Lessons from Covid-19: A Community-Based Approach to Securing Open Source Software
In 2020, as the Covid-19 pandemic unfolded and changed community activities across the world, another unexpected threat was also surfacing: software supply chain attacks. The number of these attacks has risen exponentially in the past few years, and many have targeted open source software as a way of magnifying the blast radius. In the same way that containing Covid-19 required coordinated action, protecting open source software from these increasing attacks will also require community efforts.
Open source developers have long been referred to as members of communities, and new discoveries from researchers who analyze open source dependencies are showing just how tightly interconnected projects have become. But as the use of open source software continues to grow, the complex webs of shared code and dependencies that support innovation can also pose more widespread risk: a threat to one project can become a threat to thousands. Unfortunately, traditional secure coding practices and tests are not enough; supply chain attacks target not just code itself, but also the many channels involved in creating and sharing that code, which could be hundreds of attack surfaces for an open source project.
This talk builds on lessons learned from community health efforts during the Covid-19 pandemic and applies them to open source software security efforts. It describes new findings that show how truly interconnected open source communities are and makes the argument that such intermingling requires a community approach to security. As we learned during the pandemic, you don’t have to be a healthcare worker to take steps to protect yourself and those around you; likewise, in the open source world, you don’t need to be a security engineer to make small changes that have real impact.
In addition to introducing common methods of supply chain attacks on open source projects, this talk will share actionable ways to improve the supply chain security of not only your own projects, but also the projects that depend on them. It will also look at lessons learned from recent successful (and sometimes not-so-successful!) community-based efforts in this space, and conclude with ideas about how the unique aspects of open source development can require contributing to your community beyond just code.
