SupplyChainSecurityCon hosted by CNCF + CDF 2021

The new technologies such as cloud, containers, virtual & cloud native network functions result in tremendous advances in the telecommunications industry.
With the help of these new technologies, the 5G networks that are currently being rolled out all around the world are developed rapidly in heavily disaggregated manner, allowing communications service providers to introduce new services to their users much faster than before.

However, the new technologies and resulting disaggregation is not without their challenges and the security of the software supply chain is one of them.
The components that are part of the 5G networks originate from multiple sources, including but not limited to vendors and open source communities with many integration points and deployed into different environments such as public and private clouds, increasing the risk of breaking the chain of trust.

This session will give a short overview of the next generation telecommunications networks, highlight the challenges, and talk about the opportunities to tackle them in a collaborative manner.

The Python Package Index (PyPI) is one of the oldest software repositories for a language ecosystem and the canonical place to publish Python code. It serves more than 2 billion requests a day, and is almost entirely supported by volunteers and the non-profit Python Software Foundation.

In this talk, we'll review some recent supply-chain attack and how they relate to PyPI specifically. In addition, we'll take a look at some in-progess projects to make PyPI more resilient, secure and sustainable.

With the explosion of interest in SBOMs, it's likely that you've just heard of a few projects for the first time -- even if those projects aren't new, they may be new to you, and you might be asking yourself, "how is X different from Y?" You might also be wondering which projects you should select in order to satisfy the requirements of the Executive Order!
As when starting out on any journey, before entering unfamiliar territory, it is important to understand the lay of the land, pack the right supplies, and get to know your traveling companions.
In this talk, a few maps of the open source supply chain landscape will be shared. Attendees will gain a sense of both the breadth and depth of the challenges ahead, and learn to identify a few essential types of tools for their journey.

If you've analyzed or responded to software vulnerabilities like BadAlloc, KRACK, or the PROTOS SNMP test suite from 2002, then you've encountered the intersection of vulnerabilities and supply chains. Without supply chain knowledge, multi-party coordinated vulnerability disclosure efforts are largely limited to manual investigation, one-offs, and guesswork. Follow-on activities like vulnerability management and risk assessment are also hindered. To what extent are vulnerabilities in upstream dependencies inherited? What happens when build tools have or create vulnerabilities? How might we effectively perform coordinated disclosure and share supply chain knowledge at scale? What part will SBOM (software bill of materials) play?