Overview
In 2023, Sonatype reported identifying 245,032 malicious open-source packages, a 200% increase in software supply chain attacks over the previous year. Well-known attacks such as SolarWinds, Log4j, and XZ Utils affected thousands of customers and hundreds of businesses and government agencies throughout the world.
All indications are that software supply chain attacks continue to rise.
We invite the community to join us for the 2024 Software Supply Chain Community Day where industry, government, and academia can network and discuss challenges, practical solutions, and the latest software supply chain security research.
Date: Friday, November 15, 2024
Time: 10AM - 4:30 PM
Place:
Frontier RTP
Building 800, Classroom A&B
800 Park Offices Dr, Research Triangle Park, NC 27709
RSVP by Thursday, November 7. Space is limited, so please RSVP as soon as possible.
Agenda
10:00 | Welcome
10:10 | Using Artifact Dependency Graphs to Improve Software Supply Chain Resilience - Jeff Schutt, Cisco
       Learn how Artifact Dependency Graphs (ADGs) cryptographically identify and prove what is in any software artifact, augment SBOMs, and accelerate vulnerability impact assessments. Jeff Schutt is a Principal Engineer and technical leader of Cisco’s Trust & Compliance Office, focused on technology assurance outcomes that improve supply chain security and resilience at scale.
10:40 | Software Supply Chain Vulnerability Monitoring in Production - Larry Maccherone, Contrast Security
       This talk explores technology and techniques to evaluate software supply chain security effectively in production, which in turn fundamentally changes the economics of being able to do it well in pre-prod. Larry is a cybersecurity researcher and architect and a software development practitioner who has empowered hundreds of development teams to take ownership of the security of their software.
11:10 | Break |
11:30 | Student Ignite presentations
11:35 | Elizabeth Lin: Everything with Software Composition Analysis |
11:41 | Imranur Rahman: What’s in a package? Security Sensitive API calls by Open Source Packages for Better Dependency Selection
11:47 | Mahzabin Tamanna: Security Smells in Build Scripts: Towards Large-Scale Detection and Open Source Project Integration |
11:53 | Greg Tystahl: COSSETER: GitHub Actions Permission Reduction Using Static Analysis |
11:59 | Jonah Ghebremichael: Enhancing Static Call Graph Analysis Using LLMs for Greater Vulnerability Detection |
12:05 | Sivana Hamer: Closing the Chain: How not to be Solarwinds, Log4j, or XZ utils. |
12:11 | Madison Thomas: Breaking Barriers: Implementing Cybersecurity Education for Underserved Middle School Students |
12:17 | Nusrat Zahan: How do software security practices impact security outcomes? |
12:24 | Courtney Miller: Understanding the Response to Dependency Abandonment in the npm Ecosystem |
12:30 | Networking lunch (provided) and research poster session |
1:30 | Lessons Learned in Software Supply Chain Security for Government Projects - Michael Roman, CEO, OOKOS / Duke University
2:00 | Panic at the Distro: Malware Prevention in Linux Distributions - Trevor Dunlap, Chainguard
       Trevor Dunlap is a Principal Research Scientist at Chainguard, where he researches broader aspects of open-source security.
2:30 | Break |
2:50 | Industry Panel: Software Supply Chain Security Challenges
       Bill Jaeger, Lenovo; Chuck Kesler, Pendo; Brett Smith, SAS; Erkang Zheng, JupiterOne
3:45 | 10th Annual State of the Software Supply Chain Report - Stephen Magill, Sonatype |
4:30 | Continued networking and adjourn |