Securing Software Supply Chains and Dependency Confusion – An Industry Perspective

Following a growing trend in software supply chain attacks that use “dependency or namespace confusion” techniques, I sat down for a discussion on software supply chain security with a few experts on the topic.

  • Dr. David Wheeler, Director of Open Source Software Supply Chain Security at the Linux Foundation
  • Dr. Trey Herr, Director of Cyber Statecraft Initiative at the Atlantic Council
  • Brian Fox, CTO and Co-founder of Sonatype

As the attack vector continues to gain steam in the early months of 2021, we chatted about what’s happening, why this vector has taken off and how organizations can protect themselves.

You can watch the full discussion on YouTube and/or read the transcript below.


Derek Weeks: Hey, everyone, I am Derek Weeks, VP at Sonatype, and I am joined here by an esteemed colleague and two friends from the community. We’re going to talk about some software supply chain attacks that have happened recently. 

First off, I’m joined by my colleague, co-founder and CTO of Sonatype, Brian Fox. We have Dr. David Wheeler, from the Linux Foundation, where he is the Director of Open Source Supply Chain Security. We also have Dr. Trey Herr from the Atlantic Council, who is the Director of Cyber Statecraft Initiative. 

All of us spend a lot of time within our own organizations and within the community, talking about securing software supply chains. That’s really the basis of the discussion that I wanted to gather you three here for today. To start off the discussion, I want to focus on some of the more recent news on software supply chain attacks, going to Brian and talking about a new or novel supply chain attack with “namespace confusion” that’s happened within the npm repositories and some others. Brian, introduce (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: