CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

Expert Panel: Imagine a world where software supply chain security is solved - CdeSecDays

Panel discussion with experts from Snyk, GitGuardian, Doppler, and Chainguard, moderated by Rachel Stephens from RedMonk. Imagine a world where software supply chain security challenges are solved, no vulnerabilities in open-source software, and effortless secrets management.

Video Transcript

I'm I'm so delighted to be with you all at code SEC days I think that this is a really fun event although I'm very Broad in its Ambitions the the idea of just security at large itself is is its own thing but then to imagine Security in a world in which there are no security problems this is this is a fantasy world but I'm excited to be part of the panel that is going to be moderating just kind of kind of talking about this exercise of what would it be like if we could eliminate some of these pain points that we have today and can we envision as an industry like where do we need to be going and start to get ourselves just a little bit closer to that Utopia and we have with us a really heavy hitting group I'm excited to be with this panel I think it's going to be great um we have part of our panel has joined now we have a couple of our people who are popping in so if everyone in the panel can go ahead and join that would be excellent um and we'll start doing introductions um as we go so today we have with us Eddie's and open source security or open source software um at chain guard we have Kaiser daher he's a lead security engineer at get Guardian we have Nick manganui no it's like manugion I'm so sorry Nick um and he is a senior software engineer at Doppler and I also have Sonia Sonia moiset who's a senior security Advocate at speak um I'm gonna yeah Nick if you can get in that'd be great we'll we'll start um with intros on the other people so um we could okay uh everyone's feeling good on audio visuals okay all right so Eddie do you want to um start and kick us off with just a quick intro who you are what you do who you do it for just just give us a quick way of the land on um where you're at yeah you can hear me okay sure can awesome yeah so hi I'm Eddie sanewski uh I'm a Staff open source engineer at a company called chain guard where we do software supply chain security uh I'm a maintainer for the kubernetes project where I work on Cube control customized all the CLI tooling and some of the build and test infrastructure and I also work on Sig store uh so super stoked to be here I'm delighted to have you uh Sonia would you please introduce yourself sure hi everyone I'm Cindy moisse I'm a senior security Advocate at Sneaker we make sure that developers do code securely um and passionate by uh open source Cloud security and devsecups and really stoked to be here as well wonderful Nick could you do you have audio you're good yep rocking and rolling thank you wonderful Nick can you please give us a quick intro to you and to Doppler absolutely I'm Nick Manoogian I'm a senior software engineer at Doppler uh we're focused on secret Ops uh which is everything from Storage to orchestration of Secrets wonderful and yeah pleased to meet you to see you all today uh I am Kaiser I am a security engineer here at goodguardian and um basically I am full on an automation Guru my job is to automate everything security here at the company uh I'm hoping I can share a bit of my insight with you today wonderful and then I realized I'd tell for I didn't without introducing myself everyone hi I'm Rachel Steven I work at monthly focus on helping um the industry at large and our clients in particular understanding kind of Technology adoption Trends particularly from the perspective of the practitioner so what is it that people with their hands on the keyboards using prefer things like that so definitely um care a lot about all of the things in in and around security and so excited to chat with you all but I wanted to start the conversation today talking a little bit more about what it means to um to kind of think about what are challenges and obstacles are like if we want to get to this utopian world of like things are not constantly insecure we're not constantly firefighting security battles like what are the most significant challenges and obstacles that we need to overcome now and start to address to make progress towards solving this supply chain security issue so would you kick us off on that one sure I think one of the most crucial challenge that is uh Bridging the developments and security silos like those two two teams are acting as a silos in in some organizations so uh historically the development of security teams have been operated in separate spheres which would lead to a lack of collaboration and understanding from each other so I think to to make progress we need to Foster that um culture of shared responsibilities and collaboration between both teams and the development team also should be educated on security coding practices whilst creatine uh need to understand the development process so we have that constant feedback loop between both the theme and also make sure to integrate security seamlessly into its uh and think by breaking down those silos we can improve communication enhance security awareness that's that's the objective and also creates make sure to create more secure software Supply chains I think that makes sense one of the things that we've seen at Red Monk and one of the things I've written about in the past is the importance of kind of making the right thing the default thing so we talked about the phrase we used was um that developer experience of using the software is actually a key component of the security of the software developer experience is security because you want your developers to be able to easily be secure and I feel like that ties into what you're saying here in terms of education is important helping Empower developers but it's also about making it so the developers workflows are seamlessly secure and I think all of those things tie together um Eddie do you want to chime in here yeah I think so one of the biggest things that we've seen is that companies just don't know what's running in their stack in terms of their dependencies and what that sprawl looks like so we heard for during like the whole log for Shell testimony before Congress uh one of the companies there said that it took them like two weeks to come up with a plan to figure out what was impacted that wasn't two weeks fixing things that were broken it was two weeks to figure out what do we need to fix and I think like that's one of the hardest things we're selling right now because any Dev team you know different companies have different open source policies for what libraries you can use but I can just go reach off the shelf on GitHub and grab a library that does God knows what all maintained by who knows what all and yeah it's just it's without knowing what we are using there's no knowledge of like what we need to fix there so yeah a lot of fine blind Nick anything that you'd like to contribute to anyone else yeah I'd love to chat in with a huge plus one on um on making things easier for the developer I mean we go and we hire smart people who are good with computers right if you put something in their way they're going to find a way to work around it um so you know if you've got a tool that is useful to the you know for a developer and and also a plus one on training developers on security that's something that we've been really big at at Doppler all of our Engineers have at least you know a base understanding of why we're why we're worried about the things that we're worried about what the impacts might be and our security team also understands that like the job's got to get done on the development side so it's a you know it does not need to be a you know a rivalry it can be a symbiotic relationship yeah definitely breaking down those status uh Sonia Nick I'm curious when you're saying training is is this going into like third-party tools is this something that you've built in-house like what is your the training that's effective look like in your organizations I would say for Developers for them to to make sense that you have a customized training on the the vulnerability so um let's say if we know the the standards for example vr's top 10 lists uh we shouldn't just drop the um the top 10 list to developers we should actually put context around that what are for example the top three vulnerabilities within your organization and make sure that you have that customized training around that so just to make sure that you bit what you always put context for developers to better understand the uh the impact that it could have within their organization and also support that real with the real life examples uh so we're talking about lock for shell and others that that we've now for example Sarah wins or could cough with the different tools that we could have within our CISD pipeline within our code base just to put that context is really important for developer always to get the the why we're doing this yeah same here a focus on your stack right like there's a lot of stuff in the OS list that it's not completely relevant in react um but there are other other things that you need to be worried about in react react um so so having a like a photo you can't just drop a like a learning module on your developers and be like okay I've done it right uh it needs to be focused needs to be thoughtful um also having open conversations uh we've got like you know our security Channel and slack where folks are dropping links and like hey you know is this relevant for us and no and here's why and and here's what we should be worried about or yes and you know we should be looking into this so having like honest real conversations about security uh We've also done a handful of like uh Security office hours where security folks will kind of hang out and just answer questions everything from like corporate security to application security um like having real conversations with with a security team and the security teams love to talk about the stuff right um like they love to get in deep and talk about it so like you've got experts on the team and you've got people who who want to learn so Nick and Sonia were speaking about engaging with people and actually having conversations and um my experience has been that you know usually security trainings are unfortunately sometimes um quite far off the Mark um you know talking about let's take a very simple example we're going to speak about the HP security when your company does Java or whatever else that that's quite unfortunate um what we want to do as Security leaders obviously is to you know raise awareness Etc but what we really want is that the people we are working with the developers the engineers we want them to care we don't really want them we don't want to teach them their job they are much better at it than we are that's obvious and at least I hope it is we want them to care we want to engage them we want to show them how you know how things can go wrong and uh the impact of that so yeah I really I am deeply convinced that in any security training session you know the actual code is probably secondary it's not the most important part the most important part is building a connection with these folks and getting them to care just like we do about the security of their own products and that's much easier said than done obviously for sure it's definitely it's such a combination of the culture and the processes and the tools that you're using and all of these things feed one another in terms of how you can holistically start to think about security but let's maybe spend a little bit of time on that tools from though because I think one of the things that the industry struggles with is a fragmentation of our Security Solutions and it's a fragmentation of who's in charge of at least sometimes to have a security team that's in charge of things and we have the developer team and they're not always working together so we talked about those titles but I also think that one of the things that we are all struggling with is we have just this swath of tools that are handling different components of security across our supply chain and how can we start to make kind of rationalize that think about how to think about that and I I would just love thoughts there Kaiser could you kick us off and how do you all think about this yes of course right so um you just said that security holding is fragmented I I totally understand why you say that but in my experience honestly I kind of feel that security is just as fragmented as I don't know pipeline tooling as data analysis to link or any other types of tooling and yeah an issue per se you know if you if you want to build a shelf or you know an Ikea an IKEA bed or whatever you will need um a hammer you will need a screwdriver whatever and these tools well they're fragmented of course they are they tools they just do the job you want them to do and it's up to us you know the engineers the people who actually know to to make these tools come together to build something great right and in my perspective it's the same thing with with security tooling um you know we we have expertise we paid a lot of money to actually understand these tools and to prove you know extract maximum value out of them the um the the how do you say that the real kicker you know the real challenge for us as security people is to find the right tool for our gonna organization and then making sure that we have you know the best um workflows and the best automations possible to get the findings of these tools to the people who can fix these findings to me that's really the bigger issue and again I do not have a silver bullet I do not have an answer to you know how to make tools less fragmented but I do believe that um triage is very important as early as possible and if all triage fails within the tool then sub to the security team to actually do that work manually which is again unfortunate but yeah I do believe that you know making alerts more uh more actionable making them usable for other users and triaging them and giving them the right teams is extremely important gotcha and I definitely agree fragmentation is an issue all over the place but anyone else anyone else agree disagree with what Kaiser is saying here or anything you'd like to chime in I have a bit of a cynical take on this one I I attend a lot of events and a lot of conferences and I mean over the past year I've seen companies that you would never think of would be in the software supply chain security space like have that on their Booth or their marketing material and it honestly it feels like a lot of people are selling a check box when a lot of these tools that are popping up uh you know we have regulations new like executive orders and it's there's no Silver Bullet for dealing with this problem like it is a fragmented ecosystem um but it's it's becoming more and more like people are trying to offer a check box and we've heard from customers that you know they they paid for expensive cool fancy vulnerability scanners and they get mad at the results and they just stop running them because they don't like the results because it's not something that they can fix but that's just one example it does happen very often to you know to install tools um pay hundreds of thousands of dollars for them and then just throw them off because well you don't know how to act upon the alerts and this is a real issue this is why we've spoken before about the importance of free art and making alerts actionable foreign yes I do agree on the remediation uh and um fixed bits that you should have in the uh in the alerts uh also I'd say that it's important to have the developers also uh within this onboarding uh process because we don't want to have the security team just dropping a tool at the end of the day and this this is the new shiny tool just use it now um not understanding the embarking process the documentation is it easy to use doesn't make sense to have it within our pipeline uh does it suit our workflow uh does it actually cover a tick stack and the uh the package manager that we're using so all of those it's important you have the developers from scratch from the start of the process just to have those discussions so it doesn't come as a surprise but also uh just to see the the results so if you're doing a proof of concept to see if there's a lot of false positive uh how you get the the feedback from from the tool so having that boring process um and for the um do you agree with uh all that has been said on the um this different tools this is is also a problem that we have for different like from monitoring for learning that we've seen this in in software engineering but I would say which is important is to have automated process um so if you're implementing the tools within the the developer Pipeline and not creating another uh pipeline is to have those automated process um so it's also um doesn't put the the weight on the developers to actually add some more on their plates uh so yeah having the Automation and orchestration piece is really important as well to leverage this from the Developers gotcha now I think this is a great conversation and it leads into some follow-up questions here especially in and around what Eddie was talking about around some organizations um being perceived as selling a check box and kind of having this bolted on add-ins that may or may not make sense for various organizations to adopt so I'd love to me to talk about the role that we think we as in like the industry broadly and kind of how should we be collaborating together in open source projects how should we be thinking about Partnerships how can we be coming together as a community to address some of these challenges without kind of having this like menagerie of vendors kind of doing one-off Solutions and so Eddie could you maybe kick us off I'm like we got your cynical thing but like what is what is the path forward take yeah we're we're big fans of like open communities and standards obviously you know we work heavily on six door we work with the open source security Foundation um the standards approach is it's really interesting to me having been from the I've worked at Starbucks my whole life and you know in the whole of shipping things in open source and pushing communities forward and so now we're in this space where we have a uh here at you know at the company I work for chain guard we have a bunch of you know open source hackers who have been battle tested securing open source and building tools and a lot of ex-googlers and it's it's really interesting right now starting to engage with some of the more formal standards bodies uh because they move very slow and I'm sure there's you know there's reasons for moving slow to make sure you get things right but you know we're trying to change the wheels on an airplane that's flying really fast and has to land and it's it's just it's been eye-opening for me to kind of like the four the four folks who've you know come up with standards of how the internet works it's it's amazing but that took place over a pretty long period of time and we're trying to you know we want to push these communities forward but I feel like we we still need to accelerate the the growth and Adoption of a lot of these things and it's we've ruffled some feathers which is interesting and uh yeah I I still think that like open in standards is the way forward but I think we need to like find a balance of you know being able to do things like this but in a reasonable timeline that people can start using and fixing things now if anyone in agree disagree that's a super interesting take I think it's it's super important um in the in the time it takes for a slow standard to get implemented by a large body you've got companies that are trying to move fast right and they're going to do something else in the meantime so now they've got to do both and now they're going to prioritize doing both versus like if they could start from the same you know from the same launching off point so a big huge plus one for me on standardization but it definitely is easier said than done as you as you mentioned especially when you're trying to get competitors to work together to build something um it's uh tricky um particularly it's not quite on the supply chain side of things but um you know we're we're in the business of rotating Secrets automatically and there's not a lot of apis for rotating Secrets right like you know there's a most Services have like they off and then you do the things with the services like there's no higher order API so we're kind of begging vendors like hey can you make us API please so that we can rotate your keys it seems like a silly thing to ask like I want to rotate a key with a key um but it's critically important for our users right um and like having standards in this space uh you know and in all these spaces is it's challenging to get the everyone aligned in the same direction so agree big agree yeah but you just had Nick that you know it's very hard to get people aligned in the same direction and get them to work together well I suppose Ellie's got plenty to say about the kubernetes project you know kubernetes is a collaboration between all the major players in the game and you know it works it's thriving the community is huge um the all the work that's going on in there is fantastic so I get your point and it's absolutely correct that you know it's extremely hard to get smaller players or maybe larger players as well to to you know work together and it makes sense but we can do it and kubernetes proves that and you know from my perspective as a security leader is extremely important for me at least that you know the people around me at the company are good Guardian you know they use standard tools that we um you know in the engineering team the core engineering team provide them because I have seen other organizations struggle uh very very very very very hard with you know fragmented tools as we've said before uh you know people who deploy this way people who Deploy on kubernetes people who Deploy on VMS people who Deploy on Heroku and then you know me as a security specialist I have to go in there and get these people to like ensure backups ensure logging is done properly enjoy I don't know all the security things that we must ensure we have and it's extremely hard you know that's that job that is a job I do not want to do I would much rather have you know one standard product offering call it what you will that I can improve that I can tweak that I can you know work on and you know have all the other teams in the company use that product and in that way you know anything I do gets multiplied the effects get multiplied times a hundred times a thousand uh because it's it's it's well standardized basically now I've been speaking about the organizational level but I suppose that hopefully uh we as an industry can maybe push um in that direction and get people get organizations to agree on some fundamental principles maybe like kubernetes maybe it's like some other things um as you said Nick with a standard API for secret relation you know that would be absolutely amazing at least for me again as security engineer I give Guardian but you know these things would be absolutely great but I in these Con in that kind of context sorry I do believe that it's important to have some sort of bodies that are non-commercial you know the the owas foundation is not commercial these these types of organizations these are the ones that really Drive standardization that drive the industry forward and personally I believe that all other commercial organic commercial organizations should contribute to these um you know bodies and help them move forward and actually comply with what these bodies suggest yeah it's I like to compare and think about how kind of policy gets done in in the US right so I I live in Denver Colorado and Denver Colorado was the first place to legalize the first state to legalize weed in the U.S right and you've seen other states start to legalize it and we're moving towards like you know the federal government's taking a look at whether or not to do it and uh this past election Colorado voted to legalize magic mushrooms right so like far steps ahead of like where the go like the government hasn't even addressed the the marijuana piece yet and the states are already pushing forward like other types of stuff and I'm not just a giant drug or pothead talking about this but it's it's interesting to look at it at that lens where you have the the independent companies or the independent like um the smaller bodies of standards that are working towards building things in the open and then they slowly wrap up into getting into you know a more formalized standard and um it's the tricky part there winds up being what when do you as an organization feel comfortable to start adopting these things right like cool like six stores gaining traction uh when are you as an organization going to decide yes I want to sign all my things internally with Sig store or adopt six store signatures and you know that's just one example but it's there's that time period that the timeline is it's felt like it's been longer and I'm not sure how to get that shorter I I knew that I said we were talking about a utopian world but I was not expecting magic mushrooms to come up in our panel today so that's that's an exciting bonus for everybody right anything else here that we want to talk about about standardizing either internally within your org or just industry-wide yeah just to go back on the on the process uh before the implementation um I think also this this kind of events today that we have is is great to have to kick off those discussions um so in terms of lecturing knowledge and best practices to have collaboration between uh Enterprise that you share their their experience uh because we do have a lot of experience with the uh the customers so we can talk about that uh that feedback so having this joint research and development with uh like also leveraging for example the the open ssf or also leveraging organizations like like OAS to also push those uh those guidelines and intenders to give us to give that feedback is is also good one more thing also is to support and contribute to Open Source Products so not only contributing by code but also supporting financially uh some of the open service projects also just to show that that standardizations that uh we want to uh to go through but this is the process ideally the implementation is uh and the timeline is a difference uh it's a different issue as well that we've discussed yeah gotcha so so I think I think one of the things that has kind of come out as a theme is like the you have this idea of what could ideally happen and then the reality of timelines of various tools various people various organizations what are some realistic steps that organizations can start take start taking now to start improving their security posture it's just open to anybody anyone who wants to chime in I'll kick it off uh hire security people early on in the companies uh in the company's life if possible at all that really does change things and also it it proves that management you know organization itself understands the risks involved and is willing to put in the effort and the money as well to fix things but you know if I'm if I try to be a bit more serious than that um one one way to actually get started on improving your supply chain Security in my opinion is having your own repository artif artifact repository where you you know basically run scans and ensure that everything in there is well done and secure you do not have to you know start big you can start small you can say okay if I use Python packages I'm going to start with um a really good python registry setup and have outside packages copied in there you know like mirrored in there and then scan for any security issues and have some sort of policy pool policy you know if this package has a 10 over 10 cbss score then it's not allowed to be pulled for example it's enough stuff like that it's not small as always and then build on that you can do that full python packages you can do it for Docker images you can do it for many other things you know we I mean we agree Guardian uh talk all the time about shifting left shifting security left you know this is um another way of Shifting security left um in the supply chain uh space obviously when you write code when a developer writes code we must scan that code and ensure that everything is done well of course but that does not apply always to the open source libraries and packages that we use and I think that can be a way of Shifting security left within that space yeah we'll add on that to continue on what you said Kaiser is to to implement those um within if you think it's it's too big of a task for your company try with one or two teams just to show how it works and use it as a good example to actually expand it to to the other teams um yeah this could be a good starting point for for companies because if you think you have like hundreds of Team might be able to start um to start somewhere so having like a few teams to just demonstrate that this is working yeah the going back to the like what I said earlier about the dependencies and knowing what you're using like starting to take inventory is great to do right tools like backstage let you catalog your infrastructure just kind of like having a higher level view uh you know there's software bill of materials s-bombs that are becoming more prevalent people still don't quite know what to do with them when you have them I think it's important to still be generating them because it gives you a nice receipt of like what you're running in production uh my co-workers that used to work at Google tell me they had the magic ability to take any given commit and find what artifacts running in production contain that commit and in the current built artifact and that's that's magical right like that's the place that most of our orgs dream of getting to uh but like yeah starting just by taking inventory now I think is a great first step The Trusted artifact repository for sure um yeah it's we what we've been doing isn't working and it's crazy when you think about the like open source dependencies going back because most developers like in the back of their head always thought like oh maybe this package I'm downloading from npm could be a problem one day you never assume that that day is going to come oh that day's here that they came very quickly and you know solarwinds got a wake-up call along with the whole industry right like that that's what we wound up with so it was a possibility and now it's a starch reality that we really need to start handling so yeah knowing what you're running I think is a big important step uh I would just say on the Secret side of things um we're definitely thinking about the dependencies in our apps and the apps that our customers use and what what is the effect if there is a compromise dependency right like what like having a plan of what is realistically going to happen to you if uh you know you've got a dependency that's that's broke how easy would it be for that to grab all your secrets right if you're injecting as environment variables is it just as easy as serializing your your process.m and flipping that off to a server like if so are there are there better ways should you be mounting a file or maybe like a temporary file that can only be read once like thinking about what could what the actual risks are and then having a plan to remediate right um you know if you if you can detect that you had a secret leaked um then uh and these like Canary Secrets this this is this idea of like you know being able to identify that that there was a leak is is a thing in and of itself but having a rotation strategy of how quickly can you manage to to rotate all of your secrets um a lot of orgs don't know how long that would actually take like if you took all of all the secrets running a production and you leaked them all today how long would it take you to get them all rotated um chances are it's like a matter of weeks or months um depending on the size of your org and that is like a that's a tough not to crack there you know what I mean like that that's a really long time for for secrets to be out in the wild um so like I I am not on this on the side of how can we prevent these things but I I am definitely thinking about it and I'm definitely thinking about what happens after the fact yeah you like that I am gonna not say so we had a question coming that I'm gonna um kind of squeeze in here because I think it fits in while we're kind of we're talking about what are practical things we can do and this question came in earlier when we're kind of talking about the culture of breaking down silos between developer teams and security teams and um one of these Anonymous user questions asked like what are the best practices here for bonding these teams and how can we Foster better communication in terms of like practical steps or starting steps like does has anyone have any thoughts or experiences that have shown how you can start to have this process kick off um I think to also to make it fun for developers uh it's probably to use gamification uh this could be also one way to incentivize developers to learn a bit more about security uh so there's one side where there's the upskilling so you have like more skills on the security uh security um side which is which is good because you're actually learning new things that could be valuable on your on your resume but having a gamified um aspects for the developers to to learn more so for example you have um hackathons or competition like a back bash competition where you actually fix the security availabilities that you have um in in the Sprint for example because we do know that developers don't really have time to fix it's it usually ends at the at the back of their their backlog so having those uh punctual events just to drive that awareness uh and also Drive fixes radiation within the the company that could potentially be something and um I don't know if it's like the the teams that actually managed to fix a lot of vulnerabilities and get prices uh um to fly to conferences or or swag or this kind of things just you incentivize also make you feel a bit more meaningful I think one of the most impactful things I've seen is showing the why behind a lot of stuff right so I I went to a workshop once where they kind of just demonstrated you know very basic owasp uh you know level one security issues like SQL injection or you know basic cookie stealing or something like that and and it's like once you see how easy some of these things to pull off with just like you know very easy to make them developer mistakes it's like oh wow this is yeah this is actually a big deal and really easy so I I think I've heard orgs that do that with their security team and their engineering team if like an engineer tries to ship something vulnerable if the security team can show an example of like hey like we want to educate you here we want to build this relationship like here's what you've done here's how easy it is for us to exploit and I think that that like you know it breaks down the you know the the the view between the different teams right and it's just like look like this is we're all working together to solve this problem and yeah yeah sorry yeah thanks Nick definitely agree with Eddie um one way we try to you know like extend Olive branches here at your garden between the security team and the other developer teams is yeah like not be so serious let's make fun of ourselves because you know everybody has incidents in production uh developers you know they can't take down um a website's availability they can put in bugs but we as well at the security team you know uh are totally uh capable of messing things up and that does happen and in all these security trainings that we do here at git guardian we um take like 10 to 15 minutes to speak about all the incidents that we've done that we've created within the company uh just to be you know to make people at ease with the concept that you know accidents do happen and why it's important to fix them and then the second part of our training is focusing on all the security incidents that have happened uh at kidcarten during the last six months one day when if and when there are obviously but also look at the um the more known security incidents out there in the industry um The Uber incident was quite a big one for us because it was uh you know it had secret leaks in it and this is what caused the large compromise so yeah it's very important for developers to understand that that the security team is not this you know uh Big Brother watching them all the time you know we just Engineers just like you trying to make it work and it's very important for you the developer to understand what we do why we do it and it's extremely important for us as well to understand why you know you don't have time for bug fixes or security fixes so like just speaking to people being humble and you know some sometimes self-deprecating humor goes a long way to establish that relationship I like it like it all right so so we've had a lot of kind of references to various emerging Trends and Technologies we've kind of thrown out s-bama and sing store and salsa things like that can we maybe spend a little bit of time talking to people maybe a little bit more in terms of what these are especially sixth door and salsa just to make sure people understand what those are and maybe just give people a sense of what kinds of things are potentially coming at them so we're saying you can take some First Steps but what what are some future things that people should be thinking about on the technology front that are likely coming their way I'm thinking of all the newly code generated by artificial intelligence I know this sounds like a buzzword these days it's a big topic but we've seen it more and more used by developers which is great because this is actually helping them in their in their workflow they can also learn and leverage that that power but thing is we need to keep in mind that also that code generated by AI might potentially also influence vulnerabilities the same as the code that we're actually writing within an organization so it's important also to apply the same tool center workflow in terms of security to scan that generated code to make sure that it's free from security vulnerability so we also need to make sure that the models were strained at it's it's not using insecure codes and also that the rcisd pipeline also have this tool set to make sure that we're not bringing more insecure code within our our code base I know this is password and it's uh yeah it's a little bit it's a good topic though one of the things I've been thinking about on the AI front is how so many people prefer to it's easier to be the one who's written the code rather than the one who's doing the code review a lot of the time like reading other people's code is a lot harder than writing your own code and are we getting into a world in which like we really need to be training and thinking about like the ability to assess the code that is written by your colleagues but also like these AI pools and like what is it doing is this like I I think that's going to flip um some ways that we are thinking about what what the skills needed to be a good coder um are and I I'm interested to watch that emerge um Eddie could you talk to us a little bit about Sig store yeah so six store is a uh open source security Foundation project which is under the Linux foundation for signing and verifying software artifacts so the idea is that you know we've been using gpg keys for years to sign our software releases so you can verify that what you're downloading or installing is what you're expecting given that the person uh created it that you trust the person who created it and signed it what we've found is that developers hate managing keys and no one knows how to do it correctly and it's very difficult even if you're the most senior engineer um you know when was the last time you rotated your your gpg or security key and so what Sig store really does and brings to the table is it swaps out those those long-lived keys for kind of ephemeral Secrets tied to an identity and so you can do something like in a GitHub action pipeline run there's a oidc openid connect token that's injected into every CI run that runs on GitHub you can take that token trade that for a GitHub I mean a Sig store signing certificate and that certificate will contain Fields like the action a number that ran the commit Shaw the repo a whole bunch of Providence data about that and so now you've gone from um this you know key that was created on a developer's laptop and thrown in a vault years ago to every time I want to sign something I trade out my machine identity for a signing certificate and sign something that has attestation about it so that's really like the big push behind Sig store there's the whole transparency log piece which every everything that gets signed can go into the transparency log so you can look it up and verify that way but that's really the problem that six store is trying to solve is is managing Keys is hard and we don't want developers to have to think about the keys I trust a like the kubernetes project we switched to using Sig sort to sign all of our releases and I would much rather trust a release signed by production at kubernetes dot IO then some key that was generated two years ago right makes good sense I'm just keeping an eye on the time so I'm going to wrap us up with one final question and the final question is really just going to be kind of opening up in terms of technology advancements cultural ships anything like if you're trying to um leave the audience with kind of final thoughts on what's necessary to drive progress in our software supply chain security either kind of small immediate steps big Grand steps like just your final thoughts on where we need to be going um and I would just love to love to close with that foreign I'm really excited to see more identity off um we're kind of seeing more of that like not just in the security space but just for like standard application to application interfaces right like portable credentials are King right now still for you know all the things that your app needs to integrate with rotation is kind of like a way of making that a little bit better right like the it reduces the surface area but only to the period that you're rotating for right um if you're authenticating with your identity there's really no spooking that um and and it's there there is something to rotate effectively right like there's a key and like in GitHub action somewhere but that's not our that's not ours to manage uh which is kind of nice um so that's a trend that I'm really excited about but in the places that we can't um more automated rotation uh and and support for like a dynamic secret you know sort of like a short hyper short-lived uh credential issuance those Trends I'm really excited to see more of wonderful yeah I definitely agree with Nick I mean the secret tradition is extremely important um it's also extremely hard to implement in a diverse infrastructure stack and this is where platform engineering comes in in my opinion you know the EBC and CF white paper platforms white paper is absolutely brilliant um in my opinion as a security engineer um you know platform engineering is a security measure because uh of standardization because of the ability to include small changes into that platform product that has a huge multiplier effect onto the entire organization's products and services so yeah I'm really excited for the platform engineering but it's not something that you can Implement by you know by snapping your fingers it's it's a it's a long organizational restructure of everything around your services and your people so it's not easy but I think it's worth the effort yeah I'd like to to echo on what case RSL is um yeah the importance of having TM bad security practices and Automation in the development process platform engineering can potentially be they want to actually push it on this the C drive progress on on that side just making sure that security is an equal part of the development workflow so yeah awesome yeah a big plus one to the machine identity piece I I actually gave a talk on this at uh open source Summit if you just Google oidc in my name you'll probably find it on YouTube uh but the the machine identity piece is critical just getting rid of keys and secrets for individual developers and why would I want to provision a long-lived cloud certificate that is the heart of my business and stick it in GitHub I trust GitHub I'd rather them not have a long-lived key to my castle uh and then funding for open source developers and maintainers is like a P0 right like we like we've talked about how the kubernetes project is is pushing things forward and staffed and the reality is that like kubernetes needs contributors right like we we are seeing contributors fall off the Old Guard is getting tired and burnt out and there aren't new people to take their places so this is echoing true for a lot of other open source projects and there's a a very famous XKCD which I don't have a link to but it's like the huge Hadron Collider and then like the tiny little pillar here and the arrow says like tiny open source Library maintained by somebody in like Oklahoma or something right and and that's the reality so we need talk to your representatives talk to your your government uh any kind of funding we can get for open source and open source maintainers is a huge necessity foreign well thank you all so much for your time today I really appreciate all of the perspectives and wisdom that you shared with us and it was my pleasure to be part of the code sectors and I appreciate all of you