OPEN TALK: Cybersecurity at a Global Scale: Addressing Next Generation Supply Chain Issues in Open Source Ecosystems


Sal Kimmich
Sonatype, Developer Advocate

Sal is a developer advocate for open source at Sonatype and passionate about helping engineers, ethical hackers and digital enthusiasts understand the complexity of modern software development. With over a decade of experience building cloud-native machine learning pipelines in the healthcare and tech-for-good sectors, their work is now focused on filling the cracks in the open source software supply chain to build a better digital future for all of us. By day, you'll find Sal working with site reliability engineers, DevOps and cybersecurity specialists to implement the best tools and practices for removing toil from developer workflows. By night, you'll find Sal mentoring the next generation of engineers in cloud computing from around the globe, helping them to make the world a better place through the clever use of math.


The landscape of cybersecurity is rapidly changing. Traditional, or "legacy", attacks used to target open source code downstream, once it was already running in production. The next generation of attacks is manufactured upstream: typo-squatting campaigns, malicious code injection directly at the source, and tool tampering inside the development stream. All of these pose risks to everyone from the biggest corporations to the smallest hobbyist project, because we all rely on the same open source ecosystems to do our work. The reality of the modern development landscape is that, in a world of continuous integration and delivery, we have to start thinking about continuous security for open source. This talk will describe a security taxonomy that makes it possible to detect, report and resolve vulnerability and malware attacks before they make their way into our applications, and to provide actionable recommendations when new vulnerabilities in distributions are surfaced in open source repositories.