Kusari blog

Open Source Summit 2022

Takeaways & Learnings

Tim Miller

June 23, 2022

We just attended the Open Source Summit in June 2022, hosting in Austin TX. First I wanted to start of by thanking the Linux Foundation for having this conference. The LF events in particular are my favorites. The content surrounding the Open Source Summit strikes particularly close to our hearts. I’m thrilled to see so much activity around improving the security of the open source ecosystem. Based on the talks we attended, here are some of my key takeaways from this event.

Supply Chain Security is Becoming a Buzz-word

It was hard to walk around the vendor floor and NOT find companies pushing Supply Chain Security in one way or another. I personally find it interesting how many different interpretations folks have on what this means. I see this as a bit of a double-edged-sword. On one hand, it’s helping the topic get out there, and it is critically important that this happens. On the other hand, if there were 20 different vendors selling Supply Chain Security, there were 20 different explanations of what the problem is. We need to be coming together a bit more to really drive home what Supply Chain Security actually means. In my humble opion, it’s more than just scanning for CVE’s on artifacts you already have in your repository. I’d love to work with others in the field to push for more clarity and agreement around this. If we want to collectively solve this problem we first have to agree on what the problem actually is first, and I think we have some work to do there.

Companies are Wrestling with how to Secure their Supply Chain

If you are returning to work on Monday and confused on how to take action on all the things you learned here, you’re definitely not alone. From organizing internal teams and getting difficult processes changed to the inner workings of SPIRE and what even is an SVID anyway, the confusion is real. This is a massively complicated area, and feeling lost should not make you feel bad. You should be proud of yourself for being on the leading edge of a problem that has both too few and too many answers for every question you come across.

The issues and threats arounds supply chain security are many and can be complex to comprehend. It cannot be solved by adding another vulnerability scanner but need a more comprehensive approach. In the near future we hope to bring forth solutions that provide this comprehensive solution without being overly complicated to implement. Supply chain security (as with any security implementation) should not be a burden on the organization or the developers, but rather a seamless piece in an ever evolving ecosystem.

Curation and Establishing Trust

One of the more interesting technical keynotes I enjoyed was from Eric Brewer, Vice President of Infrastructure at Google. The tl;dw is that Google is going to be building a curated open source repository where they will be monitoring vulnerabilities in common libraries, and more importantly patching them as they need. The focus on a curated Open Source repository is a very exciting prospect for all of us. Additionally I think it should make everyone ask - why do you trust what you trust? Are you confident that the team managing the libraries you use are doing a good job? Do you trust how they are taking in their dependencies? Have you looked at the processes that they follow, or do you trust their reputation? I’m excited to see someone with the scale and engineering horsepower of Google to take on such a big piece of the infrastructure for Open Source Software. But as a second order consequence, I’m hoping more folks look at their own dependency sources with far more scrutiny.

Shameless Plug for Parth & Brandon

If you weren’t able to attend in person - I would highly recommend watching the Road to SLSA3: Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE. This was given by our own Parth Patel, as well as Brandon Lum from Google. It was a great practical demonstration of some of the work they’re pushing into the open source community to facilitate the level of assurance SLSA 3 can bring.

I will update this blog with the youtube link once it is made available.

Personal Connections are Invaluable

As much as I love remote work - while I was in Austin I met many folks who I had worked for over a year for the first time. To all who took the time to connect with me while I was out there, thank you. Even if it was brief it meant the world to me to see all of you in person again.

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts

Open Source Summit 2022

Takeaways & Learnings

June 23, 2022
Tim Miller

SPIFFE/SPIRE CSI Driver

Overview of the SPIFFE/SPIRE tool

June 27, 2022
Parth Patel

Not Just Third Party Risk

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

July 20, 2022
Michael Lieberman

Government Memo for Enhancing the Security of the Software Supply Chain

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity was released last year in May.

September 19, 2022
Parth Patel

A High Fidelity View of Software Supply Chain

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance.

October 20, 2022
Michael Lieberman

Kusari presenting at KubeCon and Cloud Native SecurityCon NA 2022

KubeCon + CloudNativeCon is right around the corner and we are excited to be attending in person!

October 21, 2022
Parth Patel

The Next Heartbleed?

Heartbleed (CVE-2014-0160) in 2014 left the industry in a scramble...

October 31, 2022
Parth Patel

Kusari's Software Supply Chain Security Overview

What is Software Supply Chain security, and why should I care?

March 14, 2023
Michael Lieberman

Applying Zero Trust to the Software Supply Chain

Understanding Zero Trust and Its Benefits

March 28, 2023
Michael Lieberman

Figure Out Who's Lurking in Your Supply Chain With Signatures and Attestations

A Story of Software and Cats

April 4, 2023
Michael Lieberman

Kusari Open-Sources Spector

We’re excited to announce the open-sourcing of Spector.

April 26, 2023
Michael Lieberman

GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

May 23, 2023
Tim Miller

Quest to determine the 'G' in GUAC

Working towards determining a persistent database for GUAC

June 27, 2023
Parth Patel

daBOM Podcast with Tim & DJ

Tim appeared as a guest on the daBOM podcast.

July 5, 2023
Tim Miller

Announcing Helm Chart for GUAC

Helm Chart for GUAC

July 12, 2023
Tim Miller

Case Study: A discussion with Guidewire on GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

August 2, 2023
Michael Lieberman

Announcing the Kusari YouTube Channel and GUACademy

Kusari have just launched a YouTube Channel!

August 23, 2023
Jeff Mendoza

Terror of cURL - Preparation is Half the Battle

CVE-2023-38545 - HIGH Severity Vulnerability

October 16, 2023
Parth Patel

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

October 31, 2023
Nathan Naveen

What the NSA Missed in its SBOM Management Recommendations

The missing first step that most organizations are still struggling with

December 22, 2023
Parth Patel

Contributor to Leader: Securing Open Source Software at OpenSSF

Kusari elected to OpenSSF leadership roles

January 16, 2024
Michael Lieberman

Our $8M Funding Round Fuels our Mission to Make the Software Supply Chain Transparent and Secure

Kusari raises seed funding

January 18, 2024
Tim Miller

Kusari Soaks up Community at FOSDEM and Beyond

Kusari speaking at FOSDEM and other EU community venues

January 26, 2024
Jeff Mendoza

From Open Source Community to Joining a Start-up – while in High School

Nathan Naveen, a 17-year-old high schooler, shares his journey to becoming an intern at Kusari

February 8, 2024
Nathan Naveen

Unveiling GUAC as an OpenSSF Incubating Project for Software Dependency Management

Today, we find ourselves in a moment akin to proud parents, as we witness a significant milestone in the journey of Graph for Understanding Artifact Composition (GUAC).

March 7, 2024
Parth Patel
Michael Lieberman

Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

March 7, 2024
Michael Lieberman
Brandon Lum

XZ Backdoor: Software Security Lessons

The recent incident involving the XZ backdoor brings to light the critical importance of vigilance and proactive security measures, while not losing sight of the human element.

April 5, 2024
Michael Lieberman

Proactive Security in the Post-Log4j Era

Gone are the days when signing containers and running vulnerability scans through CI processes provided a sense of security.

April 23, 2024
Tim Miller

Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

Open source supply chain observability tool standardizes on PostgreSQL

May 6, 2024
Jeff Mendoza
Dejan Bosanac

Previous

No older posts

Next

No newer posts

Want to have a conversation about your software supply chain?

We’d love to hear from you.  Get in touch and we'll get back to you.

Say Hello
About KusariOpen SourceGUACResourcesContactOpen RolesMedia Kit
© 2024 Kusari Inc. All rights reserved.
Terms
Privacy
Cookies
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept