Blueprint for Secure OSS Supply Chains

Open source has become a critical part of global infrastructure. Kubernetes and cloud native adoption is seeing record high growth, especially at large companies. An estimated 5.6 million developers use Kubernetes today. Alongside this growth, software supply chain attacks are on the rise with some reports showing them having increased 650% in 2021. These attacks have had huge knock-on effects to the extent that the White House has issued an executive order and additional guidance with recommendations and upcoming regulation.

However, there are a number of challenges for the industry to overcome. Due to the scope of the software supply chain, attack vectors exist at every link, and every open source dependency introduces yet another supply chain to secure. Beyond this, there is little automated support for new policies once a manual pass at security is made. Where they exist, today’s solutions are very fragmented and often bolted on rather than fully integrated, and are neither comprehensive nor developer friendly. How do we get to safer software supply chains?

It turns out that the problems with open source security might best be solved by open source itself. In this talk, I’ll talk about the power of the open source movement and how that brings people together to share data, best practices, and how to work as a global community to tackle this problem space. I’ll share a blueprint for software supply chain security for open source projects that highlights projects and frameworks for security, transparency, and interoperability, including a look at tools and frameworks like Sigstore, SLSA, and SBOMs. This blueprint is based on the experiences of the Kubernetes project, which set about improving its security posture in 2019.

Attendees will come away from this talk with:

  • A good overview of software supply chain security
  • An overview of open source projects that are innovating in this space
  • How the community is working toward interoperability between them to serve as a model for the future of software.
  • How to make your own projects more secure
  • How to get involved in open source projects to drive forward the direction of supply chain security to make it better for everyone

Tracy Miranda