This past year we learned the hard way that your software supply chain is only as secure as its weakest link, from SolarWinds, to Codecov, to Log4j. Your third-party and open source packages and imports are only one compromised dependency, or one unpatched vulnerability in it, away from compromising your entire production operation.
In this talk we’ll focus on three core areas of securing the supply chain, through an easy mnemonic we call the three S’s: Software Bill of Materials (SBOM), Signing and Slimming. By first taking inventory and knowing what you need to secure, you can then verify your packages and give each artifact an immutable, verifiable identity, and finally, by slimming, you minimize the attack surface. We’ll walk through practical ways to apply these methods to your software supply chain as first-line security controls.
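The following is an added example, not code from the talk or its authors, that runs the three S’s end to end on constructed data with only the Python standard library. Inventory: a pip-style lockfile with pinned SHA-256 hashes is turned into a minimal CycloneDX-shaped SBOM. Verify: every downloaded artifact is checked against the digest recorded in the SBOM, so a package tampered with in transit or on the mirror is rejected (this is digest pinning as a stand-in for the talk's "signing"; it does not verify a cryptographic signature, which would need a signing tool such as Sigstore/cosign and an online key or transparency log). Slim: only the transitive closure of the packages you actually need is kept, and the rest is dropped from the SBOM, which is the list you then build from. The registry contents, the `DEPENDS` graph and all package names/versions are constructed for the example, not real artifacts.

```python
"""Three S's on constructed data: SBOM (inventory), verify (pinned digests), slim."""
import hashlib
import hmac
import re

# Constructed stand-ins for sdist bytes served by a package index.
# Names and versions are illustrative; the bytes are not real packages.
FAKE_REGISTRY = {
    "colorama-0.4.6.tar.gz": b"constructed bytes standing in for the colorama sdist",
    "requests-2.31.0.tar.gz": b"constructed bytes standing in for the requests sdist",
    "urllib3-2.0.7.tar.gz": b"constructed bytes standing in for the urllib3 sdist",
}
# Constructed dependency graph: requests needs urllib3; colorama is nobody's dependency.
DEPENDS = {"requests": {"urllib3"}}

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(registry: dict) -> str:
    """Lock time: record name==version plus the SHA-256 of the exact artifact we resolved,
    the way `pip-compile --generate-hashes` or `pip hash` would."""
    lines = []
    for filename, data in sorted(registry.items()):
        name, version = filename[: -len(".tar.gz")].rsplit("-", 1)
        lines.append(f"{name}=={version} --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def build_sbom(lockfile_text: str) -> dict:
    """S #1, inventory: parse the lockfile into a minimal CycloneDX-shaped document.
    Any unpinned or unhashed line is an error, since it cannot be verified later."""
    components = []
    for raw in lockfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        components.append({
            "type": "library",
            "name": m["name"],
            "version": m["version"],
            "purl": f"pkg:pypi/{m['name']}@{m['version']}",
            "hashes": [{"alg": "SHA-256", "content": m["digest"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def verify_downloads(sbom: dict, downloads: dict) -> dict:
    """S #2, verify: compare each fetched artifact against the digest pinned in the SBOM.
    Returns purl -> 'ok' | 'digest-mismatch' | 'missing'. Anything but 'ok' must fail the build."""
    results = {}
    for comp in sbom["components"]:
        filename = f"{comp['name']}-{comp['version']}.tar.gz"
        data = downloads.get(filename)
        if data is None:
            results[comp["purl"]] = "missing"
            continue
        expected = comp["hashes"][0]["content"]
        # Constant-time compare; the digest is untrusted input from the fetch side.
        ok = hmac.compare_digest(sha256_hex(data), expected)
        results[comp["purl"]] = "ok" if ok else "digest-mismatch"
    return results


def slim(sbom: dict, roots: set, depends: dict) -> dict:
    """S #3, slim: keep only the transitive closure of what the application really imports,
    so packages that merely came along for the ride stop being attack surface."""
    needed, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        needed.add(name)
        stack.extend(depends.get(name, ()))
    kept = [c for c in sbom["components"] if c["name"] in needed]
    return {**sbom, "components": kept}


if __name__ == "__main__":
    sbom = build_sbom(make_lockfile(FAKE_REGISTRY))
    # Simulate a poisoned mirror: urllib3 bytes differ from what was locked.
    fetched = dict(FAKE_REGISTRY)
    fetched["urllib3-2.0.7.tar.gz"] += b"\n# injected"
    print(verify_downloads(sbom, fetched))
    print([c["purl"] for c in slim(sbom, {"requests"}, DEPENDS)["components"]])
```

In a real pipeline the digest check is what `pip install --require-hashes` already enforces; the point of carrying the same digest in the SBOM is that the inventory, the verification input and the slimmed build list are one document rather than three that drift apart.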