
Linux Foundation

Are We Forever Doomed to Software Supply Chain Security?

Linux Foundation via YouTube

Overview

Explore the critical challenges and vulnerabilities in software supply chain security through an analysis of notable incidents and potential solutions. Delve into the event-stream and electron-native-notify incidents, examining how attackers target developer tooling at the heart of the software ecosystem. Investigate the strategies maintainers employ to mitigate security vulnerabilities, using the Cross-site Scripting vulnerability in the marked library as a case study. Assess the risks associated with compromised maintainer accounts and discuss improved account security hygiene practices. Evaluate the effectiveness of the "many eyes" approach to bug detection in open-source projects. Consider the implications of maintainers removing their libraries from registries and examine what these registries actually contain. Gain insight into the ongoing battle for software supply chain security and the potential paths forward for the industry.

Syllabus

Intro
The event-stream incident
electron-native-notify and the event-stream incident
Attacking the heart of developer tooling
How do maintainers mitigate security vulnerabilities?
The case of marked's Cross-site Scripting vulnerability
Compromising Maintainer Accounts
Can we do better for account security hygiene?
"Given enough eyeballs, all bugs are shallow"
What happens when maintainers remove their libraries?
What's inside these registries?

Taught by

Linux Foundation
