For a couple of years, there is an awakening in the industry about the fact that Open Source is everywhere and that its supply chain is now the easiest way to create increasingly public, disruptive, and costly attacks. We have yet to see the cost and fallouts of the SolarWinds cyberattack or the Log4j vulnerability.
Software supply chain, and more specifically the supply chain of open source software can be attacked at every links. The attacks we are talking about are, but not limited to: unpatched software vulnerabilites, 0-days, typo-squatting, dependency confusion, impersonation, hypocrite commits, compromision of code repositories, build servers, or package mirrors.
In this talk, we will review the various threats targeting the Open Source Software Supply Chain that could lead to the attacks listed above. We will also give an overview of the industry current best practices and the risk mitigation frameworks that emerge. All along the talk, we will provide the audience with some key tips and tricks how to secure the supply chain of their Open Source Software and what the Eclipse Foundation will do in the upcoming weeks and months to help the Eclipse Projects with those issues.
Keywords: SLSA and NIST SSDF, SBOM (CycloneDX, SPDX), digital signature, sigstore, zero trust, reproducible builds, provenance and attestation, workload identities.