TL;DR: Can I download whatever stuff I found as my first Google hit and use it in my automation solution? ****, NO!
Matthias covered these topics:
- Discovering dependencies in large open-source projects;
- The basics of supply chain security and trust;
- Technical mechanisms one can use to increase trust, and heuristics of trust;
- An overview of well-known software supply chain security incidents (including a YAML/JSON parsing vulnerability in Ansible);
- Fundamental challenges we’re facing in the brave new open-source world (from unknown authors to the unknown security posture of source code);
- Potential mitigations, including a pragmatic approach of establishing an in-house software inventory and monitoring vulnerability feeds.
Anyone who has ever attended the automation course can already access the materials (we believe in lifetime access)… and if you never attended the course, you can get them with the Expert ipSpace.net Subscription.
We migrated our blog a few days ago, and the commenting functionality is not there yet. In the meantime please find our content on LinkedIn and comment there.