Adrian Mouat
Supply Chain Security and the Real World: Lessons From Incidents
#1 (about 6 minutes)
Moving beyond abstract security metaphors and vague advice
Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.
#2 (about 3 minutes)
Analyzing the Codecov breach and its attack vector
The Codecov breach occurred when a secret in a Docker image led to a modified script that exfiltrated CI/CD environment variables.
#3 (about 5 minutes)
Securing Docker builds and verifying script downloads
Prevent secret leaks in Dockerfiles by using the `--secret` flag and always verify downloaded scripts with checksums or GPG signatures.
#4 (about 2 minutes)
The risks of storing secrets in environment variables
Storing secrets in environment variables makes them easy to exfiltrate, so prefer identity federation, secret managers, or temporary files instead.
#5 (about 5 minutes)
Deconstructing the `changed-files` GitHub Action attack
A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.
#6 (about 2 minutes)
Hardening GitHub repositories and pinning dependencies
Mitigate attacks by enforcing commit signing, restricting tag updates, and pinning GitHub Actions to a specific content digest.
#7 (about 2 minutes)
Replacing long-lived credentials with short-lived tokens
Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.
#8 (about 1 minute)
Summary of actionable supply chain security advice
A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.
Matching moments
01:06 MIN
Malware campaigns, cloud latency, and government IT theft
Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre
01:15 MIN
Crypto crime, EU regulation, and working while you sleep
Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre
07:39 MIN
Prompt injection as an unsolved AI security problem
AI in the Open and in Browsers - Tarek Ziadé
03:45 MIN
Preventing exposed API keys in AI-assisted development
Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2
01:03 MIN
Evaluating tech startup funding and supply chain news
Fake or News: Coding on a Phone, Emotional Support Toasters, ChatGPT Weddings and more - Anselm Hannemann
05:55 MIN
The security risks of AI-generated code and slopsquatting
Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2
06:46 MIN
How AI-generated content is overwhelming open source maintainers
WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More
06:33 MIN
The security challenges of building AI browser agents
AI in the Open and in Browsers - Tarek Ziadé
Related Videos
Securing your application software supply-chain
Niels Tanis
Real-World Security for Busy Developers
Kevin Lewis
How your .NET software supply chain is open to attack : and how to fix it
Andrei Epure
How GitHub secures open source
Joseph Katsioloudes
Open Source Secure Software Supply Chain in action
Natale Vinto
Simple Steps to Kill DevSec without Giving Up on Security
Isaac Evans
Security Pitfalls for Software Engineers
Jasmin Azemović
Walking into the era of Supply Chain Risks
Vandana Verma