Gary O'Neall

Gary is a contributor to the Software Package Data Exchange® (SPDX™), an open standard for communicating software bill of materials (SBOM) information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools, including the SPDX Java Libraries and Tools, which can be found at https://spdx.dev/spdx-tools/.
Gary O'Neall is responsible for product development and technology for Source Auditor Inc., a software and service company that helps software companies manage the technical and legal risks of open source software.


Sessions

10-26
09:05
25min
Package Managers, Software Security and Functional Safety
Maximilian Huber, Gary O'Neall

The software supply chain has become an increasingly attractive target because downstream users of open source software are often unaware that they are using compromised or vulnerable components. Log4Shell and SolarWinds are just two prominent examples of supply chain incidents causing significant damage to a large population of downstream users.
Package managers already provide critical information through package metadata; however, most software crosses several package manager boundaries (e.g. using Gradle in the back-end and npm in the front-end). To really address supply chain vulnerabilities, an integrated view of software dependencies across those boundaries needs to be provided.
In this talk, we will provide practical advice to developers of package managers on how they can expose this critical information in a form that can be integrated across different package manager ecosystems, resulting in greatly improved security across the entire software supply chain. We will also cover how that same information can improve open source license compliance and software product safety.

Main stage
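The abstract's point that dependency metadata from several package managers must be merged into one integrated view can be made concrete with an SPDX document. The following is an added example written for this page; it is not code from the talk, from the speakers, or from the SPDX Java Libraries and Tools. It takes constructed, minimal dependency records for an npm front-end and a Gradle (Maven-coordinate) back-end, assigns each one a package URL (purl) as the ecosystem-neutral key, and emits a single SPDX 2.3 JSON document in which every component carries its purl as a PACKAGE-MANAGER external reference and is linked to the application by a DEPENDS_ON relationship. The application name, version, namespace and tool name are assumptions chosen for illustration; the sample dependencies are constructed and not taken from any real lockfile.

```python
"""Merge npm and Gradle/Maven dependency metadata into one SPDX 2.3 JSON
document keyed by package URL (purl).  Added example; not the talk's code."""
import hashlib
import json

# Constructed sample inputs (not real lockfiles): the minimal fields a package
# manager can export per resolved dependency.
NPM_DEPS = [
    {"name": "lodash", "version": "4.17.21", "license": "MIT"},
    {"name": "express", "version": "4.18.2", "license": "MIT"},
]
GRADLE_DEPS = [
    {"group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "license": "Apache-2.0"},
]


def purl_npm(dep):
    return f"pkg:npm/{dep['name']}@{dep['version']}"


def purl_maven(dep):
    return f"pkg:maven/{dep['group']}/{dep['name']}@{dep['version']}"


def spdx_id(purl):
    """Stable SPDXRef identifier derived from the purl.  SPDX IDs allow only
    letters, digits, '.' and '-', so a hash of the purl is used rather than
    mangling the purl itself."""
    digest = hashlib.sha256(purl.encode()).hexdigest()[:12]
    return f"SPDXRef-Package-{digest}"


def package_entry(name, version, license_id, purl):
    """One SPDX package with its purl recorded as an external reference."""
    return {
        "SPDXID": spdx_id(purl),
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "licenseConcluded": license_id,
        "licenseDeclared": license_id,
        "copyrightText": "NOASSERTION",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": purl,
        }],
    }


def build_sbom(app_name, app_version, npm_deps, gradle_deps):
    """Build one SPDX document covering both ecosystems.  The application is
    the root package described by the document; each dependency, whatever
    package manager resolved it, hangs off the root via DEPENDS_ON."""
    root_purl = f"pkg:generic/{app_name}@{app_version}"  # assumed root purl
    root = package_entry(app_name, app_version, "NOASSERTION", root_purl)
    packages = [root]
    relationships = [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": root["SPDXID"],
    }]
    for deps, to_purl in ((npm_deps, purl_npm), (gradle_deps, purl_maven)):
        for dep in deps:
            pkg = package_entry(dep["name"], dep["version"], dep["license"],
                                to_purl(dep))
            packages.append(pkg)
            relationships.append({
                "spdxElementId": root["SPDXID"],
                "relationshipType": "DEPENDS_ON",
                "relatedSpdxElement": pkg["SPDXID"],
            })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app_name}-{app_version}",
        # Namespace and creator are illustrative assumptions.
        "documentNamespace": f"https://example.com/spdx/{app_name}-{app_version}",
        "creationInfo": {"created": "2022-10-26T00:00:00Z",
                         "creators": ["Tool: example-sbom-merger"]},
        "packages": packages,
        "relationships": relationships,
    }


def purls_in(sbom):
    """Every purl in the document, independent of originating ecosystem."""
    return sorted(ref["referenceLocator"]
                  for pkg in sbom["packages"] for ref in pkg["externalRefs"])


def find_package(sbom, purl):
    """Look a component up by purl, which is how a vulnerability scanner
    matches an advisory's affected package against the SBOM."""
    for pkg in sbom["packages"]:
        if any(r["referenceLocator"] == purl for r in pkg["externalRefs"]):
            return pkg
    return None


if __name__ == "__main__":
    doc = build_sbom("webshop", "1.0.0", NPM_DEPS, GRADLE_DEPS)
    print(json.dumps(doc, indent=2))
```

The purl is what makes the merge work: an advisory or license record that names `pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1` matches the same entry whether the SBOM was produced by the Gradle side, the npm side or a merger such as this one. A real producer would also fill in `downloadLocation`, checksums and the transitive DEPENDS_ON edges between dependencies rather than attaching everything to the root.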