►
From YouTube: Keynote: Securing Open Source - David A. Wheeler, Director, Open Source Supply Chain Security
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keynote: Securing Open Source - David A. Wheeler, Director, Open Source Supply Chain Security, The Linux Foundation
The subversion of SolarWinds’ Orion build system, dependency confusion attacks, and event-stream's subversion make it clear that attackers can successfully attack systems by attacking their supply chains, and attackers have not stopped attacking vulnerabilities in software developed & deployed. This talk will briefly discuss the software supply chain environment, some countermeasures, and some ongoing activities to reduce risks from software vulnerabilities and the software supply chain. The good news is that there are ways to counter such attacks, but they will require changes in how we do software development, selection, and deployment.
A
I
hope
to
convince
you
about
four
key
points:
attacks,
weakness,
hope,
change,
attacks,
hope,
weakness,
hope
change.
What
do
I
mean
by
that?
Well,
the
first
part
part,
I
hope
you
already
are
convinced
of
attackers-
are
attacking
systems
they're
attacking
those
systems
via
the
vulnerabilities
that
they
have
when
they
are
deployed
and
also
through
their
supply
chains
weakness.
A
Sadly,
those
attackers
are
often
succeeding,
and
this
is
primarily
because
current
development
and
supply
chain
processes
really
often
don't
adequately
counter
attacks
and
even
when
they're
fixed,
they
often
don't
get
deployed
in
a
timely
way.
But
I
don't
want
you
to
leave
without
hope.
There
is
hope
there
are
counter
measures
to
attacks
and
there's
ongoing
work
to
ease
their
deployment
for
change.
A
I
think
that
first
point
about
software's
under
attack
is
pretty
obvious.
I
mean
these
are
just
some
logos
and
and
some
indications
of
examples
of
software
under
attack
the
top
left
symbol.
There
is
heart
bleed
but
in
fact,
there's
a
whole
bunch
of
different
attacks
and
vulnerabilities,
but
of
course,
repositories
have
been
under
attack.
The
more
recent
solarwinds
orion
subversion
was
caused
through
a
subverted,
build
environment.
It
didn't
matter
what
the
software
developers
wrote
because
the
code
they
wrote
wasn't
what
was
going
to
be
used
for
shipping.
A
And
some
of
you
may
say:
oh
hey,
we
use
cloud,
therefore,
somehow
we're
immune
to
all
this.
So
of
course
that's
ridiculous.
Dan
lawrence
has
this
interesting
article,
where
he
notes
that
today's
cloud
infrastructure
is
still
being
built
out
of
duct
tape
and
kite
strings,
so
he
played
around
with
helm3.
He
looked
at
a
particular
helm
chart
and
tried
to
answer
what
you
would
think
would
be
simple
questions.
You
know
exactly
what
software
was
installed.
Where
did
it
come
from?
A
How
was
it
built
and
he
could
not
answer
those
questions
and,
as
a
result,
you
know
he
he
made
some
interesting
observations.
One,
of
course,
is
if
you
think
your
container
scanning
setup
is
catching
everything
think
again,
he
found
25
vulnerabilities
in
just
that
one
package
and
he
noted
that
hey
package
managers
add
convenience,
but
every
layer
adds
trust
and
I
would
also
add
adds
time
it
can
take
a
long
time
for
a
vulnerability.
That's
been
fixed
to
get
through
all
those
layers.
A
So
it's
I
think
it's
helpful
to
think
about
how
is
software
developed
you
know,
and
so
this
is
a
simple
model
of
the
software
supply
chain,
called
a
supply
chain
integrity
map.
As
you
can
see,
you
know
it's
a
simple
map:
what's
what
goes
on
developers?
Work
within
their
local
environments
then
send
their
changes
and
so
on
off
to
source
and
data
repositories.
A
A
Typo
squatting,
which
is
basically
confusing
acquirers
and
developers
into
thinking
they're,
installing
one
package
when
they're
installing
another
dependency
confusion
where
they
think
it's
the
software's
coming
from
one
repository,
but
it's
actually
coming
from
another
there's
malicious
software,
there's
all
sorts
of
vulnerabilities
that
go
in
as
part
of
developments
and
just
there's
a
whole
host
of
problems,
but
I
don't
want
you
to
leave
with
oh
my
gosh.
There
are
so
many
problems
because
in
fact
there
are
counter
measures,
and
these
are
again
just
a
sample
of
counter
measures.
A
Various
approaches
where
you
can
do
various
things
to
counter
some
of
those
attacks.
I
certainly
can't
talk
about
all
of
them,
but
a
trivial
one.
I'll
note,
for
example,
is
you
know
one
of
the
big
problems
right
now
is
developers
often
don't
understand
a
lot
of
things?
Nobody
teaches
them
in
classes,
and
so
a
little
education
and
training
can
go
a
long
way
and
of
course
that's
not
enough.
There's
various
tools,
you
can
add
to
say
the
build
verification
processes
and
so
on
to
really
help.
A
A
So.
What
can
open
source
software
developers
and
users
do
well
if
you're
not
already
doing
these
already
here's
some
first
starting
steps,
you'll
learn
how
to
develop
and
acquire
secure
software.
If
you
don't
have,
if
you,
if
nothing
else,
take
a
look
at
the
secure
software
development
fundamentals.
Course
it's
free,
it's
on
edx,
go
take
it
there's
others
take
those
but
learn
how
to
do
this
stuff.
A
Make
the
software
secure
by
default,
make
it
easy
to
use
securely
harden
it
up
against
attacks
if
you're
doing
open
source
software
development
work
to
earn
an
open
source,
I'm
sorry
cii
best
practices,
badge.
There's
the
url
use
many
tools
to
find
vulnerabilities
in
your
build
and
verification
environment.
No
tools
will
not
find
everything
but
they're
helpful
as
part
of
a
solution,
of
course
monitor
for
known
vulnerabilities
in
the
in
whatever
you
depend
on,
so
that
you
can
immediately
respond
and
immediately
update.
A
Of
course,
in
order
to
do
that,
rapid
update,
you
need
to
use
package
managers
and
automated
tools,
so
you
can
rapidly
respond
when
a
vulnerability
is
found-
and
I
mentioned
these
tests-
those
need
to
include
negative
tests.
In
other
words,
there
are
some
things
that
should
not
be
allowed
test
for
that
make
sure
they
stay
not
allowed.
This
is
something
that
people
often
forget,
particularly
if
they're
using
tdd
finally
evaluate
software
before
you
select
it,
you
know,
look
for
typo
squatting.
Is
that
really
the
right
name?
Is
that
software
malicious?
A
Do
you
have
reason
to
believe
it
secure
and
when
you're
evaluating
here's
some
sample
things
to
consider?
Is
it
easy
to
use
securely?
Is
there
evidence
that
developers
work
to
make
it
secure
is
it
maintained?
Has
significant
use
what's
the
license
if
it
has
a
not
an
open
source
license?
Shockingly,
it's
not
going
to
be
collaboratively
developed
like
an
open
source
project.
A
The
good
news
is
lots
of
folks
are
working
to
make
things
better.
The
open
ssf,
for
example,
open
source
security
foundation,
is
working
on
this
there's
a
number
of
other
projects
here.
In
fact,
this
is
a
short
list.
There's
many
more
projects
and
foundations
and
organizations
working
to
make
things
better.
A
So
if
you
are
an
open
source
software
developer
user,
you
need
to
do
all
those
things
I
mentioned
earlier,
but
you
also
need
to
prep
for
the
future.
Here's
some
things
that
I
see
coming
down
the
pike
you
need
to
start
being
prepared
to
generate
and
request
software
build
materials,
there's
a
lot
of
pressure
in
even
high
levels
of
government
and
so
on.
To
start
saying,
we
need
to
know
what's
in
our
software
and
we
need
to
be
prepared
to
answer
that
question.
It's
a
reasonable
question.
A
Look
for
more
information
about
the
software
before
you
select
it.
There's
organizations
like
those
within
the
open
ssf
that
are
working
to
improve
information
about
the
software
that
you're
to
improve
information
about
the
software.
So
you
can
have
better
information
when
you
select
it,
I
think
verified
reproducible
builds
are
important.
That's
particularly
useful
for
countering
subverted,
builds,
improved
cryptographic,
signature
verification.