Customers often highlight supply chain security as a regular pain point. Very few would claim to understand the problem, let alone how to solve it. All have heard from vendors (including my employer) offering to solve it. This talk by Russ Cox is excellent: it attempts to define, with examples, the problem of open-source supply chain security.
“Open-source supply chain security is the engineering of defences against both open-source supply chain attacks and open-source supply chain vulnerabilities.”
In some areas, customers I speak to are confident. Everyone is doing some form of vulnerability scanning. Yet Russ has this to say.
“Vulnerability scanning is far from a solved problem; more research is needed into how to avoid the many kinds of false positives and into effective ways to present the information.”
Russ is a core member of the Go team at Google. The talk highlights work to secure the supply chain within the Go ecosystem, but it is not constrained to Go: the principles and solutions offered apply to all open-source software. The talk is well worth a watch.