Play all

Intro

Notable Incidents

Fundamental Disconnect . We have developed tremendous tooling and automation that allows us to create secure, reliable software at a scale not previously considered

Threat Modeling Overview

Confidentiality Impact

Availability Impact

Supporting Infrastructure

The Perimeter is the Problem

Example CI/CD Pipeline Dataflow

Follow a Code Change

General/Overarching Concerns

Source Repository and Workflow Engine

Open Source Component Management

Open Source Backdoor Concerns

Build Management

Security Testing and Backdoors

Software Packaging and Distribution

Software Packaging - Monolithic applications vs. Microservice applications

Software Distribution

Using the Threat Model

Vendor Management

Potential Argument Discussion Points

Questions

Description:

Explore threat modeling techniques for CI/CD pipelines to enhance software supply chain security in this 28-minute OWASP conference talk. Delve into notable incidents, fundamental disconnects in modern software development, and the importance of threat modeling. Examine confidentiality and availability impacts, supporting infrastructure, and perimeter-related challenges. Analyze a sample CI/CD pipeline dataflow, following code changes through various stages. Address general concerns, source repository management, open source component risks, build management, security testing, and software packaging and distribution. Learn how to apply threat modeling insights to improve vendor management and engage in potential argument discussions. Gain valuable knowledge to strengthen your organization's software supply chain security posture.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security

OWASP Foundation

Add to list

#Information Security (InfoSec) #Cybersecurity #Threat Modeling #Programming #Software Development #Infrastructure Security #Computer Science #DevOps #CI/CD Pipelines #Software Testing #Security Testing #Software Supply Chain Security

0:00 / 0:00