Open Source Summit + Embedded Linux Conference + OSPOCon 2021

Build and deployment practices have come a long way over the past few years: practice such as devops, continuous integration / continuous deployment and the like are no longer considered exotic. Unfortunately the Solarigate incident in 2020 made it very clear to even non-technical folk how susceptible our digital world is to an exploit of subverting build servers. Supply chain hardening is now a very big deal in security, partly motivated by a sweeping executive order from the US Government to address some of these vulnerabilities at warp speed. But the wide variety of build-and-deploy practices can make it a real headache to figure out how to secure the supply chain. This talk will provide a method to analyze an open source project for exploitable supply chain weaknesses. These weaknesses can pop up throughout the software development chain, from source code control, build system management, code signing and distribution and even in the tools used for development. Then for each area of concern, an open source tool or technique will be outlined to address the issue. David Stewart has worked both in project development and more recently as a security lead, so has experience in both worlds. Currently helping folks address supply chain shortcomings.