Authors: Eric Tice, Josh Bressers, Tracy Miranda, John Yeoh
2022-10-28

tldr - powered by Generative AI

Real-world data on software supply chain security can help organizations identify the most important actions to improve the security of their software. A panel of experts examines key data points from recent surveys and reports and provides actionable steps organizations and projects can take to secure their software supply chain.
  • Real-world data can help organizations decide where to focus and when to pivot
  • There is plenty of eye-opening data from surveys and reports on the security of cloud-native and open source software, as well as the security of the software supply chain as a whole
  • Identifying the most important actions to improve the security of open source projects or software applications is critical
  • A panel of experts examines key data points from recent surveys and reports and provides actionable steps organizations and projects can take to secure their software supply chain
Authors: Andrew Martin
2022-10-26

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling and supply chain security in DevOps and provides best practices for securing the supply chain.
  • Threat modeling is important to bring quantifiability and reason to abstract threats and to identify attack paths.
  • The STRIDE process and standards documents can be used to exhaust potential permutations of threats and identify simple controls to cover as many cases as possible.
  • The attack tree is a visual representation of an attack and can be used to multiply likelihood and impact to give abstract risk scores.
  • Layering controls across the branches of the attack tree can break the attack chain and provide a minimum viable set of security configurations.
  • Pipeline metadata is important for piecing things back together and giving a different type of observation.
  • Best practices for securing the supply chain include using SBOMs (software bills of materials), artifact signing, and evidence leaks and ledgers.
  • Measuring SLSA level and mean time to remediation are useful indicators of vendor maturity.
  • Retrofitting and slowly maturing the supply chain is important.
  • Asking vendors for SBOMs is a closer first step than asking for SLSA level.