Around the Supply Chain in 80 Slides

Transcript

1. Around the Supply Chain in 80 Slides Around the Supply

   Chain in 80 Slides Rootconf 2025 Nemo, endoflife.date

2. Nem Pantheon

3. Quick

4. Catch-up

5. Deep

6. Inspire

7. Not Exhaustive

8. Supply Chain Attack or Not

9. pypi.org/package/ python-requests

10. None

11. DockerHub 1M Spam Repositories

12. Linux Kernel Source Repository Hack

13. ~/aws/credentials gist.github.com

14. Secrets logged on private CI

15. Malicious Package built on your CI

16. Bribe Customer Support Data Breach

17. Definitions

18. Software Supply Chain Attack Insertion of nefarious code into trusted

    software before delivery. Russ Cox. 2025. Fifty Years of Open Source Software Supply Chain Security

19. Software Supply Chain Vulnerability An exploitable weakness in trusted software

    caused by a third-party, component of that software. Russ Cox. 2025. Fifty Years of Open Source Software Supply Chain Security

20. Software Supply Chain Security The engineering of defenses against software

    supply chain attacks and vulnerabilities. Russ Cox. 2025. Fifty Years of Open Source Software Supply Chain Security

21. Open Source* Software Supply Chain

22. tj-actions xz-utils

23. tj-actions

24. tj-actions • Immutable GitHub Actions • Transparency Logs • Version

    Pinning • Tag Protection • Malicious Fork/Branch Scans • Vulnerable CI Scans

25. tj-actions xz-utils • Immutable GitHub Actions • Transparency Logs •

    Version Pinning • Tag Protection • Malicious Fork/Branch Scans • Vulnerable CI Scans • ozz-fuzz • Minimal Dependency • Dynamic Loading • Source/Release diffs • Security Audits

26. Source Build Delivery Software Supply Chain Security

27. Detect Obviously Malicious ™ Packages Source / Defense

28. Prevent Obviously Malicious Package Installation Source / Defense

29. Security-Advisory Meta Package that conflicts with vulnerable packages Source /

    Defense

30. Typosquatting Slopsquatting Source / Attack

31. Improve Security Scan cadence ⏰ Source / Defense

32. Smarter CVE* Prioritization Source / Defense

33. End-of-Life Tracking ⌛ Source / Defense

34. Trusted OSS Supplier Source / Defense

35. Malicious AI Models Source / Attack

36. Source / Defense OpenSSF Scorecard

37. Source / Defense Audit your SBOMs

38. Source / Defense Score your Dependencies

39. Source / Vulnerability Security Commons Funding

40. Build / Defense Commit /Release Signing

41. Tokenless CI/OIDC Auth Build / Defense

42. Lower CI Perms Build / Defense

43. Build / Vulnerability MCP System Credentials

44. Build / Vulnerability Insecure CI Configuration

45. Build / Defense Lockfiles

46. Build / Defense Private Proxy Package Server

47. Delivery / Defense Publish SBOMs

48. Delivery / Defense Release Attestations

49. Delivery / Defense Trusted Publishing

50. Delivery / Defense Release Diff Alerts

51. Delivery / Attack Token Theft

52. Systems

53. Around the Supply Chain in 80 Slides Supply Chain Security

    Maturity Model RedHat / Sonatype

54. Unmanaged Exploration Ad-Hoc Control Monitor & Measure

55. Policy Governance Compliance Consistency / Build & Release Inventory /

    Supplier Hygiene / Transparency Resilience / Remediation

56. Policy Governance Compliance Consistency / Build & Release Inventory /

    Supplier Hygiene / Transparency Resilience / Remediation 3 4 2 2

57. IDC Survey, Q4 2024 by Canonical/Google Biggest challenges for OSS

    Software Supply Chains

58. Around the Supply Chain in 80 Slides Secure Supply Chain

    Consumption Framework OpenSSF / Microsoft

59. Ingest Inventory Update Enforce Audit Scan Rebuild Fix+Upstream

60. s2c2f

61. SLSA

62. Open Software Supply Chain Attack Reference (OSC&R)

63. Source Build Delivery Software Supply Chain Security

64. Around the Supply Chain in 80 Slides Around the Supply

    Chain in 80 Slides Rootconf 2025 Nemo, endoflife.date