DevSec For Scale Podcast – Software Supply Chain Security w/ Anton Weiss, Otomato Software
In this episode of the “DevSec for Scale” podcast, Jeremy Hess interviews Anton Weiss, a software delivery futurist and founder of Otomato Software. Anton shares insights on the importance of securing developer access and documenting build procedures to enhance security. He emphasizes that collaboration and proper documentation are essential in identifying and mitigating security risks during the build process. By reviewing and understanding what is being incorporated into the build, companies can better secure their software supply chains.
Anton highlights that the biggest security threat often comes from within, whether through human error or malicious intent. He discusses the rapid evolution of technology and the struggle of security practices and tools to keep pace: as new technologies emerge, security professionals must continually adapt and learn. He points to initiatives like Sigstore, which aim to improve software supply chain security through signing and verification of artifacts, but acknowledges that integrating such tools and practices effectively into existing pipelines remains a challenge.
Reflecting on his experiences, Anton shares stories from the field, including an incident where AWS access keys were accidentally exposed, leading to a significant bill from unauthorized usage, and a case where he discovered a tampered open-source package that introduced malicious software into a build. These examples underline the importance of vigilance and proactive measures, such as catching leaked credentials before they reach a repository and reviewing what actually goes into a build.
For smaller companies, Anton advises documenting build procedures, using proxy repositories for external packages so that dependencies are pulled from a controlled, reviewable source rather than directly from the internet, and running open-source code scanners. He stresses the need for continuous security practices and recommends allocating time to pay down security debt in the same way teams manage technical debt. By integrating security measures early and consistently, companies can better protect their software and data as they grow.
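The exposed-key incident and the advice to run scanners both come down to the same control: check what developers are about to commit before it leaves their machine. The following is an added example, not code from the podcast or from Otomato Software, of a minimal pre-commit secret scanner for AWS credentials. The sample config file and sample `git diff` output are constructed for illustration; the key values in them are the AWS documentation's published example keys, not real credentials. The key-ID pattern relies on the documented fact that long-term AWS access key IDs start with `AKIA` and temporary ones with `ASIA`, each 20 characters long.

```python
import re
import sys
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 uppercase
# alphanumeric characters. Word boundaries avoid matching inside longer tokens.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 base64-like characters; on their own they are too
# generic to match safely, so only flag them when assigned to the known variable name.
SECRET_KEY_ASSIGNMENT = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # which credential type matched
    redacted: str  # first/last 4 characters, so reports never re-leak the secret


def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Scan arbitrary text (e.g. a whole file) for AWS credentials."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(n, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_ASSIGNMENT.finditer(line):
            findings.append(Finding(n, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_diff(diff: str) -> list[Finding]:
    """Scan only added lines of a unified diff, as a pre-commit hook would on
    `git diff --cached`. Removed lines and the '+++' file header are skipped."""
    findings: list[Finding] = []
    for n, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for f in scan_text(line[1:]):
            findings.append(Finding(n, f.kind, f.redacted))
    return findings


def precommit_ok(diff: str) -> bool:
    """True when the staged diff is clean; a hook would exit non-zero otherwise."""
    return not scan_diff(diff)


# Constructed sample inputs (AWS documentation example keys, not live credentials).
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
-export AWS_PROFILE=ci
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 aws s3 sync ./build s3://example-bucket/
"""


if __name__ == "__main__":
    # Usage as a hook:  git diff --cached | python scan_secrets.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(source):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    sys.exit(0 if precommit_ok(source) else 1)
```

Scanning only the added lines of the staged diff keeps the hook fast and avoids re-flagging historical noise, but it also means a key that was committed before the hook existed is not caught; a one-off `scan_text` pass over the repository history (or a dedicated tool such as gitleaks or trufflehog) covers that gap.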