Hello. All right, so I have five minutes to take you on an adventure. And ending with an action for the industry to step up its game in supply chain security.

All right, so I'll be surprised, given how much this topic is prevalent right now, if you haven't seen this data. But for those who haven't, according to the Sonatype report, there's been a 742% increase in the average annual supply chain attacks. Why? Because it's lucrative. Not only can you attack your target, but you can attack your target's customers. In that same report, they showed us that six out of every seven project vulnerabilities come from transitive dependencies. So that's a goldmine. Attackers have gotten wise to this thing that has been stumping security experts for the last decade. And then just when we think we've got our handle on it, some amazing new technology comes out. And it makes our software supply chains even more complex.

So what does trust in the supply chain mean? I'm not talking about zero trust. That's different. I'm talking about having a trusted supply chain. We've all seen the worldwide disruption when physical supply chains are disrupted. The impact is catastrophic. Manufacturing, essential services, and international economies have all been hit extremely hard in recent years. Our software supply chain is no different in the ability to impact when disrupted.

When the supply chain is trusted, everyone's job is easier. Sales, marketing, legal, engineering. We can provide customers with attestations to how our products are made. We can develop on stable enterprise platforms. And most obviously, we can avoid massive security disruptions that stop production. All of these things, frankly, lead to more room for innovation and development.
Externally, many of our customers rely on our products to be a part of their supply chain, which means that if this is a positive spiral, we can ultimately lead to advancements that make this world a better place, all because of a trusted supply chain.

So we have a problem, and there's about 10 other presentations in this conference that can dive into that deeper than I can in five minutes. So I'm going to jump to the next steps of what can we do about it? Obvious answer is to implement security controls throughout your supply chain. There's a variety of controls that you can implement depending on what your supply chain looks like. This is the prettiest supply chain that I have ever seen. Most of them don't look like this. You have various scanners, Sigstore Cosign, KubeLinter, Tekton Chains, all of these wonderful ideas. Keyword, ideas. The Supply-chain Levels for Software Artifacts, or SLSA, walks you through the various maturity stages in best practices. And if you haven't seen it, I recommend going and educating yourself on it. And of course, you have user and identity access management, which is still one of the more difficult things to implement, even though we, the security community, have been talking about it for many years.

And unfortunately, discussion about what is right and what is wrong is not what leads to security improvements. Actually implementing those security gates and checks is what we need to do. But how? How do we get this exhaustive list of ideas to reality? When you want to enable a workforce to innovate and to break through barriers, there's got to be some beautiful orchestration, which brings me to my biggest point, partnership. In order to fully implement supply chain security, you have to do it in partnership. And let me walk you through how we learned how to do this and how it transformed security at Red Hat. We tried to implement all of those controls throughout our supply chain, but those ideas in isolation were not enough.
We had to get the people, the team, that was creating those standards and guidelines and implementation timelines to understand how those security implementations impact product planning timelines, integration requirements, maintenance and upkeep. We couldn't just broadly apply security requirements as a security team and then expect the product teams to just pick those up. Some enterprises go through a model of a single supply chain, which in my mind would be really, really nice. But having that in the limited coding languages to pick from kind of inhibits innovation.

So what do we do? What we wanted to do at Red Hat was not be so restrictive that our teams couldn't innovate and come up with these technologies. So we wanted to make security a part of the development process. And I'm not talking about SecDevOps. I am talking about something different, where security controls and supply chain decisions are made hand in hand with feature development.

How do you do that? You keep your messaging around risk. Always tie it back so that it never turns into a check-the-box exercise. We've had more government regulation around supply chain security in the last couple of years than we ever have before. So this makes it really easy to go back into that check-the-box state. You have to be able to articulate the why as a security team. And then you have to collaborate on the what, the how, and the when. When you work with development teams to articulate this risk and to understand it and to have it be part of your core culture, then you can really apply security controls that I've discussed on previous slides.

We've only seen success in supply chain at Red Hat when we were able to use this partnership approach. Without partnership, they're just ideas. And ideas in isolation are nothing. Security partnership transforms those ideas into results. So people are going to go around ideas and they're going to take the path of least resistance, because that's what people do.
It's not going to systemically reduce your risk because that approach will have holes. So my proposal for starting to tackle this massive security problem in supply chains is to do so in partnership with your engineering teams and open source community. Without that partnership, without this beautiful orchestration of expectations, reality, necessary tools for production, types of technologies, timelines and people, we will not be able to truly and fully secure our supply chains. Thank you and enjoy the conference. The people here are truly, truly wonderful speakers. So I hope you have a great time. I am at the Red Hat booth if you have any questions.