Open Source in Finance Forum New York 2024

In this talk, we will discuss the Sigstore, Enterprise Contract, and GUAC projects, and how they help mitigate risks in the software supply chain.
Consuming open source is only a risky proposition if you don’t take the time to engineer a process that mitigates risk through security best practices of open source. Building a program for your organization to securely consume and contribute to open source is no different than developing new software. It is entirely determined by the practices, policies, technical controls, risk tolerance, and culture you establish and reinforce. From your software supply chain to your running services, open source can be both a reference and a guide to conducting the necessary diligence so that your investment in open source is a reward for you, your engineers, and your business. In this talk, we’ll explore assumptions about open source and open source security, tactics for managing secure open source consumption, reducing or mitigating risk presented by open source, and how to successfully use triangle composition to drive your efforts.