Trust No One: Securing the Modern Software Supply Chain with Zero Trust

Disclaimer: This summary has been generated by AI. It is experimental, and feedback is welcomed. Please reach out to info@qconlondon.com with any comments or concerns.

The presentation titled "Trust No One: Securing the Modern Software Supply Chain with Zero Trust" by Emma Yuan Fang focuses on addressing the security challenges in cloud-native software development through zero trust principles.

Key Topics Discussed:

  • Threat landscape and security challenges: Surveys the vulnerabilities in CI/CD pipelines, dependencies, and container images that threat actors exploit, together with human factors such as misconfiguration and flawed access control policies.
  • Zero Trust Principles: Emphasizes verifying every interaction, implementing least privilege access, and assuming breach to enhance security.
  • Supply Chain Attacks: Discusses notable examples such as the SolarWinds attack and dependency confusion exploits, stressing the importance of verifying code integrity.
  • Practical Guidance: Offers strategies for managing and selecting dependencies responsibly, securing CI/CD pipelines, and avoiding malicious packages through techniques like digital signatures and checksum verification.
  • Security Controls: Highlights the need to secure development environments and workloads, implement conditional access, and manage secrets effectively across the software supply chain.
  • Artifact Integrity and Monitoring: Advises on the use of artifact signing, branch protection policies, and auditing CI/CD tools to prevent unauthorized changes.

Conclusion: The session provides a checklist for applying zero trust principles in software supply chains, encouraging organizations to prioritize critical vulnerabilities and adopt comprehensive security practices tailored to their specific environments.

This is the end of the AI-generated content.


Can you truly trust your software supply chain? As cloud-native software development surges, threat actors increasingly target the supply chain, exploiting vulnerabilities in CI/CD pipelines, dependencies, and container images. These risks can be further amplified by human factors such as misconfigurations and flawed access control policies.

In this talk, we will explore how seemingly trusted entities within your DevOps pipelines can be exploited by threat actors. We will discuss the critical need for a proactive approach to defend against upstream threats by verifying each interaction within the system. Learn how to decipher Zero Trust principles and translate them into security controls to protect your software supply chain.

Key Objectives:

  • Understand the threat landscapes and security challenges in the software supply chain.
  • Discuss the key principles of Zero Trust and the advantages of applying this approach to enhance the security posture of your DevOps environment and CI/CD pipelines.
  • Learn practical guidance to defend against supply chain attacks by implementing Zero Trust security.
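The abstract and summary above list checksum verification and dependency pinning among the controls against tampered or substituted packages. The following is an added example, not material from the session or its slides, of what that control looks like in a pipeline step: every fetched artifact is checked against a pinned name/version/SHA-256 entry, and anything unpinned or mismatching is refused. The package names, the artifact bytes and the pinned digest are constructed for this example; the digest is derived once from the "good" bytes in the same way a lockfile or a pip requirements file with `--hash` entries would be generated from a trusted build.

```python
import hashlib
import hmac

# Constructed sample data for this example: the bytes of a "good" artifact as
# produced by a trusted build, and the pinned digest derived from it once and
# committed with the code (the role a lockfile or a pip requirements file with
# --hash entries plays). Nothing here is fetched from a real registry.
GOOD_ARTIFACT = b"example-lib 1.2.0 wheel contents (constructed)\n"
PINNED = {
    ("example-lib", "1.2.0"): hashlib.sha256(GOOD_ARTIFACT).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 over the whole artifact, the digest that lockfiles pin."""
    return hashlib.sha256(data).hexdigest()


def check_artifact(name: str, version: str, data: bytes, pinned=PINNED):
    """Return (ok, reason) for a fetched artifact.

    ok is True only when name/version has a pinned digest and the digest of
    data matches it. Everything else is rejected with a reason. This stops a
    tampered download (same name and version, different bytes) and a
    dependency-confusion package that resolves under a name or version that
    was never vetted and therefore never pinned.
    """
    key = (name, version)
    if key not in pinned:
        return False, f"{name}=={version} has no pinned digest; refusing it"
    actual = sha256_hex(data)
    # Constant-time comparison: the digests are public, but it is the habit
    # to keep for any comparison that decides whether to trust something.
    if not hmac.compare_digest(actual, pinned[key]):
        return False, (f"{name}=={version} digest mismatch: "
                       f"expected {pinned[key][:12]}..., got {actual[:12]}...")
    return True, "ok"


def check_all(fetched, pinned=PINNED):
    """Check (name, version, bytes) tuples in order; returns [(name==version, ok, reason)]."""
    return [(f"{n}=={v}", *check_artifact(n, v, d, pinned)) for n, v, d in fetched]


def tamper(data: bytes, offset: int = 0) -> bytes:
    """Flip one bit at offset; stands in for a package modified on a registry or mirror."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


def requirements_line(name: str, version: str, pinned=PINNED) -> str:
    """Render the pinned entry in pip's hash-checking syntax, for use with
    `pip install --require-hashes -r requirements.txt`."""
    return f"{name}=={version} --hash=sha256:{pinned[(name, version)]}"


if __name__ == "__main__":
    # Constructed batch: one genuine artifact and three things a resolver
    # could hand back that must never be installed.
    fetched = [
        ("example-lib", "1.2.0", GOOD_ARTIFACT),                  # exactly what was pinned
        ("example-lib", "1.2.0", tamper(GOOD_ARTIFACT)),          # one bit changed in transit
        ("example-lib", "9.9.9", b"attacker build\n"),            # higher version, never pinned
        ("example-lib-internal", "1.0.0", b"public lookalike\n"),  # name never pinned
    ]
    for spec, ok, reason in check_all(fetched):
        print(f"{'ACCEPT' if ok else 'REJECT'} {spec}: {reason}")
    print(requirements_line("example-lib", "1.2.0"))
```

The refusal of unpinned entries is the part that matters for dependency confusion: a hash pin alone is not enough if the resolver is allowed to fall through to a package it has never seen, so the check is "pinned and matching", not merely "matching when a pin exists". A signature check (Sigstore, GPG-signed releases) answers a different question, who produced the artifact, and belongs alongside this step rather than in place of it.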

Speaker

Emma Yuan Fang

Senior Cloud Security Architect @EPAM, DevSecOps, Cloud Security Advocate, Strategist and Public Speaker, Ex-Microsoft, CISSP

Emma is a Senior Manager, Cloud Security Architect at EPAM, with extensive experience in cloud, DevSecOps, and security architecture & strategy. In her role, she designs and architects security solutions for cloud consulting projects. Formerly at Microsoft, she delivered cybersecurity projects and technical workshops to a diverse range of clients, from tech startups to established FTSE 100 firms. Alongside her professional work, Emma is an international public speaker, dedicated to advocating for a more diverse workforce in cybersecurity through mentorship programs and community engagement. She is an ambassador for Google's Women Techmaker and CyberFirst NI, volunteers on the leadership team of the Women in Cybersecurity (WiCyS) UK&I affiliate, leads a WiCyS mentorship cohort, and serves as a member of the Industry Advisory Board at the University of Buckingham.


Date

Tuesday Apr 8 / 01:35PM BST ( 50 minutes )

Location

Mountbatten (6th Fl.)

Topics

software supply chain cloud security zero trust

Slides

Slides are not available


From the same track

Session security

Securing AI Assistants: Strategies and Practices for Protecting Data

Tuesday Apr 8 / 03:55PM BST

The data behind AI copilots is not only their most critical asset but also a key strategic consideration for enterprises and SMBs alike.


Andra Lezza

OWASP London Chapter Leader, 10+ Years of Experience Building AppSec Program

Session

Secure by Design: Building Security into Engineering Workflows and Teams

Tuesday Apr 8 / 10:35AM BST

Security doesn't have to be a blocker: it can be an enabler. In this session, we'll explore how to seamlessly integrate secure development practices into engineering workflows while fostering a culture of collaboration and shared ownership.


Stefania Chaplin

Founder & CEO @DevStefOps, Previously Solutions Architect @GitLab, AWS Certified Security - Speciality

Session open source

Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation

Tuesday Apr 8 / 11:45AM BST

As security practitioners, we face the challenge of driving innovation whilst needing to balance security risks.


Celine Pypaert

Vulnerability Manager @Johnson Matthey, Women in CyberSecurity UK Volunteer, Book Contributor, Ex-Microsoft

Session

Unconference: Resilient Engineering Practices for Security Against Modern Threats

Tuesday Apr 8 / 05:05PM BST

Session

Panel: Security Against Modern Threats

Tuesday Apr 8 / 02:45PM BST

Details coming soon.