
Securing OSS across the whole supply chain and beyond

Formal Metadata

Title
Securing OSS across the whole supply chain and beyond
Title of Series
Number of Parts
38
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
As we celebrate the triumph of open source software on its 25th anniversary, we also have to acknowledge the great responsibility that its pervasiveness entails. Open source has become a vital component of a working society, and there is a pressing need to secure it across the whole supply chain and beyond. In this session we take the opportunity to look at three major advancements in open source security: SBOMs, Sigstore, and Confidential Computing.

Open source plays a vital role in modern society given its pervasiveness in the cloud, mobile devices, IoT, and critical infrastructure. Securing it at every step in the supply chain and beyond is of the utmost importance. As we prepare for the "next Log4Shell", some technologies are emerging on the horizon, among them SBOMs, Sigstore, and Confidential Computing. In this session we explore these technologies in detail. SBOMs (Software Bill of Materials) allow developers to track the dependencies of their software and ensure that they are using secure and reliable packages. Sigstore allows developers to verify the authenticity and integrity of open source packages, ensuring that the code has not been tampered with or compromised. Confidential Computing, on the other hand, protects code and data in use by performing computation in a hardware-based, attested Trusted Execution Environment, ensuring that sensitive code and data cannot be accessed or tampered with by unauthorized parties, even if an attacker were to gain access to the computing infrastructure. Together, SBOMs, Sigstore, and Confidential Computing provide a powerful combination for addressing security concerns and ensuring the integrity and safety of open source software and data.

They put "security first," rather than perpetuating existing approaches that have typically tried to bolt security measures on after development, or that rely on multiple semi-connected processes throughout the development process to deliver marginal improvements to the overall security of an application and its deployment. As we celebrate the 25th anniversary of open source, these three emerging technologies represent a step forward toward securing OSS across the whole supply chain and beyond. We foresee them playing a key role in minimizing the risk of vulnerabilities and protecting software and data against potential attacks, providing greater assurances for society as a whole.
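The abstract's claim that an SBOM lets developers track dependencies and check that they are using secure packages is easiest to see with a concrete document. The following is an added example written for this page, not code from the talk or from any SBOM project: it parses a constructed SBOM in a subset of the CycloneDX JSON shape (a "components" list and a "dependencies" graph keyed by bom-ref), walks the graph from the application's root component, and matches every reachable component against a constructed advisory list. The package names, versions and advisory ids ("ADV-EXAMPLE-…") are placeholders, not real packages or real CVE identifiers, and the version comparison assumes plain dotted numeric versions.

```python
"""Added example (not from the talk): walking a CycloneDX-style SBOM to find
vulnerable transitive dependencies.

The SBOM document and the advisory list below are constructed for this
example; component names, versions and advisory ids are placeholders.
"""
import json

# Constructed SBOM, subset of the CycloneDX JSON shape. Assumed structure:
# "components" with bom-ref/name/version/purl, and a "dependencies" section
# whose entries are keyed by bom-ref.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "web-fw@3.2.1",    "name": "web-fw",     "version": "3.2.1",  "purl": "pkg:maven/example/web-fw@3.2.1"},
    {"bom-ref": "log-lib@2.14.1",  "name": "log-lib",    "version": "2.14.1", "purl": "pkg:maven/example/log-lib@2.14.1"},
    {"bom-ref": "json-lib@1.9.0",  "name": "json-lib",   "version": "1.9.0",  "purl": "pkg:maven/example/json-lib@1.9.0"},
    {"bom-ref": "unused-lib@0.1.0","name": "unused-lib", "version": "0.1.0",  "purl": "pkg:maven/example/unused-lib@0.1.0"}
  ],
  "dependencies": [
    {"ref": "app",            "dependsOn": ["web-fw@3.2.1"]},
    {"ref": "web-fw@3.2.1",   "dependsOn": ["log-lib@2.14.1", "json-lib@1.9.0"]},
    {"ref": "log-lib@2.14.1", "dependsOn": []},
    {"ref": "json-lib@1.9.0", "dependsOn": ["log-lib@2.14.1"]},
    {"ref": "unused-lib@0.1.0", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: package name, first affected version, first
# fixed version. The ids are placeholders, not real advisory identifiers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "log-lib",  "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "json-lib", "introduced": "1.0.0", "fixed": "1.8.0"},
]


def parse_version(v):
    """Turn a dotted numeric version ("2.14.1") into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_sbom(text):
    """Return (root bom-ref, components by bom-ref, dependency graph)."""
    doc = json.loads(text)
    components = {c["bom-ref"]: c for c in doc["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    return root, components, graph


def reachable(root, graph):
    """Depth-first walk from root; returns the bom-refs reachable from it
    (root excluded). The visited set makes dependency cycles safe."""
    seen, stack, out = {root}, [root], []
    while stack:
        ref = stack.pop()
        for dep in graph.get(ref, []):
            if dep not in seen:
                seen.add(dep)
                out.append(dep)
                stack.append(dep)
    return out


def find_vulnerable(sbom_text, advisories):
    """Return a sorted list of (advisory id, bom-ref) for components that are
    both reachable from the application and inside an advisory's affected
    range. Components listed in the SBOM but never depended on (such as
    unused-lib above) are deliberately not reported."""
    root, components, graph = load_sbom(sbom_text)
    hits = []
    for ref in reachable(root, graph):
        comp = components.get(ref)
        if comp is None:
            continue  # edge to a component the SBOM never declared
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                hits.append((adv["id"], ref))
    return sorted(hits)


if __name__ == "__main__":
    for adv_id, ref in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {ref} is reachable from the application and in the affected range")
```

Run as a script it reports only log-lib: json-lib 1.9.0 is past the constructed fix version, and unused-lib is declared in the SBOM but has no path from the application, which is the distinction between "present in the inventory" and "actually shipped in the dependency graph" that an SBOM makes possible.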