Choose your open source package like you choose a hotel
Securing our software supply chains has become one of the biggest stories of recent years. From code injection to typosquatting, bad actors are realising that getting code into the upstream supply chain may be an easier route than targeting vulnerabilities in downstream applications. So how do we manage this in open source communities? Well, one way is to be more deliberate about the code and packages we include in our applications. Modern applications typically consist of a small amount of 'homegrown' code together with large amounts of third-party modules, many of which can contain vulnerabilities. This is a familiar pattern to anyone developing in Python, Node, Java or Go. But how much time do we actually spend investigating these dependencies before we use them? Snyk Advisor (https://snyk.io/advisor/) is a free tool which assesses the overall health of packages in many open source communities, combining security vulnerability information with an assessment of the health of the community around the software, looking at commit frequency, license compliance, and a range of other factors. In this talk, we will introduce the problem space of software supply chain issues in open source package libraries and walk you through how tools like Advisor can help you make informed choices.
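To make the abstract's idea concrete, here is an added example (not Snyk Advisor's scoring, and not code from the talk) of a toy dependency review in Python. It combines the kinds of signals the abstract names, known vulnerabilities, commit recency, license presence and maintainer count, into a simple health score, and it flags dependency names that sit within one edit of a well-known package, the pattern a typosquat relies on. The weights, the package metadata and the list of popular package names are all constructed for the illustration.

```python
"""Toy dependency-health review (added illustration; not Snyk Advisor's algorithm).

All package metadata, the popular-package list and the score weights below are
constructed sample values, chosen only to show how vulnerability data and
community-health signals can be combined into one review.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed: widely used package names a lookalike package might imitate.
POPULAR_PACKAGES: Set[str] = {"requests", "urllib3", "numpy", "cryptography"}


@dataclass
class PackageInfo:
    name: str
    known_vulns: int            # open security advisories against the package
    last_commit: date           # most recent upstream commit
    license: Optional[str]      # SPDX identifier, or None if no license is declared
    maintainers: int            # people with publish rights


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1. Swaps matter because transposed
    letters are a common typo (and a common lookalike name)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def lookalike_of(name: str, popular: Set[str] = POPULAR_PACKAGES,
                 max_distance: int = 1) -> List[str]:
    """Popular package names within `max_distance` edits of `name`.
    An exact match is not a lookalike, so it is excluded."""
    return sorted(p for p in popular
                  if p != name and edit_distance(name, p) <= max_distance)


def health_score(pkg: PackageInfo, today: date) -> int:
    """0-100 score. Weights are assumed for the illustration only."""
    score = 100
    score -= min(60, 20 * pkg.known_vulns)          # each open advisory costs 20, capped
    days_idle = (today - pkg.last_commit).days
    if days_idle > 365:                              # no commits in over a year
        score -= 30
    elif days_idle > 180:
        score -= 15
    if pkg.license is None:                          # unlicensed code is a compliance risk
        score -= 20
    if pkg.maintainers < 2:                          # single maintainer: bus factor of one
        score -= 10
    return max(0, score)


def review_dependencies(pkgs: List[PackageInfo], today: date) -> Dict[str, dict]:
    """Score every dependency and flag names that imitate a popular package."""
    return {p.name: {"score": health_score(p, today), "lookalike_of": lookalike_of(p.name)}
            for p in pkgs}


# Constructed sample manifest: one healthy package, one lookalike, one stale package.
SAMPLE_PACKAGES = [
    PackageInfo("requests", 0, date(2022, 5, 20), "Apache-2.0", 5),
    PackageInfo("reqeusts", 0, date(2022, 5, 30), None, 1),
    PackageInfo("oldlib", 2, date(2020, 1, 15), "MIT", 1),
]
REVIEW_DATE = date(2022, 6, 1)

if __name__ == "__main__":
    for name, finding in review_dependencies(SAMPLE_PACKAGES, REVIEW_DATE).items():
        flag = f" looks like {finding['lookalike_of']}" if finding["lookalike_of"] else ""
        print(f"{name:10s} score={finding['score']:3d}{flag}")
```

The lookalike check is a defender-side review of your own manifest: a brand-new, unlicensed package whose name is one transposition away from a popular one deserves a closer look before it is installed, regardless of its score. In a real pipeline the metadata would come from the registry and an advisory database rather than being constructed inline.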
Matt Jarvis is a Director of Developer Relations at Snyk. Matt has spent more than 15 years building products and services around open source software, on everything from embedded devices to large-scale distributed systems. Most recently he has been focused on the open cloud infrastructure space and on emerging patterns for cloud native applications. Matt is a regular speaker at conferences across the world, including KubeCon, DockerCon, FOSDEM and All Things Open, a past winner of the OpenStack Outstanding Community Contributor award, and in 2021 was named one of the Top 100 influencers in Open Technologies in the UK. Matt is also a board director of OpenUK, and the founder of Cloud Native Manchester, Kubernetes Community Days UK, and Cloud Natives UK.