Rob Bos, presenting at DevCon Romania 2024, offers a comprehensive overview on protecting software supply chains from attacks, focusing on best practices in DevOps and pipeline security.

DevCon Romania 2024 - Protect yourself against supply chain attacks

Author: Rob Bos
Date posted: 07 Nov 2024

Today at DevCon Romania 2024, I shared my insights on why and how we need to actively protect ourselves against supply chain attacks, particularly within our DevOps practices. The presentation was part of the DevOps track, where I addressed an audience full of interested engineers and developers.

Rob on stage at DevCon Romania 2024

The Importance of Supply Chain Security

In modern software delivery, supply chains span a broad spectrum—from third-party dependencies included in production, to any systems or processes interacting with code prior to deployment. Each segment introduces potential attack vectors that, if left unaddressed, could be exploited by adversaries.

I emphasized how crucial it is to think comprehensively about our software supply chains. Security is not a responsibility reserved for a single team or phase. Every engineer should consider:

  • Dependencies being deployed to production
  • Tools and scripts interacting with source code
  • Continuous integration/continuous deployment (CI/CD) pipelines and automated processes
  • Third-party services and access controls

This broad perspective helps identify potential weak spots where attackers might infiltrate, manipulate, or disrupt code as it moves from development to production.

Full room attending supply chain security talk

Encouraging Proactive Security

During the session, I encouraged attendees to:

  • Audit and evaluate their CI/CD pipelines regularly
  • Restrict and monitor access to code repositories
  • Use tools such as GitHub Advanced Security (or an equivalent scanner) to identify vulnerabilities early
  • Apply the principle of least privilege to automation tasks and external integrations
  • Stay informed about emerging supply chain attack techniques

Security posture is never static; it’s an evolving effort that requires vigilance and adaptation.
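The audit and least-privilege points above can be turned into a repeatable check. The script below is an added example written for this summary, not tooling from the talk or from Rob Bos: it lints a GitHub Actions workflow for three supply-chain hygiene issues, third-party actions not pinned to a full commit SHA, a missing top-level `permissions:` block (so GITHUB_TOKEN keeps the repository default scope), and untrusted event fields interpolated straight into a `run:` script. GitHub Actions as the pipeline is an assumption (the post only names GitHub and GHAS), the two workflow files are constructed samples, and the 40-hex commit SHA in them is a placeholder, not a real commit.

```python
"""Hypothetical GitHub Actions workflow auditor (added example, not the talk's own tooling).

Three checks a regular pipeline audit would run:
  1. unpinned-action    : third-party `uses:` refs must be a full 40-hex commit SHA, not a tag/branch
  2. missing-permissions: the workflow must declare a top-level `permissions:` block so the
                          GITHUB_TOKEN gets least privilege instead of the repository default
  3. script-injection   : attacker-controlled event fields (PR title, issue body, head branch)
                          must not be interpolated straight into a `run:` script
Regex over the YAML text so it runs without PyYAML; it is a lint, not a full YAML parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
# Event payload fields an external contributor controls; putting them in a shell script
# lets a crafted PR title or branch name run arbitrary commands on the runner.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:issue|pull_request|comment|review|review_comment"
    r"|discussion|head_commit)\.[\w.]+|head_ref)\s*\}\}"
)


@dataclass
class Finding:
    line: int      # 1-based line in the workflow, 0 for a file-level finding
    rule: str
    detail: str


def _injection(no: int, expr: str) -> Finding:
    return Finding(no, "script-injection",
                   f"{expr} interpolated into a run: script; pass it through env: instead")


def audit_workflow(text: str) -> list[Finding]:
    """Return the findings for one workflow file's YAML text, file-level finding first."""
    findings: list[Finding] = []
    lines = text.splitlines()

    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append(Finding(0, "missing-permissions",
                                "no top-level permissions: block; GITHUB_TOKEN keeps the repository default"))

    block_indent: int | None = None  # indent of the `run:` key whose block scalar we are inside
    for no, ln in enumerate(lines, 1):
        stripped = ln.lstrip()
        indent = len(ln) - len(stripped)

        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None          # dedented: the run block has ended
            else:
                u = UNTRUSTED_RE.search(ln)  # still inside the script body
                if u:
                    findings.append(_injection(no, u.group(0)))
                continue

        m = RUN_RE.match(ln)
        if m:
            scalar = m.group(2).strip()
            # `run: |` / `run: >` opens a multi-line block; otherwise the script is inline
            block_indent = len(m.group(1)) if scalar in ("|", ">", "|-", ">-", "|+", ">+") else None
            u = UNTRUSTED_RE.search(m.group(2))
            if u:
                findings.append(_injection(no, u.group(0)))
            continue

        m = USES_RE.match(ln)
        if m:
            action, ref = m.group(1), m.group(2)
            # local (./) and docker:// actions are not resolved through a mutable git ref
            if not action.startswith(("./", "docker://")) and not SHA_RE.match(ref):
                findings.append(Finding(no, "unpinned-action",
                                        f"{action}@{ref} is a mutable ref; pin to a commit SHA"))
    return findings


# Constructed sample: a common weak shape (mutable tag, no permissions, PR title in a shell line).
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "Reviewing: ${{ github.event.pull_request.title }}"
          npm ci
"""

# Constructed sample of the same job hardened; the SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4, placeholder SHA
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Reviewing: $PR_TITLE"
          npm ci
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit_workflow(wf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  line {f.line:>2}  {f.rule:<20} {f.detail}")
```

The hardened file shows the two fixes that clear the findings: every action pinned to a commit SHA (with the tag kept in a comment for readability), and the untrusted title passed through an `env:` variable so the shell sees a quoted variable rather than attacker-controlled text expanded before the script runs. Running this over every workflow in a repository on a schedule is one concrete way to make the "audit your pipelines regularly" point routine rather than a one-off.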

Additional Resources

I have made all my slides from the session available in PDF format for anyone who wishes to explore the details and access all links discussed during the presentation:

Stay Connected

I am always happy to discuss DevOps, supply chain security, or answer questions related to this talk. Feel free to connect with me on LinkedIn.


Tags

  • GitHub
  • GitHub Advanced Security (GHAS)
  • Conference
  • Slides
  • DevCon Romania


This post appeared first on “Rob Bos’ Blog”.