CI/CD and Supply Chain Security

Format: Workshop
Min. Attendees: 5
Max. Attendees: 20
Duration: 4h
Location: Remote or onsite
Requirements: Laptop (optional, needed only for the hands-on parts)

Abstract

Besides their many advantages, the heavy reliance on external (open source) dependencies and on continuous integration and deployment (CI/CD) in modern software development has introduced many new threats to the software supply chain. As a result, the number and impact of supply chain attacks have increased dramatically in recent years. The workshop reviews the potential attack vectors and provides practical measures to protect modern applications.

Depending on the desired format, attendees can either follow along or get their hands dirty by executing selected attacks themselves.

Target Audience

Software Engineers, System Administrators, DevOps; Basic experience/understanding of modern CI/CD and software development.

Details

Supply chain threats (e.g. the OWASP Top 10 CI/CD Security Risks) are reviewed, and effective measures to mitigate the resulting attacks are introduced, covering topics such as:

  • Identities and authentication
  • Code repository protection
  • Base images
  • Dependency management
  • Security scanning
  • Secure artifacts
  • Secret management
  • Third-party integration risks
  • Deployment schemes
  • Artifact integrity validation
  • Intro to SBOMs
  • ...

Selected attacks and their mitigations will be demonstrated and can be tested by attendees on their own devices.

Contact for Trainings

Talk to Our Experts
Dr. Christoph Hamsen
Senior Security Manager
Christoph is part of our Defensive Security Team supporting our clients to design, build and operate secure solutions.
christoph.hamsen@securesystems.de