SESSION details

Name: Securing the Software Supply Chain: Using Static Analysis to Catch Configuration Vulnerabilities

Date/time: Wednesday, October 4, 2023, 10:20 AM - 11:05 AM Pacific Time

Description:

Containers and Infrastructure as Code (IaC) have changed the way organizations build and deploy their applications. Gone are the days when hardware had to be manually provisioned and managed in person. However, this doesn't mean that these technologies can't present security risks to your organization. If you're not careful, misconfigurations can lead to exposed secrets, data leaks, unauthorized access, or DDoS attacks. Thus, it's important to get your configurations right the first time to minimize the risk of these issues. In this talk, we'll cover:

1. The importance of shifting left and trying to find vulnerabilities early in the SDLC

2. Overview of Dockerfiles and how you can accidentally introduce poor practices and security vulnerabilities to your configurations (with examples)

3. What Static Analysis and Software Composition Analysis are, and how they help you secure your code and dependencies

4. How to set up Static Analysis in your IDE to scan your Dockerfiles for issues, get suggested fixes for resolving them, and block critical issues using gating mechanisms