Supply Chain Software Security is a hot-button topic in the security and compliance domain of the open source software world. Specifically for end-user companies that are large, risk-averse, and depend on open source heavily. OSS projects, and the communities that surround them, are now compelled to adopt security best practices in order to position these projects as viable ones for commercial adoption.

OpenSearch is a perfect example of a popular open source project, backed by heavyweights, and in use by a large number of companies. Therefore, securing this project is of paramount importance for the community.

In this talk I intend to walk users through some security basics, while showcasing how to adopt them for OpenSearch. Some of the information will include scanning the repository, container images, dependency management, and deploying attestations, among others.