SESSION details

Name: Secure Development with Docker

Date/time: Tuesday, October 3, 2023, 8:00 AM - 12:00 PM Pacific Time

Description:

Developers want to move fast to build new features, fix bugs, and provide better user and customer experiences. However, there is a constant struggle between developers, who want to leverage various open source libraries and frameworks and may not be able to keep up with all their updates, and security teams, who want to ensure they are minimizing risk. While containers help provide consistent environments across the entire software development lifecycle, there's thought and process needed to maximize their benefits.

In this workshop, you'll start off by learning about and remediating several common attacks against your software supply chain. From there, we'll dive deeply into the practice of securing the software supply chain, taking a comprehensive view of the problem and possible solutions. With this knowledge, you'll then learn how Docker Scout helps you understand what's in your images, how those images are constructed, and what's running where, and how it provides actionable feedback as early in the process as possible so concerns are eliminated before they become problems.

Intended audience: Developers, Security Engineers, Product Security, Platform Folks

Topics to be covered:

  • Connect the concepts of software development lifecycle (SDLC), software supply chain (SSC), and security.
  • Approach SSC security comprehensively, from dependencies to runtime.
  • Improve your software security posture without "breaking the build."
  • Hands-on with Docker Scout to help you understand your SSC and identify & remediate security issues.

Agenda

8:00–8:15 Welcome and setup

8:15–8:30 Talk: CVEs, dependencies, and base images

8:30–9:00 Hands-on: Remediating vulnerabilities

9:00–9:15 Talk: Understanding the software supply chain

9:15–9:30 Break

9:30–10:00 Hands-on: Using Docker Scout to connect your data model

10:00–10:15 Talk: Docker Image Provenance and SBOM

10:15–10:45 Hands-on: Explore and add provenance and SBOMs using Buildkit and Docker Scout

10:45–11:00 Break

11:00–11:15 Talk: Maintaining Security with Policy: First, do no harm

11:15–11:45 Hands-on: Getting back into compliance with Docker Scout

11:45–12:00 Talk: What's next and Q&A

Anticipated resources/takeaways:

  • Understand and verify how your applications are built.
  • Quickly and easily identify problems with your software supply chain and remediate them.
  • Use policies to encourage best practices across your organization without blocking fixes getting to production.
  • Provide visibility into the security stance of your software to others within your organization.