YoVDO

Open Source Supply Chain Threat Landscape - A Moving Target

Offered By: Linux Foundation via YouTube

Tags

Cybersecurity Courses, Malware Courses, Software Vulnerabilities Courses, Vulnerability Analysis Courses, Typosquatting Courses

Course Description

Overview

Explore the evolving landscape of open source supply chain threats in this 31-minute conference talk by Brian Fox from Sonatype. Gain insights into the growing number of organized attackers exploiting vulnerabilities in open source ecosystems and their tactics to make malware appear legitimate. Learn about the cascading impacts of these exploitations and the importance of implementing developer-first security tools. Trace the evolution of attacks over the past 15 years, from old school vulnerabilities to modern sophisticated techniques targeting developers. Understand the economic motivations behind these attacks, including VC funding for attackers and the comparison to the global drug trade. Discover strategies to counter the latest types of attacks, including the importance of fixing open source vulnerabilities, implementing proper vulnerability analysis, and adopting factory Deming principles for security. Recognize the critical role of understanding your supply chain and empowering people to enhance security measures.

Syllabus

Introduction
Context
Supply Chain
Edward Reever
Chevy Cobalt
Boeing 787
Lettuce
Old School Vulnerabilities
First Vulnerabilities
Shellshock, Heartbleed
Commons Collections
Log4Shell
China
National Security Agency
New Rise of Open Source
Typosquatting attacks
evolution of attacks
attacks on developers
Jenkins
Vercata
Code Cub
Inversion
White Hat Research
Bug Bounties
The attackers are still focused
Global drug trade 2016
VC funds investing in attackers
They're looking for the easy way
For the attackers right now
This rise is not a coincidence
Credit card fraud detection
What do we do about it
They were freaking out
They're amateurs
Fix Open Source
Takata Airbag
JYear on View
Vulnerability Analysis
Solving 4 of the Problem
The Good News
The Point
You have a supply chain
How to avoid the next malicious release
Factory Deming principles
Security is most important
People are faster and more secure
Conclusion


Taught by

Linux Foundation

Related Courses

Unlocking Information Security II: An Internet Perspective
Tel Aviv University via edX
Cybersecurity Capstone: Breach Response Case Studies
IBM via Coursera
Complete Ethical Hacking Bootcamp
Udemy
Cyber Security Advanced Persistent Threat Defender Preview
Udemy
Performing Threat Modeling with the PASTA Methodology
Pluralsight