14:55
-
15:15
-
15:15
Day 1
Erlang/OTP’s journey toward CRA compliance
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical applications as well as loved by a broad community of open source developers. With the advent of the Cyber Resilience Act (CRA), the Erlang/OTP team, jointly with the <a href="https://erlef.org/">Erlang Ecosystem Foundation</a> (EEF), began to prepare the project to meet CRA requirements.
In this presentation, Kiko will describe and dive into the various supply chain best practices implemented by the Erlang/OTP project: the creation of Source Software Bill-of-Materials (Source SBOMs), automated vulnerability scanning of dependencies using <a href="https://osv.dev/">OSV</a>, creation of <a href="https://github.com/openvex/spec">OpenVEX statements</a>, vulnerability handling in collaboration with the <a href="https://cna.erlef.org/">EEF as CNA</a>, and contributions to towards other open source projects [[1],[2],[3]] to improve the security posture of the ecosystem. Moreover, Kiko will provide an insight into the lessons learned from implementing these measures in an open source project.</p>