# Supply Chain Security in Open Source

**Location:** University of California Santa Cruz, Engineering Building 2, Room 506

**Date:** September 28th from 2:50 PM – 4:15 PM PDT

https://ucospo23.sched.com/event/1RHfi/track-2-panel-supply-chain-security-in-open-source

**Hosts:** Alvaro Cárdenas and Juanita Gómez

**Panelists:**

- [Jay White](https://www.linkedin.com/in/jautauwhite/)
- [Gary O'Neall](https://www.linkedin.com/in/goneall/)
- [Jeff Shapiro](https://www.linkedin.com/in/jeffcshapiro/)

## Description

Join our panel discussion to learn about supply chain security threats in open source software, their potential impact on university research, and how to respond to them given upcoming software regulations.

### Key Discussion Points

- Supply Chain Threats in Open Source Software: Risks within open source software and their potential to disrupt software projects and data integrity.
- Impact on Research Enterprises: How security threats can directly affect universities' research operations and confidentiality.
- Role of Software Regulations: Implications of emerging regulations like the EU's Cyber Resilience Act on open source software and academic research.
- Mitigating Supply Chain Risks: Strategies and best practices to safeguard research projects and data.
- Collaborative Solutions: Potential partnerships between academia, industry, and government entities in addressing these security challenges.

## Bios

### Jay White

Jay has 20+ years of IT/information security experience dedicated to cyber risk, security, privacy, and compliance. He provides a combined tactical and strategic balance towards the implementation of security and compliance requirements that aligns with an organization's broader business strategy. Jay believes we should exceed the standard for our customers and partners and take the community approach to understanding business needs. Jay is a trusted advisor and a proud US Army retiree.
### Gary O'Neall

Gary is a co-lead of the technical workgroup for the Software Package Data Exchange® (SPDX™), an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. Gary has contributed several open-source tools, including the SPDX Java Libraries and Tools, which can be found at https://spdx.dev/spdx-tools/. Gary O'Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.

### Jeff Shapiro

Jeff Shapiro is the license scanning manager for The Linux Foundation. He has 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.

## Topic presentations

- **Gary** ---> Software provenance, source code vs. 3rd-party dependencies
- **Jeff** ---> SBOMs and SPDX
- **Jay** ---> OpenSSF initiatives and tools

## Questions

Supply chain security is not only a technical problem; it is also an organizational, education, and risk-assessment problem. We have questions on each of these topics.

### Risks within open source

**What are the main challenges for integrating these tools and practices into the development lifecycle?**

**Could you talk about the challenges that researchers may encounter when relying on open source tools for their research projects, especially in terms of security and data privacy concerns?**

**What measures can academic institutions take to mitigate these risks and incentivize secure practices within open source communities?**

**As researchers, what are the main technical barriers or tools that we need to develop to automate open source security? (Where's the gap?)**

**How do you see the supply chain security field evolving in the near future?**

- How can we better educate developers and researchers about the importance of supply chain security in open source development?
- What are the main challenges in the area of supply chain security, and what are our main opportunities to address them?
- Could you elaborate on the risks associated with third-party dependencies in open source software development?

### Technical solutions

- **We are researchers (PhD researcher in my case) and we are looking at the technical research challenges. What are the main technical barriers or tools that we need to develop to automate open source security?**
- **How do Software Bill of Materials (SBOMs) and SPDX play a role in mitigating risks within open source? Can you provide some practical examples?**
- **What tools, practices, or frameworks do you recommend for mitigating risks within open source, and how can these efforts be integrated into the development lifecycle?**
- What are some best practices for tracking and managing code dependencies, especially in projects involving multiple languages?
- What role does the OpenSSF Scorecard play in enhancing supply chain security in open source projects?

### Organizational solutions

- **How can organizations proactively identify and assess potential supply chain threats in their open source dependencies?**
- What organizational structures or models can be implemented to incentivize secure practices within open source communities?
- What are some emerging trends or technologies that developers and organizations should keep an eye on to enhance supply chain security in open source projects?

### Education

- **How can we better educate developers and the workforce about the importance of supply chain security in open source development?**
- **How can education and awareness-building initiatives contribute to improving the overall security posture of open source projects? (If there was a class you would design, what would you teach the next generation of open source developers?)**
- **Could you talk about the challenges that researchers may encounter when relying on open source tools for their research projects, especially in terms of security and data privacy concerns?**
- What measures can academic institutions take to mitigate these risks while leveraging open source solutions for research purposes?

Identify the software: discovery protocols