3rd KTH Workshop on the Software Supply Chain
Welcome to the 3rd KTH Workshop on the Software Supply Chain. This workshop is organized in the context of the CHAINS research project.
- Location: Salongen, Osquars backe 31, KTH Campus
- Date: April 26, 2024
- Time: 9h-17h
Program
| Time | Event |
|---|---|
| 0900 | Introduction by Martin Monperrus |
| 0930 | Keynote: Understanding and Preventing Open-Source Software Supply Chain Attacks by Piergiorgio Ladisa (slides) |
| 1030 | Break + Poster Session (Elias + Master students) |
| 1120 | SBOM.exe: Runtime Integrity for Java by Aman Sharma (slides) |
| 1140 | SBOM2Sandbox: convenient sandboxing for Node.js by Eric Cornelissen (slides) |
| 1200 | Lunch at Syster o Bror |
| 1400 | Applying consistent supply chain policies at scale with Minder and Trusty Jakub Hrozek (slides) |
| 1450 | Maven-lockfile: Lockfiles for Maven by Yogya Gamage |
| 1500 | Fika |
| 1530 | Capslock: Capability Analysis in Golang ecosystem by Carmine Cesarano (slides) |
| 1550 | BUMP: A Benchmark of Reproducible Breaking Dependency Updates by Frank Reyes-García |
| 1610 | VEX-generation for containers by Yekatierina Churakova |
| 1630 | Closing |
Talks
Understanding and Preventing Open-Source Software Supply Chain Attacks, Piergiorgio Ladisa), ING
Abstract: In this talk, we explore open-source supply chain attacks, aiming to understand and prevent them. We present a comprehensive, technology-agnostic taxonomy of these attacks and the mapping of existing safeguards that mitigate them. We also detail how third-party dependencies gain execution on downstream systems and suggest automated detection methods for malicious packages within open-source supply chain attacks. First, we present the evaluation of a machine learning-based approach for detecting malicious packages in JavaScript and Python. Then, we present the evaluation of a static approach to identify malicious packages in Java.
Applying consistent supply chain policies at scale with Minder and Trusty, Jakub Hrozek, Stacklok
Managing the security settings of a single repository can be done with a bit of scripting. But what do you do when your organisation has more repositories than developers and every developer team wants to apply their settings to meet their own definition of “secure”? In addition, how do you make sure that the dependencies your repositories are consuming are trustworthy and should be used as the foundation of your software?
In this talk, we’ll demonstrate two tools we have been developing at Stacklok - Minder which addresses the repository sprawl and allows users to secure their repositories by using an extensible policy engine and Trusty which allows to assess the quality of a software package by going beyond metrics like CVEs and instead focusing on how “trusted” a dependency can be.
Poster session
List of posters:
- Secured ( defined ) or Compliant ( declared ) SBOM by Hans Thorsen Lamm
- Implementing SBOM Attestations in an Enterprise Context: An Exploration of the Benefits and Challenges by Christofer Vikström
- Strengthening the Go Ethereum Supply Chain by Build Integrity by Vivi Andersson
- Embedding the Software Supply Chain in Java Class Files by Daniel Williams
- Analysis of the software supply chain of cryptocurrency wallets by Raphina Liu, Sofia Bobadilla
- Fracturiser: Attack on Minecraft Mods by Elias Lundell
- An Evaluation of Air-gapped Software Builds by Oliver Schwalbe Lehtihet
- Slowdown breaking dependency updates with Bumper by Federico Bono
Sponsors
