Scanner mentality getting in the way of securing the software supply chain

  • Published: 26 Jun 2024
  • In his Upstream session, James Berthoty, CEO of Latio Tech, provides an overview of the problem with submitting CVEs to GitHub issues, and why it is frustrating for compliance teams and maintainers alike. In this clip, he discusses why the scanner mentality is preventing us from securing the software supply chain.
    Watch the full talk here: explore.tidelift.com/upstream...
    Transcript:
    And what's interesting is that the scanner mentality has actually diminished a little bit of how we think of this correctly, I would argue. Because when we scan open source repos, we're being told by the vendors that this is part of doing security, right? We're looking for CVE issues so that we know that our upstream repos are secure, that we're secure against attacks. But this really revealed that it's not really a scanner problem to achieve upstream security. Upstream security is about building meaningful relationships with the maintainers whose software you're using, to make sure that you can actually trust them and reduce the risk of supply chain takeover. As well as, when CVEs happen, you actually have someone to talk to to get a fix published. That there's actually some sort of guarantee, first of all, that there are some ongoing security processes in place beyond the security policy and what's written, but then also that fixes will get published in a reasonable amount of time. So all of this really points more and more to: if we want to solve the heart of this problem, it's not just additional scanners.
  • Science
