3rd KTH Workshop on the Software Supply Chain

Welcome to the 3rd KTH Workshop on the Software Supply Chain. This workshop is organized in the context of the CHAINS research project.

Program

Time Event
0900 Introduction by Martin Monperrus
0930 Keynote: Understanding and Preventing Open-Source Software Supply Chain Attacks by Piergiorgio Ladisa
1030 Break + Poster Session (Elias + Master students)
1120 SBOM.exe: Runtime Integrity for Java by Aman Sharma
1140 SBOM2Sandbox: convenient sandboxing for Node.js by Eric Cornelissen
1200 Lunch at Syster o Bror
1400 Applying consistent supply chain policies at scale with Minder and Trusty Jakub Hrozek
1500 Fika
1530 Capslock: Capability Analysis in Golang ecosystem by Carmine Cesarano
1550 BUMP: A Benchmark of Reproducible Breaking Dependency Updates by Frank Reyes-García
1610 VEX-generation for containers by Yekatierina Churakova
1630 Closing

Talks

Understanding and Preventing Open-Source Software Supply Chain Attacks,Piergiorgio Ladisa), ING

Piergiorgio Ladisa

Abstract: In this talk, we explore open-source supply chain attacks, aiming to understand and prevent them. We present a comprehensive, technology-agnostic taxonomy of these attacks and the mapping of existing safeguards that mitigate them. We also detail how third-party dependencies gain execution on downstream systems and suggest automated detection methods for malicious packages within open-source supply chain attacks. First, we present the evaluation of a machine learning-based approach for detecting malicious packages in JavaScript and Python. Then, we present the evaluation of a static approach to identify malicious packages in Java.

Applying consistent supply chain policies at scale with Minder and Trusty, Jakub Hrozek, Stacklok

Jakub Hrozek

Managing the security settings of a single repository can be done with a bit of scripting. But what do you do when your organisation has more repositories than developers and every developer team wants to apply their settings to meet their own definition of “secure”? In addition, how do you make sure that the dependencies your repositories are consuming are trustworthy and should be used as the foundation of your software?

In this talk, we’ll demonstrate two tools we have been developing at Stacklok - Minder which addresses the repository sprawl and allows users to secure their repositories by using an extensible policy engine and Trusty which allows to assess the quality of a software package by going beyond metrics like CVEs and instead focusing on how “trusted” a dependency can be.

Poster submission

If you indicated “Yes” to present a poster, you are already accepted! Please email the PDF of the poster to amansha@kth.se by 15th April, 2024 with title and abstract and we will get it printed. The size of the poster should be A1. After the workshop, we will also host the posters on this website.

Sponsors

Imagen 2 Imagen 1

Previous editions