Don’t Take Code from Strangers
Supply Chain Security Whitepaper

This white paper is designed to help organizations, management teams, security practitioners, and developers understand the dependency integrity risks that exist within open source code packages and why they represent the weakest link in a software supply chain. It explores the relationship between the digital economy and open source software (OSS), with a focus on why open source code is a popular attack vector. It then introduces SLSA as a framework for supply chain integrity, discusses why traditional software composition analysis is insufficient for detecting code with malicious intent, and introduces a way forward to avoid taking malicious code from strangers.
Report Snapshot
- Code repository
- Contributor reputation
- Code behavior