Open Source Summit + ELC North America 2020

FOSS projects are heavy used in every enterprise，but if some oss project report a high CVE risk or a easy coredump bug, how to push over 10,000+ engineers to fix this issue asap across 100,000 repos?

Building a secure/efficient/compliance supply chain at scale is very challenge.

The OpenChain Project provides a great framework for addressing this challenge head-on and we are implementing it in my company. With a use-case of massive open source projects, many engineers with both good and bad habits, and limited legal or engineering resources, the only solution is to automate as much as possible and deploy effective training.

I worked with security, legal and internal tech committees and run with small steps. Adding scripts to check when a developer begins to review code helps prevent unsafe code from being committed in the first place. Indexing every repo with automated tools also provides benefits, such as allowing the repos to be cleaned within three working days of a CVE alert. This actions come together to provide much greater efficiency than before.