Our dependency on Open Source is scary. SLSA, SBOM and Sigstore to the rescue
We depend on OSS so much; no one is writing a cURL or a math library anymore; everyone is just pulling a bunch of stuff from the Internet with Maven or npm, and that's scary. How do you know your dependencies are free of backdoors or vulnerabilities? Have you heard of SLSA, SBOM, or the new fuzzy phrase on the street, "Software Supply Chain Security", before? Maybe yes, if you are an avid reader of some tech publications. But what does this all mean? Or rather, should you care? Well, the answer is: it depends. In this talk, the speaker will attempt to clarify these terms and what they mean, and present the state of the security world, including the tools and methodologies people and organizations are implementing to ensure software is secured from dev to production.