OSS Supply-Chain Security - What Will It Take?
fab23 writes:
https://queue.acm.org/detail.cfm?id=3570923
A discussion with Maya Kaczorowski, Falcon Momot, George Neville-Neil, and Chris McCubbin
While enterprise security teams naturally tend to turn their focus primarily to direct attacks on their own infrastructure, cybercrime exploits now are increasingly aimed at easier targets upstream, within the open-source software supply chains that enterprises and other organizations have come to rely upon.
This has led to a perfect storm, since virtually all significant codebase repositories at this point include at least some amount of open-source software, given that's where a wealth of innovation is available to be tapped. But opportunities also abound there for the authors of malware, since it's a setup they can leverage to spread the seeds of their exploits far and wide.
The broader cybercrime world, meanwhile, has noted that open-source supply chains are generally easy to penetrate, given an abundance of entry points and an inconsistent dedication to security.
What's being done at this point to address the apparent risks? What are the issues and questions developers and security experts ought to be considering?
To delve into this, we asked George Neville-Neil, who writes acmqueue's Kode Vicious column, to talk it over with a few people known for their work in the front lines: Maya Kaczorowski, who was the senior director of software supply-chain security at GitHub prior to turning her focus more recently to secure networking at a Canadian startup called Tailscale; Falcon Momot, who is responsible for managing quality standards and running a large penetration testing team at Leviathan Security; and Chris McCubbin, an applied scientist at Amazon Web Services who focuses on detecting external security risks and performing triage as necessary.