Securing the software supply chain for Infra management tools
2023-02-07, 14:00–14:50, B.3.037

Infrastructure management tools have a special place among software regarding security, as they usually run ubiquitously, with high privileges and a relatively high attack surface. This makes them targets of choice, especially in the current context of increased threats on software supply chains.

What are our (new) responsibilities as software editors in an open source ecosystem? They include a precise identification and authentication of all software components (to provide a Software Bill of Material) and constraints on the build process and software distribution models.

This talk will give an overview of the current state of the rapidly evolving software supply chain standards and tooling (e.g. SLSA, SBOMs, etc.). It will also explore more concrete items, focused on dependencies management in open source ecosystems and our experience with Rudder.

See also: Slides

Coming from a system administration background, Alexis switched to doing mostly software engineering. He is currently lead developer on the system parts of Rudder, including networking, configuration management agents and security.
He is also part of the Rust language Secure Code working group, which promotes tooling to help writing secure code in Rust and manages the Rust ecosystem vulnerability database.

