
Around the Supply Chain in 80 Slides

Nemo
May 17, 2025


This was the opening talk at Rootconf 2025's Software Supply Chain Security track. I wanted to do a context-setting talk that set up the context for the rest of the track, so it covers a lot of ground: all of the interesting updates in the space, attack vectors, vulnerabilities, and defense mechanisms.

You can see the slides with my Speaker Notes at https://captnemo.in/talks/2025/around-scs-nemo-with-notes.pdf


Transcript

  1. Around the Supply Chain in 80 Slides. Rootconf 2025. Nemo, endoflife.date
  2. Software Supply Chain Attack: Insertion of nefarious code into trusted software before delivery. (Russ Cox, 2025, Fifty Years of Open Source Software Supply Chain Security)
  3. Software Supply Chain Vulnerability: An exploitable weakness in trusted software caused by a third-party component of that software. (Russ Cox, 2025, Fifty Years of Open Source Software Supply Chain Security)
  4. Software Supply Chain Security: The engineering of defenses against software supply chain attacks and vulnerabilities. (Russ Cox, 2025, Fifty Years of Open Source Software Supply Chain Security)
  5. tj-actions • Immutable GitHub Actions • Transparency Logs • Version Pinning • Tag Protection • Malicious Fork/Branch Scans • Vulnerable CI Scans
  6. tj-actions, xz-utils • Immutable GitHub Actions • Transparency Logs • Version Pinning • Tag Protection • Malicious Fork/Branch Scans • Vulnerable CI Scans • oss-fuzz • Minimal Dependency • Dynamic Loading • Source/Release diffs • Security Audits
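Slides 5 and 6 list "Version Pinning" and "Tag Protection" among the defenses relevant to the tj-actions incident: a `uses:` reference that names a mutable tag or branch can be redirected by whoever controls the upstream repository, whereas a full commit SHA cannot. The following is an added example (my own code, not from the talk or the projects it names) of a small defensive check that scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA, or, for `docker://` images, to a `sha256` digest. The workflow text, the action names and the SHA are all constructed for illustration.

```python
import re

# Constructed sample workflow for the check below. The action names,
# branch and the 40-hex SHA are placeholders, not real pinned versions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A 'uses:' key may appear as a step ('- uses:') or at job level for a
# reusable workflow ('uses:'); the reference ends at the first whitespace,
# so a trailing '# v4.0.3' comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(ref):
    """Classify a single uses: reference by how it is pinned.

    Returns one of: 'local' (path in the same repo), 'digest' (docker image
    pinned by sha256), 'docker-tag' (docker image by mutable tag), 'sha'
    (full commit SHA), 'tag' (version-looking tag such as v4 or 1.2.3),
    'branch' (any other ref name) or 'unpinned' (no @ at all).
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if DOCKER_DIGEST_RE.search(ref) else "docker-tag"
    if "@" not in ref:
        return "unpinned"
    _action, _, version = ref.partition("@")
    if FULL_SHA_RE.match(version):
        return "sha"
    if re.match(r"^v?\d", version):
        return "tag"
    return "branch"


# Kinds that a mutable upstream ref can redirect; these are the findings.
MUTABLE_KINDS = ("tag", "branch", "unpinned", "docker-tag")


def find_unpinned(workflow_text):
    """Return [(line_no, ref, kind)] for every uses: reference that is mutable."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify_ref(ref)
        if kind in MUTABLE_KINDS:
            findings.append((line_no, ref, kind))
    return findings


if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned by {kind}, not by commit SHA")
```

Running it on the sample reports three findings (the `v4` tag, the `main` branch and the `alpine:3.19` image tag) and accepts the SHA-pinned step and the local action. Pinning by SHA only pays off together with the other items on the slide: the pinned SHA should be reviewed when it is updated, and tag protection on the upstream side is what stops the tag from being moved in the first place.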
  7. Policy Governance Compliance Consistency / Build & Release Inventory / Supplier Hygiene / Transparency Resilience / Remediation
  8. Policy Governance Compliance Consistency / Build & Release Inventory / Supplier Hygiene / Transparency Resilience / Remediation 3 4 2 2
  9. Secure Supply Chain Consumption Framework (OpenSSF / Microsoft)
  10. Around the Supply Chain in 80 Slides. Rootconf 2025. Nemo, endoflife.date