Know Your Ingredients: Security Starts With the Source

Track: Security
Abstract
One of the most neglected parts of application security is the ingredients that go into developing software. Over 80 percent of the code used in enterprise applications comes from open source dependencies, but how much attention goes towards the provenance and security of those packages? And in the pursuit of accelerated software development, developers are leveraging more and more libraries, as well as code “created” by generative AI algorithms, so how do you prevent defects or malicious payloads from compromising your security?

This is analogous to a restaurant where you invest in modern decor, professional chefs, and world-class service. But if you don’t get fresh, quality ingredients delivered daily, the taste and hygiene of the food will suffer. Securing the software supply chain is a huge undertaking for the entire tech industry, and we will talk about some of the ongoing efforts by open source projects, foundations, and corporations to help us all know our ingredients.
Stephen Chin
Stephen Chin is VP of Developer Relations at JFrog, chair of the CDF governing board, member of the CNCF and OpenSSF governing boards, and author of The Definitive Guide to Modern Client Development, Raspberry Pi with Java, Pro JavaFX Platform, and the DevOps Tools for Java Developers title from O'Reilly. He has keynoted numerous conferences around the world including swampUP, Devoxx, JNation, JavaOne, Joker, and Open Source India. Stephen is an avid motorcyclist who has done evangelism tours in Europe, Japan, and Brazil, interviewing hackers in their natural habitat. When he is not traveling, he enjoys teaching kids how to do embedded and robot programming together with his daughters.