Zach Steindler
Zach is a principal security engineer at GitHub, where he works on supply chain security features in Actions and npm, as well as advising during incident response. He volunteers in the OpenSSF, where he co-chairs the Securing Software Repositories working group that gets together the operators of package managers like npm, PyPI, Maven Central, and others to talk about security policies, implementation, and incident response. Away from the computer he is slowly learning more about gardening and welding.
Software Supply Chain Security: Threat Models, Attacks, and Defense
As we've focused on securing source code, attackers have turned their attention elsewhere, such as user accounts and build systems. Defending against these attacks means understanding the end-to-end process by which software is developed and distributed, referred to as the software supply chain. In this talk we'll go over the SLSA framework's threat model for software supply chain security, and use recent attacks against open source package managers and projects that focused on user accounts, dependencies, and build systems to illustrate what defensive capabilities you should be thinking about and how to go about implementing them.