What can I do?!

Follow the Open Source Security Foundation (OSSF) Concise Guide for developing more secure software

Keep it simple and stupid (KISS)

Automated dependency updates

Generate a Software Bill of Materials (SBoM)

Scan for vulnerabilities and audit

Scan for license compliance

Sign artifacts

Create attestations (signed metadata for artifacts)

Create provenance (signed description of artifact creation)


Unmaintained dependencies

XKCD 2347 by Randall Munroe, XKCD

Let’s say you have done all of the above

How can you be sure that your dependencies are maintained?

Will a vulnerability be fixed quickly?

Every dependency is a risk - unmaintained even more so

Choose wisely

Follow the Open Source Security Foundation (OSSF) Concise Guide for evaluating open source software
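As an added illustration (not part of the slides), a small Python script that combines the SBoM, vulnerability-scan and maintenance checks listed above: it parses a constructed CycloneDX SBoM and flags components that have a known advisory or whose last upstream release is older than a threshold. The SBoM contents, the advisory identifier and the release dates are all constructed placeholders, not real packages or real advisories.

```python
import json
from datetime import date

# Constructed CycloneDX 1.5 SBoM fragment; package names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.0",
     "purl": "pkg:npm/example-http@2.4.0"},
    {"type": "library", "name": "example-yaml", "version": "1.2.0",
     "purl": "pkg:npm/example-yaml@1.2.0"},
    {"type": "library", "name": "example-legacy", "version": "0.9.1",
     "purl": "pkg:npm/example-legacy@0.9.1"}
  ]
}"""

# Constructed stand-ins for a vulnerability feed and for registry release metadata
# (in practice these come from an advisory database and the package registry).
ADVISORIES = {"pkg:npm/example-yaml@1.2.0": ["EXAMPLE-ADV-0001"]}
LAST_RELEASE = {
    "example-http": date(2024, 3, 1),
    "example-yaml": date(2024, 1, 15),
    "example-legacy": date(2019, 6, 30),
}

def review_sbom(sbom_json, advisories, last_release, today, max_age_days=365):
    """Return {purl: [findings]} for every component that needs attention.

    A component is flagged when its purl has a known advisory (the scan step)
    or when its latest upstream release is older than max_age_days, a crude
    proxy for "is this dependency still maintained?"."""
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp["purl"]
        issues = [f"advisory {adv}" for adv in advisories.get(purl, [])]
        released = last_release.get(comp["name"])
        if released is None:
            issues.append("no release metadata (cannot judge maintenance)")
        elif (today - released).days > max_age_days:
            issues.append(f"last release {released.isoformat()} is older than {max_age_days} days")
        if issues:
            findings[purl] = issues
    return findings

def demo_findings():
    """Run the review over the constructed data with a fixed 'today' date."""
    return review_sbom(SBOM_JSON, ADVISORIES, LAST_RELEASE, date(2024, 6, 1))

if __name__ == "__main__":
    for purl, issues in demo_findings().items():
        print(purl, "->", "; ".join(issues))
```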