TC - Teaching Cyber
Cybersecurity for All
Website - Course Info: https://teachingcyber.gumroad.com/

SUPPLY CHAIN SECURITY FOR DEVELOPERS
Introduction

Sections:
• Introduction
• Supply Chain Security
• Implementation

Software Supply Chain Security

Covers security for:
• Components
• Activities
• Processes
• 3rd party libraries
• Infrastructure
• Development tools
• Anything that touches code

Software Supply Chain Security

Challenges:
• Time pressures
• Solution release deadlines
• Business commitments
• Getting the right balance
• Remain efficient
• One weakness leads to compromise

Software Supply Chain Security

Scope:
• SDLC
• Design to release
• Leverage existing tech
• Code reuse
• Open source software
Software Supply Chain Security Scenario

Attackers can and do:
• Identify solutions using open source components
• Compromise accounts of open source developers
• Add malicious code to repositories using compromised accounts

Software Supply Chain Security Scenario

Outcome:
• Users update their components to the latest version
• Everyone using the code is at risk
  • Individuals
  • Large enterprises
What is SCA?

Reasons:
• Software composition analysis
• Tools and processes
• Checks dependencies
• Helps identify vulnerabilities

SCA helps with 1 and 2:
1. Know your dependencies
2. Know your vulnerabilities
3. Patch and update

Vulnerability Management

• Identify, assess, remediate and report
• Prioritised to help manage the high number of vulnerabilities
• Focus on the criticals using finite resources first
• Use compensating controls
• Fix through patching / updates
• Removal / code removal
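As an added example (not the course's demo code and not pip-audit itself), the following Python script shows the two steps an SCA tool automates, "know your dependencies" and "know your vulnerabilities", and the prioritisation the Vulnerability Management slide asks for: it parses a constructed requirements.txt pin list into an inventory, matches each pin against a constructed advisory list with affected version ranges, and orders findings critical-first so finite remediation effort goes to the worst first. Every package name, version and advisory id below is made up for the example; a real tool pulls advisories from a feed such as OSV or the PyPI advisory database. Unpinned requirements are reported separately, because a version that is not pinned cannot be audited reliably.

```python
"""Minimal software composition analysis (SCA) check.

Added example for this deck; it is not the course's demo code and not
pip-audit. All package names, versions and advisory ids are constructed.
"""
from dataclasses import dataclass
import re

# Severity ordering used for prioritisation: criticals are dealt with first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    id: str            # constructed id, not a real CVE or GHSA number
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)
    severity: str


# Constructed advisory database standing in for a real feed (OSV, PyPI advisories).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "1.0.0", "1.4.2", "critical"),
    Advisory("EXAMPLE-0002", "examplelib", "1.3.0", "1.5.0", "medium"),
    Advisory("EXAMPLE-0003", "othertool", "0.0.0", "2.1.0", "high"),
    Advisory("EXAMPLE-0004", "safepkg", "0.0.0", "0.9.0", "low"),
]

# Constructed requirements.txt content: comments, exact pins and one unpinned line.
REQUIREMENTS = """\
# constructed sample requirements file
examplelib==1.3.5
othertool==2.1.0
safepkg==1.2.0
loosepkg>=3.0   # not pinned: cannot be audited reliably
"""

# Only exact pins ("name==x.y.z") are accepted as auditable inventory entries.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Build the inventory: ({name: version} for exact pins, [unpinned lines])."""
    pins, unpinned = {}, []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not stripped:
            continue
        m = PIN_RE.match(stripped)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(stripped)
    return pins, unpinned


def is_affected(version, adv):
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(pins):
    """Match every pinned dependency against the advisories and return findings
    as (severity, package, version, advisory id, fixed version), critical-first."""
    findings = []
    for adv in ADVISORIES:
        version = pins.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append((adv.severity, adv.package, version, adv.id, adv.fixed))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


def run(text=REQUIREMENTS):
    """Parse the requirements text and audit it; returns (findings, unpinned)."""
    pins, unpinned = parse_requirements(text)
    return audit(pins), unpinned


if __name__ == "__main__":
    findings, unpinned = run()
    for sev, pkg, ver, adv_id, fixed in findings:
        print(f"{sev.upper():8} {pkg}=={ver}  {adv_id}  fix: upgrade to >= {fixed}")
    for line in unpinned:
        print(f"WARNING  unpinned requirement, not audited: {line}")
```

Running the script prints one line per finding with the critical entry first, then a warning for the unpinned line; the "fix" column is the deck's step 3, patch and update. Note the boundary handling: `othertool==2.1.0` is exactly the fixed version of its advisory and is correctly reported clean, which is why versions are compared as integer tuples rather than strings.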
Vulnerability Management

• Always be responsive
• Fixes are usually available
• Apply to current code version
• Consider past code versions
• Notifications
  • Share the vulnerability
  • Share the mitigations
  • Share the good work done

Risk Management

• Core to cyber security
• Identify, prioritise risks
• Aim to mitigate risk
• Looking at what could happen
• Broad, future events including flood and fire

Risk Management

• Organisation risks are broad
• Includes software development
• Combined risks set business priority
• Most critical at the top
• Most critical dealt with first
• Risk Mgmt vs Business Cost and resource
Risk Management

If a business does not manage software development risks and vulnerabilities, then developers will:
• Not get additional budget
• Not get additional resource
• Receive fewer opportunities
• Receive less training and time for training
• Be less competitive in the global market place

Patching

• The most effective method to reduce supply chain threats
• Get current code, update it to next stable release
• Repair a vulnerability or flaw
• Patch quickly for critical vulns
• Test patches for assurance
• Consider code removal first, redundant code and libraries exist everywhere
IMPLEMENTATION

DEMO: Azure DevOps Supply Chain

Demo Summary
What you learned:
• Create and modify a project
• Azure DevOps Marketplace
• Create and modify pipelines
• Pipeline configuration
• Awareness of parallel jobs
• Review a security report

DEMO: GitHub Supply Chain

Demo Summary
What you learned:
• How to enable dependabot
• How to configure dependabot
• Reviewing vulnerabilities
• Security report review
• Pull request management
• Overview of GitHub Actions

DEMO: Command Line Audit

Summary
What you learned:
• How to use pip-audit
• Reviewing vulnerabilities
• Language specific tools

WHAT'S NEXT?
Best Practices & Recommendations

Summary:
• Keep it simple
• Refer to government guidance
• Give devs control
• Create an inventory
• Policies, standards, procedures
• Least privilege
• Endpoint protection
• Build a security culture
• Automate where possible
• Regular audits
• Policy management

References

Some useful info:
• Microsoft Azure, creating a cloud account
• Terraform Tutorial
• Course demo code

SUMMARY

• Cloud Resource Management
• Cloud Benefits
• Cloud Risks
• How to create a design
• How to build manually
• Infrastructure as code

SUMMARY

• Cloud Provider Training
• Terraform Training
• GitHub Training
• Course Demo Code

SUMMARY

Areas for you to explore:
• Monitoring Cloud Resources
• Managing Cloud Inventories
• Ingress/Egress Management
• Ownership
• Attack Surface Reduction
• Vulnerability Management
• Patch Management

SUMMARY

• Thank you!
• Please take time to give feedback and rate
• Ask questions
https://www.linkedin.com/in/timcoakley