Fight Back Against Cyber Risk in the Software Supply Chain with a Secure and Compliant DevSecOps Pipeline for Regulated Environments

The presentation discusses the risks and challenges in the software supply chain and how to combat them through a DevSecOps pipeline that includes continuous integration, continuous deployment, and continuous compliance.

• The software supply chain is vulnerable to risks such as compromised source code management tools, build container platforms, and package reports like container registries.
• The DevSecOps pipeline aims to shift security left by finding security problems as soon as possible before they reach production environments.
• The pipeline is defined as code and supports multiple development languages, consistent testing approaches, and shared pipeline templates.
• The pipeline includes continuous compliance based on gold to ensure continuous security and compliance with regulations.
• The pipeline also addresses auditing challenges through automated evidence gathering and a dashboard for viewing vulnerabilities.
• The pipeline aims to detect new vulnerabilities and zero-day bugs as soon as possible.

The presenter mentioned the case of ObjA, whose GitHub repository was hacked and malicious code was inserted in the build step, to illustrate the vulnerability of source code management tools.

Cyber-attacks and security vulnerabilities are one of the top concerns for organizations nowadays, especially for regulated environments, for example on the Financial Services market. Having secure and compliant dev sec ops pipelines is a major tool to fight back these threats and make sure regulated workloads can be safely deployed with reduced risk. In this session we will share our experience helping clients address these challenges using open-source tools and capabilities to provide secure and compliant DevSecOps pipelines. We will cover best practices of Secure Software Supply Chain including: - Reliable, repeatable automation with Everything as Code - Mitigation of security risks as early as possible - Driving standardization and reuse - Focus on Evidence Gathering for audits We will share a specific solution based on the BIAN (Banking Industry Architecture Network) architectural framework for banking interoperability which will showcase the application of Continuous Integration, Continuous Deployment and Continuous Compliance in a real-world scenario using available open source tools like Tekton, Terraform, SonarQube.