Securing the Software Supply Chain - Go Checksum Database
Offered By: USENIX Enigma Conference via YouTube
Course Description
Overview
Explore the critical issue of securing the software supply chain in this 22-minute conference talk from USENIX Enigma 2020. Delve into the challenges posed by widespread code reuse and third-party dependencies in modern software development. Examine high-profile security incidents and their patterns, including compromised developer credentials and ecosystem access issues. Learn about the innovative Go checksum database, designed to secure the Go modules ecosystem without additional work from module authors. Discover how this centralized log system employs Certificate Transparency technology to ensure accountability and enables third-party auditors to provide new version notifications. Understand the database's cacheability features and their implications for resource management and privacy. Gain insights into applying these concepts to other software package ecosystems to enhance overall software supply chain security.
Syllabus
Intro
Three supply chain security players
Provenance
Go Modules
Availability
Go Module Proxies and Mirror
Integrity
Merkle trees for accountability
Tiles for caching
The Go Checksum Database
Go build dependencies
Vulnerability tracking
Security practices
Auditing
Questions?
Taught by
USENIX Enigma Conference
Related Courses
Hardening Your Soft Software Supply ChainPluralsight DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub
Pluralsight Securing Your Software Supply Chain with Sigstore
Linux Foundation via edX GitHub Supply Chain Security Using GitGat
Linux Foundation via edX Kyverno - Deep Dive - Tech Talks
Mirantis via YouTube