
Sponsored Session: Because Security Matters: Securing Your Open Source Supply Chain

2022-06-22

Authors: Don Vosburg, Aaron Conklin


Summary

The presentation discusses why software security matters to organizations and how to maintain it while reducing the attack surface. It emphasizes partnering with companies that specialize in security so that they carry much of that burden. The presentation also covers the key security properties of confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity. The speaker highlights the ebb and flow between the openness a functional environment needs and the closedness security demands. The presentation also discusses security certifications and standards such as Common Criteria, NIAP, DISA's Security Technical Implementation Guides (STIGs), the FIPS 140-3 standard, and CIS Benchmarks.
  • Partnering with companies that specialize in security can reduce the burden of maintaining software security while still ensuring overall security
  • Key security properties include confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity
  • There is an ebb and flow between the openness a functional environment needs and the closedness security demands
  • Security certifications and standards such as Common Criteria, NIAP, DISA's Security Technical Implementation Guides (STIGs), the FIPS 140-3 standard, and CIS Benchmarks are important for maintaining software security
The speaker notes that authenticity is a major concern in the open-source world, because input arrives from many different organizations. It is important to ensure both that the initial packages are correct and that they are not modified with malicious code over time. This highlights the need for a robust security certification framework and for working with trusted sources.

Abstract

As network and application security capabilities continue to improve, the software supply chain is becoming a viable threat vector. This session will present an overview of the threat landscape and provide a case study in how SUSE moved to secure its part of the open source codebase. Delve into the implications of the most common software security certifications and how they shaped SUSE’s people, processes, and tools on our journey towards supply chain security for open source.

Materials: