tldr - powered by Generative AI

• OnSiteCode connects to various tools in the software supply chain to analyze changes in real-time and provide notification of intrusive events
• The platform is policy-based and covers different layers of security, including access, insecure configurations, sequence detection, leak detection, infrastructure as code, and cloud security scanning
• Access-related configurations and privileged access are analyzed to ensure adherence to security standards
• The platform can detect anomalies and behaviors such as commits outside of normal working hours, peer reviews from non-developer accounts, and changes in work patterns for employees leaving the company
• The platform can assist with mitigating the risk of intellectual property theft
• Additional tooling is recommended for organizations with complicated release cycles to conform to NIST guidelines

tldr - powered by Generative AI

• Recent compromises of Codecov and Solar Winds have put a spotlight on software supply chain attacks.
• Lessons that Shopify has learned in protecting millions of businesses and demonstrate these techniques using open source software.
• Traditional defensive techniques can be applied in the cloud.
• Voucher and grafeas implementations can give you control over the software that runs in your clusters.
• The SLSA framework can guide you toward establishing trust in your software.
• Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised.
• Specific techniques for mitigating supply chain attacks include scanning or reviewing the code, using static analysis, and looking at the reputation and response to previous incidents of the maintainers.
• We can expect more from our suppliers by asking for receipts, an S-bomb, and what your software is made of.