Building a Secure, Efficient, Compliant OSS Supply Chain at Scale - Lecture
Offered By: Linux Foundation via YouTube
Syllabus
Intro
What is a FOSS supply chain: A FOSS supply chain means the operation of consuming FOSS within a company when running its daily business. The challenge is just like any other supply chain within a company.
Case: Security holes cause business losses: The Equifax breach and the underlying Apache Struts vulnerability cost more than $400m and affected 140 million people.
Massive FOSS supply and demand: Java: 3.7 million unique plugs in the central Maven repository (downloads increased 68% in 2018).
So many engineers and repos: My company has over 15K engineers.
Bad engineering habits: Engineers are not aware of FOSS risks, so they choose whatever code they like to use.
1. Set up an internal Maven server and NPM server first.
Why we chose this: Baidu is an Internet company; most of our business is online service and the risk of license compliance is low.
Training is very, very important: Executed offline training at several sites (Beijing, Shanghai).
Set up an OSS security ticket system: Set a security fixing process.
Building a FOSS supply chain is a long journey: It is more than compliance.
Taught by
Linux Foundation