CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Protecting the supply chain in 2023 - Interview with Feross Aboukhadijeh

CEO of Socket discusses the supply chain as the top risk for 2023 and ways to secure it in an interview for The Security Repo podcast. The episode focuses on insights from the 2023 RSA conference. Visit Socket's website for more information.

Video Transcript

Obviously I have some interest in saying this, but supply chain has been in the news for a reason. I think people are waking up to the fact that their applications depend on hundreds or thousands of individuals and organizations around the world. In the case of open source, we build our apps on the shoulders of giants; we depend on hundreds or thousands of open source packages. This is great, but there's some risk that comes with that approach. That means that if you have one bad apple, one maintainer that loses control of their package or goes rogue, or a package that gets hijacked, that can affect thousands of organizations. So I think supply chain has to be the thing that everybody's taking a look at right now, for a good reason.

The first, most important thing is to realize that open source security is about more than vulnerabilities. So expand your thinking beyond known vulnerabilities and take a broader, more holistic look at how you secure your open source. That should include threats like malware, threats like protestware, other types of supply chain attacks, compromised packages, obfuscated code. You really have to think about why you trust these open source packages. So the first thing is the mindset shift.

The second thing I would say is introduce a process around how you bring open source dependencies into your organization. I've spoken to just far too many teams and organizations where basically any developer can add a dependency if they feel like it. So I think if you could change the way you think about that and introduce some sort of check or analysis (obviously Socket can help you with that), that's a great tip.

And then finally, I think stay vigilant and just keep your mind aware of all the different sources of threats that there are out there, and stay curious.
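The dependency-intake check the interview recommends, as an added example that is not Socket's code and not part of the original page: a small Node.js script that diffs an npm package-lock.json (lockfileVersion 2 or 3) before and after a change and reviews each newly added package, flagging it when it is not on a team allowlist, declares an install-time lifecycle script (npm records this in the lockfile as hasInstallScript), resolves outside the expected registry, or has no integrity hash. The lockfile contents, the package names example-utils and example-build-helper, the registry URL and the allowlist are all constructed for the example.

```javascript
// Added example (not Socket's code): a minimal dependency-intake gate for CI.
// It compares the package set of an npm package-lock.json (lockfileVersion 2
// or 3) before and after a change and reviews every newly added package.
// All lockfile contents, package names and URLs below are constructed.

const APPROVED_REGISTRY = "https://registry.npmjs.org/"; // assumed: the only registry the team trusts

// Packages a reviewer has already signed off on (assumed team allowlist).
const ALLOWLIST = new Set(["express", "example-utils"]);

// Lockfile before the change: one approved dependency.
const BASE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { express: "^4.18.2" } },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-constructed-placeholder",
    },
  },
};

// Lockfile after a developer's pull request: two new packages appear.
const HEAD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { express: "^4.18.2", "example-utils": "^1.0.0", "example-build-helper": "^2.0.0" },
    },
    "node_modules/express": BASE_LOCK.packages["node_modules/express"],
    "node_modules/example-utils": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-utils/-/example-utils-1.0.0.tgz",
      integrity: "sha512-constructed-placeholder",
    },
    "node_modules/example-build-helper": {
      version: "2.0.0",
      resolved: "https://mirror.example.internal/example-build-helper-2.0.0.tgz",
      integrity: "sha512-constructed-placeholder",
      hasInstallScript: true, // npm sets this when the package declares preinstall/install/postinstall
    },
  },
};

// Map "name@version" -> lockfile entry, skipping the root project entry ("").
function packageMap(lock) {
  const out = new Map();
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    // Paths look like "node_modules/a/node_modules/@scope/b"; the package
    // name is whatever follows the last "node_modules/" segment.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(`${name}@${meta.version}`, { name, ...meta });
  }
  return out;
}

// Entries present in head but not in base: brand-new packages and version bumps.
function addedPackages(baseLock, headLock) {
  const base = packageMap(baseLock);
  return [...packageMap(headLock).values()].filter((m) => !base.has(`${m.name}@${m.version}`));
}

// The intake checks a reviewer would want answered before a new package is merged.
function reviewPackage(meta, allowlist) {
  const findings = [];
  if (!allowlist.has(meta.name)) findings.push("not on the approved dependency allowlist");
  if (meta.hasInstallScript) findings.push("declares an install-time lifecycle script");
  if (!meta.resolved || !meta.resolved.startsWith(APPROVED_REGISTRY)) {
    findings.push(`does not resolve from ${APPROVED_REGISTRY}`);
  }
  if (!meta.integrity) findings.push("has no integrity hash");
  return findings;
}

// Returns { ok, report }; ok is false if any newly added package has a finding.
function gateDependencies(baseLock, headLock, allowlist) {
  const report = addedPackages(baseLock, headLock).map((meta) => ({
    package: `${meta.name}@${meta.version}`,
    findings: reviewPackage(meta, allowlist),
  }));
  return { ok: report.every((r) => r.findings.length === 0), report };
}

// Demo run over the constructed lockfiles. In CI, exit non-zero when !ok.
const result = gateDependencies(BASE_LOCK, HEAD_LOCK, ALLOWLIST);
for (const r of result.report) {
  console.log(`${r.package}: ${r.findings.length ? r.findings.join("; ") : "ok"}`);
}
console.log(result.ok ? "dependency gate passed" : "dependency gate FAILED");
```

Run it against the lockfile from the pull request's base branch and head commit; example-utils passes because it is allowlisted, pulled from the approved registry and pinned by an integrity hash, while example-build-helper is reported three times (not allowlisted, install script, unexpected registry) and fails the gate. Version bumps of already-approved packages are re-checked for registry, integrity and install scripts but pass the allowlist, so the gate does not block routine updates; a real pipeline would also feed the new packages to a tool such as Socket for the deeper malware and obfuscation analysis the interview mentions.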