 Cool, so thank you all for for being here and Also, this particular space is getting when I was working through it It's much larger than it was even a year ago, and there's no way that I can cover everything in this time allotted So I want this to be more like a journey to try to give you some understanding as to what's there what some of the trends are and I apologize in advance for all of the things that I left out because there's a lot of amazing stuff going on so Another part of this as well is that I have a lot of involvement in many of these particular projects as well So I want to make sure like that's clear that it's that it's up front as well and that's part of the reason why I can speak up to to many of these things and But if you look at in Some of the things I'm involved with like you'll see like I have connections and have operated and worked with some of these groups Let's see So but the very first thing is We talk about software supply chain security We have to ask what exactly are we defending against and to answer that it's like we're trying to defend the software supply chain. What is a software supply chain and in order to defend something in order to even generate your thread model you have to understand what it is and I try to come up with a decent definition. So there's not an official Definition that exists out there, but there's some that have good Approximations of what it is, but there's still gaps in some of the definitions So but generally you see something will create They'll perform some creation of an artifact or of a thing they will transform one thing to another Or they will assess the quality of that thing and report on it of course create an attestation of the of the equality And with there's various actions that we perform that fit into those three one or all It's not like you can't just pitch them hole in one at a time But things like you write code you compile you run integration test you do a code review So these are all like actions that you can that you can perform and so Why do we want to protect the software supply chain though? There's two things that people that we need to look at now Most people we say how to what what do we want to defend most people that image it comes to mind is how do we defend? from a from an attacker getting into the system and that's a very important aspect of it, but that's not the whole story and It's very short story, and I know that this particular one you hear it all the time Every time you go to a to a security talk you go you hear about log for shell But there's one particular aspect that many people Don't quite tend to think about and the question is why was log for shell so expensive and Think about this for a moment because it wasn't just like hey, this is bad. It's everywhere Why was it so expensive to fix? There was no malicious supply chain attack that had occurred as far as we know like it was a it was a mistake and My thinking of this it came down to this just very simple idea The cost is because we do not know where the things are we don't know where things go We don't have a way to map even in many organizations. We don't have an easy way to map Where when something comes in and what is the full outlay of where it is? and So what happened with log for shell is when it when it landed we has a community had to go to every single project and within our with within our Not only in the developer side But also from the operation side and say hey are you using Java are you and don't take it for granted? Maybe they're not like even projects you don't think use Java there might be a Java component in there somewhere So you have to ask the question don't don't have implicit trust like we had we covered that last time instead what you want to do is you want you want to ask the question and and get to that place of knowing but it was a very manual process and This also creates a lot of stress because we're trying to rush We're trying to beat the exploits before they arrive or are they already in the gates? We don't know so when you have that stress you also increase the mistakes that people make as well so So that's when you think of like protecting the soft software supply chain There's two things keep the attackers out, but also know like Developers are all gonna make mistakes. We're gonna continue to make mistakes and How do we know when one of those occur? How do we know where it went? so Let's back up a little bit. We want to cover like what really matters and I mentioned this rest before with people The people are the things that matter the most but when you talk to a CISO you'll see people process technology Like you'll hear this from CISOs all the time people process technology people matter the most That's why it's bold and largely in this side. You have the process and you have at the end of the day the technology that drives it and You want to focus on the people first Hold on a second. What happened with the S-bomb thing? We keep talking about a small deal We hear this this gets injected into every conversation. So let's get out. Let's get this one out of the way first We there's no tool that is that is evaluated in isolation It's important and I sorry this is a little bit of jarring side But I want to make sure that this part is done first So no tool is evaluated in isolation. So when we talk about a sponsor we many people say oh, it's it has all of these gaps Don't look at it as just the S-bomb look at it as the S-bomb in connection with everything else It is going on and how does it in the context of where it's going to live? How does it actually work? How does it actually fix things or help us discover where things are a really simple example? For this to use an analogy is we do not eliminate unit tests when they don't find all the software bugs We leave them there. We keep running them all the time. So Please with S-bombs acknowledge they do have a lot of limitations to them There's only room for one unicorn in your life. It's not the S-bomb So let's go back to and and just a real quick example of an S-bomb I want people to see what you tend to see in the in them. This is spdx. There's other fantastic formats out there as well Like cyclin DX and so on This this slide will be available. I actually pulled this from the spdx repo and it's under a creative commons license And so you can go get the slides and then look at them earlier or just play of examples out there But anyways, wait, we said people first the way quite we cover that sponsor gets get back to people. So The people are the most important part when you're working with an organization the the very like We spoke about community before that we have here But when you're looking at a company and how you're trying to get a company to move The very first thing that you want to try to do is you want to try to get what they call executive alignment you want the executives to buy into the idea that this we're going to take some action in unison and Get them to be supportive of spending the resources to do there part of that process Are things like well-written policies like policies are things that? Bind our actions as people together Another important thing as well is you have to again focus on people first That means you have to have good training don't assume people will learn on their own Not because they're they're lazy or anything similar But don't assume they will learn on their own because they simply don't have the time the incentive structures are not there So provide the incentive structure a positive incentive instructor So that they can they can have the time to train that they can have the time to keep up This is a growing and evolving field. We cannot expect people to just know this material And then we have process now as the threats change shows so should your processes and so a process is The various things you do in order to meet your goal So if your policy defines your goal, what is it you're trying to do and your processes? Roadmap on how you get there. There's some really amazing documents that I highly recommend you go take a look at The one that is that most people will point you towards is the secure software development framework that is published by NIST Which describes what things you should put inside of an SDLC? There is definitely some discussion as to like is doesn't go far enough is it is is a covering the right things But before you even ask those questions though You should just go read the document make a make a decision and understand like what they what they're trying to to talk about Then you can ask a question. How does this actually relate to my to my development? How does it relate to my to my environment? And so there's also some additional resources that you can also tie into so you have salsa version one which was recently published We here in the CNCF produce the software supply chain security best practices It's a fantastic white paper. I highly recommend you you read it if you're interested There's also some things like the secure supply chain consumption framework So it's not enough to just produce things in a secure way. You have to work out how do you consume them as another one as well that? me and Santiago For who's also part of the CNCF or works with us in the CNCF We also helped co-author this NIST SP 800204D. I'll go more into that later as well But these are things that can help you with that with that process So we have several CNCF projects that are designed specifically to help the one that I am most involved in In the software supply chain side is in is in toro So in toro, we've mentioned as bombs before as bombs are like what are the ingredients that you tie it that you're going to use To produce your software in toro is designed specifically to answer the question of how like I did it We went through this like these particular systems were used to commit these code or these people were involved with committing these code Not necessarily the legal names. It could be a well-known name as well. So I want to make sure that's clear And then how does it progress through where code reviews done? Did it go into a bill system that we that we have some? that we control What were the what were the various things that have gone through? And like did you do the integration test where their scans perform? So like an entire process of what we have described in the previous one in SSDF and similar We want to be able to say hey, we can attest the whole thing and reason about it in a programmatic way To help with that as well Two projects I've been involved with witness and archivista were added as in total sub projects as of last Tuesday I got the text message that they were accepted So I would love to get people to help contribute in this particular area and to help make this something that can they can help with that Another one that we have is tough, which is a specification for securing software updates So once you produce that artifact you have to be able to deliver it safely to to your destination Tough helps in that delivery by ensuring the integrity and authenticity of the updates And so it does things like ensuring it was not tampered with and also making sure that they've not that nobody sent an older version That is properly signed so they can't roll you back into a into a broken version There is also projects like notary which are a standard for and set of projects for signing and verifying workflows for OCI Artifacts or container images. It's actually much larger than this and total things that they do But there's some there's a lot of interesting work that's going on in notary It's another fantastic place that you can go and and take a look at and make some some good contributions There are also Other groups that we work with we have open SSF opens an SSF has a much wider scope than just software supply chain security They're looking at vulnerabilities in general They have a few projects. They have several projects that are real that are that we work with so for example we sign things within total or Then that thing can and those signatures can end up in six-door There's the open SSF scorecard if you are unfamiliar with the open SSF scorecard Highly recommend you go take a look at that because that is something that can help you work out Your vulnerabilities in general or what you're do what it helps reduce your total risk as of your of your project And all of this comes down to community. We also have a community impact as well. So the community here We're driving a whole bunch of things that is are that are impacting other groups. So again, this community and all the things that we've learned here It's Santiago and I worked towards Taking some of those learnings and helping Frame them within the context of the SSDF in a way that makes sense for cloud native and microservice systems There's also groups like the CTA and CTA Mitigating cyber security threats and machine learning based systems So these exact same things that we're doing here if you think about machine learning environments You have to know where did the data come from? What were the parameters? Where do they come from? Who defined them? Where did the hyper parameters come from? So like model weights and similar things and and Making sure that the information if you want to do some additional vetting where was the vetting done on those on that input Before you actually before you actually consume it as part of your ML So it looks a lot like CICD systems. We have the end goal is is perhaps different, but those processes have a lot of similarity We've also have had some impact with the IE Well, I got this night. I ETF. It's a IEEE free future networks. I apologize for the for the mess up on that But we've had communications with them the omnibore community There's a DHS software supply chain vulnerability tools cohort that is looking to contribute into open SSF That so there's a lot of things that are going on and this is just like a small sliver of things that we've had an impact on as It has a community and our impact in this space is going to just continue to grow Especially when you consider that that we are the producers of the packaging and of the end of several of the runtimes So with that I want to thank you all and Please come join us in tax security tax crews a fantastic place. There's a software supply chain working group There's also several other groups that you can join as well. You have the sick security and you can help in Kubernetes itself Also want to point out the graphics were made with AI in case anyone was wondering and Finally, I also wanted to say I Just say that all this is like in loving memory of Of our dear friend Nova as well So I had just keeping her in mind and wish she could be here to To help with stuff as well But with that I want to thank you all for your time. Please come talk to me Please find people in this community talk to them as well. Not just me. There's a lot of us here. So again, thank you everyone