Explore the critical issue of securing the software supply chain in this 22-minute conference talk from USENIX Enigma 2020. Delve into the challenges posed by widespread code reuse and third-party dependencies in modern software development. Examine high-profile security incidents and their patterns, including compromised developer credentials and ecosystem access issues. Learn about the innovative Go checksum database, designed to secure the Go modules ecosystem without additional work from module authors. Discover how this centralized log system employs Certificate Transparency technology to ensure accountability and enables third-party auditors to provide new version notifications. Understand the database's cacheability features and their implications for resource management and privacy. Gain insights into applying these concepts to other software package ecosystems to enhance overall software supply chain security.
Overview
Syllabus
Intro
Three supply chain security players
Provenance
Go Modules
Availability
Go Module Proxies and Mirror
Integrity
Merkle trees for accountability
Tiles for caching
The Go Checksum Database
Go build dependencies
Vulnerability tracking
Security practices
Auditing
Questions?
Taught by
USENIX Enigma Conference
Related Courses
-
Beyond the Code - SBOM and Supply Chain Security
-
Benchmarking the Security of Your Software Supply Chain
-
How Much Do You Trust That Package? Understanding the Software Supply Chain
-
Securing Python Projects Supply Chain
-
Supply Chain Security with Dependency Track
-
OWASP Dependency Track - Fortifying the Software Supply Chain
