Modern software is complex and developers heavily rely upon third party code. Securing the software supply chain gained a lot of attention following the Solar Winds compromise. However in the years following this compromise, very little has effectively moved the needle to reduce risk related to third party code and the software supply chain.
This talk will walk through the following problems with securing the software supply chain and propose some solutions to help companies:
- Walk through example tech stack
- Break down each of the compoennts of the stack
- Highlight the scope of third party software and services used
- Discuss the academic vs reality in approching securing the supply chain
- Talk about how companies are approaching the problem
- Understanding software composition analysis and problems with these tools
- Vulnerability reporting is broken and the state of NVD
- Problems with software bill of materials (SBOMs)
- Walk through of ecosystems for third party code - Homebrew, Operating systems package managers, PyPI, NPM, etc
- Examples of attackers abusing these ecosystems to compromise organizations
- Walk through containers and Kubernetes
- Walk through AI supply chain and new Chinese AI models
- Examples of how security professionals are being targetted
- Approaches for securing the software supply chain that are working
- Descriptions of the challenges
- Open source options - OpenSSF Scorecard
- Startups and commercial solutions with unique solutions
- Options to cache or proxy third party code
- How ecosystem maintainers are trying to protect against attackers
- Options to secure the CI/CD and developer endpoints
