《securitycon-aaron-wayne.pdf》由会员分享,可在线阅读,更多相关《securitycon-aaron-wayne.pdf(15页珍藏版)》请在三个皮匠报告上搜索。
1、 Securing Diverse Supply Chains across Interconnected SystemsWayne StarrAaron Creel01 February 2023 The ProblemSynergizing activities across an organization for Large Software Systems can be difficult and time consuming.TeamsEcosystemsc+pythonnodeaptcjavagolangEnvironments One Software Project*Not i
2、ncluding containers,web or infrastructure components Why Solve This?SolutionsAutomationPolicyCheck dependencies and vulnerabilities with automated toolingImplement organizational standards to capture data consistently Policy Standard CheckpointsOn ImportOn IntegrationOn DeploymentCheck packages when
3、 they enter the dev environmentCheck packages on build or in continuous integrationCheck packages as they are deployed to production The Stale ShelfIn addition to common checkpoints you must continuously evaluate the products that you have running in production.Vulnerabilities never stop being disco
4、vered and you must be prepared to respond when updates are required.Keep Things SimpleReduce developer friction through standardized/templated tooling within the enterpriseTighten feedback loops within the environment developers use today to provide feedback quickly Automation Package Identification
5、cpe:2.3:a:google:protobuf:3.1.0:*:*:*:*:*:*:*cpe versionpartvendorproductversionupdateeditionlanguagesw editiontarget swtarget hwother Analysis ConsiderationsIs this package on disk or in a requirements file?Is this package publicly available or private?Is this package actually in use by the applica
6、tion?ShortcomingsConsistencyConfigurabilityManagementTooling can be inconsistent or not provide required information across package ecosystemsSBOM utilities sometimes lack the configurability needed to run within large(slow)codebasesOnce data is collected,managing data and keeping things together can be difficult Demo Questions