Production, Consumption, and the Data: The Open Source Security Sandwich
CVE/FIRST VulnCon 2025 · Main Stage
In his VulnCon presentation, "Production, Consumption, and the Data: The Open Source Security Sandwich," Mike Lieberman, Co-founder and CTO of Kusari, dissected the pervasive and increasingly complex challenges of securing the modern software supply chain. Lieberman, a prominent figure in the open-source security community and a maintainer of critical projects such as **GUAC** and **SLSA**, framed the current state of software security as a "dumpster fire," characterized by a relentless stream of vulnerabilities and by sophisticated attacks such as the **XZ Utils backdoor** and **SolarWinds**. The talk aimed to demystify software supply chain security, defining it as securing both the production and the consumption of software across the entire **Software Development Lifecycle (SDLC)**.
AI review
Lieberman knows this space cold — he's literally maintaining the tools he's demoing, which gives him more credibility than most supply chain speakers. The 'Open Source Security Sandwich' framework is a reasonable pedagogical device for VulnCon's audience, and the GUAC walkthrough shows genuine depth on a project that matters. The problem is that nothing here advances the conversation for anyone already living in this space. If you've read the OpenSSF working group docs, attended previous supply chain talks, or looked at the GUAC GitHub, this is largely review. It's a competent survey talk…