Hi, this is your host, Swapnil Bhartiya. Today, we have with us Lisa Tagliaferri, Head of Developer Education at Chainguard. Lisa, it's great to have you on the show.

Yeah, thanks so much for having me today.

Today, we're going to talk about this free course from the Linux Foundation, OpenSSF and Chainguard, Securing Your Software Supply Chain with Sigstore. Before we talk about this course specifically, I would love to learn a bit about your own background. So just talk about yours quickly.

Sure. Yeah, so I am at Chainguard, which is a pretty early startup. I joined a few months ago and I'm leading developer education. My background is in tech startups and also in higher education. So I have a lot of experience in research and teaching as well. So I'm very happy in this space where I can work with the developer community and help to drive adoption of open source tools.

Yeah, thanks. Now, tell us how you are involved with this course. What is your personal participation?

Sure, so I'm one of the co-leads of the course. I worked on it with one of my colleagues, John Speed Meyers, and we developed the course with support from our colleagues in the Sigstore community. We were very thankful for a lot of great reviewers in the community, and also for the Linux Foundation, with a lot of help from their instructional designers. So yeah, we're very excited to see it in the world, and our hope is that it will help to make the software supply chain more secure for open source.

Right, now let's talk about this course itself. You touched upon it briefly. Tell us a bit about what this course is about and, of course, what the goal behind this course is.

Sure, so Sigstore is essentially a toolkit that enables developers to work to make their software more secure. Our hope is that Sigstore could be part of the invisible infrastructure that's made as part of software development, so that the easy way to build is the actual secure way to build. And Sigstore is comprised of a number of different projects under the bigger umbrella. So there is Cosign, which enables you to sign software artifacts. So think about containers, but it could also be blobs, basically anything you could upload into a container registry. There's also Fulcio, which is the certificate authority, and there's Rekor, which is the transparency log where you could both store your metadata for software artifacts and also verify the provenance of software artifacts that you might leverage. And we're really excited about a new project, Gitsign, which allows you to sign your Git commits.

Excellent. Can you talk about what the scope of this course is? You talked about some of the projects, but basically what I want to understand is what this course is actually about.

Yeah, so the course is about thinking about software security in a holistic way and then diving into the tools that are part of Sigstore that you could use to actually implement some of the security recommendations that are being put out by different frameworks, such as the NIST SSDF or SLSA.

Excellent. I don't want to go into too much detail about the whole content of the course, but if you can also talk about what is in there as well.

Sure, so somebody who is taking the course, I think, would expect to get a broad understanding of what's at stake with software supply chain security, and then they will be able to step through these hands-on labs to start to use the tooling and understand how they might be able to implement it as part of their software development practice. So we step through each of the tools that are part of Sigstore and also share how people may be able to get involved in the Sigstore community if they're interested in that as well.

Can you talk about the format of the course? Is it just text they read? Is it interactive? Will there be some mentors there who will sit in? And also, once they've taken the course, how would they know that, hey, you know what? Yes, I have taken the course. I've passed it. So I have kind of qualified in one way or the other to have some experience with these technologies.

Yeah, so the Linux Foundation offers a certificate. So if people would like to take the course, they can do the certificate pathway. Otherwise they could take the course totally for free on edX, which is an online learning platform. The course is text-based and self-directed, but the labs are very interactive and will step you through all of the commands that you need to get up and running with the tools. There are also assessments at the end of each chapter so that you can verify that you've learned what our learning goals were at the beginning of each chapter.

Who's the kind of target audience for this course?

Sure, I think that ideally, I think any individual developer who's interested in security is a great audience for this course. I really think about the open source developer in particular and how they might be able to think about the work that they're doing as part of the bigger open source ecosystem and how their security practices can influence those around them. I think that also engineering managers, like teams of developers, may think about what they might be able to implement as part of their team-based workflows. I think that security is something that could be really intimidating, but I hope that this course helps people to understand that there are little things that you could do incrementally to start to make your security practice more holistic over time.

You said any developer who is interested in security. You are from Chainguard; we are seeing a shift-left movement. A lot of things are moving into developers' pipelines. Security is no longer considered someone else's problem, right? It is kind of becoming a developer's problem. So can you also talk about why developers should look at security when they're writing their applications, so that they have a holistic approach, so that it's not just the developers who are interested in security; developers should be interested in security.

Yeah, that's a great question. I think trying to think about how you could bring security into your development practice from the very beginning would be the ideal way to go, as you mentioned. Thinking about what are the little things that you could do to start to make your software more robust and more secure. Think about signing your releases. Think about including an SBOM, a software bill of materials, as part of your releases. Think about making it more obvious how people could see the provenance of your software if they're using it as a dependency as part of their supply chain. And also think about auditing your dependencies, keeping your dependencies up to date. And I mean, Sigstore has been working with a few different package managers to try to implement some of these Sigstore security practices as part of that work. And we're really excited about those partnerships, and I think there's lots of opportunity for working to make the supply chain more secure in a pretty frictionless way.

How seriously do you think organizations are taking it? I mean, the point of this question is, we talked about developers, but developers can do only so much if the organization itself does not have a security policy or culture. So what is your advice for organizations so that they can improve their security posture?

Sure, I think that security needs to be structured in as part of organizations' software development practice. I think that if organizations are using things like CI/CD tooling, there are ways that they could implement security as part of that. There's Tekton, which is a CI/CD tool, and it enables Tekton Chains, which lets you take snapshots after your workflow goes through. And there's also GitHub Actions, which enables you to connect with Cosign directly and will help you sign while you're doing your CI/CD. I think it's important for an organization to think about security in a structured way and not leave it up to individual developers to make those choices. It needs to be a full team-wide, organization-wide approach.

Right, and courses like these do help with whatever efforts organizations can make, because security itself is challenging and you have to lower the barrier to entry as well. So what role will this course play on both sides? We talked about developers and we talked about organizational structure, to kind of help them move forward.

Yeah, my hope is that the course will drive accessibility and invite more people to understand what's at stake in software security and also learn how they could take these incremental approaches to making a more secure supply chain overall. And I think what's so great about the Sigstore project, and what encouraged me to get involved as well, is that it's really trying to make things easy and I would say even fun. Like, it's such a delight when you can check your metadata and your signature in the Rekor log, see that it's there, and be able to share that with others. And I think that Sigstore is a great way to start to think about software security in a broader way.

Lisa, thank you so much for taking time out today to not only talk about this course but also share some insights and advice for organizations and developers: first of all, why they should look at security seriously, that it's not someone else's problem, and also how organizations can improve their security posture and how courses like these will help them. And of course there will be more courses like these, more collaborations. So I would love to have you back on the show whenever there are new updates. But thank you for your time today.

Yes, thank you so much. And anybody who would like to get in touch, please join the Sigstore Slack channel, and I'm happy to chat there.