Secure-Dependencies Presentation by David A. Wheeler
Why It Matters
With modern applications relying on large, rapidly changing dependency graphs, Secure-Dependencies aims to make scalable, repeatable supply-chain due diligence practical, reducing deployment risk and enabling organizations to make better-informed dependency decisions. A community-developed tool under OpenSSF could standardize and accelerate security checks across the software ecosystem.
Summary
David A. Wheeler proposed a new open-source OpenSSF project called Secure-Dependencies to automate security due diligence for software dependencies using a hybrid approach: deterministic scripts to gather and preprocess data and AI to analyze risk indicators. He demonstrated a working prototype and outlined three top-level modes (adding new dependencies, updating existing ones, and auditing installed dependencies) supported by multiple analyses, with emphasis on sandboxing, sanitization, and countering attempts to subvert AI analysis. Wheeler stressed the need for multi-organization collaboration rather than a single-maintainer project and invited contributors to help evolve the prototype. The design goal is pragmatic risk reduction—not absolute guarantees—by scaling analysis and limiting AI to judgment tasks after deterministic preprocessing.