Strength, trust, and harmony: the challenges and opportunities of software supply chain security

Trevor Rosen, Head of Product Security, GitHub

As we think about enhancing software supply chain security, what does the landscape of threats and opportunities look like? What are useful ways for framing the problem, and how does the industry view the challenge? Where do responsibilities lie? Who has the power to make positive changes or to act with malice? And most importantly, what are the roles and responsibilities of industry, academia, government, and the open source community at large?

In this keynote, industry veteran Trevor Rosen will offer some answers to these questions, born of his time at the center of the SolarWinds/SUNBURST breach and his experience in standing up a new supply chain integrity practice at GitHub. You can expect to hear some war stories and some strong opinions, and to walk away inspired to join hands with colleagues from all over the technical landscape to solve a huge (but tractable!) problem in information security.


Trevor Rosen is a Staff Engineering Manager at GitHub, where his team focuses on improving supply chain integrity in product offerings and the open source ecosystem. He has extensive experience in DevOps and practical information security, with a particular focus on microservices, CI/CD and the security of distributed/cloud-native systems. A veteran of the SolarWinds SUNBURST attack, as well as tech lead on the subsequent response, Trevor is a frequent speaker at supply chain security conferences and a member of the Technical Steering Committee for the OpenSSF’s popular code signing project, sigstore. He lives in Austin, Texas with his family and too many guitars.