
Hardening your soft software supply chain

Maya Kaczorowski at DevSecCon24 2020

Software supply chain threats are real! As more developers and companies rely on open-source code that anyone can contribute to, including attackers, a new attack vector opens up. Supply chain compromises are on the rise: attackers sneak in new backdoored packages, rely on typosquatting, or even compromise build tooling and signing keys. What is actually happening in the wild, how do you determine what your dependencies are, and how do you properly secure yourself?

We’ll first cover common kinds of supply chain attacks and when they’re likely to happen. Then, for developers, we’ll discuss what you can do to determine your dependencies, track metadata for them, and be notified of new security patches you should apply, including best practices that make this easier on your dev team. This covers not only your dependencies but also good security hygiene internally, like scanning for secrets in code and conducting code reviews.
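Two of the practices named above, enumerating your dependencies and catching typosquatted package names, and scanning source for hard-coded secrets, can be illustrated with a small script. The following is an added example written for this page; it is not code from the talk or from GitHub. The requirements file, the allow-list of known package names, the source snippet and the secret patterns are all constructed for illustration, and a real scanner would use a maintained rule set rather than the three patterns shown here.

```python
"""Added example (not from the talk): dependency enumeration, a
typosquat check against an allow-list, and a simple secret scan.
All inputs below are constructed for illustration."""
import re

# Constructed pip-style requirements file. Two names are deliberate
# misspellings of real packages ("reqeusts", "cryptograpy").
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
# a comment line
numpy>=1.19
reqeusts==2.25.0
urllib3==1.26.4
cryptograpy==3.4.7
"""

# Constructed allow-list of package names the organisation already vets.
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "flask"}


def parse_requirements(text):
    """Return {normalised_name: version_specifier} from a requirements
    file, skipping blank lines, comments and option lines (-r, -e, ...)."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
        if not m:
            continue
        # Approximate PEP 503 normalisation: lower-case, '_' -> '-'.
        name = m.group(1).lower().replace("_", "-")
        deps[name] = m.group(2).strip()
    return deps


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), no transpositions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(deps, known, max_distance=2):
    """Flag dependency names that are not on the allow-list but sit within
    a small edit distance of a name that is. Returns (name, lookalike, d)."""
    findings = []
    for name in deps:
        if name in known:
            continue
        for k in known:
            d = levenshtein(name, k)
            if 0 < d <= max_distance:
                findings.append((name, k, d))
    return sorted(findings)


# Constructed, minimal secret patterns; a real scanner uses a much larger,
# maintained rule set. The AKIA key below is the AWS documentation example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

SAMPLE_SOURCE = """\
import os
API_KEY = os.environ["API_KEY"]        # fine: read from the environment
aws_key = "AKIAIOSFODNN7EXAMPLE"       # hard-coded credential
db_password = "hunter2-not-a-real-one"
"""


def scan_for_secrets(source):
    """Return (line_number, pattern_label) for every line matching a rule."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, label))
    return hits


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    print("dependencies:", deps)
    for name, lookalike, d in find_typosquat_candidates(deps, KNOWN_PACKAGES):
        print(f"suspicious: {name!r} is {d} edit(s) from {lookalike!r}")
    for lineno, label in scan_for_secrets(SAMPLE_SOURCE):
        print(f"possible secret on line {lineno}: {label}")
```

Run it on a real requirements file by replacing the constructed string with the file contents; the allow-list should come from your own vetted dependency inventory, since comparing against the whole package index would flag every short name. The edit-distance check catches misspellings but not lookalikes that reuse a real name with a different suffix, so treat it as one signal, not a verdict.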

We’ll also cover what you can do to contribute back - like how you should report vulnerabilities you discover in open-source. Lastly, for maintainers, we’ll review what security reporting should look like, and steps you can take today to increase security and trust.

You’ll come away with a better understanding of what you can do for supply chain security for your organization, the projects you depend on, and the projects you maintain.

Maya Kaczorowski
Product Manager at GitHub

Maya is a Product Manager at GitHub in software supply chain security. She was previously in Security & Privacy at Google, focused on container security and encryption. Prior to Google, she was at McKinsey & Company, working in IT security for large enterprises. Maya completed her Master's in mathematics, focusing on cryptography and game theory. Outside of work, Maya is passionate about ice cream, puzzling, running, and reading nonfiction.