Supply chain security is becoming more and more important, but it is often talked about in abstract and general terms that do little to help the average organization.
Sophisticated and not-so-sophisticated breaches and attacks in recent years have taught us a lot about the soft spots that attackers target. As an industry, it's time we turned these insights into actionable advice for the average DevOps team.
This talk will look at some real-world examples of supply chain compromises and translate the lessons into concrete actions that you can take today to help secure your builds and pipelines.
We will look at:
- The xz attack and what it means for trust
- The Solarwinds breach and how the industry reacted
- CVEs, scanning tools, and how useful they are as a metric
- What the average company or OSS project can do to prevent and mitigate attacks
Interview:
What is the focus of your work?
I work at Chainguard, where we're focusing on solutions for securing the software supply chain. In the past, I've been involved with various aspects of our secure images product, including engineering and product management. More recently I've focused on creating tutorials, blogs and other videos aimed at helping engineers use our secure images.
What’s the motivation for your talk?
Sometimes security advice can get a bit abstract, to the point that it's hard to apply. It's common for an incident or vulnerability to have a detailed breakdown, but it's much rarer to have a detailed breakdown of how the attack could have been prevented or avoided. This talk is my attempt to remedy this by pulling concrete and easily applied security advice from real incidents.
Who is your talk for?
Anyone who wants to make their supply chain more secure! People new to the field will be able to follow along and have plenty of resources to learn more, and even experts should still learn something new. It is a technical talk, so attendees shouldn't be afraid of Dockerfiles or GitHub workflows.
What do you want someone to walk away with from your presentation?
I want people to go into work the next week and make a concrete change to their systems that improves security. Even if it's changing a single line in a Dockerfile, if everyone makes a single change, it will have been more than worth it.
What do you think is the next big disruption in software?
It's hard not to answer AI, but I think that will have been covered to death. In the supply chain security field, things tend to move when there are large incidents such as Log4J or Solarwinds. It's not a stretch to predict we will have something similar in the next few years, perhaps in a fundamental project underpinning a lot of our industry. If that happens, we will see redoubled interest in the space.
Speaker

Adrian Mouat
Technical Community Advocate @Chainguard, Complainer of Supply Chain Security & Author of "Using Docker"
Adrian has been involved with containers from the early days of Docker and authored the O’Reilly book “Using Docker”.
He works at Chainguard whose mission is to make the software lifecycle secure by default. His current focus is on improving the standard of security and provenance guarantees in container images.