Open source software supply chain has enabled great innovation, but there are a unique set of risks from this supply chain. While not a new topic, everyone from software users to governments have started to pay attention to the security risks that have emerged from the success of--and our dependence on—open source software. Some solutions proposed are not popular among open source developers and maintainers. Even worse, much of the discussion does not directly involve those with an attacker mindset, relying on just a few high profile incidents.
This session will bring together experts from the open source ecosystem with security experts to think about OSS security from an attacker’s perspective. We’ll go through a few scenarios collectively, and then brainstorm more in small groups, sharing them out. Each attack scenario will then be evaluated against potential defensive measures.