Ed Holloway-George

Senior Android Developer @ ASOS | Android GDE

Talk Title

How to stop the ‘Gradle Snatchers’: Securing your builds from baddies






15:20 > 40 min


Following on from one of the first recorded supply chain attacks against Gradle, this talk will discuss the security concerns surrounding our favorite build tool and how we can protect against them. This starts with gaining an understanding of some of Gradle's common vulnerabilities and how to avoid these within our Android projects. You'll leave this talk with:

- Insights on the Gradle Wrapper supply-chain attack and how to protect against it.
- An overview of a Gradle dependency attack and how to protect against it.
- A concrete list of security setting best practices within Gradle, including wrapper verification, repository filtering, dependency verification and others.

Speaker Bio

Ed Holloway-George is an Android Developer and Google Developer Expert originally from Oxford, UK, but now residing in Nottingham, UK.

An Android developer for nearly 10 years, Ed now works for ASOS as a Senior Developer, having previously worked on well-known applications such as National Trust, My Oxfam, Snoop, Carling Tap and many more.

In his spare time, Ed can be found tweeting and posting pictures of his dog.