
Authors: Krishna Rajeesh Nallur Valiyaveettil, Brendan Kelly
2023-04-19

tldr - powered by Generative AI

The presentation discusses the risks and challenges in the software supply chain and how to combat them through a DevSecOps pipeline that includes continuous integration, continuous deployment, and continuous compliance.
  • The software supply chain is vulnerable to risks such as compromised source code management tools, build container platforms, and package repositories such as container registries.
  • The DevSecOps pipeline aims to shift security left by finding security problems as soon as possible before they reach production environments.
  • The pipeline is defined as code and supports multiple development languages, consistent testing approaches, and shared pipeline templates.
  • The pipeline includes continuous compliance based on gold to ensure continuous security and compliance with regulations.
  • The pipeline also addresses auditing challenges through automated evidence gathering and a dashboard for viewing vulnerabilities.
  • The pipeline aims to detect new vulnerabilities and zero-day bugs as soon as possible.

Authors: Jonathan Leitschuh, Patrick Way
2022-11-17

tldr - powered by Generative AI

The talk discusses a highly scalable solution for fixing common security vulnerabilities in open source software through automated bulk pull request generation.
  • Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes.
  • Automated creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects.
  • The solution is automated bulk pull request generation, which provides maintainers with information about the vulnerability and a fix in the form of an easily actionable pull request.
  • The speaker generated over 150 pull requests to fix Zip Slip across the open source ecosystem, primarily in the Java ecosystem.
  • Technologies like CodeQL and OpenRewrite are discussed as tools to aid in this process.