Software supply chain security has been top of mind lately, for a very good reason. With most steps of the chain depending on digital infrastructure, there are many opportunities for cyber attacks. At the same time, there is an often silent mistrust of open source software, because it is designed and developed in public. People think that because everyone can see the source code, and is aware of some of the bugs in it that aren't fixed yet, attackers somehow gain the upper hand against these projects. There's something odd about this perception though.
In this MOSE Shorts segment, Wayne Starr shares his view on the state of software supply chain security in the open source ecosystem. He highlights the XZ incident, and how it was caught precisely because the software was open source. He also notes that the same challenge exists in closed source software, where it is much harder to spot. This makes proprietary software even less secure, and you have to work twice as hard to ensure that you are well protected when using it. Think about the "SolarWinds vulnerability" as an example.
Learn more about:
- Why the open environment is an advantage from a security perspective
- SBOMs and their applicability and application in different ecosystems, such as Go, Python or C
- Why it matters how you release software
- Can people still be hobbyists in the open source ecosystem?
- User experience, air-gapped environments and the Zarf project
- The productization work that turns open source projects into products
- A case for experimenting with something in the product first, and then implementing it in the upstream project
Hosted on Acast. See acast.com/privacy for more information.