Thinking Upstream About White House Cybersecurity Executive Order 14028

In recent years, we have seen an increase in the number of catastrophic supply chain attacks in both open source software (such as with event-stream and recent dependency confusion vulnerabilities) and in the proprietary software world (with the SolarWinds and Hafnium exploits).

Dealing with open source supply chain attacks can be particularly daunting for a simple reason: rather than working with a single supplier (like SolarWinds), a single component can have dozens of suppliers (open source maintainers with commit privileges). Given that at least 70% of the code that makes up the average modern application is open source, this means your open source supply chain can include thousands of discrete suppliers. To manage open source effectively, you need a strategy that addresses, at scale, a wide array of potential attack vectors and software maintenance issues.

In this presentation, Tidelift CEO Donald Fischer will give application development leaders a frank assessment of the current state of software supply chain security, including an overview of common vulnerability types and an analysis of recent US government policy designed to secure the software supply chain. He’ll then share the best practices top organizations are using for open source software supply chain management and governance today, along with a set of immediately actionable recommendations organizations can implement as part of a comprehensive strategy for managing open source health and security.

Donald Fischer

CEO and Co-founder, Tidelift