
Keynote: Securing Shopify's Software Supply Chain

2022-05-19

Authors: Shane Lawrence


Summary

The presentation discusses why software supply chains need securing and the techniques Shopify has learned while protecting millions of businesses. It highlights the challenges posed by software supply chain attacks and the need for collaboration across the industry to address them.
  • Recent compromises of Codecov and SolarWinds have put a spotlight on software supply chain attacks.
  • Shopify shares lessons learned while protecting millions of businesses and demonstrates these techniques using open source software.
  • Traditional defensive techniques can be applied in the cloud.
  • Voucher and Grafeas implementations can give you control over the software that runs in your clusters.
  • The SLSA framework can guide you toward establishing trust in your software.
  • Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised.
  • Specific techniques for mitigating supply chain attacks include scanning or reviewing the code, using static analysis, and looking at the maintainers' reputation and their response to previous incidents.
  • We can expect more from our suppliers by asking for receipts: an SBOM (software bill of materials) that states what the software is made of.
The speaker uses the example of a "magic container image toolbar" to illustrate the need for caution when downloading software: its impossible claims, clickbait and questionable presentation mark it as suspicious and potentially malicious.

Abstract

Recent compromises of Codecov and SolarWinds have put a spotlight on software supply chain attacks, but this focus has led to new innovations for solving an old problem. In this talk, we'll discuss lessons that Shopify has learned in protecting millions of businesses and demonstrate these techniques using open source software. We'll look at how traditional defensive techniques can be applied in the cloud, how Voucher and Grafeas implementations can give you control over the software that runs in your clusters, and how the SLSA framework can guide you toward establishing trust in your software. We'll also look at how Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised. Attendees can expect to learn how to apply specific techniques for mitigating supply chain attacks.
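The summary and abstract both describe using SLSA provenance together with an attestation store (Grafeas) and a policy checker (Voucher) to decide what may run in a cluster. As an added example, not code from the talk or from Shopify's own Voucher or Grafeas deployment, the following Python shows the kind of policy check an admission hook can run over a SLSA v0.2 provenance statement once it has been fetched from the attestation store. It assumes the DSSE envelope signature has already been verified upstream (for example with cosign), and the builder id, source repository, registry name and digests are constructed placeholders, not real values.

```python
"""Admission-time policy check over a SLSA v0.2 provenance statement.

Added example, not from the talk. Assumptions: the DSSE signature on the
envelope was already verified by the admission hook; the policy values and
the sample statement below are constructed placeholders.
"""
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

# Policy inputs (hypothetical): which builders we trust and where source may come from.
TRUSTED_BUILDERS = {"https://ci.example.com/builders/hardened@v1"}
ALLOWED_MATERIAL_PREFIXES = ("git+https://github.com/example-org/",)

# Digest of the image the cluster is about to admit (constructed, 64 hex chars).
IMAGE_DIGEST = "ab" * 32
SOURCE_COMMIT = "c" * 40  # constructed git commit sha1

# Constructed in-toto statement carrying a SLSA v0.2 provenance predicate.
GOOD_STATEMENT_JSON = json.dumps({
    "_type": IN_TOTO_STATEMENT_TYPE,
    "subject": [{"name": "registry.example.com/shop/checkout",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SLSA_PROVENANCE_V02,
    "predicate": {
        "builder": {"id": "https://ci.example.com/builders/hardened@v1"},
        "buildType": "https://ci.example.com/buildtypes/container@v1",
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/checkout@refs/heads/main",
            "digest": {"sha1": SOURCE_COMMIT},
            "entryPoint": "build.yaml"}},
        "materials": [{"uri": "git+https://github.com/example-org/checkout@refs/heads/main",
                       "digest": {"sha1": SOURCE_COMMIT}}],
    },
})

# Same statement, but claiming a build on an untrusted builder that pulled an
# unpinned blob from an unexpected host (constructed tampering for the demo).
_untrusted = json.loads(GOOD_STATEMENT_JSON)
_untrusted["predicate"]["builder"]["id"] = "https://laptop.example.net/dev-build"
_untrusted["predicate"]["materials"].append({"uri": "https://cdn.example.net/blob.tar.gz"})
UNTRUSTED_STATEMENT_JSON = json.dumps(_untrusted)


def check_provenance(statement_json: str, image_digest: str) -> list[str]:
    """Return a list of policy violations; an empty list means the image passes."""
    try:
        st = json.loads(statement_json)
    except ValueError:
        return ["statement is not valid JSON"]
    violations: list[str] = []
    if st.get("_type") != IN_TOTO_STATEMENT_TYPE:
        violations.append(f"unexpected statement type: {st.get('_type')!r}")
    if st.get("predicateType") != SLSA_PROVENANCE_V02:
        # Only the v0.2 predicate layout is understood here; refuse anything else.
        violations.append(f"unsupported predicate type: {st.get('predicateType')!r}")
        return violations
    # The attestation must be about the exact artifact being admitted.
    subjects = st.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == image_digest for s in subjects):
        violations.append("no subject matches the image digest being admitted")
    pred = st.get("predicate") or {}
    builder_id = (pred.get("builder") or {}).get("id")
    if builder_id not in TRUSTED_BUILDERS:
        violations.append(f"untrusted builder id: {builder_id!r}")
    cfg = (pred.get("invocation") or {}).get("configSource") or {}
    if not cfg.get("uri") or not cfg.get("digest"):
        violations.append("build config source is not pinned to a digest")
    materials = pred.get("materials") or []
    if not materials:
        violations.append("no materials recorded; provenance is incomplete")
    for m in materials:
        uri = m.get("uri", "")
        if not uri.startswith(ALLOWED_MATERIAL_PREFIXES):
            violations.append(f"material from unexpected source: {uri!r}")
        if not m.get("digest"):
            violations.append(f"material not pinned to a digest: {uri!r}")
    return violations


def admit(statement_json: str, image_digest: str) -> bool:
    """Admission decision: allow only when no policy violation was found."""
    return not check_provenance(statement_json, image_digest)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_STATEMENT_JSON), ("untrusted", UNTRUSTED_STATEMENT_JSON)):
        print(label, "admit" if admit(doc, IMAGE_DIGEST) else "deny",
              check_provenance(doc, IMAGE_DIGEST))
```

The check deliberately fails closed: a predicate type it does not understand, a subject digest that does not match the image, or a material without a digest all deny admission, which is the behaviour you want when an attestation store returns something the policy was not written for.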

Materials: