
Software supply chain security in the Rust ecosystem

Paris Rust meetup
December 4th, 2024

Alexis Mousset

December 04, 2024

Transcript

  1. SOFTWARE SUPPLY CHAIN
     A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a software artifact. (Wikipedia; I would add the people too)
  2. RUST
     awesome cargo tooling + language composability > a lot of dependencies
     compiled language, static dependencies > traceability & maintenance issues
  3. WHAT DOES YOUR BINARY INCLUDE?
     all dependencies
     all artifacts in crates (binaries, data, etc.)
     C libraries built automatically in crates
  4. TOOLING FOR DEPENDENCIES
     # list people who have write access to your artefacts
     cargo supply-chain
     # audit and share crate audits
     cargo vet
     # look for known vulnerabilities
     cargo audit
     cargo deny
  5. TOOLING FOR BUILD
     # respect Cargo.lock
     cargo build --locked
     # include dependencies in binary
     cargo auditable build
     # build a SBOM
     cargo cyclonedx
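The two slides above lean on the same artifact: Cargo.lock pins every crate to a name, version and registry checksum, and `cargo audit` / `cargo deny` compare that inventory against known advisories. The following is an added example, not code from the talk or from the RustSec tooling: a std-only Rust program that parses the `[[package]]` tables of a constructed Cargo.lock, flags entries without a checksum (path or git dependencies that cannot be verified against the registry), and matches versions against a constructed advisory list. The crate names, the `EXAMPLE-0001` advisory id and the zero-filled checksums are placeholders, not real packages or vulnerabilities.

```rust
// Added example: minimal Cargo.lock inventory + advisory check.
// Not the real `cargo audit`; illustrates what the tooling relies on.

#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    /// SHA-256 of the registry .crate file; absent for path/git dependencies
    pub checksum: Option<String>,
}

/// Parse the `[[package]]` tables of a v3 Cargo.lock into an inventory.
/// Deliberately hand-written (only the keys we need), so no TOML crate is required.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // any new table ends the package currently being collected
            if let Some(p) = current.take() {
                packages.push(p);
            }
            if line == "[[package]]" {
                current = Some(Package { name: String::new(), version: String::new(), checksum: None });
            }
        } else if let Some(p) = current.as_mut() {
            if let Some((key, value)) = line.split_once(" = ") {
                let value = value.trim_matches('"').to_string();
                match key {
                    "name" => p.name = value,
                    "version" => p.version = value,
                    "checksum" => p.checksum = Some(value),
                    _ => {} // source, dependencies, ... not needed here
                }
            }
        }
    }
    if let Some(p) = current {
        packages.push(p);
    }
    packages
}

/// Compare "major.minor.patch" numerically, ignoring pre-release/build metadata.
pub fn parse_version(v: &str) -> (u64, u64, u64) {
    let core = v.split(|c| c == '-' || c == '+').next().unwrap_or("");
    let mut parts = core.split('.').map(|s| s.parse::<u64>().unwrap_or(0));
    (parts.next().unwrap_or(0), parts.next().unwrap_or(0), parts.next().unwrap_or(0))
}

/// A constructed advisory: every version below `patched` is affected.
pub struct Advisory {
    pub id: &'static str,
    pub crate_name: &'static str,
    pub patched: &'static str,
}

// Placeholder advisory data, constructed for this example only.
pub const SAMPLE_ADVISORIES: &[Advisory] =
    &[Advisory { id: "EXAMPLE-0001", crate_name: "example-parser", patched: "0.4.2" }];

/// Report unverifiable entries and advisory matches, in lockfile order.
pub fn findings(packages: &[Package], advisories: &[Advisory]) -> Vec<String> {
    let mut out = Vec::new();
    for p in packages {
        if p.checksum.is_none() {
            out.push(format!("{} {}: no checksum (path/git dependency, not verifiable against the registry)", p.name, p.version));
        }
        for a in advisories {
            if a.crate_name == p.name && parse_version(&p.version) < parse_version(a.patched) {
                out.push(format!("{} {}: affected by {} (patched in {})", p.name, p.version, a.id, a.patched));
            }
        }
    }
    out
}

// Constructed Cargo.lock sample (placeholder crates and checksums).
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "example-parser"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
dependencies = [
 "example-util",
]

[[package]]
name = "example-util"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"

[[package]]
name = "local-helper"
version = "0.1.0"
"#;

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCK);
    println!("{} packages in inventory", packages.len());
    for f in findings(&packages, SAMPLE_ADVISORIES) {
        println!("FINDING: {f}");
    }
}
```

Run with `cargo run` (or `rustc` on the single file): the sample yields one advisory match and one unverifiable entry. The checksum check is the reason `--locked` matters in CI: without it, a refreshed lockfile can silently swap in versions that were never reviewed.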
  6. WHO WORKS ON IT?
     Linux Foundation
     Rust Foundation
     Google / Microsoft (GitHub)
     Specialized companies
     Rust Secure Code WG / RustSec
  7. THANKS!
     Alexis Mousset / amousset
     Rust Secure Code WG / RustSec
     lettre email library
     rudder.io > open-source infra security & automation > open 6 months Rust internship 🦀