Tracing Code Lineage: Using OSINT to Illuminate the Origins of Open Source Software

Video Link: https://www.youtube.com/watch?v=wd6sLhPQQvM

As open-source software (OSS) has become an integral part of modern digital infrastructures, ensuring its authenticity and understanding its origins are critical for mitigating supply chain risks. The diverse and often opaque origins of OSS components leave organizations vulnerable to tampered code, malicious actors, and unvetted dependencies, all of which can serve as entry points for sophisticated supply chain attacks.

This talk explores the dual concepts of provenance and pedigree within open source software, applying OSINT techniques to trace not only the origins but also the lineage of software components. By analyzing the history of contributors, changes, and project governance, security professionals can better assess the trustworthiness of the code they rely on.

We will demonstrate how OSINT can expose hidden risks in software, identifying suspicious patterns and contributors. This becomes especially important as we explore newer regulatory pushes to eliminate adversarial contributions in our supply chains in the pursuit of national security interests.
Lastly, we will map these techniques to real-world supply chain attack scenarios, leveraging frameworks like the SAP Risk Explorer for Software Supply Chains to highlight potential exploitation pathways.
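The contributor-history analysis the abstract describes can be sketched as a small triage script. The following is an added example written for this page, not the speaker's tooling or any SANS material: it parses a constructed excerpt of git history (author name, email, ISO timestamp and touched paths per commit) and flags patterns an analyst would then pivot on with OSINT, such as a contributor using several identities, committing from several UTC offsets, or touching build and test infrastructure early in their tenure. The sample log, the list of sensitive path prefixes and the tenure threshold are all assumptions chosen for illustration.

```python
"""Contributor-pattern triage over git history.

Added example for this page; not code from the talk. Input is a constructed
log in the form produced by a command similar to
    git log --format='%h|%an|%ae|%aI' --name-only
(one header line per commit, then the touched paths, blank line between commits).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Paths where a change by a low-tenure contributor deserves a closer look.
# This list is an assumption for the example, not a standard.
SENSITIVE_PREFIXES = (
    ".github/workflows/", "m4/", "build-aux/", "configure.ac",
    "Makefile.am", "CMakeLists.txt", "tests/files/",
)

# Constructed sample history (fictional project and contributors).
SAMPLE_LOG = """\
a1b2c3d|Alice Maintainer|alice@example.org|2023-11-02T10:15:00+01:00
src/decoder.c
src/decoder.h

b2c3d4e|Bob Helper|bob@example.net|2023-11-10T22:40:00+08:00
docs/README.md

c3d4e5f|Bob Helper|bob@example.net|2023-12-01T23:05:00+08:00
src/decoder.c

d4e5f6a|Bob Helper|bob.helper@freemail.example|2024-01-15T01:30:00-05:00
m4/ax_check_compiler.m4
tests/files/sample-compressed.bin

e5f6a7b|Alice Maintainer|alice@example.org|2024-01-20T09:00:00+01:00
src/encoder.c
"""


@dataclass
class Commit:
    sha: str
    name: str
    email: str
    when: datetime
    files: list


def parse_log(text):
    """Split the log into Commit records; blocks are separated by blank lines."""
    commits = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        sha, name, email, when = lines[0].split("|")
        commits.append(Commit(sha, name, email, datetime.fromisoformat(when), lines[1:]))
    return commits


def analyze(commits, tenure_threshold=3):
    """Group commits by author name and return per-contributor stats and flags.

    tenure_threshold (assumed value) is the number of earliest commits during
    which a touch on SENSITIVE_PREFIXES is reported.
    """
    by_name = defaultdict(list)
    for c in commits:
        by_name[c.name].append(c)

    findings = {}
    for name, cs in by_name.items():
        cs = sorted(cs, key=lambda c: c.when)
        emails = sorted({c.email for c in cs})
        offsets = sorted({c.when.strftime("%z") for c in cs})
        flags = []
        if len(emails) > 1:
            flags.append("multiple author emails: " + ", ".join(emails))
        if len(offsets) > 1:
            flags.append("commits from multiple UTC offsets: " + ", ".join(offsets))
        for idx, c in enumerate(cs):
            sensitive = [f for f in c.files if f.startswith(SENSITIVE_PREFIXES)]
            if sensitive and idx < tenure_threshold:
                flags.append(
                    f"{c.sha}: build/test infrastructure touched within first "
                    f"{tenure_threshold} commits ({', '.join(sensitive)})"
                )
        findings[name] = {
            "commits": len(cs),
            "first_seen": cs[0].when.isoformat(),
            "emails": emails,
            "utc_offsets": offsets,
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for author, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{author}: {info['commits']} commits, first seen {info['first_seen']}")
        for flag in info["flags"] or ["no flags"]:
            print("  -", flag)
```

None of these flags is evidence of malice on its own; a second email or a changed timezone is routine for many contributors. Their value is as pivots: the emails, handles and timing can be cross-referenced against other public sources to build a picture of who the contributor is and whether the activity fits their history.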

Key Takeaways:
- OSINT-driven methods for tracing the provenance and pedigree of open source software.
- Techniques for identifying risky contributors, together with the attribution challenges involved and the Title 10 restrictions that apply to US government agencies.
- How to map these risks to broader supply chain attack scenarios, and approaches for distinguishing normal adversarial activity from malicious actions.
- This session will equip cybersecurity and technical supply chain security practitioners with the tools and techniques to understand the supply chain threat landscape and apply OSINT in their mission to secure their organizations.

View upcoming Summits: http://www.sans.org/u/DuS

SANS Open-Source Intelligence Summit 2025
Tracing Code Lineage: Using OSINT to Illuminate the Origins of Open Source Software
Tony Turner