In a recent article published on The New Stack, Mary Branscombe takes an in-depth look at the role of security in the open source software supply chain.
Popular open source packages are at risk of compromise, and every organization that depends on those packages inherits that risk. Branscombe notes that these problems are not unique to open source, but as Microsoft Azure Chief Technology Officer Mark Russinovich states, “open source is such a massive ecosystem that we need to go after it specifically and there are some specific implementation points in the supply chain that need to be addressed for open source.”
Fortunately, as Branscombe states, “there are multiple steps the open source community can take, starting with good hygiene software development and package management, all the way up to defining a ‘bill of materials’ for software the way we do for physical products to make dependency tracking more effective.” She surveys tools that can help improve code quality and explains how a Software Bill of Materials (SBOM) provides transparency into what a piece of software actually contains, which in turn strengthens the software supply chain.
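To make the dependency-tracking point concrete, here is an added example (not code from the article, from The New Stack, or from any SBOM tool) that reads a small SBOM shaped like CycloneDX JSON, builds the dependency graph from its `dependencies` section, and answers the question an SBOM is meant to answer quickly: when a package is flagged, is it in our software, and through which dependency chains? The SBOM content, the package names and the flagged version are all constructed for illustration and do not refer to real packages or real advisories.

```python
"""Walk a CycloneDX-style SBOM to locate a flagged component and the paths that pull it in.

Added example; the SBOM below is constructed, and every package name and
version in it is hypothetical.
"""
import json

# Constructed sample SBOM in the shape of CycloneDX 1.4 JSON. 'bom-ref' values
# double as package URLs (purls) so each component has a stable identifier.
ROOT_REF = "pkg:npm/example-app@1.0.0"
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "1.0.0", "bom-ref": ROOT_REF}},
    "components": [
        {"type": "library", "name": "http-lib", "version": "2.3.0", "bom-ref": "pkg:npm/http-lib@2.3.0"},
        {"type": "library", "name": "parse-lib", "version": "1.0.4", "bom-ref": "pkg:npm/parse-lib@1.0.4"},
        {"type": "library", "name": "tiny-util", "version": "0.9.1", "bom-ref": "pkg:npm/tiny-util@0.9.1"},
        {"type": "library", "name": "log-lib", "version": "3.1.0", "bom-ref": "pkg:npm/log-lib@3.1.0"},
    ],
    # The dependency graph: tiny-util is reached both directly via http-lib and
    # transitively via parse-lib, which is exactly what a flat package list hides.
    "dependencies": [
        {"ref": ROOT_REF, "dependsOn": ["pkg:npm/http-lib@2.3.0", "pkg:npm/log-lib@3.1.0"]},
        {"ref": "pkg:npm/http-lib@2.3.0", "dependsOn": ["pkg:npm/parse-lib@1.0.4", "pkg:npm/tiny-util@0.9.1"]},
        {"ref": "pkg:npm/parse-lib@1.0.4", "dependsOn": ["pkg:npm/tiny-util@0.9.1"]},
        {"ref": "pkg:npm/log-lib@3.1.0", "dependsOn": []},
        {"ref": "pkg:npm/tiny-util@0.9.1", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON and check the two fields we rely on are present."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "dependencies" not in sbom:
        # An SBOM without a dependency section still lists what is inside the
        # software, but cannot explain how any component got there.
        raise ValueError("SBOM has no dependency graph")
    return sbom


def build_graph(sbom):
    """Map each bom-ref to the list of bom-refs it depends on."""
    return {entry["ref"]: list(entry.get("dependsOn", [])) for entry in sbom["dependencies"]}


def reachable(graph, root):
    """All components that the root transitively depends on (root excluded)."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen


def find_paths(graph, root, target):
    """Every simple dependency chain from root to target, as lists of bom-refs."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cycles in malformed SBOMs
                dfs(child, path + [child])

    dfs(root, [root])
    return paths


def affected_refs(sbom, name, bad_versions):
    """bom-refs of listed components whose name and version match a (hypothetical) advisory."""
    return [c["bom-ref"] for c in sbom["components"]
            if c.get("name") == name and c.get("version") in bad_versions]


def report(sbom_text, name, bad_versions):
    """For each affected component, the chains by which the root pulls it in."""
    sbom = load_sbom(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = build_graph(sbom)
    return {ref: find_paths(graph, root, ref) for ref in affected_refs(sbom, name, bad_versions)}


if __name__ == "__main__":
    # Hypothetical advisory: tiny-util 0.9.1 is flagged. Both chains are printed.
    for ref, chains in report(SBOM_JSON, "tiny-util", {"0.9.1"}).items():
        print(ref)
        for chain in chains:
            print("  " + " -> ".join(chain))
```

The `dependencies` section is what separates an SBOM from a plain inventory: with it, a flagged package can be traced to the direct dependency that must be upgraded or replaced, and a component that appears in the list but is reachable by no chain stands out as something to question.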
Read the complete article at The New Stack