CI/CD and Supply Chain SecurityWorkshop
Besides their many advantages, heavy reliance on external (open source) dependencies as well as continuous integration and deployment (CI/CD) in modern software development have introduced many new threats to the software supply chain. As a result, the number and impact of supply chain attacks have increased dramatically in recent years. The workshop reviews potential attack vectors and provides practical measures to protect modern applications.
Based on the desired format, it is possible to just follow along or get your own hands dirty by executing selected attacks.
Software Engineers, System Administrators, DevOps; Basic experience/understanding of modern CI/CD and software development.
Supply chain threats (e.g. Top 10 CI/CD Security Risks) are reviewed and effective measures to mitigate resulting attacks are introduced, such as:
- Identities and authentication
- Code repository protection
- Base images
- Dependency management
- Security scanning
- Secure artifacts
- Secret management
- 3rd party integration risks
- Deployment schemes
- Artifact integrity validation
- Intro to SBOMs
Selected attacks and mitigations will demonstrated and can be tested by attendees on their own devices.