Software supply chain -- how deep does the problem go? François is here to help us realize how deep the rabbit hole of the supply chain is and enlighten us with strategies to get out of the hole.

François emphasizes the importance of branch protection in source code repositories as the cornerstone of any supply chain, highlighting the need for peer review and static code analysis before merging. He also discusses the concept of tag protection, which prevents anyone with rewrite access to the repository from modifying a tag. This is particularly important in the context of build systems, where an overwritten tag could compromise the entire system.

The conversation then shifts to a "Let's Encrypt" equivalent for package signing, which François believes is being addressed by the SIG store project. This project introduces the concept of keyless signatures, which eliminates the need to manage private keys, a process that can be risky and cumbersome.

François also discusses the importance of understanding your dependency tree and using package manager lock files to ensure that the version of a package you're downloading is the one you expect. He mentions the Terraform modules, where the lack of a lock file for modules can lead to security vulnerabilities.

Toward the end of the episode, François recommends listeners explore the OpenSSF (Open Source Security Foundation) and its various projects, such as the Scorecard project, which provides a security posture for your repo. He also mentions https://deps.dev, a free Google service that scans open-source repos and runs the Scorecard on those projects.

Look up towards the light if you find yourself at the bottom of the rabbit hole.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~