
Open Source Software Supply Chain Security — Why does it matter?

Session details
Status: 
Accepted
Speaker(s): 
Mikaël Barbero (Eclipse Foundation)
Experience level: 
Beginner
Tags: 
security supplychain opensource
Session Track: 
The Open Source Way
Session Type: 
Standard

For a couple of years now, the industry has been waking up to the fact that Open Source is everywhere and that its supply chain is now the easiest way to mount increasingly public, disruptive, and costly attacks. We have yet to see the full cost and fallout of the SolarWinds cyberattack or the Log4j vulnerability.

The software supply chain, and more specifically the supply chain of open source software, can be attacked at every link. The attacks we are talking about include, but are not limited to: unpatched software vulnerabilities, 0-days, typo-squatting, dependency confusion, impersonation, hypocrite commits, and the compromise of code repositories, build servers, or package mirrors.

In this talk, we will review the various threats targeting the Open Source Software Supply Chain that could lead to the attacks listed above. We will also give an overview of the industry's current best practices and the emerging risk mitigation frameworks. Throughout the talk, we will give the audience key tips and tricks on how to secure the supply chain of their Open Source Software, and describe what the Eclipse Foundation will do in the upcoming weeks and months to help the Eclipse Projects with these issues.

Keywords: SLSA and NIST SSDF, SBOM (CycloneDX, SPDX), digital signature, sigstore, zero trust, reproducible builds, provenance and attestation, workload identities. 

Slides: 
2022_10 — EclipseCon 2022 - Open Source Software Supply Chain Security — Why does it matters_.pdf
Objective of the presentation: 
Give the audience some best practices on how to secure their open source software supply chains.
Attendee pre-requisites - If none, enter "N/A": 
Basic Open Source Software knowledge
Schedule info
Time: 
26 Oct 2022 - 10:00 to 26 Oct 2022 - 10:35
Room: 
Silchersaal