Securing the Software Supply Chain - Go Checksum Database

Offered By: USENIX Enigma Conference via YouTube

Tags

Software Supply Chain Security Courses
Software Development Courses
Cybersecurity Courses
Certificate Transparency Courses

Course Description

Overview

Explore the critical issue of securing the software supply chain in this 22-minute conference talk from USENIX Enigma 2020. Delve into the challenges posed by widespread code reuse and third-party dependencies in modern software development. Examine high-profile security incidents and their patterns, including compromised developer credentials and ecosystem access issues. Learn about the innovative Go checksum database, designed to secure the Go modules ecosystem without additional work from module authors. Discover how this centralized log system employs Certificate Transparency technology to ensure accountability and enables third-party auditors to provide new version notifications. Understand the database's cacheability features and their implications for resource management and privacy. Gain insights into applying these concepts to other software package ecosystems to enhance overall software supply chain security.

Syllabus

Intro
Three supply chain security players
Provenance
Go Modules
Availability
Go Module Proxies and Mirror
Integrity
Merkle trees for accountability
Tiles for caching
The Go Checksum Database
Go build dependencies
Vulnerability tracking
Security practices
Auditing
Questions?
Taught by

USENIX Enigma Conference
