Open source software is the foundation of modern software projects. Any software written today consists of 70-90% open source code in the form of libraries and other components. These open source libraries often come with security risks and introduce technical debt over time in the consuming software projects. These risks include:
1. Vulnerabilities
2. Malware
3. Unmaintained or unpopular projects
4. License issues
We will start by looking at some of the risks in the open source software supply chain that consumers often face. We will establish the need for secure OSS consumption using recent case studies and highlight common best practices for vetting OSS before use.
This talk will also introduce "vet", an open source tool for vetting open source libraries for security risks before software consumers adopt them. We will look at how "vet" can be used to scan the source code and dependencies (libraries) of a software project and identify potentially risky libraries among the project's direct and indirect (transitive) dependencies.
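To make the vetting idea concrete, the following is an added example that is not part of the original abstract and not vet's own code or data model: it walks a constructed, lockfile-style dependency graph from a root project, labels each reachable package as a direct or transitive dependency with the path that pulled it in, and checks every package against the four risk classes the abstract lists. The package names, the advisory identifier `ADVISORY-PLACEHOLDER-1`, the allowed-license set and the staleness and popularity thresholds are all assumptions chosen for illustration.

```python
from collections import deque

# Constructed sample of a resolved dependency graph, in the shape of a lockfile.
# Not vet's format; a stand-in so the example runs offline. Metadata per package:
# deps, license, days since last release, repository stars, known advisories, malware flag.
PACKAGES = {
    "webapp": {"deps": ["http-client", "template-engine"], "license": "MIT",
               "days_since_release": 10, "stars": 0, "advisories": [], "malware": False},
    "http-client": {"deps": ["tls-shim"], "license": "Apache-2.0",
                    "days_since_release": 40, "stars": 12000, "advisories": [], "malware": False},
    "tls-shim": {"deps": [], "license": "MIT",
                 "days_since_release": 1100, "stars": 30,
                 "advisories": ["ADVISORY-PLACEHOLDER-1"], "malware": False},  # placeholder ID
    "template-engine": {"deps": ["string-utils"], "license": "GPL-3.0-only",
                        "days_since_release": 90, "stars": 4000, "advisories": [], "malware": False},
    "string-utils": {"deps": [], "license": "MIT",
                     "days_since_release": 3, "stars": 5, "advisories": [], "malware": True},
}

# Policy thresholds; assumed values, not vet's defaults.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
UNMAINTAINED_DAYS = 730   # no release in two years
UNPOPULAR_STARS = 100     # too little adoption to rely on community scrutiny


def resolve(root, packages=PACKAGES):
    """Breadth-first walk from root. Returns {name: (depth, path)} for every
    reachable package; depth 1 is a direct dependency, depth >= 2 is transitive.
    The seen-set also stops the walk on cyclic graphs."""
    seen = {}
    queue = deque([(root, 0, [root])])
    while queue:
        name, depth, path = queue.popleft()
        if name in seen:
            continue
        seen[name] = (depth, path)
        for dep in packages[name]["deps"]:
            if dep not in seen:
                queue.append((dep, depth + 1, path + [dep]))
    return seen


def assess(meta, allowed=ALLOWED_LICENSES):
    """Apply the four risk checks to one package's metadata; returns reason strings."""
    reasons = []
    if meta["advisories"]:
        reasons.append("vulnerability:" + ",".join(meta["advisories"]))
    if meta["malware"]:
        reasons.append("malware")
    if meta["days_since_release"] > UNMAINTAINED_DAYS or meta["stars"] < UNPOPULAR_STARS:
        reasons.append("unmaintained-or-unpopular")
    if meta["license"] not in allowed:
        reasons.append("license:" + meta["license"])
    return reasons


def vet_project(root, packages=PACKAGES):
    """Return findings for every risky dependency of root, with its kind and pull-in path."""
    findings = []
    for name, (depth, path) in resolve(root, packages).items():
        if depth == 0:
            continue  # the project itself is not a dependency
        reasons = assess(packages[name])
        if reasons:
            findings.append({
                "package": name,
                "kind": "direct" if depth == 1 else "transitive",
                "path": " -> ".join(path),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in vet_project("webapp"):
        print(f"{f['kind']:<10} {f['package']:<16} via {f['path']}: {', '.join(f['reasons'])}")
```

The path recorded for each finding is what makes transitive results actionable: a vulnerable or malicious package two levels down cannot be removed directly, so the remediation target is the direct dependency at the start of the path, which is the one the project controls.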