Schedule

13:30-13:40

Welcome and Introduction
13:40-14:00

Keynote
14:00-14:20

Enterprise-level open source supply chain security solution based on cyber resilience legislation

Because open source components are so widely used, security attacks and data breaches caused by vulnerabilities and code quality issues in those components have become frequent, leading to a crisis of trust in the security of the open source supply chain. Various countries and regions have introduced regulations and provisions to strengthen open source supply chain security and improve the security of digital products. This talk discusses an enterprise-level open source supply chain security solution based on cyber resilience legislation.

14:20-14:40

Sigstore helps implement the SLSA open source software supply chain security framework

LFAPAC open source evangelist, CDF ambassador, deputy leader of the OpenSSF China working group, and member of the Cloud Native Community Steering Committee. He focuses on the cloud native and DevSecOps fields and has spoken at the DevOps Community Summit, the TiD Quality Competitiveness Conference, QECon, GOTC and other conferences. He is currently actively promoting open source software supply chain security.

15:00-15:20

Open source risk management practice based on SBOM

1. Overview of the challenges faced in using open source software
2. The foundation of open source risk management: SBOM
3. Selecting reliable and appropriate software for the SBOM (open source software selection)
4. How to integrate open source governance into existing enterprise development and delivery processes (SBOM generation, updates, circulation, and archiving)
5. Digitization and automation of enterprise open source risk management (automatic tracking and issue handling based on SBOM)
6. Beyond SBOM, what other capabilities do enterprises need to raise their level of open source governance?

15:00-15:20

Prevent small risks from becoming big ones and build an open-source security defense system for enterprises

Open source development is currently thriving, but it also brings software supply chain security threats. Huawei embraces open source and actively invests resources in open source security tools and governance. This talk covers the following parts:
1. Industry trends and practical insights on software supply chain security.
2. Huawei's analysis and practice of software supply chain security, including practices based on SBOM as well as other security measures.
3. Some suggestions for the future of open source security.

15:20-15:40

Looking at open source security from Amazon's unique culture

For Amazon, security is always the top priority and guiding principle, and this security culture has a profound influence on how Amazon engages with open source. This talk explores in depth the design philosophy and lessons learned from the open source project Firecracker, and shares Amazon Web Services' best practices in choosing Rust for open source projects and using it extensively. It will help builders better understand how Amazon pursues and implements security in every dimension and detail of its open source work.

15:40-16:00

Using SBOM to enhance software supply chain security

This talk introduces the background of SBOM, the global status and direction of SBOM adoption, methods and standards for building an SBOM, and how to use an SBOM to enhance software supply chain security. An SBOM, or software bill of materials, reveals the composition of a piece of software to its users. As software technology has developed, mixed-source development has become mainstream, and more than 90% of system and application software contains open source code. On one hand, China's IT application innovation industry cannot do without open source software, from operating systems to databases to upper-layer applications; on the other hand, open source software greatly promotes the development of an open source ecosystem and provides a solid foundation for China's IT application innovation supply chain. China has also become the world's second-largest contributor to open source software and an important force in the field. However, the popularity of open source code brings security and compliance issues that need attention. To ensure software supply chain security, industry sectors are promoting the application of SBOM within their respective fields: relevant laws have been introduced in America, Europe is following suit, and corresponding standards are being formulated in China. The main methods for SBOM analysis are code snippet analysis and dependency relationship analysis. These produce a license list and a vulnerability list, which let users understand the compliance status and hidden security hazards of their code, and then use technical means to resolve the potential problems and make their own supply chains more secure.

16:00-16:20

Best Practices for Securely Building Multiple Workloads in a Production Environment

As traditional physical and virtual machines have evolved into containers and container clusters, the security risks of enterprise production workloads have changed as well. Drawing on production experience, this presentation shares the security challenges of multiple workload types and the corresponding countermeasures.

16:20-16:40

Open source software supply chain security governance based on code vaccine technology

In the context of mixed-source development and agile delivery, open source software has become an important part of the software supply chain, and its security has become a key link in software supply chain security governance. For known open source risks, SCA tools can take a comprehensive asset inventory of the third-party components used in software and applications, and identify the open source vulnerabilities those components introduce, providing insight into and monitoring of open source risk. When a new security vulnerability is discovered and no fixed version of the component is available yet, RASP technology can identify and block attacks and malicious requests through hot patching, without modifying the source code, governing unknown open source risk in time and buying time for the vulnerability to be fixed. By combining SCA and RASP, both known and unknown vulnerability scenarios can be covered, achieving closed-loop management of open source software supply chain security from development to operation and strengthening the code security of enterprise developers.

16:40-17:00

The Challenges and Practices of Open Source Software Supply Chain Security

With network security threats and attacks becoming increasingly severe worldwide, the accelerated digitization of enterprises requires overall planning. Mr. Wang Yu will introduce and summarize the following content to explain in simple terms how software supply chain risks are introduced and the key points of governing the open source software supply chain. The talk is practical, informative and forward-looking, aimed at comprehensively empowering enterprises. It covers the following key points:
- Traditional software supply chain vs. open source software supply chain
- In-depth analysis and interpretation of software supply chain security incidents
- Impact and harm of open source vulnerabilities
- Composition of the software supply chain and the ways security risks are introduced
- Open source security challenges from a technical perspective
- Key issues in software supply chain security and OSS governance
- SCA tools for multiple application scenarios
- Trusted open source management and operation

© OSChina (OSChina.NET). Copyright Shenzhen Aosi Network Technology Co., Ltd. 粤ICP备12009483号