Authors: Tony Loehr
2022-06-22

tldr - powered by Generative AI

The presentation discusses the OnSiteCode platform and its capabilities in assisting with anomaly detection and adhering to security frameworks in software development pipelines.
  • OnSiteCode connects to various tools in the software supply chain to analyze changes in real-time and provide notification of intrusive events
  • The platform is policy-based and covers different layers of security, including access, insecure configurations, sequence detection, leak detection, infrastructure as code, and cloud security scanning
  • Access-related configurations and privileged access are analyzed to ensure adherence to security standards
  • The platform can detect anomalies and behaviors such as commits outside of normal working hours, peer reviews from non-developer accounts, and changes in work patterns for employees leaving the company
  • The platform can assist with mitigating the risk of intellectual property theft
  • Additional tooling is recommended for organizations with complicated release cycles to conform to NIST guidelines

Authors: Shane Lawrence
2022-05-19

tldr - powered by Generative AI

The presentation discusses the importance of securing software supply chains and the techniques that Shopify has learned in protecting millions of businesses. The talk highlights the challenges of software supply chain attacks and the need for collaboration in addressing the issue.
  • Recent compromises of Codecov and SolarWinds have put a spotlight on software supply chain attacks.
  • The talk shares lessons Shopify has learned in protecting millions of businesses and demonstrates these techniques using open source software.
  • Traditional defensive techniques can be applied in the cloud.
  • Voucher and Grafeas implementations can give you control over the software that runs in your clusters.
  • The SLSA framework can guide you toward establishing trust in your software.
  • Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised.
  • Specific techniques for mitigating supply chain attacks include scanning or reviewing the code, using static analysis, and looking at the reputation and response to previous incidents of the maintainers.
  • We can expect more from our suppliers by asking for receipts, an SBOM, and a clear account of what our software is made of.