https://teachingcyber.gumroad.com/
The Software Supply Chain Security for Developers course takes you from little or no knowledge and shows you how to build security into development projects with practical demonstrations. You will learn the principles of configuring environments in a practical way, using minimal lectures and focusing on step-by-step demonstrations. There are very few courses like this that get straight into the practicalities of application security and DevSecOps. With this capability, you will be able to provide a professional and consistent service to your company or clients and help secure your organisation. You will learn to implement security using GitHub and Azure DevOps.
This is a fast-growing area: specialist developers with security skills are in high demand, and using the skills taught here will advance your career by giving you cyber security experience in Azure DevOps, GitHub and the command line. If you are a beginner, this course is for you, as it gives you the foundations in a practical, not theoretical, way. If you are an experienced practitioner who is now becoming aware of the need to conduct supply chain assessments, this course is absolutely essential for you.
Some of the key areas you will learn are:
Software Supply Chain Security
Building software supply chain security into development using GitHub
Building software supply chain security into development using Azure DevOps
Practical application security skills
Increase knowledge and skills around DevSecOps
This course will give you the grounding you need to learn, retain and replicate the security skills necessary to build and improve your DevSecOps processes. The lectures are to the point and concise because your time, like that of many practitioners, is precious. All demos can be followed using your own software accounts and replayed time and again as your one-stop security reference.
4. Software Supply Chain Security
Covers security for:
• Components
• Activities
• Processes
• 3rd party libraries
• Infrastructure
• Development tools
• Anything that touches code
5. Software Supply Chain Security
Challenges:
• Time pressures
• Solution release deadlines
• Business commitments
• Getting the right balance
• Remain efficient
• One weakness leads to compromise
7. Software Supply Chain Security: Scenario
Attackers can and do:
• Identify solutions using open source components
• Compromise accounts of open source developers
• Add malicious code to repositories using compromised accounts
8. Software Supply Chain Security: Scenario
Outcome:
• Users update their components to the latest version
• Everyone using the code is at risk
  • Individuals
  • Large enterprises
9. What is SCA?
Reasons:
• Software composition analysis
• Tools and processes
• Checks dependencies
• Helps identify vulnerabilities
SCA helps with 1 and 2:
1. Know your dependencies
2. Know your vulnerabilities
3. Patch and update
10. Vulnerability Management
• Identify, assess, remediate and report
• Prioritised to help manage the high number of vulnerabilities
• Focus on the criticals using finite resources first
• Use compensating controls
• Fix through patching / updates
• Removal / code removal
11. Vulnerability Management
• Always be responsive
• Fixes are usually available
• Apply to current code version
• Consider past code versions
• Notifications
  • Share the vulnerability
  • Share the mitigations
  • Share the good work done
12. Risk Management
• Core to cyber security
• Identify, prioritise risks
• Aim to mitigate risk
• Looking at what could happen
• Broad, future events including flood and fire
13. Risk Management
• Organisation risks are broad
• Includes software development
• Combined risks set business priority
• Most critical at the top
• Most critical dealt with first
• Risk management vs business cost and resource
14. Risk Management
If a business does not manage software development risks and vulnerabilities, then developers will:
• Not get additional budget
• Not get additional resource
• Receive fewer opportunities
• Receive less training and time for training
• Be less competitive in the global market place
15. Patching
• The most effective method to reduce supply chain threats
• Get current code, update it to next stable release
• Repair a vulnerability or flaw
• Patch quickly for critical vulns
• Test patches for assurance
• Consider code removal first, redundant code and libraries exist everywhere
18. Azure DevOps Supply Chain Demo Summary
What you learned:
• Create and modify a project
• Azure DevOps Marketplace
• Create and modify pipelines
• Pipeline configuration
• Awareness of parallel jobs
• Review a security report
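The following azure-pipelines.yml is an added illustration of the kind of pipeline configuration the demo covers; it is not the course's demo code. The page does not name the Marketplace extension used in the demo, so this example produces its dependency inventory and vulnerability check with npm's built-in commands instead. It assumes a Node.js project with a package-lock.json at the repository root and a Microsoft-hosted agent (which consumes one of your parallel jobs).

```yaml
# Added example (not the course's demo code): a minimal Azure DevOps pipeline
# that records the dependency inventory and fails the run on high or critical
# advisories. Assumes an npm project at the repository root.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'   # Microsoft-hosted agent; uses one parallel job

steps:
  - task: NodeTool@0
    displayName: 'Install Node.js'
    inputs:
      versionSpec: '18.x'

  - script: npm ci
    displayName: 'Install dependencies exactly as pinned in the lockfile'

  # Know your dependencies: keep the resolved tree as a build artifact
  - script: npm ls --all --json > $(Build.ArtifactStagingDirectory)/dependency-tree.json
    displayName: 'Record dependency inventory'
    continueOnError: true   # npm ls exits non-zero on peer-dependency warnings

  # Know your vulnerabilities: a high or critical advisory fails the build
  - script: npm audit --audit-level=high
    displayName: 'SCA check (npm audit)'

  - task: PublishBuildArtifacts@1
    displayName: 'Publish dependency inventory for review'
    condition: always()   # publish even when the audit step fails
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)'
      artifactName: 'sca-report'
```

Failing the pipeline on the audit step is what turns the report into a control: a pull request cannot merge while a high or critical finding is unresolved, and the published artifact gives reviewers the inventory to decide between patching, a compensating control, or removing the dependency.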
20. GitHub Supply Chain Demo Summary
What you learned:
• How to enable Dependabot
• How to configure Dependabot
• Reviewing vulnerabilities
• Security report review
• Pull request management
• Overview of GitHub Actions
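As an added example of the Dependabot configuration step (not the course's demo code), the .github/dependabot.yml below keeps both the application dependencies and the CI workflow actions up to date. It assumes an npm project at the repository root and GitHub Actions workflows; the reviewer team name is a placeholder.

```yaml
# Added example (not the course's demo code): .github/dependabot.yml
# Assumes an npm project at the repository root plus GitHub Actions workflows.
version: 2
updates:
  # Application dependencies (package.json / package-lock.json at the root)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    # Bundle routine minor and patch bumps into one pull request so that
    # security fixes, which Dependabot raises separately, stand out in review
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
      - "security"
    reviewers:
      - "octo-org/app-sec"   # placeholder org/team; replace with your own

  # The build toolchain is part of the supply chain too: keep Actions current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file configures version updates. Dependabot alerts and security updates, the "enable Dependabot" step the slide refers to, are switched on in the repository's security settings rather than in this file; once enabled, the labels and reviewers set here also apply to the security update pull requests.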
24. Best Practices & Recommendations
Summary:
• Keep it simple
• Refer to government guidance
• Give devs control
• Create an inventory
• Policies, standards, procedures
• Least privilege
• Endpoint protection
• Build a security culture
• Automate where possible
• Regular audits
• Policy management
25. References
Some useful info:
• Microsoft Azure, creating a cloud account
• Terraform Tutorial
• Course demo code
26. Summary
• Cloud Resource Management
• Cloud Benefits
• Cloud Risks
• How to create a design
• How to build manually
• Infrastructure as code
27. Summary
• Cloud Provider Training
• Terraform Training
• GitHub Training
• Course Demo Code
28. Summary
Areas for you to explore:
• Monitoring Cloud Resources
• Managing Cloud Inventories
• Ingress/Egress Management
• Ownership
• Attack Surface Reduction
• Vulnerability Management
• Patch Management
29. Summary
• Thank you!
• Please take time to give feedback and rate
• Ask questions
https://www.linkedin.com/in/timcoakley