
Securing the Open Source Software Supply Chain

PyCon US via YouTube

Overview

Explore the critical topic of securing the open source software supply chain in this 30-minute PyCon US talk. Delve into the challenges of ensuring security in open source software, where anyone can publish libraries and contribute to projects. Learn about new tools and best practices that can be implemented immediately to enhance the security of your software supply chain and build trust in the ecosystem. Discover how different security measures protect against various vulnerabilities in the software supply chain. Gain insights into upcoming improvements and potential advancements in the open-source ecosystem. Topics covered include ephemeral environments, fuzzing, community advisory databases, vulnerability auditing software, sigstore for signing and verifying software, SLSA (Supply chain Levels for Software Artifacts) framework, in-toto standard, and Allstar for enforcing security policies. Also, learn about recent initiatives like 2FA requirements and hardware key giveaways, as well as predictions for future developments in open source security.

Syllabus

Intro
Q&A
Is it safe to use open-source software?
Is it safe to use open-source software? Yes!
A better question: How can we use open-source software safely?
What is the Software Supply Chain?
The Software Supply Chain: Everything it takes to produce your software
What is the Secure Software Supply Chain?
Why is software supply chain security such a big deal?
Why is software supply chain security such a big deal right now?
ABCs of the Secure Software Supply Chain
Ephemeral
Fuzzing
Joe Biden
Money
OpenID Connect
Provenance
Remediation
New! Community advisory databases
New! Vulnerability auditing software
GPG relies on a web of trust
A new standard for signing, verifying and protecting software
Understanding sigstore: Throw away your keys
Understanding sigstore: Provide an identity
Understanding sigstore: Bind key & identity to signing certificate
Understanding sigstore: Publish in the transparency log
New! Better, more secure build infrastructure
Safeguarding artifact integrity across any software supply chain
Understanding SLSA ('salsa'): Security framework • Checklist of standards and controls • A series of levels
Understanding in-toto: A universal standard • For all ecosystems • Ensuring integrity of an artifact • Proof of what was done at each step
New! Enforcing security policies for source control
Understanding Allstar: A GitHub app • Enforces best practices • Allows you to set policy • Across an entire organization
Voluntary 2FA requirement
2FA mandate for critical projects
Hardware key giveaway
Coming soon! PEP 458 implementation & PEP 480 update
Improvement: Vendor neutral collaboration
Improvement: More funding for projects
Predictions: My predictions for the next year

Taught by

PyCon US
