The tutorial begins by outlining the fundamentals of software supply chain security, emphasizing the potential risks and consequences of a compromised supply chain. It explores various attack vectors, including malicious code injection, tampering with dependencies, and compromised build systems. Participants will gain insights into the motivations behind software supply chain attacks and their impact on businesses, governments, and individuals.
Next, the tutorial focuses on vulnerability management, including reporting vulnerabilities and effectively handling them when a project receives one. Participants will learn how to responsibly disclose vulnerabilities and discover available tools to streamline the process.
Furthermore, the tutorial delves into strategies and best practices for enhancing software supply chain security. It examines market-available tools that can help mitigate common attack vectors. Notably, the Eclipse Foundation security team will emphasize GitHub's tools to secure participants' repositories and organizations. Additionally, the tutorial explores methods for assessing the security posture of third-party components, including vulnerability management and dependency tracking.
Throughout the tutorial, the audience will see examples illustrating the impact of software supply chain attacks and the practical application of security measures. Participants will have the opportunity to engage in hands-on exercises to strengthen their own projects.
By the end of this tutorial, participants will have a comprehensive understanding of software supply chain security and the support provided by the Eclipse Foundation security team, including the necessary tools and practices to protect their software systems from potential attacks and vulnerabilities. They will be equipped with the knowledge and skills to assess, establish, and maintain a secure software supply chain, ultimately enhancing the resilience of their organizations in the face of evolving cyber threats.
Installation instructions. All registrants shall have:
- a working laptop with recent browser installed
- an active Github accounts and gitlab.eclipse.org (so that you can clone and push to personal repositories)
- a signed ECA on file (https://www.eclipse.org/legal/ecafaq.php#headingTen) if registrant is not already a committer.
On site expectations:
- Reliable internet connection to work with github.com and gitlab.eclipse.org