NOTE: The event will be held in Central Daylight Time (CDT), UTC -5.

Open Source Summit + Embedded Linux Conference North America 2020
Monday, June 29, 2020 • 11:55am - 12:20pm CDT
Building a Secure, Efficient, Compliance OSS Supplychain at Scale - Tan Zhongyi (Jerry Tan), Baidu

FOSS projects are heavily used in every enterprise, but if some OSS project reports a high-risk CVE or an easily triggered coredump bug, how do you push over 10,000+ engineers to fix the issue asap across 100,000 repos?

Building a secure, efficient and compliant supply chain at scale is very challenging.

The OpenChain Project provides a great framework for addressing this challenge head-on, and we are implementing it in my company. With a massive number of open source projects in use, many engineers with both good and bad habits, and limited legal or engineering resources, the only solution is to automate as much as possible and deploy effective training.

I worked with security, legal and internal tech committees and proceeded in small steps. Adding scripts that run checks when a developer begins to review code helps prevent unsafe code from being committed in the first place. Indexing every repo with automated tools also provides benefits, such as allowing the affected repos to be cleaned within three working days of a CVE alert. These actions come together to provide much greater efficiency than before.
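The two mechanisms the abstract names, a repo-wide dependency index queried at CVE-alert time and a check that runs at code-review time, are illustrated below. This is an added example written for this page, not code from the talk or from Baidu's tooling; the repo names, manifests and advisory records are constructed sample data, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Added example (not from the talk): index pinned dependencies across repos,
answer "which repos must fix package X below version Y?" when an advisory
arrives, and reuse the same rule as a review-time check.
All repos, manifests and advisories below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: one requirements-style manifest per repo.
REPO_MANIFESTS: Dict[str, str] = {
    "team-a/payments": "requests==2.19.0\nurllib3==1.24.1\n",
    "team-b/search": "requests==2.25.1\nnumpy==1.19.4\n",
    "team-c/legacy-crawler": "urllib3==1.22\nlxml==4.6.2  # pinned by ops\n",
}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE number
    package: str
    fixed_in: str     # versions strictly below this are affected


# Constructed advisories with placeholder ids (not real CVEs).
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("ADVISORY-PLACEHOLDER-1", "urllib3", "1.24.2"),
    Advisory("ADVISORY-PLACEHOLDER-2", "requests", "2.20.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted integer versions only (enough for the sample data)."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: version} for pinned 'name==version' lines.
    Comments and blank lines are ignored; unpinned lines are skipped."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        deps[name.lower()] = version
    return deps


def build_index(manifests: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Invert the manifests: package -> [(repo, pinned version), ...].
    This is the structure that makes alert-time queries cheap."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for repo, text in manifests.items():
        for name, version in parse_manifest(text).items():
            index.setdefault(name, []).append((repo, version))
    return index


def affected_repos(index: Dict[str, List[Tuple[str, str]]],
                   adv: Advisory) -> List[Tuple[str, str]]:
    """Repos pinning an affected version of the advisory's package."""
    fixed = parse_version(adv.fixed_in)
    hits = [(repo, version)
            for repo, version in index.get(adv.package.lower(), [])
            if parse_version(version) < fixed]
    return sorted(hits)


def review_check(manifest_text: str, advisories: List[Advisory]) -> List[str]:
    """Review-time gate: the same rule applied to one changed manifest.
    An empty list means the change is clean; otherwise each message names
    the dependency, the advisory and the minimum safe version."""
    deps = parse_manifest(manifest_text)
    problems: List[str] = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and parse_version(version) < parse_version(adv.fixed_in):
            problems.append(f"{adv.package}=={version} is affected by "
                            f"{adv.advisory_id}; upgrade to >= {adv.fixed_in}")
    return sorted(problems)


if __name__ == "__main__":
    index = build_index(REPO_MANIFESTS)
    for adv in SAMPLE_ADVISORIES:
        print(adv.advisory_id, adv.package, "->", affected_repos(index, adv))
    print(review_check("urllib3==1.22\nrequests==2.19.0\n", SAMPLE_ADVISORIES))
```

The index is rebuilt from manifests rather than from a hand-maintained list, so a new alert only needs a lookup instead of a scan of every repo; running the identical rule inside the review hook is what keeps a fixed dependency from being reintroduced.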

Tan Zhongyi (Jerry Tan)

Open Source Program Officer, Baidu
OSPO of Baidu Inc. Over 20 years of working experience with OSS; committer of Mozilla/Gnome/Apache; speaker at OSCON/ApacheCON/Open Source Summit; contributor to the OpenChain project; Linux Foundation Authorized Instructor for CKA/CKAD.

OS Program Office Theater