About us
DevSecOps is a growing area with a number of very good conferences being organised.
DevSecOps London Gathering was created to allow people to share their real life experience of introducing or working with Security in their delivery.
A monthly gathering for anybody involved with factoring Security into DevOps - this is not just for developers or security SMEs.
Keep up to date with DSOLG
- Follow our LinkedIn Page for presentation materials and other goodies
- Subscribe to our YouTube Channel @DevSecOpsLondonGathering
- Follow us on Twitter @DevSecOpsLG
- Tune in to our Podcast DSO Overflow
Interested in speaking at one of our events? Get in touch via our form.
Or if you'd like to make a request for an event topic or speaker, let us know.
To get in touch with the DSOLG team email us team@dsolg.com
Upcoming events
1

DSOLG March 2026 - Double-header
123 Pentonville Rd, London N1 9LG, London, GB
## Details
Welcome to the DevSecOps London Gathering March Event on Wednesday 26 March. We bring you two amazing talks, as well as the usual conversations, pizza and beer!
📍 Hosted at Autogen AI, Pentonville Road, London
📅 Wednesday, 26 March
🕕 6:00–8:00 PM
## Talk 1
Abstract:
Software supply chain attacks are no longer rare or theoretical. They are happening every day. Recent incidents show how easily malicious packages can enter trusted registries and make their way into production systems before anyone notices.
Today’s package managers host millions of components and support billions of downloads each week. That scale enables modern software development, but it also creates an enormous attack surface. Typosquatting, dependency confusion, malicious install scripts, and credential harvesting are no longer unusual techniques. They are now common and repeatable attack patterns.
This session looks at how these attacks are playing out. Using malicious code detection data from Veracode, we walk through real-world supply chain attack campaigns, the techniques attackers use, and the indicators that separate legitimate open-source packages from malicious ones. Attendees will see how weaponized components are identified, sometimes before they reach production and sometimes after damage has already begun.
The talk also draws on industry research, including findings from the Veracode State of Software Security report, to put hard numbers behind the risk introduced by open-source dependencies and transitive trust.
The session concludes with practical guidance for reducing exposure without slowing development. Topics include dependency controls, CI/CD enforcement, malicious code detection, and continuous monitoring approaches that fit modern engineering workflows.
## Talk 2
Abstract
The National Archives is the official archive and publisher for the UK Government. Our records include physical records such as the Domesday Book and Magna Carta, along with digital records from UK Government departments, Enquiries, and other public bodies, held both on premise and in public cloud.
It's vitally important to protect our digital records from accidental deletion and the increasing threat of ransomware. We therefore initiated a programme to implement immutable cloud backups using the AWS Backup service within a central, segregated AWS account.
In this talk, we'll share our learnings from this programme of work, including:
- why AWS Backup compliance mode vault locks are not always truly immutable
- which KMS key types should be selected to support backup and restore to a central vault
- the importance of Logically Air Gapped (LAG) vaults
- how each AWS service has implemented backups differently
- which widely used AWS database option doesn't support centralised backup
- cost considerations for setting up backup plans
We soon learnt that it's not just a case of "Turn on AWS Backup". To deploy a centralised solution, we needed to:
- configure centralised AWS Backup vaults and vault policies
- deploy components to workload accounts, including Backup vaults, EventBridge, IAM roles
- select the appropriate vault type depending on AWS resource type
We decided to implement our solution as an open-source, public Terraform Module which deploys immutable AWS Backups across an AWS Organization, to handle this complexity, and simplify onboarding new accounts and resources to be backed up.
You'll come away with an increased understanding of AWS Backup, an appreciation of its complexity and limitations, and the opportunity to greatly simplify deployment of truly immutable backups across your AWS accounts, using our public Terraform module.
41 attendees
Past events
88


