PLENARY 4 : Securing the Open-Source Frontier: Navigating Supply Chain Risks
Open-source components are everywhere in digital infrastructure, products and services. The modern ecosystem offers a wealth of advantages for an open-source software developer, enabling fast, permission-less innovation. However, incorporating third-party code, even from trusted sources, introduces an element of uncertainty. This uncertainty is precisely where supply chain attacks come into play, and it underscores the need for a proactive approach to security.
When contributing to or relying on open-source or any software development projects, it is essential to consider the integrity of the entire supply chain and ensure that all contributors across the chain adhere to best security practices. Collaborative efforts within the open-source community, such as code audits and timely updates, are essential in maintaining a robust defence against supply chain threats.
The panel will bring together experts in the area of software supply chain, open source and the software industry. It will discuss how open source empowers developers, but also obliges them to be vigilant guardians of the software supply chain and how, balancing the benefits with the risks, security measures are essential to uphold the trust placed in open-source development.
Philippe Ombredanne is a FOSS hacker on a mission to make it easier and safer to reuse FOSS code. He is the maintainer of ScanCode, the industry standard licence detection tool, and other open-source tools for software composition analysis and licence & security compliance at AboutCode.org.
Philippe is the project lead in two supply chain projects funded by NGI0: FOSS Code Supply Chain Assurance, which is building a new system to help verify the integrity of deployed code packages and validate their origin against external data sources, with the potential to mitigate attacks on open-source package supply chains, for example by detecting whether a package in use matches verified code through exact and approximate matching of sources and binaries; and the Free Software Vulnerability Database, a resource set up to aggregate software updates.
SME
We are on a mission to make it easier to reuse free and open source software to build better apps and systems, faster and more efficiently. For this we are creating best-in-class open source tools and open data for software origin, license and security determination to help secure your software supply chain.
Anthony Harrison is an experienced independent consultant from the UK delivering and securing mission critical systems. He founded and is currently the director of APH10, a consultancy focused on helping organisations manage software risks more effectively.
He has been involved in promoting the software bill of materials (SBOM) since 2021 as a way of supporting vulnerability management, and has taken part in various working groups related to SBOM, including the SBOM Forum, SPDX Defects and the OpenSSF SBOM Everywhere initiative.
Anthony has also been actively promoting open-source for many years and regularly contributes to an increasing number of related projects.
Start-up
APH10 was founded in 2022 to help organizations identify, assess, and mitigate software risks, especially those related to security and resilience.
It is currently developing a product to reduce the time and effort required to assess and manage software vulnerabilities by providing an automated process that prioritises the vulnerabilities.