logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

Know Your Dependencies: A Guide to Automating Dependency Assurance

Conference:  Cloud Native SecurityCon North America 2022
Authors: Steve Judd
2022-10-25

tldr - powered by Generative AI

The importance of understanding and assuring the trustworthiness of external dependencies in software applications
  • Modern software components contain a selection of external dependencies whose provenance is unknown
  • Assuring the trustworthiness of dependencies is often ignored by organizations and their engineering teams
  • Efficient, automated pipelines can be used to audit dependencies for vulnerabilities and license obligations, assess them against the organization’s security policies, and ultimately provide the ability to control which dependencies can be used and deployed within the organization
Tags:
Dependencies
trust
Jetstack
Clients

GitBOM: Repurposing Git’s Graph for Supply Chain Security & Transparency

Conference:  SupplyChainSecurityCon 2022
Authors: Ed Warnicke, Aeva Black
2022-06-21

tldr - powered by Generative AI

The presentation discusses the need for simplicity in addressing supply chain security in open source software communities. The speaker proposes the use of a canonical, unique, and immutable identity for software artifacts to simplify the problem space.
  • Software artifacts can be represented as an array of bytes and should have a unique, canonical, and immutable identity
  • Identity should be based on the byte array representation of the artifact
  • File names, locations, and URLs are not suitable for identity
  • Simplifying the problem space requires a change in perspective
  • Focusing on simplicity leads to reliability, performance, and security
Tags:
binary executables
shared objects
containers
Dependencies
known vulnerabilities