TC
Teaching Cyber
Cybersecurity for All
Website - Course Info: https://teachingcyber.gumroad.com/
TC
SUPPLY CHAIN SECURITY FOR DEVELOPERS
Introduction
Sections:
• Introduction
• Supply Chain Security
• Implementation
Software Supply Chain Security
Covers security for:
• Components
• Activities
• Processes
• 3rd party libraries
• Infrastructure
• Development tools
• Anything that touches code
Software Supply Chain Security
Challenges:
• Time pressures
• Solution release deadlines
• Business commitments
• Getting the right balance
• Remain efficient
• One weakness leads to compromise
Software Supply Chain Security
Scope:
• SDLC
• Design to release
• Leverage existing tech
• Code reuse
• Open source software
Software Supply Chain Security Scenario
Attackers can and do:
• Identify solutions using open source components
• Compromise accounts of open source developers
• Add malicious code to repositories using compromised accounts
Software Supply Chain Security Scenario
Outcome:
• Users update their components to the latest version
• Everyone using the code is at risk
• Individuals
• Large enterprises
What is SCA?
Reasons:
• Software composition analysis
• Tools and processes
• Checks dependencies
• Helps identify vulnerabilities
SCA helps with 1 and 2:
1. Know your dependencies
2. Know your vulnerabilities
3. Patch and update
Vulnerability Management
• Identify, assess, remediate and report
• Prioritised to help manage the high number of vulnerabilities
• Focus on the criticals using finite resources first
• Use compensating controls
• Fix through patching / updates
• Removal / code removal
Vulnerability Management
• Always be responsive
• Fixes are usually available
• Apply to current code version
• Consider past code versions
• Notifications
• Share the vulnerability
• Share the mitigations
• Share the good work done
Risk Management
• Core to cyber security
• Identify, prioritise risks
• Aim to mitigate risk
• Looking at what could happen
• Broad, future events including flood and fire
Risk Management
• Organisation risks are broad
• Includes software development
• Combined risks set business priority
• Most critical at the top
• Most critical dealt with first
• Risk management vs business cost and resource
Risk Management
If a business does not manage software development risks and vulnerabilities, then developers will:
• Not get additional budget
• Not get additional resource
• Receive fewer opportunities
• Receive less training and time for training
• Be less competitive in the global market place
Patching
• The most effective method to reduce supply chain threats
• Get current code, update it to next stable release
• Repair a vulnerability or flaw
• Patch quickly for critical vulns
• Test patches for assurance
• Consider code removal first, redundant code and libraries exist everywhere
TC
IMPLEMENTATION
DEMO
Azure DevOps Supply Chain Demo Summary
What you learned:
• Create and modify a project
• Azure DevOps Marketplace
• Create and modify pipelines
• Pipeline configuration
• Awareness of parallel jobs
• Review a security report
DEMO
GitHub Supply Chain Demo Summary
What you learned:
• How to enable Dependabot
• How to configure Dependabot
• Reviewing vulnerabilities
• Security report review
• Pull request management
• Overview of GitHub Actions
DEMO
Command Line Audit Summary
What you learned:
• How to use pip-audit
• Reviewing vulnerabilities
• Language specific tools
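The three SCA steps from the "What is SCA?" and "Vulnerability Management" slides (know your dependencies, know your vulnerabilities, patch and update) and the pip-audit demo above can be tied together in a small triage script. The following is an added, constructed example, not code from the course, its demo repository or pip-audit itself. It assumes the report shape of `pip-audit -f json` as I understand it (a `dependencies` list whose entries carry `name`, `version` and a `vulns` list of `id`, `fix_versions`, `aliases`, `description`); the package names, versions and advisory ids in the sample are placeholders, and `version_key`, `inventory`, `findings`, `plan` and `build_should_fail` are names I chose.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample report, not real pip-audit output. It is modelled on the
# shape of `pip-audit -f json` as I understand it; that shape, the package
# names, the versions and the advisory ids are all assumptions/placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "PLACEHOLDER-0001", "fix_versions": ["1.0.1"],
             "aliases": [], "description": "placeholder advisory with a fix"},
        ]},
        {"name": "legacytool", "version": "2.3.0", "vulns": [
            {"id": "PLACEHOLDER-0002", "fix_versions": [],
             "aliases": [], "description": "placeholder advisory, no fix released"},
            {"id": "PLACEHOLDER-0003", "fix_versions": ["3.0.0", "2.4.0"],
             "aliases": [], "description": "placeholder advisory fixed on two branches"},
        ]},
        {"name": "cleanpkg", "version": "0.9.0", "vulns": []},
    ]
})

# Constructed report with no findings, to show the passing case.
CLEAN_REPORT = json.dumps({"dependencies": [
    {"name": "cleanpkg", "version": "0.9.0", "vulns": []},
]})


def version_key(version: str) -> Tuple[int, ...]:
    """Naive dotted-version ordering (assumes numeric components); a real
    tool would use packaging.version instead."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def inventory(report_json: str) -> Dict[str, str]:
    """Step 1, know your dependencies: installed name -> version, including
    packages with no findings, so the result doubles as an inventory."""
    return {d["name"]: d["version"] for d in json.loads(report_json)["dependencies"]}


def findings(report_json: str) -> List[dict]:
    """Step 2, know your vulnerabilities: one flat record per advisory."""
    out = []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulns", []):
            out.append({
                "package": dep["name"],
                "installed": dep["version"],
                "id": vuln["id"],
                "fix_versions": list(vuln.get("fix_versions", [])),
            })
    return out


def plan(report_json: str) -> List[str]:
    """Step 3, patch and update: an ordered action list. Findings with a
    released fix come first (update to the lowest fixed version, i.e. the next
    stable release); findings with no fix are listed last, where the options
    are a compensating control or removing the dependency."""
    ranked = []
    for f in findings(report_json):
        if f["fix_versions"]:
            target = min(f["fix_versions"], key=version_key)
            ranked.append((0, f"UPDATE {f['package']} {f['installed']} -> {target} ({f['id']})"))
        else:
            ranked.append((1, f"NO FIX {f['package']} {f['installed']} ({f['id']}): "
                              "apply a compensating control or remove the dependency"))
    ranked.sort(key=lambda item: item[0])  # stable sort keeps report order within a group
    return [text for _, text in ranked]


def build_should_fail(report_json: str) -> bool:
    """CI gate: fail the pipeline while any finding has an available fix.
    Unfixable findings are surfaced by plan() but do not block on their own,
    since they need a risk decision rather than a version bump."""
    return any(f["fix_versions"] for f in findings(report_json))


if __name__ == "__main__":
    for line in plan(SAMPLE_REPORT):
        print(line)
    print("fail build:", build_should_fail(SAMPLE_REPORT))
```

Feeding a real report in would be `pip-audit -f json -o report.json` followed by `plan(open("report.json").read())`; the gate is deliberately split from the action list so that a finding with no fix can be tracked as an accepted risk without silently passing the fixable ones.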
TC
WHAT'S NEXT?
Best Practices & Recommendations
Summary:
• Keep it simple
• Refer to government guidance
• Give devs control
• Create an inventory
• Policies, standards, procedures
• Least privilege
• Endpoint protection
• Build a security culture
• Automate where possible
• Regular audits
• Policy management
References
Some useful info:
• Microsoft Azure, creating a cloud account
• Terraform Tutorial
• Course demo code
SUMMARY
• Cloud Resource Management
• Cloud Benefits
• Cloud Risks
• How to create a design
• How to build manually
• Infrastructure as code
SUMMARY
• Cloud Provider Training
• Terraform Training
• GitHub Training
• Course Demo Code
SUMMARY
Areas for you to explore:
• Monitoring Cloud Resources
• Managing Cloud Inventories
• Ingress/Egress Management
• Ownership
• Attack Surface Reduction
• Vulnerability Management
• Patch Management
SUMMARY
• Thank you!
• Please take time to give feedback and rate
• Ask questions
https://www.linkedin.com/in/timcoakley
