September 27-30, 2021
Seattle, Washington, USA + Virtual
Wednesday, September 29, 2021 • 3:55pm - 4:45pm PDT
(IN-PERSON) Protect Yourself from Malicious Dependencies with One Cool Trick - Kim Lewandowski & Christie Wilson, Google

Software supply chain attacks are on the rise. As the entire industry shifts toward longer-term solutions, what can you start doing today to improve the situation and protect yourself? Ask a room full of security engineers what keeps them up at night and there's a good chance they'll tell you "malicious dependencies". But using other libraries is a good practice, right? And what if your codebase already depends on all kinds of open source software? Since throwing away your codebase probably isn't an option, we have another cool trick to help.

In our talk we'll teach you how to combine Security Scorecards and Tekton Pipelines to harden your software supply chain and better protect yourself from risky dependencies. Given a GitHub repo, Security Scorecards performs a number of automated security checks to assess the security posture of the project: it checks for things like branch protection, a defined security policy, and continuous test coverage with fuzzing and static code analysis tools. Combined with Tekton Pipelines, you get access to a catalog of community-contributed Tasks, including one that runs Security Scorecards. We'll show you how to include this as part of your CI and feel confident about your supply chain.
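The talk's pipeline step only becomes a control once something acts on the scores. The following policy gate is an added example written for this page, not code from the talk, the Scorecards project, or the Tekton Catalog: it consumes the JSON that `scorecard --repo=<dep> --format=json` emits and fails the build when a dependency's repository falls below a per-check threshold. The JSON shape it assumes (top-level `repo.name`, `score`, and a `checks` list whose entries carry `name`, `score`, and `reason`, with a score of -1 meaning the check could not run) follows Scorecards' JSON output; the check names are real Scorecards checks, but the thresholds, the dependency names, and the two sample reports are constructed for illustration. One caveat to keep in mind: Scorecards scores the hygiene of a dependency's source repository, not the contents of a released artifact, so a gate like this flags risky dependencies rather than detecting a specific malicious release.

```python
"""Policy gate over Security Scorecards JSON results, e.g. as the last step of a
Tekton Task that runs `scorecard --repo=<dep> --format=json`.

Added example, not code from the talk, the Scorecards project or the Tekton
Catalog. Assumptions: the JSON shape (top-level "repo.name", "score", and a
"checks" list whose entries carry "name", "score" and "reason", with score -1
meaning the check could not run) follows `scorecard --format=json`; the check
names are real Scorecards checks, but the thresholds, the dependency names and
the sample reports below are constructed for illustration.
"""
import json
import sys
from typing import Dict, List

# Hypothetical policy: minimum acceptable score (0..10) per Scorecards check.
# A minimum of 0 means "report it, but never block on it".
POLICY: Dict[str, int] = {
    "Branch-Protection": 5,
    "Security-Policy": 10,
    "SAST": 5,
    "Fuzzing": 0,
    "Pinned-Dependencies": 7,
}
MIN_AGGREGATE = 5.0  # hypothetical floor for the repository's overall score


def evaluate(report: dict, policy: Dict[str, int] = POLICY,
             min_aggregate: float = MIN_AGGREGATE) -> List[str]:
    """Return human-readable policy violations for one Scorecards report.

    An empty list means the dependency passes. A check that errored (score -1)
    counts as a failure for any check the policy actually requires (minimum > 0):
    an unverifiable control is not a passing control.
    """
    repo = report.get("repo", {}).get("name", "<unknown repo>")
    violations: List[str] = []

    aggregate = report.get("score")
    if aggregate is None or aggregate < min_aggregate:
        violations.append(f"{repo}: aggregate score {aggregate} is below {min_aggregate}")

    by_name = {c["name"]: c for c in report.get("checks", [])}
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            violations.append(f"{repo}: required check {name} is missing from the report")
            continue
        score = check.get("score", -1)
        reason = check.get("reason", "no reason given")
        if score < 0:
            if minimum > 0:
                violations.append(f"{repo}: {name} could not be evaluated ({reason})")
            continue
        if score < minimum:
            violations.append(f"{repo}: {name} scored {score}, policy requires {minimum} ({reason})")
    return violations


def gate(reports: List[dict]) -> Dict[str, List[str]]:
    """Evaluate every dependency report; map each failing repo name to its violations."""
    failing: Dict[str, List[str]] = {}
    for report in reports:
        violations = evaluate(report)
        if violations:
            failing[report.get("repo", {}).get("name", "<unknown repo>")] = violations
    return failing


# Constructed sample reports in the `scorecard --format=json` shape (not real scans).
GOOD_REPORT = {
    "date": "2021-09-29",
    "repo": {"name": "github.com/example/good-dep"},
    "score": 7.8,
    "checks": [
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is enabled on the default branch"},
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected"},
        {"name": "SAST", "score": 7, "reason": "SAST tool detected on most commits"},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
        {"name": "Pinned-Dependencies", "score": 9, "reason": "most dependencies are pinned"},
    ],
}
RISKY_REPORT = {
    "date": "2021-09-29",
    "repo": {"name": "github.com/example/risky-dep"},
    "score": 3.1,
    "checks": [
        {"name": "Branch-Protection", "score": 0, "reason": "branch protection not enabled on the default branch"},
        {"name": "Security-Policy", "score": 0, "reason": "security policy file not detected"},
        {"name": "SAST", "score": -1, "reason": "internal error: unable to list commits"},
        {"name": "Pinned-Dependencies", "score": 2, "reason": "dependencies not pinned by hash"},
        # "Fuzzing" deliberately absent to exercise the missing-check path
    ],
}
SAMPLE_REPORTS = [GOOD_REPORT, RISKY_REPORT]


if __name__ == "__main__":
    # When piped from scorecard, read one report (or a JSON list of reports)
    # from stdin; otherwise fall back to the constructed samples.
    if sys.stdin.isatty():
        reports = SAMPLE_REPORTS
    else:
        data = json.load(sys.stdin)
        reports = data if isinstance(data, list) else [data]
    failing = gate(reports)
    for repo_name, repo_violations in failing.items():
        print(f"FAIL {repo_name}")
        for line in repo_violations:
            print(f"  - {line}")
    sys.exit(1 if failing else 0)
```

Run against the constructed samples, `good-dep` passes and `risky-dep` fails on six counts: the aggregate floor, an unprotected default branch, no security policy, a SAST check that could not be evaluated, a missing Fuzzing result, and unpinned dependencies. In a Tekton Task the script would sit in a step after the one that runs `scorecard`, reading the JSON on stdin; a non-zero exit fails the Task and therefore the pipeline run.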

Christie Wilson

Software Engineer, Google
Christie Wilson (she/her) is a software engineer at Google and co-creator of the Tekton project. Over the past decade and more she has worked in the mobile, financial, and video game industries. Prior to working at Google she built load testing tools for AAA video game titles, and founded...
Kim Lewandowski

Product Manager, Google
Kim Lewandowski (she/her) is a product manager at Google and a lead for Google's Open Source Security Team (GOSST). She is focused on improving the security of critical open source software we all depend on. Prior to joining Google, Kim wrote code for the world's most powerful...
