Real World Security: Software Supply Chain
As organizations embrace the modern software supply chain model that Docker enables, the threat model for their applications evolves. Applications are assembled from many components and providers, shipped to a broad range of distribution points such as a Docker registry, and deployed to many environments, from public clouds to air-gapped infrastructure. We will present the methodology of, and research gathered through, a real-world case study on misconfigured registries. From there we will discuss a threat model for the end-to-end software supply chain: build, ship, and run. We’ll demonstrate an open source tool that can be used to audit your environment and discuss the steps taken to create an even more “secure by default” configuration for the OSS Docker Registry. Finally, we’ll highlight further best practices to secure your software supply chain.

Speakers:
Daniel Shapira - Security Researcher, Twistlock.
David Lawrence - Senior Security Engineer, Docker.