DevSec Station

Supply Chain Is More Than Just Dependencies


Most developers think software supply chain security starts and ends with dependencies. But modern supply chain attacks don't stop there. Attackers look for paths into your software, and those paths often run through developers, CI/CD systems, build tools, deployment pipelines, and other trusted parts of the software delivery process.

This episode is sponsored by Maze.

In this episode of DevSec Station, Tanya Janca explains why the software supply chain is much bigger than libraries and packages, how modern attacks move through trusted systems, and what developers can do to better understand and protect the paths their software travels before it reaches production.

You'll learn:
• why dependencies are only one part of the supply chain
• how attackers move through trusted developer tooling and processes
• what "influence" means in a software supply chain context
• why supply chain attacks often appear normal until it's too late
• how to identify and protect the paths that affect your software

Tanya walks through a realistic supply chain attack scenario where no application vulnerability is exploited directly. Instead, an attacker compromises a trusted part of the software delivery process and uses it to influence what gets built and deployed.

DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

Follow Tanya:
https://shehackspurple.ca
https://youtube.com/@shehackspurple
https://linkedin.com/in/tanya-janca

This episode is sponsored by Maze.
One of the biggest problems in security right now is that every vulnerability or cloud scanner says everything is critical, and honestly, no one has time for that.

Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary.

Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now.

Learn more about Maze at mazehq.com/devsec

DevSec Station, by Tanya Janca | SheHacksPurple