In 2016, a dispute over the name Kik let to an outage that affected nearly the entire internet: an open-source package with 11 lines of code, that every developer could easily write themselves, was withdrawn from the package registry and caused thousands of websites to break. And, in 2020, SolarWinds caused a security leak that affected over 33,000 customers, amongst them the Department of Homeland Security and the Department of Treasury: an attack to the software supply chain of their software Orion was successful and let to malicious software to be distributed to many of their clients.

Incidents like this proof that application security is not just security testing before you ship your software or architecture reviews. Security must be baked into your development process and if must span the entire software supply chain.

In this talk you’ll learn how you can integrate security into your complete development process:
- Secure development environments
- Secret scanning and secret rotation
- Dependency management and software composition analysis (SCA)
- Manage your software supply chain with Dependabot
- Find XSS, SQL injection, and memory leaks
- Static and dynamic security testing (SAST and DAST)
- Hunt for vulnerabilities writing your own CodeQL queries

The talk is for everyone that is interested in application security – developers as well as DevOps engineers.

The talk explains how you can bake security into your development and DevOps process. The focus lies on GitHub Advanced Security – but also other tools for SCA, SAST, and DAST are introduced.