How Much Do You Trust That Package? Understanding The Software Supply Chain

C2 | Mon 21 Jan | 1:55 p.m.–2:15 p.m.
Presented by

  • Benno Rice
    @jeamland

    Benno has been bouncing around the IT industry for decades. Starting off as a system/network admin, he moved into software engineering and has worked at every level of the stack, from early boot code through kernel and device drivers into low-level server code, all the way via backend code to frontend JavaScript. After spending the last few years working on FreeBSD for companies both small and large, he's now working for Yubico on various aspects of their security tokens and supporting bits and pieces.

Abstract

Did you hear the one where someone gave the maintainership of an npm module to some rando who stuck a cryptocurrency miner in it? Hilarious, right? Well, did you also hear the one where someone uploaded malicious packages to PyPI with names similar to popular packages? Supply chain security is a huge issue in modern software development, and not just for Node.js developers. The prevalence of third-party modules, the lack of maintainer time and compensation, and the speed at which we try to develop mean that there are many ways the software supply chain can cause you headaches. This talk will cover the history of the software supply chain, the issues that have cropped up in it and why, and some ways to deal with the risks these create.