Securing Open Source Software Supply Chain - Continuous Secure Software Ingestion
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the challenges and solutions for securing open-source software (OSS) ingestion in enterprise environments through this 26-minute conference talk by James Holland from Citi. Learn why package managers on their own perform only limited security checking, and why additional measures are needed to ensure safe OSS usage. Discover the Continuous Secure Software Ingestion (CSSI) application, a policy-driven system built on Tekton and Open Policy Agent (OPA), designed to perform continuous secure ingestion from various sources, including Google AOS. Gain insights into the additional constraints placed on downstream enterprise Software Composition Analysis (SCA) tooling so that it can handle the resulting data graph. Understand the importance of automated grooming of OSS artifacts and the implementation of robust security checks during the ingestion process and beyond.
Syllabus
How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Hands-on Introduction to GitGat for SCM Security (Rawkode Academy via YouTube)
Introduction to Open Policy Agent - Rego Language and Kubernetes Policies (Rawkode Academy via YouTube)
Overcoming CVE Shock - Adding Perspective in Vulnerability Scanning (Devoxx via YouTube)
How to Secure a Kubernetes Cluster from Scratch (Devoxx via YouTube)
Tools to Help You Secure Your Kubernetes Cluster (Devoxx via YouTube)