Open Source Supply Chain Security at Google

Posted on Thursday, November 30, 2023.

I was a remote opening keynote speaker at ACM SCORED 2023, which we decided meant that I sent a video to play and I was on Discord during the talk for attendees to text directly with question as the video played, and then we did some live but still remote Q&A after the talk.

My talk was titled “Open Source Supply Chain Security at Google” and was 45 minutes long. I spent a while at the start defining open source supply chain security and a while at the end on comparisons with the 1970s. In between, I talked about various supply chain-related efforts at Google. All the Google efforts mentioned in the talk have been publicly discussed elsewhere and are linked below.

Here are the talk video and talk slides. Opinions expressed in the talk about languages and the last half century of supply chain security are mine, not Google’s.

References or acknowledgements for the slides:

• Crypto AG: Guardian and Washington Post
• Enigma photograph: personal photo, taken at Bletchley Park in 2012
• XcodeGhost: Palo Alto Networks
• Juniper Attack: CACM, Eprint, Bloomberg
• SolarWinds: Wired (Kim Zetter)
• NPM event-stream: Ars Technica, NPM
• iMessage JBIG2: Project Zero
• Log4j: Minecraft, CISA
• Kubernetes on Open Source Insights and comparing versions
• Sigstore
• “Perfectly Reproducible, Verified Go Toolchains”
• “How Go Mitigates Supply Chain Attacks”
• Two-person photograph: Air Force National Museum, public domain
• SLSA (Supply-chain Levels for Software Artifacts)
• Security Scorecards
• Capslock: blog post, repository
• Google Open Source Security Rewards
• Google Project Zero: blog post, excellent video
• OSS-Fuzz: blog post, repository
• Syzkaller dashboard
• Internet worm: New York Times
• NSA Software Memory Safety
• Go home page
• Rust home page
• SBOMs: “NTIA: Framing Software Component Transparency”, “CISA: Software Identification Ecosystem Option Analysis”
• Open Source Vulnerability database
• Govulncheck: blog post, package docs, tutorial
• Google Cloud Artifact Analysis
• Air Force Review of Multics (quotes are from pages numbered 51 and 52 on the paper, aka PDF pages 55 and 56)
• Thompson backdoor: “Reflections on Trusting Trust” (1983) and annotated code (2023)