Software Supply Chain is loosely defined as everything it takes to get software running for users. One of the important things to think about is what threats you are trying to protect against.
The Update Framework TUF enhances security by adding verifiable records about the state of a repository or application. By adding metadata containing information about which signing keys are trusted, the cryptographic hashes of files, signatures on the metadata, metadata version numbers and the date after which the metadata should be considered expired, it creates a record that can be checked to verify the authenticity of updated files.
The two Josh’s talk about use cases and how it came to be developed for the open source community. They explore what developers can do to improve their software supply chain security by using multi- factor authentication, keeping dependencies up-to-date and include a bit of due diligence in software development.
Github Security Lab, was discussed in detail, as Lock talks about his hopes for the consortium and its new charter. Additionally, Lock shares his insights on Pypi, Docker, Bottlerocket, Winpackage and more.
Listen to the full podcast to hear more about some of the historical software security accidents that have led to some of the current projects in the community today.