Docker
Jenkins
Openshift
+3