CybersecurityDevOpsEnterprise

Curating Secure Software: The Art of Selecting Safe Dependencies - Kadi McKean, ReversingLabs

OpenSSF
OpenSSFJun 1, 2026

Why It Matters

Because most applications rely heavily on third‑party packages, supply‑chain breaches that cross ecosystems and infiltrate CI can expose secrets and erode trust; organizations must strengthen vetting, provenance, and monitoring of direct and transitive dependencies to prevent operational and reputational damage.

Summary

Kadi (Katie) McKean, open source manager at ReversingLabs, framed selecting third-party dependencies as a curatorial process — start with clear requirements, assess acquisition and UX (how the code will be used), and evaluate impact. She warned that modern software is overwhelmingly composed of borrowed code and highlighted recent supply‑chain incidents (notably the Light LLM compromise that traversed npm to PyPI and infected CI pipelines) as examples of how malicious packages can exfiltrate secrets and propagate across ecosystems. McKean urged practitioners to go beyond CVE checks to consider tampering, provenance, signatures, secret exposure, and the risks posed by deep transitive dependency chains. She compared reputational and cultural fallout from compromised projects to the historical Isabella Stewart Gardner art heist to stress long‑term trust implications for maintainers and organizations.

Original Description

Curating Secure Software: The Art of Selecting Safe Dependencies - Kadi McKean, ReversingLabs
Imagine curating an art gallery—you wouldn’t hang just any painting on the wall. Each piece is carefully selected, verified for authenticity, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development.
Secure curation of open source isn’t about stifling creativity; it’s about ensuring that the dependencies we bring into our applications are secure, well-maintained, and reliable. As an art curator protects against forgeries and deterioration, developers must assess third-party components for malware, tampering, vulnerabilities, licensing risks, and long-term sustainability.
This talk will explore why curation is the foundation of secure software supply chains. We’ll discuss practical strategies for evaluating dependencies, maintaining a trusted repository, and leveraging free tools to automate the process. By adopting a safe curation mindset, developers can sleep better at night, knowing their applications rest on a foundation of safe, high-quality components.

Comments

Want to join the conversation?

Loading comments...