Yeah, thanks. My name is Dan Lorenc. I'm talking about securing the supply chain with open source. How many people were at Supply Chain Security Con yesterday? Quite a few people. Cool, so this is basically a little bit of a recap summary of that for today, so sorry for going over some old stuff again. I'm going to go kind of quick and then re-show the premiere of Operation SLSA, the video explaining how to secure the supply chain with the SLSA framework.

So I've been working in open source security for a while. This is a quick before-and-after picture. This is about when my profile pic was up to date: this is what I looked like at the start of the pandemic, when I started working on open source and supply chain security, and this is a little bit more accurate today. So this has been a long time, and the more you look and the more you worry about supply chain security, the more stuff you find. It's a pretty scary field today.

So I'm going to start out just by talking about open source. We've got some numbers here. I'm not going to get too far into it; this is an open source conference. How many people here commit to open source projects? OK, awesome. Pretty much everybody. Then I'm going to talk about some of the problems a little bit and then end with that exciting video.

So this is a couple of recent surveys from Sonatype, VentureBeat, and a bunch of other ones. 90 to 98% of all modern organizations are using open source. I think the other 2% are lying or confused or didn't understand the question they filled out. It's impossible to build software today without using open source in some way. The numbers are pretty shocking too, though. This isn't one or two things everyone is using: 135 software components on average, but depending on the framework, depending on the ecosystem, it's not uncommon to see this go out to the thousands and many thousands. If you've heard the word SBOM or that phrase thrown around a lot, it's about getting all this information tracked in one place.
And as you can see, the combinatorics and numbers start to blow up, so this becomes really important really fast. Open source is everywhere, and particularly cloud native, right? Cloud native is built on open source. All the cloud native tools, the landscape that everybody loves to see and watch and make fun of because it grows so much, that's all open source software, and it's amazing, the innovation that everyone is doing publicly.

But open source has been under attack over the last several years, right? So it's awesome that we've done all this in public, and now we need to take time to protect that public good together, particularly these last couple of years. Open source is often funded and worked on by maintainers that do this in their spare time. The Kubernetes release process itself is driven by a couple of individuals that do this as volunteers. And Kubernetes is one of the most active projects in the world, with hundreds of maintainers, but there's still only a few people turning the crank on the release process and actually making sure that the artifacts get out there securely. You're going to see this all over: the foundations are not strong at the bottom of most open source projects because we're just not paying attention to them.

At the same time as these funding issues and the burnout issues, everybody getting tired of responding to things on GitHub, it's becoming more important and more critical. You're starting to see open source supply chain attacks grow like crazy. A couple of surveys had a 430% increase in 2020. There was just another one with a 650% increase from Sonatype, and I think the EU predicted a 400% increase next year. So these are happening more and more often.

So time to turn it around, time to get motivational. What can we do to help? There are a bunch of different projects.
Kirsten just mentioned some great ones in this space, like Sigstore, Tekton Chains, the in-toto project, The Update Framework, all these things in the Linux Foundation and different open source foundations, and here in the CNCF as well. A lot of it is putting these pieces together. A lot of it is just taking this seriously and working together as an industry. Thinking about open source security, thinking about supply chain security, is the most important first step, because that's what led us here: people not thinking about it and not worrying about it.

So I have a couple of memes here kind of showing the issue. I have a few versions of this one, so I'll show them. Yeah, this is the reality of things today, right? We've been very comfortable for years building and deploying our modern, brand new, cloud native Kubernetes applications to these amazing, scalable infrastructures. But in a lot of cases, these things are getting built and deployed on Jenkins servers sitting on Mac Minis under somebody's desk. And that's the problem here. Your build system should be at least as secure as the environment that it's deploying things into. If there's one takeaway, it's treat your build system the same way you do your production environments.

Here's another version of it, a little bit more timely from this year and pulling back in the other supply chain metaphor. Yeah, the world's software supply chains, and one person, underpaid or not paid at all in a lot of these open source cases, trying to fix this on their own. And this is the real issue. We need to find those people and support them. We need to help them as an industry.

So along that theme is a new initiative called the SLSA framework, or SLSA.dev. And this is being developed by the Open Source Security Foundation, the OpenSSF, which is a sister foundation to the CNCF. And it defines a bunch of levels here, right? How can you get started taking these things seriously? How can you get started protecting your build system?
It defines levels from one all the way up to four. So if I worried you, if I scared you about open source security to start out here, the SLSA project is here to help. So let me switch over to that, and I will end with this awesome video, which you can find on YouTube and on Twitter. We'll end this up here. Should be good.

You all know why you're here. Software supply chains all over the world are being hacked, and we need to get to the bottom of it. Does everybody remember what SLSA is? Well, we don't have much salsa in Iowa. I expected more fair day. It's just a dip for chips, right? Come on, Picante, let's get serious. Let me remind you: SLSA is the Supply chain Levels for Software Artifacts. It's a framework that you can use to ensure the integrity of your software supply chain. It ranges from level one through level four, and as you go higher in level, the more secure your software supply chain becomes. Today, we're going to use SLSA to figure out why software supply chains all over the world are being breached, and we're going to use it to neutralize the threat. Agent Queso, the screen.

This is a big problem. As I'm sure you've noticed, supply chain attacks have been increasing in the past few months, and we've seen it in the mainstream news. Trillions of dollars have been lost, and that's why it is more important than ever to secure your software supply chain. Your supply chain consists of many steps, from building your code and testing it to deploying it to production, and you may be depending on different environments and using different services as well. That's why it's important to make sure that every step of the supply chain is secure. At every step, you are vulnerable to a different type of attack, and that is why you need to take different measures to make sure that your entire chain is safe. Does anybody have any questions? Good. Agent Queso, water. We're under attack. These supply chains aren't going to secure themselves. Let's go.
Yeah, so I want to thank Eric, especially, back here. He produced these videos. Give him a round of applause.