Open Source Malware or a Vulnerability? The Philosophical Debate and How To Mitigate - Brian Fox, Sonatype; Madelein van der Hout, Forrester Research Inc.; Santiago Torres-Arias, Purdue University
Abstract
As open source software becomes increasingly important in modern software development, the security challenges continue to evolve. Vulnerabilities are largely understood, but open source malware poses a uniquely hidden threat. But when does a planted vulnerability transform a package into malware? This talk will discuss and debate the nuances between open source vulnerabilities and malware before diving into what’s most important: how to stay secure with open source. Traditional SCA and endpoint security tools do not detect open source malware, which increases the challenge. In this panel, key experts — from software engineering academia to influential analysts and open source security veterans — will dive into the different types of open source malware and why it’s so pervasive, outline practical strategies for mitigating threats, and discuss the responsibility of enterprises and developers in safeguarding the software supply chain.
