Keynote: What Log4j teaches us about the Software Supply Chain

both face when it comes to rapid remediation of vulnerabilities in open source software. Long transitive dependency chains delay full remediation. Unstable APIs add work to software patching tasks. And malicious open source commits make it risky to automate adoption of the latest library versions.

As the maintainer of Maven Central – the repository that hosts log4j and most other open source Java projects – Sonatype has unique insight into the uptake of patched versions of vulnerable components. This presentation will draw on analysis of this data to discuss behavioral patterns in open source supply chain management. For example, even 2 months after the disclosure of the log4j vulnerability, about 40% of Maven Central log4j download requests are still pulling vulnerable versions.

Sonatype also works closely with enterprises to help them manage their software supply chains, and we will share our observations regarding industry trends and challenges. Many of these observations are based on a survey of industry approaches to supply chain management that we have been conducting annually for the last three years.

This talk will pull together the above content into a presentation targeted at the HCSS community. The goals will be covering relevant background information, providing a summary of the state of the art with respect to industry tooling, and highlighting the open challenges that could benefit from further research and technology development.

Stephen Magill is Vice President of Product Innovation at Sonatype. He’s the former CEO of MuseDev, a software company acquired by Sonatype, and is dedicated to helping developers write their best code through code quality automation.Stephen is a world-recognized expert on program analysis and was previously a principal scientist at Galois. Among his other accomplishments, he earned his Ph.D and M.S in CS from Carnegie Melon and serves on the University of Tulsa Industry Advisory Board.