How Much Do You Trust That Package? Understanding the Software Supply Chain
linux.conf.au via YouTube
Overview
Explore the critical issue of supply chain security in modern software development through this 16-minute conference talk from linux.conf.au. Delve into the history of the software supply chain, examine recent security incidents involving third-party modules, and understand the risks associated with rapid development practices. Learn about the challenges faced by maintainers, the impact of unmaintained packages, and the potential vulnerabilities in popular ecosystems like npm and PyPI. Discover practical strategies to mitigate risks, including best practices for package management, regular audits, and responsible upgrade procedures. Gain valuable insights to enhance the security of your software projects and better navigate the complex landscape of third-party dependencies.
Syllabus
Intro
The Supply Chain
Unavailability
Defects
Bugs
Package Availability
Lack of Maintenance
Breaking Into Your Code
Python Nation
Colorama
NPM
Ecosystem
Electron
JavaScript
Mitigating Risks
The Dam Maintainer
Upgrades and Updates
Auditing
Summary
Everything
Taught by
linux.conf.au