TC
Teaching Cyber
Cybersecurity for All
Website - Course Info: https://teachingcyber.gumroad.com/
Supply Chain Security for Developers
Introduction
Sections:
• Introduction
• Supply Chain Security
• Implementation
Software Supply Chain Security
Covers security for:
• Components
• Activities
• Processes
• 3rd party libraries
• Infrastructure
• Development tools
• Anything that touches code
Software Supply Chain Security
Challenges:
• Time pressures
• Solution release deadlines
• Business commitments
• Getting the right balance
• Remain efficient
• One weakness leads to compromise
Software Supply Chain Security
Scope:
• SDLC
• Design to release
• Leverage existing tech
• Code reuse
• Open source software
Software Supply Chain Security Scenario
Attackers can and do:
• Identify solutions using open source components
• Compromise accounts of open source developers
• Add malicious code to repositories using compromised accounts
Software Supply Chain Security Scenario
Outcome:
• Users update their components to the latest version
• Everyone using the code is at risk
• Individuals
• Large enterprises
What is SCA?
Reasons:
• Software composition analysis
• Tools and processes
• Checks dependencies
• Helps identify vulnerabilities
SCA helps with 1 and 2:
1. Know your dependencies
2. Know your vulnerabilities
3. Patch and update
Vulnerability Management
• Identify, assess, remediate and report
• Prioritised to help manage the high number of vulnerabilities
• Focus on the criticals using finite resources first
• Use compensating controls
• Fix through patching / updates
• Removal / code removal
Vulnerability Management
• Always be responsive
• Fixes are usually available
• Apply to current code version
• Consider past code versions
• Notifications
• Share the vulnerability
• Share the mitigations
• Share the good work done
Risk Management
• Core to cyber security
• Identify, prioritise risks
• Aim to mitigate risk
• Looking at what could happen
• Broad, future events including flood and fire
Risk Management
• Organisation risks are broad
• Includes software development
• Combined risks set business priority
• Most critical at the top
• Most critical dealt with first
• Risk Mgmt vs Business Cost and resource
Risk Management
If a business does not manage software development risks and vulnerabilities, then developers will:
• Not get additional budget
• Not get additional resource
• Receive fewer opportunities
• Receive less training and time for training
• Be less competitive in the global market place
Patching
• The most effective method to reduce supply chain threats
• Get current code, update it to next stable release
• Repair a vulnerability or flaw
• Patch quickly for critical vulns
• Test patches for assurance
• Consider code removal first, redundant code and libraries exist everywhere
Implementation
DEMO
Azure DevOps Supply Chain Demo Summary
What you learned:
• Create and modify a project
• Azure DevOps Marketplace
• Create and modify pipelines
• Pipeline configuration
• Awareness of parallel jobs
• Review a security report
DEMO
GitHub Supply Chain Demo Summary
What you learned:
• How to enable dependabot
• How to configure dependabot
• Reviewing vulnerabilities
• Security report review
• Pull request management
• Overview of GitHub Actions
DEMO
Command Line Audit Summary
What you learned:
• How to use pip-audit
• Reviewing vulnerabilities
• Language specific tools
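The SCA workflow from the "What is SCA?" and "Vulnerability Management" slides (know your dependencies, know your vulnerabilities, focus on the criticals, then patch, compensate or remove) applied to the output of the pip-audit demo, as an added example that is not the course's demo code. It assumes the report shape of `pip-audit --format json` (a dependencies list with name, version and vulns carrying id, fix_versions and aliases); severity is not part of that output, so the SEVERITY lookup stands in for what you would take from the advisory source, and the sample report, the UNUSED set and every identifier in them are constructed placeholders.

```python
"""Triage a pip-audit JSON report into a prioritised remediation list.

Assumed input shape: `pip-audit --format json` ("dependencies" entries with
name, version and vulns[id, fix_versions, aliases]). Severity, the unused
package set and the report itself are constructed for this example.
"""
import json
import re

# Constructed sample in the pip-audit JSON shape; ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.25.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-1", "aliases": ["CVE-EXAMPLE-0001"],
             "fix_versions": ["2.31.0", "2.32.0"], "description": "constructed"}]},
        {"name": "leftover-lib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-2", "aliases": [],
             "fix_versions": [], "description": "constructed"}]},
        {"name": "flask", "version": "2.3.0", "vulns": []},
    ]
})
# Constructed: severity per advisory id, as the advisory database would give it.
SEVERITY = {"PYSEC-EXAMPLE-1": "critical", "PYSEC-EXAMPLE-2": "low"}
# Constructed: packages the inventory shows nothing imports ("remove first").
UNUSED = {"leftover-lib"}

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}


def version_key(v):
    """Sort key for dotted versions; numeric parts sort before text parts."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", v))


def inventory(report_json):
    """Step 1, know your dependencies: every package the audit saw."""
    deps = json.loads(report_json)["dependencies"]
    return sorted(f"{d['name']}=={d['version']}" for d in deps)


def triage(report_json, severity, unused):
    """Steps 2 and 3: list vulnerabilities, most critical first, with an action."""
    actions = []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep["vulns"]:
            sev = severity.get(vuln["id"], "unknown")
            # earliest fixed release = "update it to next stable release"
            fixes = sorted(vuln.get("fix_versions", []), key=version_key)
            if dep["name"] in unused:
                action = "remove unused package"
            elif fixes:
                action = f"upgrade {dep['version']} -> {fixes[0]}"
            else:
                action = "no fix published: apply compensating control, re-check"
            actions.append({"package": dep["name"], "vuln": vuln["id"],
                            "severity": sev, "action": action})
    # criticals first; within one severity, fixable items before the rest
    actions.sort(key=lambda a: (RANK.get(a["severity"], 4),
                                not a["action"].startswith("upgrade")))
    return actions


if __name__ == "__main__":
    print("\n".join(inventory(SAMPLE_REPORT)))
    for a in triage(SAMPLE_REPORT, SEVERITY, UNUSED):
        print(f"{a['severity']:8} {a['package']:14} {a['vuln']:18} {a['action']}")
```

In practice the report comes from `pip-audit --format json` on the project's environment and the severity lookup from the advisory source the audit references.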
What's next?
Best Practices & Recommendations
Summary:
• Keep it simple
• Refer to government guidance
• Give devs control
• Create an inventory
• Policies, standards, procedures
• Least privilege
• Endpoint protection
• Build a security culture
• Automate where possible
• Regular audits
• Policy management
References
Some useful info:
• Microsoft Azure, creating a cloud account
• Terraform Tutorial
• Course demo code
SUMMARY
• Cloud Resource Management
• Cloud Benefits
• Cloud Risks
• How to create a design
• How to build manually
• Infrastructure as code
SUMMARY
• Cloud Provider Training
• Terraform Training
• GitHub Training
• Course Demo Code
SUMMARY
Areas for you to explore:
• Monitoring Cloud Resources
• Managing Cloud Inventories
• Ingress/Egress Management
• Ownership
• Attack Surface Reduction
• Vulnerability Management
• Patch Management
SUMMARY
• Thank you!
• Please take time to give feedback and rate
• Ask questions
https://www.linkedin.com/in/timcoakley
