Session Name: Have a Plan Before You Need a Plan: Dealing With Software Supply Chain Issues the Right Way
Last December brought us a new level of 'dependency hell' with the 'internet-is-on-fire' level Log4Shell vulnerability. Billed as the "worst security vulnerability in decades" by CISA Director Jen Easterly, Log4Shell brought many software delivery organizations to a grinding halt and mired many in months-long remediation efforts. Many of them learned the hard way that managing dependencies effectively is not just a matter of prudent engineering: many players have a stake in the effort, ranging from security containment to avoiding the legal risk stemming from the FCA's announcement of its intention to pursue companies caught not acting on Log4Shell and getting hacked as a result. So, how did we as an industry deal with Log4Shell as a whole? How did the organizations that got it right do it? What are the salient lessons software delivery teams should remember from the experience? How often do security incidents happen in the supply chain, and what are the open source ecosystems doing about this? How do you formulate a plan for the next big thing?
This session will leave you with a set of best practices based on actual remediation and Log4Shell adoption data, as well as anecdotal experience over the year. You'll walk away with a deepened understanding of what the risk is, and of which channels you need to develop across your DevOps organization, so that the next time an incident of this magnitude happens you have the plan ready.
Ilkka is an experienced DevOps engineer and has worked with companies across 40 different countries to implement, maintain and improve their DevSecOps pipelines and software supply chain practices. He is a passionate advocate of Value Stream Mapping and steady caffeination. In his day job, he leads Sonatype's Solutions Architecture and Developer Advocacy divisions. In his free time, he likes to pretend he knows how to compose synthwave in front of his synthesizer.