"AI era is bright, but full of terrors!"

In a world where vulnerabilities like Log4Shell, Spring4Shell, and the XZ Backdoor make headlines, securing our software ecosystem has never been more critical. In this session, Soroosh, a hands-on architect with experience working on security platform services for large enterprises like Rabobank, will share practical strategies and best practices for securing the software development process, applicable to both small startups and large organizations.

Key takeaways and questions that will be answered in this session:
[Live Demo] What is a "Supply Chain Attack," and how dangerous can it be?
An example of lateral movement that begins with a basic SQL injection attack and escalates to gaining root access to a Kubernetes cluster
Exploring new attack vectors in the AI era and the defense strategies to detect, prevent and mitigate them
Most effective practices to secure your CI/CD process
Practical strategies on how Software Bill of Materials (SBOM) help us prepare for the next Log4Shell crisis?
What does DevSecOps mean, and what is its main objective?

Devoxx

A conference talk transcript covering software supply chain attacks and how developers can protect against them. The speaker demonstrates live how running 'mvn install' or 'npm install' with a malicious dependency can silently open a reverse shell to a hacker's machine. Key threats covered include dependency confusion attacks, typosquatting, malicious packages with fake download counts, and AI-suggested compromised libraries. Mitigation recommendations span three tiers: critical (namespace reservation, version pinning, checksum verification, npm --ignore-scripts), essential (private repository routing with Nexus/JFrog, Dependabot/Renovate, immutable versions, SBOM generation), and advanced (real-time package blocking, artifact signing, continuous SBOM monitoring with tools like OWASP Dependency-Track). The talk also emphasizes that tooling alone is insufficient without DevSecOps culture, developer security training, threat modeling, and governance practices.

Are We Ready For The Next Cyber Security Crisis Like Log4Shell? by Soroosh Khodami