
Keynote: Fighting The Next War - Future Threats to OSS and Software Supply Chain Security

Authors: Brian Behlendorf


Summary

The keynote speech discusses the need to prepare for new kinds of attacks in the future and how OSS projects can do so.
  • Many security attacks today are the same as those from the 1990s, and new attacks can emerge from new IT advancements.
  • AI could enable new kinds of attacks, such as uncannily convincing spear phishing or mass-produced pull requests that carry backdoors.
  • OSS projects should prepare for new forms of attack by thinking holistically about vulnerability disclosure, supply chain integrity, and digital identity for contributors and maintainers.
  • There are moves to put more liability on developers for the illegal use of their software; this shifts blame rather than solving the cybersecurity problem.
  • OpenSSF has organized working groups to tackle these challenges and prepare for the next wave of attacks.
The speaker recalls that in the early days of the internet, certain layers were taken for granted as trustworthy, leaving assumptions and biases that later generations had to patch up. For example, the US government treated strong cryptographic software as a munition under export controls, which made it hard to ship encryption by default in network protocols. It was not until a 1999 court ruling that source code was recognized as protected speech and researchers could publish and discuss cryptography freely. The anecdote illustrates why projects must prepare for new kinds of attack rather than assume any layer of security can be taken for granted.

Abstract

Buffer overflows, typo-squatting, leaked credentials - many of the biggest problems in securing software today are the same greatest hits since the 1990s. More or less once a year we see a novel kind of security attack, taking advantage of some new centralized service, a weakness we incorrectly assumed could not be exploited, or a new IT advancement that changes everything. As a keynote speech given at a 2023 Q1 conference, we are now legally required to mention ChatGPT, but ignoring the hype, the prospect of AI enabling uncanny spear phishing or automating mass pull requests with backdoors seems much less sci-fi today than it would have a year ago. What other new kinds of attacks could emerge, and what should OSS projects do to prepare?
