I'm so happy to see so many of you here. I was already afraid that there would be the crickets sound thing. I'm worse CIPAT, and my topic today will be the software supply chain, or actually the risks with the software supply chain and some of the ideas that we have today on how to avoid that risk. One of the things I want to start with is something from our marketing department: if you want to win some AirPods, you can listen to my presentation, maybe get the answer to this question, and compete on the SurveyMonkey. So I will give you a chance to open the page, but the question is really easy and it will be on one of the slides. Maybe I will even say "hint" when it comes up.

Okay, so let's start. I usually tend to bring the listeners to the point of acknowledging that everything today is run by technology, right? Maybe you noticed I was born in the age of CRT TVs and phones where you had to dial by turning the dial. One thing that was interesting at that time is that we could still remember phone numbers. Today we don't do this; today everything is stored in the big PCs that we carry in our pockets, because these PCs, or smartphones, are even better than what we had 10 or 20 years ago in our computers or laptops. One point of this technology that is running our lives today is that it all runs on software, so the ground module of it is software, and we have many good developers that are focusing on this to bring us the greatest and best functionality, so that the usability is the best of the best. However, we many times see that the software they are dealing with, the software they are giving us, is often complex; the complexity of it all, getting the hang of it all, is sometimes quite challenging. We then try to get over these challenges by telling the developers: hey, you will now be the security expert, you are the shift-left guy, and we will give you all the tools that are there in the world.
We will buy the whole portfolio of what is on the market, and with those tools you will succeed in bringing security into the source. But it does not work like that, right? So one thing to make clear: I'm also a developer. Developers don't focus on security; in the main, we focus on functionality. We focus on the software working, that it runs, that our users are satisfied with it. However, the problem is still how to make secure software. We can teach developers how to do this, but often this is not the case; often we just throw tools at them and expect them to bring us not only good software but also secure software. If we look at what is happening in the world, there are many problems that start happening: we get many problematic attacks, malware that is then misusing the points where the developers just did not have a view on what the problem is. But why is this? I mentioned tools all the time; there has to be a way to avoid all those risks. But when you see the landscape of it all, you can agree with me that it's not that simple anymore. Whoever was maybe in development 20 years ago knows that we were doing waterfall: you were developing for one year and then releasing software, and still it was not good, and then you had to spend one year more to fix all the bugs and everything. But still we had challenges. However, today the developers have many more challenges. They have to focus on different platforms; they have to develop for mobile, for web, for laptops, for Macs.
They have to be everywhere at the top of their game. They have to be always online; previously we were in guarded networks, now everything is online. And now they have to make sure that the sources, the software that they provide or the software you use, are secure. We tend to take open source to help our software development, and open source is great. I like open source software because it makes development go faster: you can focus on your thing and take libraries from others where it is not your core competency. All is great when you are using a certain software library, but those software libraries, you might agree, have many dependencies, right? So I'm pulling in a direct dependency; this direct dependency has other dependencies, called for us transitive dependencies; those again have dependencies, and again have dependencies, and again have dependencies. So when we start looking at the point of my software usage, it's not any more that simple that I just pulled in a library. I pulled in a world, an ecosystem that lives on its own, and I have to understand the whole ecosystem, because if there is one point in this ecosystem that will have a failure, then the whole software is in failure. The problem then again is: how do I fix that failure if it's a transitive dependency of a transitive dependency? And all those problems then continue: what if the open source component that is a transitive dependency is then deprecated, and nobody worries about it any more? I'm not saying don't use open source software, because open source software is good. What I'm saying is you have to keep the information about the open source software that you're using as the highest priority. You have to know what you're using, you have to know who is developing it, you have to know how it's developed, and when there is a risk, you also know how to mitigate this risk, right? So it could be simple, right? We get vulnerability notifications: hey, your software is vulnerable. So what now?
Some don't even notice it until it's too late, when somebody has already exploited that vulnerability. We have many, many statistics that show that, well, it's not going anywhere: attacks are there and they will stay there; the motivation is either political or money related, and attacks will happen. We need to provide software that is resisting all of those attacks, and of course then we get, how should I say, advisories from governmental institutions that tell us: hey, update your operating system, your software, back it up, watch out on remote connection networks and such things. But that feels like something somebody would tell you 20 years ago, right? Aren't we now in a space where hackers are hacking systems, where even governments are warning that national breaches are happening and so on, and we are right away in the sense of: hey, this hacker who is out of a blockbuster movie, hacking the whole system and bringing the city to its knees, and he is using advanced technologies and so on? Well, often it's the opposite. Hackers are smart, and hackers don't want to put a lot of work into it. They have information that you may have missed, and therefore they are misusing this information to hit you where you missed your point. So many times such national breaches are just because the software was not updated, because somebody did not patch the systems, and of course we know the old saying: don't touch it until it runs, right? But that's the problem many times, so still we are falling behind on mitigating the problems. And in an internet of everything this is a really important thing, because now imagine you're not anymore connected only with your laptop.
Your car is connected to everything; your watch is connected to your car, which is connected to your coffee machine. Today we are really living in a smart-everything world, and if this smart everything can be breached, then every node of this everything can also be accessible. Then we have helpers that help us code today, right? Copilot nicely puts together code so that we don't have to write it anymore. Then we have intelligent helpers that put together a text, and, well, source code is some kind of a text, right? So why not use it, and it helps us to also get secure code in it, right? There are different problems with AI. One of the things is that there are also legal concerns about where the code is coming from and such things, but other things are that AI also does not think about every possible point of breach.

So in May 2021 the Biden administration issued an executive order on how software development should be handled. How many of you have heard of this? Wow, I'm surprised; many times I have only two or three hands, but it seems that the word is spreading. So the point was: everybody has to deliver an SBOM, in the general meaning everybody has to say this software has those components and they are vulnerable like this and this and this. Well, it's a little bit different, because you have to track the whole procedure through the different sides, or steps, of your software development. Be careful what you're doing in every step, from whom you are getting any components or software that you're developing with; you have third-party components, you have open source components. So it can be challenging. We also have in the EU the Resilience Act, coming up next year I believe, which should be taken into action, and it's also talking about SBOM. So SBOM: everywhere I turn I hear SBOM, and it's a really good thing, right?
Having an inventory of everything that you're using, so that you can really follow it and know what is there, and there are even regulations that are going after this. So everybody is talking about SBOM being the saviour and the thing that solves it all. We have, however, still to think about zero-day exploits, license risk, malware. And when we talk about license, and when we talk about, hint hint, how we are integrating open source components into our software, we still see that even though there are needs to focus on what is in your software, there are still vulnerable components. Again, hint hint, this is the slide. There are still components that are vulnerable and are shipped with the software that companies are using, either internally or in our software that runs on our phones or wherever. So from that perspective it's not that easy to say that we have it made, even if there are processes, even if we have to focus on certain things. We are still having software that has a lot of vulnerabilities inside.

The other thing is licenses. How many of you understand software licensing? Thank you. I'm the one that would not raise his hand a few years ago, because I'm a developer. I knew some I can use, others I cannot, and I had to run to legal to tell me what I can do or what I cannot do, because there is a difference between a nice license where I can use it and a different license where I cannot use it, or I can use it but then my intellectual property might also become common good, which many companies want to avoid. You have obligations that you have to fulfill, and if those obligations are now missed, then you have legal processes, you have to pay money, or, as I said, lose intellectual property. Just think about Cisco Linksys; it is quite a few years ago, but that was a nice warning to every software developer, right?
So permissive licenses are good for us; less permissive licenses are not bad, but we just need to watch out how we use them. So SBOM: will it really save us from making mistakes, will it include all the data that is in there? Well, many times we are looking at all those problems that we have in software development, and SBOM is just covering a part of it. So again, SBOM is not bad; the only problem is if you just focus on it to create an SBOM just to have it, just to be in line with regulations. Then it's not good enough. You really have to make this SBOM your life.

And then we have our DevOps, and every DevOps engineer knows that it's not just setting up one tool so that the development teams can use it. No, it's many tools. It's tools that they have to manage, they have to integrate, it has to play one with another, it has to run smoothly. And then we say, yeah, let's just put Sec into it, right? It's just one abbreviation more, what is it, right? Well, it's not like this, because then you get security tools in every step, then you have to gather also those results, integrate them, and the DevOps engineers start running, and they say, okay, that's not good, that we cannot manage. So how can we actually start? We have a problem: we have malware, we are focusing on SBOM, which should bring us information to the table which serves regulations, we also have developers and we just shoot tools at them. Well, we need to, of course, align people, processes and technology. Easier said than done, right? So aligning things is not just by saying: hey guys, we have a new tool.
We will use it. Aligning those three is really creating communities; it's creating a work methodology that everybody in every step of development and company functioning can follow. You start with creating a measuring stick. A measuring stick should be helpful in creating an overview of where in your software development, where in your company, you have good procedures and where you're lacking those, and the best way to do it is to have some kind of guideline, or maybe to compare yourself to others in the same market. Even though there are different markets, like medical, automotive, I don't know, financial and so on, in those markets you can compare yourself on whether you're doing the right things, but you can also compare to other markets because everybody has to follow regulations. Once you have this measuring stick set, then you know where your misses are, where you're good, so you can then make a plan. One thing: don't think that you will make a plan that will last for the next 30 years. Think of it as something that you will do regularly. Today you make a plan; in one week you test it, call it a fire drill, and if it fails, make a new plan to mitigate for the failure. Then you test it again, and if it fails, mitigate. So planning is not just planning.
It's also testing what you planned for. You have regulations you have to obey if you're hit by a vulnerability; GDPR tells you that you have to bring a notice out to your customers and the general public within a certain number of days. This is what the plan is about: that everybody knows what to do and how to handle a certain breach. Once you have the plan, you can start with the implementation of everything, so that you then have the tools that go through your whole DevOps chain and that can then help you to operate and create this real-time monitoring that can then help you, when you have something in your code, to know immediately at that point and act on it at that point, not when the hacker breached you or breached your customer, but at the moment when this knowledge is out.

But yeah, as I said, often we just take tools, we throw them at the developers and say: hey, you are now a security expert. You have to train your developers. It just does not go like this, that you would put them into a room like this and say: hey, now we will learn everything about DDoS and we will learn everything about exploits. No. It's often good that you start with creating team champions that can help every team itself, so that they can find solutions and they can resolve problems by themselves. And you don't stop with developers. I said before that you have to create a community, a culture in your company where everybody is aware of problems. Just imagine if I would today tell you that you cannot any more connect your mobile phone to the company's network, or you cannot charge your headphones on the laptop you're using from your workplace, right?
You would maybe be sad, let's use this word, right? But if I tell you that if your headphones are not patched, if there is something wrong with your mobile phone or an application on it, a hacker could gain access to the company's network, then you start thinking differently. Then you know that I have to connect to the guest network, I have to do certain things to avoid my company being hacked. So all of this is training. Training does not start with high-end people, not developers; it has to be also the awareness of the cleaning lady that she's now in a company and has to watch out what she's doing, because if not, a hack can happen, right?

So a few steps for you. As I said, make a measuring stick. This will help you to instill the culture also across your organization and create a plan for you that you can follow. You can then create a DevSecOps framework. Of course, if you have it already, that's great; just check that you haven't missed some of the points and are not just having some things as checkboxes that you check because they are just there. Integrate this DevSecOps, but also train the people that are in the whole community, and then of course use, monitor and evolve the people, processes and technologies. Thank you. Any questions? No, the crickets come to life. Okay, so I will not badger you if you don't have any questions, or if you would like to have it in person, just join us at our stand here in front of the Dorsal most and you can ask me in person. Thank you very much for attending and taking your time. Bye.
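An added example, not part of the talk: the speaker's point is that pulling in one library pulls in a whole ecosystem of transitive dependencies, and that an SBOM is only useful if you actually check every component in it for vulnerabilities, deprecation and license obligations. This Python script walks a constructed dependency graph to its full transitive closure and reports each risky component together with the chain that pulled it in. All package names, versions, advisory identifiers and license assignments are constructed placeholders, not real projects or advisories.

```python
from collections import deque

# Constructed sample graph (placeholder names and versions, not a real project):
# (package, version) -> direct dependencies. string-utils and html-escape are
# never declared by myapp itself; they arrive only through other dependencies.
DEPS = {
    ("myapp", "1.0.0"): [("web-framework", "2.1.0"), ("json-lib", "1.4.2")],
    ("web-framework", "2.1.0"): [("http-parser", "0.9.1"), ("template-engine", "3.0.0")],
    ("http-parser", "0.9.1"): [("string-utils", "1.0.5")],
    ("template-engine", "3.0.0"): [("string-utils", "1.0.5"), ("html-escape", "0.2.0")],
    ("json-lib", "1.4.2"): [], ("string-utils", "1.0.5"): [], ("html-escape", "0.2.0"): [],
}
# Constructed advisory, maintenance and license feeds (placeholder identifiers).
VULNERABLE = {("http-parser", "0.9.1"): "PLACEHOLDER-ADVISORY-0001"}
DEPRECATED = {"string-utils"}
LICENSES = {"web-framework": "MIT", "json-lib": "Apache-2.0", "http-parser": "MIT",
            "template-engine": "BSD-3-Clause", "string-utils": "MIT", "html-escape": "GPL-3.0-only"}
COPYLEFT = {"GPL-3.0-only", "AGPL-3.0-only"}  # licenses that need a legal review

def resolve(root, deps=DEPS):
    """Breadth-first walk from root. Returns {(name, ver): (depth, path)} where
    path is the shortest chain of package names through which the component arrives."""
    seen = {root: (0, [root[0]])}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        depth, path = seen[pkg]
        for dep in deps.get(pkg, []):
            if dep not in seen:  # first visit is the shallowest path
                seen[dep] = (depth + 1, path + [dep[0]])
                queue.append(dep)
    return seen

def audit(root, deps=DEPS):
    """Inventory the full closure and report (name, ver, depth, reason) for every
    component that is vulnerable, deprecated or under a copyleft license."""
    findings = []
    for (name, ver), (depth, path) in resolve(root, deps).items():
        if (name, ver) == root:
            continue
        chain = " -> ".join(path)
        if (name, ver) in VULNERABLE:
            findings.append((name, ver, depth, f"vulnerable: {VULNERABLE[name, ver]} via {chain}"))
        if name in DEPRECATED:
            findings.append((name, ver, depth, f"deprecated upstream via {chain}"))
        if LICENSES.get(name) in COPYLEFT:
            findings.append((name, ver, depth, f"copyleft: {LICENSES[name]} via {chain}"))
    return sorted(findings, key=lambda f: f[2])  # shallowest, easiest to fix, first
```

Running `audit(("myapp", "1.0.0"))` flags the vulnerable parser two levels down and the deprecated and copyleft components three levels down, none of which appear in myapp's own dependency list.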