Supply-Chain

I take a bike ride every morning, it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has led to everyone suddenly making this a priority. Software supply chain security is not new, I’ve been doing it since about 2002 when I was helping track and coordinate security vulnerabilities in Linux distributions. We didn’t call it a supply chain back then, and nobody really paid attention to it. So what changed between then and now? ...

Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it’s not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_332_PyPI_2FA_or_not_2FA_that_is_the_question.mp3 Show Notes PyPI announcement NPM expired domains Morten Linderud Tweet Congratulations: We Now Have Opinions on Your Open Source Contributions

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space and what sort of new thing scan we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_286_Open_source_supply_chain_with_Googles_Dan_Lorenc.mp3 Show Notes Dan’s Twitter Sigstore SLSA Framework

I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the reasons intended in the conversation. The point of the suggestion was the Titanic sinking created changes to international requirements to help avoid a similar disaster next time, and we should be viewing SolarWinds in a similar way. The idea being we should use the SolarWinds event to drive meaningful change to make security better. Why no change will come of this is a different conversation: TL;DR it’s because nobody important died from SolarWinds, the Titanic killed a lot of important people. But I think this is an interesting way to talk about how we tend to deal with problems in software and how we deal with them in real life. ...