A Pragmatic Approach to Software Supply Chain Security
At the start of this year, two major security incidents impacted developers: log4shell and spring4shell. Both involved trusted standard Java libraries that turned out to have critical vulnerabilities, and both led to headaches and long hours for developers and security staff alike. These are only the tip of the iceberg when it comes to software supply chain issues though – malicious attackers, unsuitable licences and deprecated code can all lead to problems in stuff that used to “just work”. So, what can you do about it?
Having worked on both sides of the security fence, I’ve seen all the challenges of software composition analysis, and the importance of taking a “big picture” view of your development toolchain. In this talk I’ll use log4shell as an example of how software supply chains can go wrong and talk about what you can do when it does. I’ll also go through all the elements of the software supply chain, talk about how (despite what sales teams might tell you) there’s no single simple solution to this, and show you how to manage your risk in an achievable way. You’ll leave with concrete steps you can take to improve not just the security but the reliability of your software delivery process, and an understanding of what you can do the next time something like log4shell comes along.