We ❤️ Open Source
Building trust through security: How FreeBSD helps set the standard for supply chain protection
Explore these strategies from FreeBSD to mitigate supply chain vulnerabilities in your open source project.
Supply chain attacks have become a major challenge in the open source ecosystem, making it essential for projects to secure their software dependencies. FreeBSD’s approach to supply chain security, through strategies like Zero-Trust Builds and Software Bills of Materials (SBOMs), offers valuable insights for other projects. At All Things Open (ATO) 2024, numerous sessions will focus on securing the software supply chain and providing practical advice for developers looking to fortify their projects.
Understanding the threats to supply chain security
As open source projects grow in prominence, so too does the risk of supply chain attacks. According to Sonatype’s 2023 State of the Software Supply Chain report, these attacks have grown significantly, with a 742% increase over the past three years. Attackers specifically target vulnerabilities in open source dependencies to compromise entire ecosystems. At ATO 2024, Josie Anugerah and Eve Martin-Jones will lead a session titled “Dependency management: The cause of—and solution to—all supply chain problems.” This session will explore strategies for managing dependencies and mitigating risks, which align closely with FreeBSD’s efforts to secure its software components and ensure that vulnerabilities in dependencies don’t compromise the broader system.
FreeBSD’s role in securing the future with Zero-Trust Builds
FreeBSD, with support from the Sovereign Tech Fund (STF), is integrating Zero-Trust Builds into its infrastructure to address the growing risk of supply chain attacks. By ensuring that all builds are reproducible and don’t require special privileges, FreeBSD minimizes the risk of tampering. This method enhances transparency and security, allowing third parties to verify that the final binaries match their source code.
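The third-party verification step described above comes down to one concrete check: rebuild from the same source, hash every artifact, and confirm that the digests match those of the published build. The script below is an added example, not FreeBSD's own build tooling; it hashes two build trees into manifests and reports files that differ, are missing, or appeared unexpectedly. The file names and byte contents in `demo()` are constructed for illustration.

```python
"""Compare two build trees artifact by artifact, the check that a
reproducible-build policy makes possible for independent verifiers.

Added example, not FreeBSD's tooling. Paths and contents are constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """Return the SHA-256 hex digest of a file, streamed so large binaries fit."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(reference, candidate):
    """Report paths whose digests differ, are absent, or were not expected."""
    return {
        "mismatched": sorted(p for p in reference
                             if p in candidate and reference[p] != candidate[p]),
        "missing": sorted(p for p in reference if p not in candidate),
        "unexpected": sorted(p for p in candidate if p not in reference),
    }


def is_reproducible(report):
    """True only when no category of difference was found."""
    return not any(report.values())


def _write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping on disk (test helper)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


def demo():
    """Return reports for a reproducible rebuild and a divergent one.

    The divergent tree embeds a build timestamp (a classic source of
    non-determinism) and carries an artifact the reference build never produced.
    """
    reference_build = {
        "bin/tool": b"\x7fELF-constructed-sample-bytes",
        "lib/libexample.so": b"constructed-library-bytes",
    }
    divergent_build = dict(reference_build)
    divergent_build["bin/tool"] = reference_build["bin/tool"] + b"BUILD-TIMESTAMP"
    divergent_build["bin/extra"] = b"artifact not present in the reference"

    with tempfile.TemporaryDirectory() as ref_dir, \
            tempfile.TemporaryDirectory() as same_dir, \
            tempfile.TemporaryDirectory() as diff_dir:
        _write_tree(ref_dir, reference_build)
        _write_tree(same_dir, reference_build)
        _write_tree(diff_dir, divergent_build)
        reference = build_manifest(ref_dir)
        return (compare_manifests(reference, build_manifest(same_dir)),
                compare_manifests(reference, build_manifest(diff_dir)))


if __name__ == "__main__":
    ok_report, bad_report = demo()
    print("identical rebuild reproducible:", is_reproducible(ok_report))
    print("divergent rebuild report:", bad_report)
```

In practice the reference manifest is generated once by the project (and ideally signed) so that anyone can rebuild from the tagged source and run the comparison; a non-empty `mismatched` list is the signal to investigate, since it means either the build is not yet deterministic or the distributed binary was not produced from the claimed source.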
At ATO 2024, Seth Michael Larson’s session, “The unseen, underappreciated security work your maintainers may already be doing,” will explore similar efforts in securing open source projects through improved build processes and security checks.
Sessions on emerging security technologies
In addition to SBOMs and dependency management, ATO 2024 will explore the future of security, including quantum-safe technologies. Paul Schweigert’s session, “Building quantum-safe applications with open source tools,” will cover securing applications against emerging threats, a focus that aligns with FreeBSD’s goal of building a resilient and forward-looking security architecture. These proactive measures ensure that FreeBSD is prepared for both current and future risks.
Another key session to attend is “Secure by design: Elevating OSS integrity through proactive vulnerability management” with Alua Beisekulova and Eugeny Grebenshchikov from Deutsche Bank. They will discuss how projects can secure their systems by integrating proactive vulnerability management, which FreeBSD has long embraced through its continuous auditing processes.
Securing your open source project at ATO 2024
The security track at ATO 2024 offers a wealth of knowledge on supply chain security, dependency management, and emerging technologies. By attending these sessions, developers can learn how to adopt strategies like FreeBSD’s, ensuring their projects remain secure and trustworthy. With expert insights on SBOMs, Zero-Trust Builds, and quantum-safe technologies, ATO 2024 is the perfect opportunity to strengthen your project’s security.
For more on FreeBSD’s approach to supply chain security, visit the FreeBSD Foundation’s blog.
The opinions expressed on this website are those of each author, not of the author's employer or All Things Open/We Love Open Source.