DSOLG March 2026 - Double-header
## Details
Welcome to the DevSecOps London Gathering March Event on Wednesday 26 March. We bring you two amazing talks, as well as the usual conversations, pizza and beer!
📍 Hosted at Autogen AI, Pentonville Road, London
📅 Wednesday, 26 March
🕕 6:00–8:00 PM
## Talk 1
Abstract:
Software supply chain attacks are no longer rare or theoretical. They are happening every day. Recent incidents show how easily malicious packages can enter trusted registries and make their way into production systems before anyone notices.
Today’s package managers host millions of components and support billions of downloads each week. That scale enables modern software development, but it also creates an enormous attack surface. Typosquatting, dependency confusion, malicious install scripts, and credential harvesting are no longer unusual techniques. They are now common and repeatable attack patterns.
This session looks at how these attacks are playing out. Using malicious code detection data from Veracode, we walk through real-world supply chain attack campaigns, the techniques attackers use, and the indicators that separate legitimate open-source packages from malicious ones. Attendees will see how weaponized components are identified, sometimes before they reach production and sometimes after damage has already begun.
The talk also draws on industry research, including findings from the Veracode State of Software Security report, to put hard numbers behind the risk introduced by open-source dependencies and transitive trust.
The session concludes with practical guidance for reducing exposure without slowing development. Topics include dependency controls, CI/CD enforcement, malicious code detection, and continuous monitoring approaches that fit modern engineering workflows.
## Talk 2
Abstract:
The National Archives is the official archive and publisher for the UK Government. Our records include physical records such as the Domesday Book and Magna Carta, along with digital records from UK Government departments, public inquiries, and other public bodies, held both on premises and in public cloud.
It's vitally important to protect our digital records from accidental deletion and the increasing threat of ransomware. We therefore initiated a programme to implement immutable cloud backups using the AWS Backup service within a central, segregated AWS account.
In this talk, we'll share our learnings from this programme of work, including:
- why AWS Backup compliance mode vault locks are not always truly immutable
- which KMS key types should be selected to support backup and restore to a central vault
- the importance of Logically Air Gapped (LAG) vaults
- how each AWS service has implemented backups differently
- which widely used AWS database option doesn't support centralised backup
- cost considerations for setting up backup plans
We soon learnt that it's not just a case of "Turn on AWS Backup". To deploy a centralised solution, we needed to:
- configure centralised AWS Backup vaults and vault policies
- deploy components to workload accounts, including Backup vaults, EventBridge, IAM roles
- select the appropriate vault type depending on AWS resource type
We decided to implement our solution as an open-source, public Terraform module which deploys immutable AWS Backups across an AWS Organization, to handle this complexity and simplify onboarding new accounts and resources to be backed up.
You'll come away with an increased understanding of AWS Backup, an appreciation of its complexity and limitations, and the opportunity to greatly simplify deployment of truly immutable backups across your AWS accounts, using our public Terraform module.
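The three deployment steps the abstract lists (central vaults and vault policies, components in workload accounts, vault selection per resource type) map onto a handful of Terraform resources. The sketch below is an added illustration for this page, not the National Archives' module or any code from the talk; it assumes the `hashicorp/aws` provider, a placeholder Organization ID and account ID, and a single configuration shown flat where a real deployment would use separate provider aliases for the central and workload accounts.

```hcl
# Added example (not the National Archives module): a central backup vault with a
# compliance-mode vault lock, a vault access policy restricted to the Organization,
# and a workload-account plan that copies recovery points into it.

variable "org_id" {
  description = "Assumed: the AWS Organization ID (placeholder value)"
  type        = string
  default     = "o-EXAMPLE000"
}

# --- Central, segregated backup account ---

# Customer managed key: a cross-account copy into the central vault needs a
# customer managed KMS key on the destination vault, not an AWS managed key.
resource "aws_kms_key" "central_backup" {
  description         = "Central backup vault key"
  enable_key_rotation = true
}

resource "aws_backup_vault" "central" {
  name        = "central-immutable-vault"
  kms_key_arn = aws_kms_key.central_backup.arn
}

# Compliance mode lock. Caveat: while changeable_for_days is running (minimum 3)
# the lock can still be removed; only after that cooling-off period does it become
# enforced and undeletable, even by the account root user.
resource "aws_backup_vault_lock_configuration" "central" {
  backup_vault_name   = aws_backup_vault.central.name
  changeable_for_days = 3
  min_retention_days  = 35
  max_retention_days  = 365
}

# Vault access policy: only principals inside this Organization may copy in.
data "aws_iam_policy_document" "central_vault" {
  statement {
    sid       = "AllowCopyFromOrganization"
    effect    = "Allow"
    actions   = ["backup:CopyIntoBackupVault"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [var.org_id]
    }
  }
}

resource "aws_backup_vault_policy" "central" {
  backup_vault_name = aws_backup_vault.central.name
  policy            = data.aws_iam_policy_document.central_vault.json
}

# --- Workload account components ---

resource "aws_backup_vault" "local" {
  name = "workload-local-vault"
}

resource "aws_backup_plan" "daily" {
  name = "daily-with-central-copy"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.local.name
    schedule          = "cron(0 2 * * ? *)"
    lifecycle {
      delete_after = 35
    }
    copy_action {
      destination_vault_arn = aws_backup_vault.central.arn
      lifecycle {
        # Must fall within the locked vault's min/max retention or the copy is rejected.
        delete_after = 365
      }
    }
  }
}

resource "aws_backup_selection" "tagged" {
  name         = "backup-tagged-resources"
  plan_id      = aws_backup_plan.daily.id
  # Placeholder account ID; the default AWS Backup service role is assumed to exist.
  iam_role_arn = "arn:aws:iam::123456789012:role/AWSBackupDefaultServiceRole"
  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup"
    value = "true"
  }
}
```

Two conditions outside this file are assumed: cross-account backup must be enabled from the Organization's management account, and the central KMS key policy must let the workload accounts use it for the copy. The copy rule's `delete_after` is deliberately placed inside the vault lock's retention window, because a copy whose retention falls outside `min_retention_days`/`max_retention_days` fails rather than landing with the wrong retention.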
