From OpenJS World 2023: Securing Your Software Supply Chain – Darcy Clarke

Talk from Darcy Clarke, Open Source Engineer, Independent at OpenJS World 2023 in Vancouver, Canada, May 10-12.

Darcy Clarke, an independent open source engineer, highlights the constant threats and attacks faced by the software supply chain, with a particular focus on the JavaScript ecosystem. The talk explores the current state of the ecosystem, emphasizing the importance of managing dependencies, including transitive dependencies, and the various threats to the software supply chain. Darcy also shares insights using the “Create React App” project as an example. 

The presentation emphasizes the key factor of accuracy in securing the supply chain and provides practical advice, including avoiding mutable package references, using lockfiles, and caching and bundling dependencies. Darcy then discusses the existing solutions and tools available, such as security companies, advisory tools, software bill of materials (SBOMs), cryptography, scorecards, and badging. Future state solutions and tooling are also explored, focusing on introspection and validation. The session concludes with a short Q&A session and key takeaways.

Main Sections

0:00 Introduction

3:30 Why? Open Source software security is critical to our long-term success

4:04 Current state ecosystem

5:07 How? Dependencies 

7:01 Transitive dependencies 

11:01 Supply chain threats

17:07 Less talked about supply chain threats

18:07 Nondeterminism and mutability

18:57 Create react app [project 

21:00 Key: accuracy is very important 

24:24 Avoid mutable package references

26:00 Use lockfiles

27:05 Cache and bundle and dependencies

27:21 Current state of solutions and tooling with example 

30:00 Security companies and tools, advisory tools, SBOMs, cryptography, scorecards brands and badging, and panaceas

33:13 Future state solutions and tooling

36:06 Introspection

38:41 Validation

39:03 Wrap up Q&A and key takeaways 

OpenJS Resources

About the OpenJS Foundation

• OpenJS Foundation Website
• OpenJS Foundation Blog
• OpenJS + Node.js Training and Certification

Join the OpenJS Foundation

• Join OpenJS as a Member Company
• Join OpenJS as an Individual Contributor
• Join our public calendar meetings

Follow Us on Social

• OpenJS Foundation Twitter
• OpenJS Foundation LinkedIn
• OpenJS Foundation Mastodon