Overview
This 45-minute talk from the OWASP 2023 Global AppSec DC conference surveys the current state of software supply chain security and the challenges organizations face in ensuring the security and trustworthiness of the software they build and consume. It evaluates ongoing efforts such as Supply-chain Levels for Software Artifacts (SLSA), Software Bill of Materials (SBOM), code signing, and build toolchain security, and includes a demonstration exposing potential security theater in some current initiatives. It concludes with a discussion of binary-source validation as a promising approach to improving software supply chain security. The speaker is Jeremy Long, Principal Security Engineer at ServiceNow and founder of the OWASP dependency-check project, who shares his expertise in security automation and secure development processes.
Syllabus
Reflections on Trust in the Software Supply Chain
Taught by
OWASP Foundation