Zach Steindler, GitHub
There's a new pattern of supply chain attacks on open source, where malware exfiltrates secrets from build processes in order to publish more malicious packages from attacker-controlled machines to propagate the attack. These attacks happen at the intersection of how open source projects are maintained, what security capabilities build platforms and package repositories have, what steps consumers of open source take to protect themselves, and how ready we all are to do incident response when an attack happens.
But there are things we can do today to make things better. We'll cover how to secure your build process, including removing secrets altogether; how to prepare for an attack by tracking your open source dependencies and putting together an incident response playbook; and where to go for information during an attack and how to minimize its impact. Lastly, we'll talk about potential signals for proactively detecting that a package might be compromised.
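As an added, defender-side example (not from the talk or from GitHub), here is a small audit of a parsed GitHub Actions workflow that flags release steps fed a stored secret and notes jobs that use the short-lived OIDC `id-token` instead; the two sample workflows are constructed, and the workflow is assumed to already be parsed into a dict as `yaml.safe_load` would produce.

```python
import re
from typing import Any, Iterator, List

# Matches an Actions expression that reads a stored repository secret.
# secrets.GITHUB_TOKEN is excluded: it is minted per job and expires with it.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)(\w+)\s*\}\}")


def _strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere inside a parsed YAML value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def _grants_id_token(*scopes: dict) -> bool:
    """True if the workflow or job scope grants `id-token: write` (the OIDC permission)."""
    for scope in scopes:
        perms = scope.get("permissions")
        if isinstance(perms, dict) and perms.get("id-token") == "write":
            return True
    return False


def audit_workflow(workflow: dict) -> List[str]:
    """Report long-lived secrets a build can leak, and jobs that use OIDC instead."""
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            names = {m.group(1) for s in _strings(step) for m in SECRET_REF.finditer(s)}
            for name in sorted(names):
                findings.append(f"{job_name}/step{i}: long-lived secret {name} exposed to build")
        if _grants_id_token(workflow, job):
            findings.append(f"{job_name}: uses OIDC id-token (short-lived, nothing to exfiltrate)")
    return findings


# Constructed sample: a release job that hands a stored API token to the publish step.
LEGACY_RELEASE = {"jobs": {"release": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"run": "python -m build"},
    {"uses": "pypa/gh-action-pypi-publish@release/v1",
     "with": {"password": "${{ secrets.PYPI_API_TOKEN }}"}}]}}}

# Constructed sample: same job using OIDC trusted publishing; no stored secret exists to steal.
OIDC_RELEASE = {"jobs": {"release": {"permissions": {"id-token": "write", "contents": "read"},
    "steps": [{"uses": "actions/checkout@v4"}, {"run": "python -m build"},
              {"uses": "pypa/gh-action-pypi-publish@release/v1"}]}}}
```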

Zach is a Principal Security Engineer at GitHub, where he helps secure open source users and enterprise customers. In the OpenSSF he chairs the Technical Advisory Council and co-chairs the Securing Repositories Working Group, which helps coordinate security improvements in programming language package repositories like PyPI and npm. Away from computers he enjoys gardening and welding.
