Securing the Open Source Software Supply Chain

Securing the Open Source Software Supply Chain

PyCon US via YouTube Direct link

Intro

1 of 39

1 of 39

Intro

Class Central Classrooms beta

YouTube videos curated by Class Central.

Classroom Contents

Securing the Open Source Software Supply Chain

Automatically move to the next video in the Classroom when playback concludes

  1. 1 Intro
  2. 2 Q&A
  3. 3 Is it safe to use open- source software?
  4. 4 Is it safe to use open-source software? Yes!
  5. 5 A better question: How can we use open-source software safely?
  6. 6 What is the Software Supply Chain?
  7. 7 The Software Supply Chain: Everything it takes to produce your software
  8. 8 What is the Secure Software Supply Chain?
  9. 9 Why is software- supply chain security such a big deal?
  10. 10 Why is software- supply chain security such a big deal right now?
  11. 11 ABCs of the Secure Software Supply Chain
  12. 12 Ephemeral
  13. 13 Fuzzing
  14. 14 Joe Biden
  15. 15 Money
  16. 16 Open ID Connect
  17. 17 Provenance
  18. 18 Remediation
  19. 19 New! Community advisory databases
  20. 20 New! Vulnerability auditing software
  21. 21 GPG relies on a web of trust
  22. 22 A new standard for signing, verifying and protecting software
  23. 23 Understanding sigstore Throw away your keys
  24. 24 Understanding sigstore Provide an identity
  25. 25 Understanding sigstore Bind key & identity to signing certificate
  26. 26 Understanding sigstore Publish in the transparency log
  27. 27 New! Better, more secure build infrastructure
  28. 28 Safeguarding artifact integrity across any software supply chain
  29. 29 Understanding SLSA ( salsa') Security framework • Checklist of standards and controls • A series of levels
  30. 30 Understanding in-toto • A universal standard • For all ecosystems • Ensuring integrity of an artifact • Proof of what was done at each step
  31. 31 New! Enforcing security policies for source control
  32. 32 Understanding Allstar • A GitHub app • Enforces best practices • Allows you to set policy • Across an entire organization
  33. 33 Voluntary 2FA requirement
  34. 34 2FA mandate for critical projects
  35. 35 Hardware key giveaway
  36. 36 Coming soon! PEP 458 implementation & PEP 480 update
  37. 37 Improvement: Vendor neutral collaboration
  38. 38 Improvement: More funding for projects
  39. 39 Predictions: My predictions for the next year

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.