Play all

Intro

Q&A

Is it safe to use open- source software?

Is it safe to use open-source software? Yes!

A better question: How can we use open-source software safely?

What is the Software Supply Chain?

The Software Supply Chain: Everything it takes to produce your software

What is the Secure Software Supply Chain?

Why is software- supply chain security such a big deal?

Why is software- supply chain security such a big deal right now?

ABCs of the Secure Software Supply Chain

Ephemeral

Fuzzing

Joe Biden

Money

Open ID Connect

Provenance

Remediation

New! Community advisory databases

New! Vulnerability auditing software

GPG relies on a web of trust

A new standard for signing, verifying and protecting software

Understanding sigstore Throw away your keys

Understanding sigstore Provide an identity

Understanding sigstore Bind key & identity to signing certificate

Understanding sigstore Publish in the transparency log

New! Better, more secure build infrastructure

Safeguarding artifact integrity across any software supply chain

Understanding SLSA ( salsa') Security framework • Checklist of standards and controls • A series of levels

Understanding in-toto • A universal standard • For all ecosystems • Ensuring integrity of an artifact • Proof of what was done at each step

New! Enforcing security policies for source control

Understanding Allstar • A GitHub app • Enforces best practices • Allows you to set policy • Across an entire organization

Voluntary 2FA requirement

2FA mandate for critical projects

Hardware key giveaway

Coming soon! PEP 458 implementation & PEP 480 update

Improvement: Vendor neutral collaboration

Improvement: More funding for projects

Predictions: My predictions for the next year

Description:

Explore the critical topic of securing the open source software supply chain in this 30-minute PyCon US talk. Delve into the challenges of ensuring security in open source software, where anyone can publish libraries and contribute to projects. Learn about new tools and best practices that can be implemented immediately to enhance the security of your software supply chain and build trust in the ecosystem. Discover how different security measures protect against various vulnerabilities in the software supply chain. Gain insights into upcoming improvements and potential advancements in the open-source ecosystem. Topics covered include ephemeral environments, fuzzing, community advisory databases, vulnerability auditing software, sigstore for signing and verifying software, SLSA (Supply chain Levels for Software Artifacts) framework, in-toto standard, and Allstar for enforcing security policies. Also, learn about recent initiatives like 2FA requirements and hardware key giveaways, as well as predictions for future developments in open source security. Read more

Securing the Open Source Software Supply Chain

PyCon US

Add to list

#Conference Talks #PyCon US #Information Security (InfoSec) #Cybersecurity #Supply Chain Security #Secure Software Supply Chain #Software Security #Sigstore #Software Supply Chain Security #SLSA

0:00 / 0:00