September 27-30, 2021
Seattle, Washington, USA + Virtual

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit + Embedded Linux Conference + OSPOCon 2021 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Wednesday, September 29 • 1:45pm - 2:35pm
(VIRTUAL) Supply Chain Armoring: Tools and Techniques for Open Source Projects - David C Stewart, Intel Corporation

Build and deployment practices have come a long way over the past few years: practices such as DevOps, continuous integration / continuous deployment and the like are no longer considered exotic. Unfortunately, the Solarigate incident in 2020 made it very clear, even to non-technical folk, how susceptible our digital world is to exploits that subvert build servers. Supply chain hardening is now a very big deal in security, partly motivated by a sweeping executive order from the US Government to address some of these vulnerabilities at warp speed. But the wide variety of build-and-deploy practices can make it a real headache to figure out how to secure the supply chain.

This talk will provide a method to analyze an open source project for exploitable supply chain weaknesses. These weaknesses can pop up throughout the software development chain: in source code control, build system management, code signing and distribution, and even in the tools used for development. Then, for each area of concern, an open source tool or technique will be outlined to address the issue.

David Stewart has worked both in project development and, more recently, as a security lead, so he has experience in both worlds. He is currently helping folks address supply chain shortcomings.

David C. Stewart

Sr Director, Security & Privacy, Intel Corporation
David Stewart is Senior Director of Security & Privacy. David has been an operating systems and compiler expert for his whole career. David serves on the Yocto Project Advisory Board (Emeritus) and the Open Source Security Foundation Working Group on Critical Infrastructure. Prior...

Wednesday September 29, 2021 1:45pm - 2:35pm PDT
MeetingPlay Platform + Virtual Learning Lab