Securing Open Source Dependencies in the Public Cloud

A little while back (before we had this community), I wrote a blog and did a Lightboard presentation on Securing Open Source Dependencies in the Public Cloud.
https://ubuntu.com/blog/securing-open-source-software-dependencies-in-the-public-cloud

The Lightboard presentation is here:
https://www.youtube.com/watch?v=nnvsletLWNk

I hope that this starts some discussion on here. What steps are you currently taking to secure your open source dependencies? What tools have you found work well with Ubuntu on the public clouds?


Hi there, can you share your thoughts in light of ICT supply chain management and transparency, regarding the DORA act, and what are the perspectives to deliver sufficient information and documentation on security to users, as the EU digital identity wallet is recommended to be based on open source?
Personally, I do expect Ubuntu to be identified as a critical ICT service provider in the EU under DORA, but when it comes to personal digital identity based on open source technologies, how is Ubuntu getting ready for the day after tomorrow?

Hi @milena-mn, welcome!

I’m not personally too familiar with DORA. It looks as though it is focused on operational resilience in the financial sector.

More generally, there is definitely an increasing interest globally in knowing more about the software artefacts people are using in production. It is easy to throw around terms like SBOM (Software Bill of Materials), but it is important to be clear what information you are looking for from it. I think of efforts in this sort of space as detailing and potentially securing the pipe between upstream and you as a user – they are unlikely, for example, to protect against issues in the upstream itself, as we saw recently in the xz vulnerability.

In terms of security information, what specifically are you looking for here?
Ubuntu Security Notices and https://ubuntu.com/security/cves provide a pretty good starting point for security information on Ubuntu packages.
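To make the SBOM point above concrete, here is an added example (my own, not code from the original posts, from the linked blog, or from Ubuntu's tooling). It shows the two things an SBOM actually gives you as a consumer: recorded hashes you can check the artefacts you deployed against (the "pipe between upstream and you"), and name/version pairs you can match against security notices. The SBOM is a constructed, minimal CycloneDX-like document, the deployed artefacts are constructed byte strings, and the notices use placeholder ids rather than real USNs; the exact-version matching is a simplification, since real advisory matching needs dpkg version ordering.

```python
"""Added example: what a consumer can check with an SBOM.

(1) Verify deployed artefacts against the hashes the SBOM records.
(2) Match SBOM component name/version pairs against security notices.
All inputs below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for the package files actually present on a host.
# 'curl' is deliberately different from what the SBOM producer hashed.
DEPLOYED = {
    "liblzma5": b"constructed bytes of liblzma5 5.4.1-0ubuntu1",
    "openssl": b"constructed bytes of openssl 3.0.2-0ubuntu1.15",
    "curl": b"constructed bytes of curl 7.81.0-1ubuntu1.16 (tampered)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM using a minimal subset of the CycloneDX shape
# (bomFormat, components with name/version/purl/hashes).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liblzma5", "version": "5.4.1-0ubuntu1",
         "purl": "pkg:deb/ubuntu/liblzma5@5.4.1-0ubuntu1",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(DEPLOYED["liblzma5"])}]},
        {"type": "library", "name": "openssl", "version": "3.0.2-0ubuntu1.15",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(DEPLOYED["openssl"])}]},
        {"type": "library", "name": "curl", "version": "7.81.0-1ubuntu1.16",
         "purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.16",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"constructed bytes of curl 7.81.0-1ubuntu1.16")}]},
    ],
}
SBOM_JSON = json.dumps(SBOM)

# Constructed security notices with placeholder ids (not real USNs).
# Each lists exact affected versions; real matching would need dpkg
# version comparison, which is intentionally left out of this example.
NOTICES = [
    {"id": "USN-PLACEHOLDER-1", "package": "liblzma5",
     "affected_versions": ["5.6.0-0ubuntu1", "5.6.1-0ubuntu1"]},
    {"id": "USN-PLACEHOLDER-2", "package": "openssl",
     "affected_versions": ["3.0.2-0ubuntu1.15"]},
]


@dataclass
class Component:
    name: str
    version: str
    sha256: Optional[str]


def parse_sbom(sbom_json: str) -> List[Component]:
    """Pull name, version and SHA-256 (if recorded) out of each component."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat")
    components = []
    for c in doc.get("components", []):
        sha = next((h["content"] for h in c.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        components.append(Component(c["name"], c["version"], sha))
    return components


def verify_hashes(components: List[Component], deployed: Dict[str, bytes]) -> Dict[str, str]:
    """Status per component: 'ok', 'mismatch', 'no-hash' (SBOM gives none) or 'missing'."""
    status = {}
    for comp in components:
        data = deployed.get(comp.name)
        if data is None:
            status[comp.name] = "missing"
        elif comp.sha256 is None:
            status[comp.name] = "no-hash"
        elif sha256_hex(data) == comp.sha256:
            status[comp.name] = "ok"
        else:
            status[comp.name] = "mismatch"
    return status


def match_notices(components: List[Component], notices: List[dict]) -> Dict[str, List[str]]:
    """Map component name -> notice ids whose affected versions include the SBOM version."""
    hits: Dict[str, List[str]] = {}
    for comp in components:
        for n in notices:
            if n["package"] == comp.name and comp.version in n["affected_versions"]:
                hits.setdefault(comp.name, []).append(n["id"])
    return hits


if __name__ == "__main__":
    comps = parse_sbom(SBOM_JSON)
    print(verify_hashes(comps, DEPLOYED))   # curl reported as 'mismatch'
    print(match_notices(comps, NOTICES))    # openssl matched to USN-PLACEHOLDER-2
```

Note what the hash check does and does not tell you: a mismatch on `curl` means what you deployed is not what the SBOM producer described, which is exactly the pipe the post talks about, while the `liblzma5` entry passing both checks says nothing about whether the upstream itself was trustworthy.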