Improving the security of the open source software supply chain will require better understanding of dependencies, and cooperation from developers and users.
The nature of modern software development is that development teams have to rely on "blind trust" for some of the code components written by someone else. A new attack method showed how build systems could be tricked into pulling code from the wrong projects instead of the intended dependencies.
Attackers have increasingly targeted the software supply chain by populating package managers such as RubyGems and npm with malicious code.
Protecting data while in use is a challenge. IBM released an open source toolkit to help developers implement fully homomorphic encryption in their applications.
Modern software development relies on open source libraries, even for those applications that are sold commercially and aren’t open source. A pair of reports from Veracode and Synopsys illustrate how these components are introducing vulnerabilities into these applications.