Our next speaker is going to talk to us about supply chain security and tools to secure open source. Tracy Ragan is the CEO and co-founder of DeployHub and also a member of the Open Source Security Foundation Board of Directors. She's an expert in supply chain security with a focus on pipeline DevOps practices and, in particular, microservices and cloud-native technologies. So she is going to talk to us today about specific tools to secure open source. Please welcome to the stage Tracy Ragan.

Hello and welcome. There's a lot of faces out there. It's awesome to see. And I have to say, wasn't Dr. Diaz awesome? I thought he was great. And as a person who worked at Discover Financial Services, I can tell you everything that you saw on that is totally true. It's a great company.

So today I'm going to cover a pretty important topic right now for both open source producers and open source consumers. And when we think about open source consumers, I want you to think about the people at Discover or any of the FINOS members or insurance companies or anybody else who is consuming and relying on the open source code that we are contributing.

Over the last year, I think that most of us kind of felt like this. We truly have gone through a security awakening. Now, we've always known that there are security hacks out there, and this has happened for years and years and years, but something shifted over the course of the last 18 months. We talk about Log4j often. I'm not going to dig into it, but it was an awakening for us. Why that kind of stirred us to think more about security, I don't know, because we've had serious problems in the past, but I can tell you that open source is extremely critical for these large enterprises. And we, as the producers of open source, I believe, have figured out that our existence is dependent upon our ability to deliver quality and secure open source software.

A little bit about myself. As Jim pointed out, I am the CEO and co-founder of DeployHub.
Before that, with my partner Steve Taylor, I started a company called OpenMake Software. And we actually started that technology at Discover Financial Services. So I find it kind of like coming home to have Dr. Diaz present before me. I also served a year on the OpenSSF board. I served on the Continuous Delivery Foundation. And I want to give a shout-out to Tracy Miranda, who reached out to me and said, "Hey, Tracy, do you want to help us start the Continuous Delivery Foundation?" And I was super excited to hear that they were going to bring it on. I still serve on the Technology Oversight Committee of that organization. And I did help IBM start the Eclipse Foundation many, many years ago. So I'm not new to open source. I've been playing in open source for quite some time. I'm also the community organizer for a project called Ortelius, which DeployHub donated a good portion of the code to.

So numbers matter, and impressions matter, and cultural beliefs matter. These numbers are ones that we all should ponder. 742%. That is a humongous number to think about when it comes to the growth rate of malicious supply chain attacks. A 742% increase. Maybe that's why we had a security awakening, because it's happening more. 88% of boards consider cybersecurity just a risk of doing business. And 65 to 80% of companies are asking to have more visibility into logs around application security. So something is definitely happening.

And I want to say that if you're a producer of open source software, we've done an amazing job. We're all doing a really, really great job. And we're all working very, very hard to produce software that is secure and has high quality. We just have to, suddenly now, we are realizing we have to do better. Now the good news is the cavalry has arrived. The Open Source Security Foundation has been established to address these types of concerns. And these are open source contributors.
So again, the open source community is stepping up to solve the problem. They really are a formidable force in open source security, developing the tactics and strategies needed to harden cybersecurity readiness across a global committer community. And that's you. The OpenSSF was formed, I believe, maybe two years ago. They have done quite a bit. Because I'm on the stage, I get to pick out my favorite projects. I'm going to pick out some projects that I think you might be interested in.

And it takes a team to pull together something like the OpenSSF. And this team, the internal team at the Linux Foundation, as well as the people who have stepped up and volunteered to do this work, they have worked extremely hard over the course of the last year, two years, 18 months, however long we've been around. So I want to give a shout-out to some of these folks. Brian Behlendorf: this man has made a massive commitment to this project. He's the general manager, now the CTO, but he literally has learned to formalize the problem in a way that we all can understand it and to bring together a group of amazing individuals from large enterprises to start solving the problem. Jamie Thomas: she is, I call her, a secret weapon for the OpenSSF. This woman works for IBM. She has a vast knowledge about everything from global supply chain issues to global geopolitical issues, all related to technology. She's so fascinating to talk to. I did an interview with her on Tech Strong Women TV. So it's out there. I encourage you to watch it. Fascinating. CRob: he is the face of the Open Source Security Foundation. This man, again, he's a volunteer. He has his own job that he does, but he is involved in so many different projects. And he has such a heart for it. Not only that, he's extremely kind, and he has a very strong understanding of what developers go through and what they need in terms of help and education. And then Bob Callaway.
He is sort of our leader in the Technology Advisory Council. And again, somebody who is sincerely working towards solving these problems. I don't believe Jamie is here, but I know Brian is here, and I know Bob is here, and I know that CRob is here. If you see him in the hallway, give him a fist bump and tell him thank you.

But it takes more than just some really strong people at the top of organizations to make this work. Every single one of you can be a hero. Every single one of you has something to offer to solve this problem. And there are several working groups that I'm going to point out that you might want to get involved in. Best Practices. Everybody needs this. It's an area that nobody really wants to deal with, best practices. As a software developer, I know I'm like, "Best practices. Do we really have to do that?" But it's a really good place to have a conversation and to start understanding what we may need to start doing in terms of best practices around open source security. What do the open source teams need to start thinking about? End Users. You just saw how important an end user is. An end user like Discover Financial Services is why we do our work. The End User group: if you are a consumer of open source, and most of you are, you should have a seat at the table at the End User working group. Security Tooling, Supply Chain Integrity, Vulnerability Disclosures, Securing Critical Projects, and Identifying Security Threats. These are all working groups, and you can go to the openssf.org website and look at their working groups and sign up. You can add it to the list, and, you know, really, showing up is half the battle. You show up. Somebody asked me, how do you get involved in open source, and how do you do so much? Every one of us has a superpower, and you sign up for the things that you know you can solve because you have the superpower. Go apply your superpower to one of these groups. We really, really need you. Get educated.
The OpenSSF has a whole platform for you to start learning about the 10 streams and things that you can do. And this is something that, if you see CRob about in the hallways, talk to him about education. He's very passionate about it.

We have many, many new tools being brought to the market in the open source world. We have tools coming out of the OpenSSF. We have tools coming out of the Continuous Delivery Foundation, and we have tools coming out of the CNCF projects. I've only listed a few of my favorites here, and I've given you a list here of what potentially can be added to your pipeline if you want to add security to it, which I highly recommend.

SLSA. If you haven't heard about SLSA, learn about SLSA. Some basic steps about builds. Builds are something that's near and dear to my heart. My first business was around the build process. But SLSA levels are very important for really understanding how you can bring security into your build process.

Pyrsia. Pyrsia is a new project that was brought into the Continuous Delivery Foundation by JFrog. Again, if you want to do SLSA, you can implement Pyrsia. Pyrsia really checks off a lot of the SLSA boxes. And it's what's called a decentralized package network. Now, what that means is you can basically think about keeping nefarious libraries out of your build by building across a decentralized package network, where you're doing builds in multiple locations, and they're checking against each other to make sure that they all have the same exact result. I know from working in the build space for a long time that some people are like, "We can barely get one build to work." Believe me, you can do this.

Scorecard. The Scorecard badge, go for it. Everybody should be able to get this done. This is all built into GitHub with Actions. It's low-hanging fruit. You can get started pretty quickly. Go check out Scorecard.
Alpha-Omega, from the very beginning, has been one of my favorite projects. Alpha-Omega is the process of making open source projects more secure. Starting with some of the top projects, Alpha brings security measures to the top open source projects; Omega then will bring it out to more open source projects by automating some of the steps that they did in Alpha. So learn more about Alpha-Omega, and if you're a consumer, you want to know if your projects are going through this or if they have a Scorecard badge.

Ortelius. Ortelius is a project that Steve Taylor and I started because we understood that there was now a problem in a microservices environment with data. And to be honest, in the future, in terms of DevOps, we want to start doing things in a really much more intelligent way. We want to automate things. We want to make things happen in a magic way. Well, that's AI. The problem with AI in DevOps is we don't have the data. If we think about GitHub and tools like Copilot, how those tools are starting to become real is that they have the data. They can go look at all of the open source Git repositories and find code snippets and make a decision. And that's how tools like Copilot are working. We don't have that in DevOps. So Ortelius is that dream. It's a centralized evidence store of both security and DevOps information, from the SBOM all the way up to logical applications in a decoupled environment. I'm pulling all that information together so you have one place to grab that info and, in the future, have places to define policies and build AI systems. Before I go too far, I have to just give a shout-out to the Ortelius community. I do feel their love and support every day, and I love every person in the community. We have an amazing community from around the world, and they're great.
CDEvents is, I think, one of the most important projects in DevOps today, because if we think about how we've implemented our pipeline workflows, we have literally, in this room, millions of workflows. Now, if you want to add the generation of SBOMs to your workflows, you're going to have to go visit a lot of workflows. CDEvents solves the interoperability problem and automates, or potentially can automate, the templating of your workflows. Think of it that way. Think about CloudEvents. CDEvents has a payload. Each step passes its payload to the next step.

So I want to thank the Open Source Summit for inviting me to do this talk, and I want to thank the OpenSSF and the CD Foundation for all they do around making DevOps easier and teaching us how to build and release more secure open source software. And you can reach me at, follow me on Twitter, or just reach out to me. I'm happy to chat with anybody. Thank you so much.
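The talk describes Pyrsia's core idea only in outline: the same source revision is built in several independent locations, and the results are checked against each other before an artifact is trusted. The block below is an added example written for this transcript, not Pyrsia's, SLSA's or Ortelius's code, showing the check that such a scheme has to perform. The builder names, the artifact bytes and the majority-quorum policy are constructed assumptions; it also handles the two failure modes a practitioner would want covered, a dissenting builder and a build that never reaches quorum.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample inputs (not real artifacts): the bytes each builder node
# reports for the same source revision. Three nodes agree; "builder-d" diverges,
# standing in for a tampered or non-reproducible build.
SAMPLE_BUILDS: Dict[str, bytes] = {
    "builder-a": b"example-binary 1.2.3 built from rev abc123\n",
    "builder-b": b"example-binary 1.2.3 built from rev abc123\n",
    "builder-c": b"example-binary 1.2.3 built from rev abc123\n",
    "builder-d": b"example-binary 1.2.3 built from rev abc123 + extra bytes\n",
}


def artifact_digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact; nodes exchange digests, never raw bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerificationResult:
    accepted: bool
    digest: Optional[str]  # digest admitted to the package network, if any
    agreeing: List[str] = field(default_factory=list)
    dissenting: List[str] = field(default_factory=list)
    reason: str = ""


def verify_builds(builds: Dict[str, bytes], quorum: Optional[int] = None,
                  min_builders: int = 2) -> VerificationResult:
    """Cross-check independent builds of one revision (hypothetical policy).

    A digest is accepted only if at least `quorum` builders (default: a strict
    majority) produced it, and only if at least `min_builders` reported at all,
    because a single builder checking itself gives no independent evidence.
    Builders whose digest differs from the accepted one are reported so they
    can be investigated rather than silently ignored.
    """
    if len(builds) < min_builders:
        return VerificationResult(
            False, None, [], sorted(builds),
            reason=f"only {len(builds)} builder(s) reported; need {min_builders}")

    digests = {node: artifact_digest(data) for node, data in builds.items()}
    if quorum is None:
        quorum = len(builds) // 2 + 1  # strict majority of reporting builders

    leading_digest, votes = Counter(digests.values()).most_common(1)[0]
    agreeing = sorted(n for n, d in digests.items() if d == leading_digest)
    dissenting = sorted(n for n, d in digests.items() if d != leading_digest)

    if votes < quorum:
        # A 2-2 split, or a majority that is still below an elevated quorum,
        # means nothing can be published for this revision.
        return VerificationResult(
            False, None, agreeing, dissenting,
            reason=f"no quorum: best agreement {votes}/{len(builds)}, need {quorum}")

    note = f"; {len(dissenting)} dissenting builder(s)" if dissenting else ""
    return VerificationResult(True, leading_digest, agreeing, dissenting,
                              reason="quorum reached" + note)


if __name__ == "__main__":
    result = verify_builds(SAMPLE_BUILDS)
    print("accepted:", result.accepted, "|", result.reason)
    print("digest:  ", result.digest)
    print("agreeing:", result.agreeing, "dissenting:", result.dissenting)
```

With the sample above, the build is accepted on a 3-of-4 majority and `builder-d` is listed as dissenting; passing `quorum=4` turns the same input into a rejection, which is the stricter "all builders must agree" policy some teams prefer.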