Episode 541: Jordan Harband and Donald Fischer on Securing the Supply Chain
Open source developers Jordan Harband and Donald Fischer join host Robert Blumen for a conversation about securing the software supply chain, especially open source. They start by reviewing supply chain security concepts, particularly as related to open source, and then explore: package managers and open source; attacks on open source projects; challenges in validating software that is written outside of the organization; security standards in open source projects; best practices in open source; validating compliance of open source; automating the consumption of open source standards; scanners; and generating useful information from software bills of materials (SBOMs).
Show Notes
- IconBurst NPM software supply chain attack grabs data from apps and websites by Karlo Zanki of ReversingLabs
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies by Alex Birsan
Related Episodes
- 489 Sam Boyer on Package Management
- 338 Brent Laster on the Jenkins 2 Build Server
- 498 James Socol on CI and CD
- 416 Adam Shostack on Threat Modeling
- 385 Evan Gilman and Doug Barth on Zero-Trust Networks
Transcript
Transcript brought to you by IEEE Software magazine.
This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.
Robert Blumen 00:00:17 For Software Engineering Radio, this is Robert Blumen. I have with me today two guests, Donald Fischer, who is the co-founder and CEO of Tidelift. He’s a board member of several companies and organizations and is a graduate of Stanford University where he received his MS in Computer Science. Donald, welcome to Software Engineering Radio.
Donald Fischer 00:00:40 Thank you. Very glad to be here.
Robert Blumen 00:00:42 Donald, would you like to say anything else about your background?
Donald Fischer 00:00:45 Yeah, I think you encapsulated pretty well. I’ve been fascinated by software — in particular, open-source software and the creators and communities behind it — for most of my career, and excited to talk about some of that here with you today.
Robert Blumen 00:00:57 My second guest is Jordan Harband. Jordan is an open-source maintainer-at-large. He’s contributed to the JavaScript specification. He is a member of the OpenJS Foundation’s Cross Project Council, and he is formerly a developer relations engineer at Coinbase. Jordan, welcome to Software Engineering Radio.
Jordan Harband 00:01:19 Thank you. Happy to be here.
Robert Blumen 00:01:21 Would you like to expand on your background at all?
Jordan Harband 00:01:24 No, I think you’ve covered it pretty well. Thank you.
Robert Blumen 00:01:27 Let’s proceed to the content. We will be talking today about securing the software supply chain. This episode goes very well with 535, which was about software supply chain attacks, but it did not offer solutions. Today we’ll be looking more at solutions. Donald, briefly, could you tell us what we mean when we’re talking about the supply chain? Keep in mind we had a whole episode on this, so just a quick review: what do we mean by software supply chain?
Donald Fischer 00:01:56 Yeah, absolutely. So the so-called software supply chain is really anything that affects your software at any point in its development and release, including the original creation, writing the software, continuous integration, continuous deployment pipeline that it goes through. All of the channels through which your software flows from the moment of creation into production. And that includes a whole bunch of different systems and sources of software. In particular, one of the areas that’s been in the spotlight quite a bit recently is third party open-source software, which is one of the key ingredients that goes into most applications these days.
Robert Blumen 00:02:36 We did, as I mentioned, cover a lot of attacks on the supply chain in 535. It became clear that supply chain attacks are not any particular type of attack, like say buffer overflow or escalation of privilege. They could be any type of attack whatsoever that attacks any component of the supply chain. How can we talk about securing the supply chain when it’s not any particular type of attack that we’re defending against? Jordan?
Jordan Harband 00:03:07 Yeah, I think in the same way as every time you add people to your company, you’re incurring some trade-offs. You have more eyes on your code base, you have more people who can test it, more people who can make sure it’s of good quality. You also have more people who could make mistakes, who could get a laptop stolen at a coffee shop, who could fall on hard times and get bribed to betray the company in some way. You also have more potential people who could be enemy state actors, right? That happened at Twitter on one or two occasions. But these are all trade-offs as you add more people, right? And it’s the same with adding dependencies to your supply chain. Each dependency is one or more people who maintain that dependency, and there are huge benefits to adding them: there are more eyes on the software, there’s more experience involved. You have more specialists who can do the specific task they’re charged with doing exceedingly well. You also have more points of failure. And I think that securing your supply chain is really a balancing act about how you accept the large benefits of adding people to your process while still managing the weakest link in any process on the planet: the humans.
[...]