Talk from Darcy Clarke, Open Source Engineer, Independent at OpenJS World 2023 in Vancouver, Canada, May 10-12.
From OpenJS World 2023: Securing Your Software Supply Chain – Darcy Clarke
Darcy Clarke, an independent open source engineer, highlights the constant threats and attacks faced by the software supply chain, with a particular focus on the JavaScript ecosystem. The talk explores the current state of the ecosystem, emphasizing the importance of managing dependencies, including transitive dependencies, and the various threats to the software supply chain. Darcy also shares insights using the “Create React App” project as an example.
The presentation emphasizes the key factor of accuracy in securing the supply chain and provides practical advice, including avoiding mutable package references, using lockfiles, and caching and bundling dependencies. Darcy then discusses the existing solutions and tools available, such as security companies, advisory tools, software bill of materials (SBOMs), cryptography, scorecards, and badging. Future state solutions and tooling are also explored, focusing on introspection and validation. The session concludes with a short Q&A session and key takeaways.
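As an added illustration of the "avoid mutable package references" advice (example code written for this page, not from the talk or its speaker), the following Node.js snippet classifies each dependency specifier in a constructed package.json as pinned or mutable; the package names and specifiers are made up, and the classification rules are an assumption about what "mutable" should mean in practice.

```javascript
// Added example, not code from the talk: flag "mutable package references" in a
// package.json, i.e. specifiers whose resolution can change between installs.
// Only an exact version, or a git reference pinned to a full 40-hex commit hash,
// counts as pinned here. Transitive dependencies still need a lockfile.

const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const GIT_PREFIX = /^(git\+|git:|github:|gitlab:|bitbucket:|[\w.-]+\/[\w.-]+(#|$))/;
const FULL_SHA = /#[0-9a-f]{40}$/i;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns null when the specifier is pinned, otherwise a short reason.
function mutabilityReason(spec) {
  let s = spec.trim();
  if (s.startsWith('npm:')) {                 // alias form: npm:name@spec
    const at = s.lastIndexOf('@');
    s = at > 4 ? s.slice(at + 1) : '';        // index 4 is a scope '@', not a version
  }
  if (s === '' || s === '*' || s === 'latest') return 'floats to the newest published version';
  if (EXACT.test(s)) return null;
  if (GIT_PREFIX.test(s) || /\.git(#|$)/.test(s)) {
    return FULL_SHA.test(s) ? null : 'git reference not pinned to a full commit hash';
  }
  if (/^https?:\/\//.test(s)) return 'remote tarball URL whose contents can change';
  if (/^[\^~<>]/.test(s) || /[xX*]/.test(s) || /\|\|/.test(s) || / - /.test(s)) return 'semver range';
  return 'dist-tag or other non-exact specifier';
}

// Walks the dependency fields and returns one finding per mutable specifier.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = mutabilityReason(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest; none of these packages or specifiers are real.
const samplePackageJson = {
  dependencies: {
    react: '^18.2.0',
    'left-pad': '1.3.0',
    'some-lib': 'github:example/some-lib#main',
    'pinned-lib': 'github:example/pinned-lib#0123456789abcdef0123456789abcdef01234567',
    'ui-kit': 'latest',
  },
  devDependencies: { eslint: '8.x', prettier: 'npm:prettier@3.0.0' },
};

for (const f of auditDependencies(samplePackageJson)) {
  console.log(`${f.field}.${f.name} = "${f.spec}": ${f.reason}`);
}
```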
0:00 Introduction
3:30 Why? Open Source software security is critical to our long-term success
4:04 Current state of the ecosystem
5:07 How? Dependencies
7:01 Transitive dependencies
11:01 Supply chain threats
17:07 Less talked about supply chain threats
18:07 Nondeterminism and mutability
18:57 Create React App project
21:00 Key: accuracy is very important
24:24 Avoid mutable package references
26:00 Use lockfiles
27:05 Cache and bundle dependencies
27:21 Current state of solutions and tooling with example
30:00 Security companies and tools, advisory tools, SBOMs, cryptography, scorecards, brands and badging, and panaceas
33:13 Future state solutions and tooling
36:06 Introspection
38:41 Validation
39:03 Wrap up Q&A and key takeaways