SOSS Fusion 2024 has ended
October 22-23, 2024 | Atlanta, Georgia USA

Wednesday October 23, 2024 2:40pm - 3:10pm EDT
The greatest challenge in open-source supply-chain security is how unrewarding it feels. Maintainers have to do the vast majority of the work needed to improve a repository's supply-chain security, but – other than the satisfaction of a job well done – they get almost no benefit from it. Supply-chain security improvements don't add features, squash bugs, or improve performance. Instead, the benefits fall entirely on the package's consumers, who can feel safe depending on that package. In 2023, the Google Open Source Security Team (GOSST) began work to help maintainers carry this burden. We approached ~200 open-source projects of critical importance to the ecosystem, hoping to help them improve their supply-chain security. This presentation will describe the philosophy behind the team's approach, our overall results (500+ contributions, 90% accepted!), and key lessons learned. We hope to inspire you – consumer, maintainer, or someone who's just interested in this sort of thing – to learn from our mistakes and outdo our successes. Help us help maintainers keep open source secure.
Speakers
Pedro Nacht

Software Engineer, Google
Professionally... I've been around. A structural engineer by training, I quickly moved to writing engineering software. After completing an MBA, I became a financial data analyst. Hoping to make more of an impact, I joined Google's Open Source Security Team (GOSST). In GOSST's Upstream...
Diogo Teles Sant'Anna

Software Engineer, Google
Passionate about technology, I began my studies in Computer Engineering in 2016 at the University of Campinas (UNICAMP, Brazil), and now I'm working as a Software Engineer at Google. Since 2022, I have worked on the Google Open Source Security Team (GOSST).
Salon 4-6
  SW Development + OSS
  • Session Slides Attached yes