Supply-Chain Security in Open-Source Software

Last week we started the Autumn 2019 Building Network Automation Solutions online course with an interesting presentation from Matthias Luft focused on open-source supply chain security

TL&DR: Can I download whatever stuff I found as my first Google hit and use it in my automation solution? ****, NO!

Matthias covered these topics:

  • Discovering dependencies in large open-source projects;
  • The basics of supply chain security and trust;
  • Technical mechanisms one can use to increase trust, and heuristics of trust;
  • An overview of well-known software supply chain security incidents (including YAML/JSON parsing vulnerability in Ansible)
  • Fundamental challenges we’re facing in brave new open-source world (from unknown authors to unknown security posture of source code)
  • Potential mitigations, including a pragmatic approach of establishing an in-house software inventory and monitoring vulnerability feeds)

Anyone ever attending the automation course can already access the materials (we believe in lifetime access)… and if you never attended the course you can get them with Expert Subscription.

Add comment