
Minimise the risk of open source usage by using healthy open source projects

Juan Antonio Osorio

March 15, 2024

Transcript

  1. A rant on open source project vetting: Minimise the risk of open source usage by using healthy open source projects
  2. Who am I? Juan Antonio “Ozz” Osorio, Staff Security Beard, Mexican living in Finland. Talk to me about: • Supply chain security • Vulnerability management • Cloud security • Craft beer • Running • Heavy metal (©Stacklok, Inc 2024)
  3. Who are we? Stacklok, est. May 2023. We're passionate about making open source software safer. We help you • Build safer software • Make safer dependency choices • Keep your software pipelines secure. We aim to simplify supply chain security.
  4. Open Source is everywhere (we’ve won!) • It’s in your infrastructure • Your third-party providers use it • It’s in your dependencies • It’s the software you build • It even runs on your work or personal machine
  5. The challenge: make an informed decision on what open source project(s) to allow and promote within your organization
  6. … or not. Side note: ChatGPT actually returned better results
  7. … or not. Side note: ChatGPT actually returned better results… NO! Don’t rely on it to make these decisions for you…
  8. … or not. Side note: ChatGPT actually returned better results… NO! Don’t rely on it to make these decisions for you… yet
  9. Tell me already! Things to look for: • Good habits/code hygiene • Active development • Developers we trust • Responsible disclosure encouraged • CVE and SCA clear … Not talking about licenses today as your mileage may vary
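The checklist on this slide turned into a small triage script, as an added example that is not from the talk, Minder or Trusty: the snapshot fields, the thresholds and the two sample projects are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are illustrative assumptions, not values from the talk.
STALE_AFTER_DAYS = 180
MIN_COMMITS_90D = 5
MIN_MAINTAINERS = 2


@dataclass
class ProjectSnapshot:
    """Facts a reviewer gathers about a candidate project (constructed shape, not a real API)."""
    name: str
    last_commit: date
    commits_last_90d: int
    active_maintainers: int
    trusted_maintainers: int   # maintainers your organisation already knows and trusts
    has_ci: bool               # tests/lint run on every change (code hygiene)
    has_security_policy: bool  # SECURITY.md or another documented disclosure channel
    open_vuln_reports: int     # unresolved CVEs or SCA findings


def assess(p: ProjectSnapshot, today: date) -> dict:
    """Score each 'thing to look for'; returns {criterion: (passed, reason)}."""
    age = (today - p.last_commit).days
    active = age <= STALE_AFTER_DAYS and p.commits_last_90d >= MIN_COMMITS_90D
    trusted = p.trusted_maintainers >= 1 and p.active_maintainers >= MIN_MAINTAINERS
    return {
        "code_hygiene": (p.has_ci, "CI present" if p.has_ci else "no CI/tests on changes"),
        "active_development": (active, f"last commit {age}d ago, {p.commits_last_90d} commits in 90d"),
        "developers_we_trust": (trusted, f"{p.trusted_maintainers} trusted of {p.active_maintainers} maintainers"),
        "responsible_disclosure": (p.has_security_policy, "security policy found" if p.has_security_policy else "no SECURITY.md"),
        "cve_and_sca_clear": (p.open_vuln_reports == 0, f"{p.open_vuln_reports} open vulnerability reports"),
    }


def verdict(findings: dict) -> str:
    """Collapse findings into allow / review / reject; open vulns or a dead project are blocking."""
    failed = {k for k, (ok, _) in findings.items() if not ok}
    if not failed:
        return "allow"
    if failed & {"cve_and_sca_clear", "active_development"}:
        return "reject"
    return "review"


# Constructed sample snapshots for hypothetical projects (not real repositories).
TODAY = date(2024, 3, 15)
HEALTHY = ProjectSnapshot("libgood", date(2024, 3, 10), 42, 4, 1, True, True, 0)
ABANDONED = ProjectSnapshot("libstale", date(2023, 1, 2), 0, 1, 0, False, False, 3)
UNDISCLOSED = ProjectSnapshot("libquiet", date(2024, 3, 1), 20, 3, 1, True, False, 0)
```

Running `verdict(assess(HEALTHY, TODAY))` yields "allow", the stale project with open reports is rejected, and the active project lacking a disclosure channel lands in "review" for a human decision.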
  10. OK… Now what? Supply Chain Security: • Do you know where your container/package/artifact comes from? • How was it built? • Do they follow best practices? • How do I know what was included in the build? • How do I know that it’s the right one?
  11. How you can help! Minder is OSS • Try it out! ◦ We have a running production instance • Check it out! ◦ https://github.com/stacklok/minder • Give us feedback! ◦ You can open a GitHub issue or even talk to us on Discord • Document or code! ◦ We’re happy to review
  12. Thank you! Minder on GitHub. Join us on Discord! Try out Trusty! We’re hiring!