
How to Secure Your Supply Chain at Scale

Authors: Hemil Kadakia, Yonghe Zhao

Summary

The presentation describes how Yahoo strengthened its cybersecurity controls and adopted open source standards to fill gaps in its existing security measures.
  • Yahoo faced challenges in onboarding different teams and projects to use their security tools and services, which made them susceptible to software supply chain attacks.
  • To address this, they enhanced their developer workflows by automating tool integration and reducing friction between security and development teams.
  • They introduced software composition analysis to detect vulnerabilities in open source dependencies and added build-time and deployment-time vulnerability assessments to catch issues in actual components integrated during the build process.
  • They also utilized dynamic admission control in Kubernetes to check images deployed to their clusters against predefined policies and block or inform engineers of any violations.
  • Yahoo's journey highlights the importance of adoption and integration of security tools and services across the company to prevent software supply chain attacks.
Yahoo also faced challenges onboarding teams to its admission webhook: making it the default took six months. This underlines that security tools and services only prevent software supply chain attacks once they are adopted across the company.

Abstract

In this session we will present a high-level system that protects against attacks — like unauthorized access, exploiting known vulnerabilities, injecting malicious software — by integrating open source tools such as Grafeas, Sigstore, Screwdriver, Kyverno & Anchore. In short, providing a unified solution for securing various aspects of the software supply chain. As one of the top ten visited websites on the Internet, Yahoo's massive scale across hybrid cloud and mobile platforms makes the security of our brands paramount — especially in today's evolving software supply chain landscape. This talk will deep dive into our primary use cases of source code scanning, security misconfiguration detection, vulnerability management, and protecting K8s deployments using dynamic policies. Attendees will leave with a framework for successfully managing the same tools Yahoo uses to simplify the developer experience.
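As an added example (not code from the talk or from Yahoo's systems), the following Kyverno ClusterPolicy shows the kind of dynamic admission check the abstract describes: Pods are admitted only if their images carry a Sigstore keyless signature from an expected CI identity. The registry prefix, OIDC issuer and signer identity are placeholder assumptions, and switching validationFailureAction from Enforce to Audit turns a block into a policy report, which is the "inform" path rather than the "block" path.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  # Enforce rejects the admission request; Audit admits it but records a
  # PolicyReport so engineers are informed without being blocked.
  validationFailureAction: Enforce
  # Do not re-evaluate already-running workloads in the background; this
  # policy is meant to gate new deployments at admission time.
  background: false
  # Fail closed: if the Kyverno webhook is unreachable, the API server
  # rejects the request instead of silently admitting unverified images.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-sigstore-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder registry; only images under this prefix are checked.
        - imageReferences:
            - "registry.example.com/*"
          # Replace the mutable tag with the verified digest on admission,
          # so what was signed is exactly what runs.
          mutateDigest: true
          # Reject images that match the reference but have no signature.
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Placeholder identity: the CI workflow expected to sign
                    # the image (subject) and the OIDC issuer that vouched
                    # for it. Both are assumptions for this example.
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

A practical rollout starts the policy in Audit mode to measure how many existing deployments would fail, then flips it to Enforce once the onboarding gap is closed.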
