Presentation: Securing Software From the Supply Side
Abstract
In 2019, almost all software is built on open source. From beginners' hack projects to mission-critical software built by huge enterprises, we are all standing on the shoulders of giants. But this also means that we are all inviting a huge crowd of people we will never meet to contribute code to our codebases, and we are only beginning to grapple with the implications of that and with how to do it safely.
At GitHub, we are building towards a future where it is easy for open source maintainers to keep their users safe, and easy for open source consumers to understand and use third-party code with confidence. In this talk, we follow a vulnerable package from the initial report of a vulnerability, through the process of resolving it and publishing a fixed package, and finish by updating your own codebase to use the fixed version, with demos along the way. You will learn about the tools GitHub provides open source maintainers to improve the safety and security of the software supply chain at the source, and how you can leverage their work to make your own codebase more secure.
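The last step of the workflow the talk walks through, checking your own pinned dependencies against a published advisory and finding the version to upgrade to, is simple enough to show in code. The following is an added example written for this page; it is not code from the talk or from GitHub's tooling. The package names, the lockfile contents and the advisory records are constructed, and it assumes plain numeric versions (no pre-release or build tags) with an advisory that states the first vulnerable version and the first patched version, which is the shape most advisory databases use.

```python
"""Audit pinned dependency versions against advisories.

Added example (not from the talk or from GitHub). All package names,
versions and advisories below are constructed for illustration.
Assumption: versions are dotted integers such as "1.2.10"; pre-release
tags are out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "1.2.10" into (1, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first patched version (exclusive upper bound)


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    pinned = parse_version(version)
    return parse_version(advisory.introduced) <= pinned < parse_version(advisory.fixed)


def audit(lockfile: dict[str, str], advisories: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return (package, pinned version, first fixed version) for every vulnerable pin.

    Packages named in an advisory but absent from the lockfile are ignored;
    packages pinned at or above the fixed version are not reported.
    """
    findings: list[tuple[str, str, str]] = []
    for advisory in advisories:
        pinned = lockfile.get(advisory.package)
        if pinned is not None and is_affected(pinned, advisory):
            findings.append((advisory.package, pinned, advisory.fixed))
    return findings


# Constructed sample data: a flattened lockfile and three advisories.
SAMPLE_LOCK = {
    "example-pad": "1.2.3",    # inside the vulnerable range
    "example-yaml": "2.0.1",   # already past the fix
    "example-http": "0.9.9",   # no advisory
}
SAMPLE_ADVISORIES = [
    Advisory("example-pad", introduced="1.0.0", fixed="1.2.4"),
    Advisory("example-yaml", introduced="1.5.0", fixed="2.0.0"),
    Advisory("example-other", introduced="0.0.1", fixed="0.0.2"),
]


if __name__ == "__main__":
    for package, pinned, fixed in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{package} {pinned} is vulnerable; upgrade to >= {fixed}")
```

The numeric comparison matters: a string comparison would rank "1.10.0" below "1.9.0" and either miss a vulnerable pin or report a fixed one. The half-open range (inclusive lower bound, exclusive upper bound) is the convention most advisory formats use, so the first patched version itself is correctly reported as safe.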