Keynote: The Next Steps in Software Supply Chain Security

Authors: Brandon Lum


Summary

The presentation discusses the progress made in software supply chain security and the need to focus on the consuming aspects of the supply chain. The speaker highlights ongoing open source efforts to address policy, aggregation, and synthesis and identifies gaps in the space that need to be filled.
  • There has been a lot of progress in software supply chain security, with many efforts focused on the producing aspects of the supply chain
  • The consuming aspects of the supply chain need to be developed, with a focus on policy, aggregation, and synthesis
  • Ongoing open source efforts are being made to address these issues, but there are still gaps in the space that need to be filled
The speaker calls for proactive policies that identify critical libraries before they become a problem, citing the Log4J vulnerability as an example, and emphasizes the importance of finding the underpinning libraries that open source infrastructure depends on ahead of time rather than after an incident.

Abstract

We've made a lot of progress in the realm of supply chain security in recent years! However, there is still much to do. A lot of effort has been put into developing the "producing" aspects of the Software Supply Chain - SLSA, Tekton (and other build systems), Software Bill of Materials (SBOM). This has led to much higher-fidelity security metadata than we've ever seen. As we move forward, the "consuming" aspects of the Software Supply Chain will need to be developed. Policy, Aggregation and Synthesis are key aspects of this side of the problem. We will share some ongoing open source efforts to address them and highlight gaps within the space that need to be filled.
