
Panel Discussion: How the Business Community is Working to Make the Open Source Software Supply Chain More Secure by Default

2022-06-21

Authors:   Jory Burson, Andrew Aitken, Jeffrey Borek, Rao Lakkakula


Summary

The panel stresses the importance of software supply chain security and the need for organizations to prioritize knowledge and training in analyzing software bills of materials (SBOMs).
  • Encouraging younger developers to get involved in software supply chain security
  • Creating a database to share and compare SBOMs
  • Training people to review and analyze SBOMs
  • Procurement as a gatekeeper to SBOM adoption
  • The OpenCRE project as a way to develop a common format for regulations and standards
  • The importance of developing a constituency within an organization to address software supply chain security
One of the biggest challenges in software supply chain security is getting procurement involved and engaged in the process. Many procurement teams lack knowledge about SBOMs and are not aware of the importance of requiring them from suppliers. This lack of knowledge creates a barrier to adoption, as vendors may push back and not understand why an SBOM is being requested. It is important to develop a constituency within an organization that includes legal, senior leadership, software developers, engineers, and product or service teams to address this issue.

Abstract

While studies have shown that open source is not inherently more or less secure than proprietary software, the sheer volume of OSS code has created a systemic security challenge that companies of all kinds are stepping up to address. In the last year, the OpenSSF project has evolved to help harness and orchestrate these efforts. How are these companies getting involved? What kind of internal needs are they addressing, and how do they think about contributing back to the broader community? How does the OpenSSF governance structure support this? Please join us for this Governing Board Member panel discussion, moderated by OpenSSF GM Brian Behlendorf, to learn more about how these companies are working with the OpenSSF to advance the state of OSS security.
