Securing the SDLC: Trust Boundaries, Software Supply Chain & OpenSSF Tools
Author: Luca Berton
Uploaded: 2025-10-22
Views: 16
Description:
How do you defend your software from threats creeping in at every step of the SDLC? In this DevOps State Amsterdam talk, we:
Map trust boundaries in your pipeline—from dev workstation to end user.
Reveal how your dependency tree explodes into dozens of transitives, each a potential risk.
Share real-world breaches (Log4Shell, XZ Utils) and the cost to users, orgs & reputations.
Introduce OpenSSF Scorecard—an open-source repo-level scanner with 18 heuristics that rates your project 1–10.
Outline key OpenSSF projects & working groups you need in your toolkit:
Sigstore for code signing
Salsa for vetting maintainers
Guac for turning SBOMs into actionable graphs
OpenSSF Security Baseline for interoperable security data
Stress that tools alone aren’t enough—leverage free guides and courses from the Best Practices WG to level up your team’s security maturity.
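The Scorecard described above emits per-check scores alongside the overall 1–10 rating, which is what makes it usable as a CI gate rather than just a report. The following is an added example, not code from the talk or from the OpenSSF project: a small policy gate over the JSON that `scorecard --format json` produces. The sample result, the repository name and the thresholds are constructed for illustration; only the `score`, `checks[].name`, `checks[].score` and `checks[].reason` fields of the real output are modelled.

```python
import json

# Constructed sample shaped like `scorecard --format json` output (assumption:
# only the fields used below are modelled; a real result carries more).
SAMPLE_SCORECARD_JSON = json.dumps({
    "repo": {"name": "github.com/example/app", "commit": "PLACEHOLDER_COMMIT"},
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo"},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches"},
        {"name": "Pinned-Dependencies", "score": 2,
         "reason": "dependency not pinned by hash detected"},
        {"name": "Signed-Releases", "score": -1,
         "reason": "no releases found"},
        {"name": "Token-Permissions", "score": 10,
         "reason": "GitHub workflow tokens follow principle of least privilege"},
    ],
})

# Per-check minimums a team might enforce in CI (assumed policy, not an OpenSSF default).
POLICY = {"Branch-Protection": 5, "Pinned-Dependencies": 5, "Token-Permissions": 8}


def evaluate(raw_json, policy=POLICY, overall_min=5.0):
    """Return (passed, failures) for a Scorecard JSON result.

    A check scored -1 means Scorecard could not evaluate it (here: no releases
    to check signatures on); it is skipped rather than counted as a failure so
    an inconclusive check cannot mask or fake a pass."""
    data = json.loads(raw_json)
    failures = []
    if data["score"] < overall_min:
        failures.append(f"overall score {data['score']} < {overall_min}")
    for check in data["checks"]:
        name, score = check["name"], check["score"]
        if score < 0:
            continue  # inconclusive check, surfaced by Scorecard's own reason text
        minimum = policy.get(name)
        if minimum is not None and score < minimum:
            failures.append(f"{name}: {score} < {minimum} ({check['reason']})")
    return (not failures, failures)


if __name__ == "__main__":
    passed, problems = evaluate(SAMPLE_SCORECARD_JSON)
    print("PASS" if passed else "FAIL")
    for line in problems:
        print("  -", line)
```

In a pipeline the same function would read the file written by `scorecard --repo=<repo> --format json` and fail the job when `passed` is false.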
⏱ Timestamps
00:00 Dependency trees & trust boundaries
02:15 Why breaches hurt users most
04:10 Supply-chain attack trends & case studies
06:30 Scorecard deep dive & use cases
09:00 Overview of Sigstore, Salsa, Guac & Baseline
11:20 Education: guides & free OpenSSF courses
Resources & Links
• OpenSSF Scorecard → https://github.com/ossf/scorecard
• OpenSSF homepage → https://openssf.org/
• Sigstore → https://sigstore.dev/
• Free security guides & courses → https://openssf.org/education/
If you’re ready to lock down your pipeline, like and subscribe for weekly DevSecOps insights—and let us know your biggest supply-chain challenge in the comments! 🔐🚀