🦝 Let’s Talk Software Supply Chains with TAG Security

Authors: Michael Lieberman


Summary

The presentation covers the TAG Security supply chain security working group's efforts to improve supply chain security for cloud native applications through several initiatives, chiefly a software supply chain security best practices guide and a Secure Software Factory reference architecture.
  • The group has published a software supply chain security best practices guide (the Software Supply Chain Security Whitepaper) that covers the entire software development life cycle (SDLC); it is cited by the NIST Secure Software Development Framework (SSDF), which underlines its relevance to the industry.
  • It has also developed a Secure Software Factory reference architecture that addresses securing the build pipeline, securing orchestration, and securing workloads in a cloud native context.
  • The group collaborates with other organizations, including the CD Foundation and the OpenSSF, on supply chain security projects.
  • It maintains a catalog of supply chain compromises and ran a CNCF project supply chain security survey to identify the challenges CNCF projects face.
  • The presentation stresses the importance of securing the software supply chain to prevent SolarWinds-style attacks, in which a compromised build or distribution step delivers malicious code to downstream consumers.

Abstract

The supply chain security working group has been working to provide guidance and resources for projects looking to improve their supply chain security. In this talk, we will discuss the outputs of this working group, including the Software Supply Chain Security Whitepaper, catalog of supply chain compromises, and our reference architecture for a secure supply chain. We will also discuss our recent survey about supply chain security, and have interactive discussions about next steps for this working group. Bring your questions and ideas about supply chain security!
