Open Source Software Supply Chain Security — Why does it matter?

Video link: https://www.youtube.com/watch?v=UMLfEL9YqEE (duration 38:51)
Presented by Mikaël Barbero (Eclipse Foundation) at EclipseCon 2022.

For the past couple of years the industry has been awakening to the fact that open source is everywhere and that its supply chain is now the easiest route to increasingly public, disruptive, and costly attacks. We have yet to see the full cost and fallout of the SolarWinds cyberattack or the Log4j vulnerability.

The software supply chain, and more specifically the supply chain of open source software, can be attacked at every link. The attacks in question include, but are not limited to: unpatched software vulnerabilities, 0-days, typo-squatting, dependency confusion, impersonation, hypocrite commits, and compromise of code repositories, build servers, or package mirrors.

In this talk, we will review the various threats targeting the open source software supply chain that could lead to the attacks listed above. We will also give an overview of the industry's current best practices and the risk mitigation frameworks that are emerging. Throughout the talk, we will provide the audience with key tips and tricks on how to secure the supply chain of their open source software, and describe what the Eclipse Foundation will do in the upcoming weeks and months to help the Eclipse projects with these issues.

Keywords: SLSA, NIST SSDF, SBOM (CycloneDX, SPDX), digital signature, sigstore, zero trust, reproducible builds, provenance and attestation, workload identities.
