Oh, I'm sorry, my audio is going out. Can you hear me now? Yeah, I had to log out and log back in. I don't know what happened there. Yeah, I had the same issue. That's good. I was a little worried I'd have to do the whole panel myself. Ask the experts without the experts. All right. Yeah, I guess we'll get started; it's 4pm Eastern time. So, yeah. Welcome, everyone, to the privacy and data governance track Ask the Experts. Today we have a bunch of super talented and awesome people on the panel. The first member of our panel is Jamie Parker. She is the Indian compliance for compliance and process for service delivery. And she has 12 years of experience in the whole, in the space. We also have Jay Kohler, hopefully I said the last name right. She's new to Red Hat, but she has over 15 years of experience in industry related to security. We also have the rent CEO. Colonel. And he is a senior product security analyst at Red Hat. Lots of experience in cloud services and, well, he has a good 20 years of experience. I think back then I was still in school. Finally, we have a day. He is our product manager for our email workloads at Red Hat and for the hybrid cloud. Not sure how many years of experience he has, but I'm assuming it's just as much as everyone else. Finally, you have me. I'll be moderating the panel today. My name is Anish Astana and I'm a software engineer on J steam at Red Hat, so the AI services organization. Cool. I guess I'll kick things off. In terms of our planning for the panel, we were hoping to sort of focus more on supply chain security, and that's kind of what we'll be starting off with. That isn't to say you can't ask questions about anything you're interested in. So please ask about anything you're curious about. This is just some things we came up with a plan for. So with that we can open the floor. Well, the first question I prepared is: what is the supply chain you're referring to when we're talking about security?
And why do we care about it? Well, I can start, if you will. We have been talking about supply chain security in the last year, or maybe more than previously. Now it seems that we are more aware that we have to have our software secure, but also our software and solutions depend on third party components. Sometimes closed and sometimes open. And the security of those components is very relevant for the security of our solution. So we cannot just rely on the other components to provide security, but we also have to do proactive things: we have to plan our security, how we include new components, and also how we protect our own pipeline, the security of our own pipeline. So I think open source has some advantages there, and also some challenges. And that is a main concern, I think, for all the industry these days. Cool. Could you elaborate on some of the challenges or advantages of open source in this picture? Really, I'm asking you, but, like, anyone on the panel again. Well, sorry, go on please. Oh, thanks. Yeah, I can kick it off for the open source part, right? I think I'd say a couple of major challenges and advantages, to start with the open source development model, which is: let's develop fast, fail fast and go back and retry. That's really great to get the software out the door, but is it really a well thought out process from a security perspective? That is one thing we have to really look at, right? A lot of open source software projects rely on or use components from other areas that are also open source. And if you don't have a policy on which ones to pick and which not to pick, you may or may not be picking the right component, or even the right version of the component, to use in your project. And that may create security holes, right? So that's both a good and a bad thing. The good thing is you have choice, which means you can get software out fast with open source that's secure.
But choice also creates a responsibility to do some due diligence. So security in open source is one area where in fact we may need to slow down and think about which components to use and what the impact of them is. And to that point, would you also say that understanding that community, the open source, how often they are updating, how they are addressing their security issues and those sorts of things, what do you think about that from an important perspective? Absolutely, Jay. So one of the critical things when you look at not just security but any aspect of picking an open source community is to look at how vibrant the community is, how fast they update and what kind of support it has, right? Is it single vendor driven, who just puts code out there? Is it a real community in the collaborative sense, where there are multiple people with different expertise levels developing it? Certainly a vibrant community always guarantees fresh and new software coming out on time, right? So that's a critical aspect to look at. Yeah, and then, so now I'm coming to Jamie. I'm sorry, but I have these thoughts, since I am kind of new to open source too. And one of the things that I've recently learned is that from a PII perspective, there's a concern there too, you know, when we're selecting our vendors, et cetera, you know, what kind of information are they potentially gathering and that sort of thing. Jay, what does PII stand for? Personally Identifiable Information. I wasn't quizzing you. I just sort of want to make sure we're all aware. Yeah, no, thank you for that, Anish. Yeah, I think it's something that we all think about, right? I mean, especially when you see, especially the headline news, right? A lot of security breaches. So the day, I was going to ask you and maybe Florencia, like, you know, how do you kind of influence and kind of work with the community to think about privacy by design, right?
So that's really what it boils down to is, you know, how are you incorporating, like, the opt in or opt out? Do you understand where the data is going when you are making an update, right? Do you have to put in some sort of control, right? So how do you work with our communities to kind of, you know, work through what is the best way to think about privacy by design? I think that something that in the security industry we have done wrong in the past is to be, like, against developers, in the sense that we want to put gates, we want to put controls, and we slow down the work they do. So we are fixing that and we have to continue improving. We have to give good advice on which security controls can be implemented by default to improve privacy, good mental models. Things that are aligned with being agile and with being fast; it is possible. It is a challenge, because the easy way in security is saying no, you can't do that, I have to review this before you can continue. That is the easy thing. The difficult thing is to define architectures that are secure by default, paradigms that take care of the privacy and data of users. So we have to improve as an industry, I think, about security. We have to go to the next level to have a better portfolio of security controls. And if we explain that what we do is for improving privacy and what we recommend makes sense, communities understand that. If we try to impose security controls that don't take into account what they are doing, how they work and agility, that is when friction happens. So it is about thinking, thinking a lot, how to improve, how to be agile and fast and at the same time protect privacy. It can be done, but it is a challenge. That's why it's good and funny to be here now. To add to the point, something we discussed at DEF CON last year: this also brings the need to bring in more technical people, but not just programmers or software engineers, into our communities.
But we need these technical experts and domain experts that can provide the framework so you can speed up development but also remain within the realm of security and the set guidelines. We do need to expand communities to include some of the expertise beyond just software engineering. I think one way of doing this is, like, including these controls in the CI/CD pipelines. For example, automating things, what we have named shift left. So instead of doing a security review at the end, like a security gate, maybe it is better to continuously scan the code while it is being developed, and give these insights, this information, to developers in real time if it is possible, or when they do a pull request or a push to a repo, but as soon as possible in the development life cycle. I think in this space too, it's really challenging, because the requirements are always changing. And what is really your benchmark? Is it taking a global point of view? Are you looking in a specific region? I think especially in the privacy space, it's really evolving and ever changing. And how do we kind of think about privacy by design with the automation that would support the fast moving privacy kind of landscape, if you will? Yeah, maybe outing myself here. I don't usually think a lot about these things when I'm working or just writing my code, right? I'm like, well, someone will catch it in review, or someone else will yell at me later or fix it eventually. I think I probably agree with having a more proactive approach to these things. I definitely think it's just an opportunity for us to really collaborate together, just to do amazing things in this space. Because I think, sitting in engineering, sometimes you don't know what you don't know. And being able to kind of just be a little bit more connected, just to the higher level things. It doesn't need to get into the weeds of a compliance expert, but just having a little bit more awareness of where the data is flowing. What's the impact?
How would the customer respond to this? How would an individual respond to this? Just kind of thinking about those key things, I think, just helps in general. I was thinking also, Jamie, about what you mentioned about the different requirements and this continuously changing compliance goal and the compliance requirements. That's a problem that we have to face, but I think that there are some core values or core things that are always present: that information should be accessed only by people that need to access that information or are authorized to access that information. That is always the same in GDPR, in ISO 27001, those are the ones that I know better. But I'm sure that in others that I don't know, HIPAA and others, it is similar. So people that need to access and have a need to know, probably they are allowed to access. Probably you need to have somewhere a log with who has access, and when, to the data. So with some principles, maybe you comply with a lot of compliance requirements. But the difficulty is to extract these core things you have to do, map them to all the compliance, and also to know all these different laws and regulations that might apply to you. Florence, I think maybe changing just a little bit on the topic here, because when we were talking before, I think what you do is so important here at Red Hat. But I also wanted to have you maybe comment, from when we talk about developers. In my experience, a lot of times, things that may look minor in one piece. Oh, well, maybe we don't need to fix that, or that's just minor over here. Do you want to touch on that a little bit? I think we talked about those minor things all added together can sometimes be catastrophic. Yeah, that is something that especially in cloud services can have a big impact. We have been analyzing vulnerabilities in the past individually, each one on its own.
So we have the CVSS, that is a calculation of the severity of the vulnerability, but from an individual point of view of only seeing the vulnerability. But these minor vulnerabilities combined in a service, in a system, in a company together can make a big impact, a big severity, and that is difficult to see. I, as an analyst, try to see the whole picture, but it is difficult to see it individually. So this minor vulnerability today, maybe we can accept it as is or not prioritize it to be fixed. But maybe together with other minor vulnerabilities tomorrow it puts at risk the whole system or the whole service. That is a challenge where there are proposals to have more information about this, like attack vectors or attack flows, but it is very difficult. So this maybe lets me pivot, perhaps ungracefully, to my next question, which is sort of like, you know, with this whole shift to cloud services and, you know, in the context of open source, things like these are huge in private industry. Do you see government certifications or requirements changing in the future in the context of open source projects like Kubernetes? When you get certifications, one aspect to think through is: are you certifying the technology, or are we looking at the products of a specific iteration of the technology which is branded as a product by a company or even the community, right? So when we look at certifications, one clear thing that both open source users and even companies need to differentiate is, when you pass a security certification, when they pass a standard, that is specific to a version of the code, probably a version of the product, right? So from a threat assessment perspective, both the users and admins need to be aware of that particular version where it was assessed for a threat and noted safe.
And this becomes even more complicated for certifications in the context of a solution, right? You have a few pieces of code from different projects and vendors interacting. So clearly defining the interop matrix of what can be used and what is tested and good to go in your deployment, I think that's critical from a certification perspective; if not, it becomes a huge two by two or a three by three matrix that's impossible to certify at some point. I think that's a really, really good point. You know, especially as we move into, like, the managed services space, you know, thinking about the platform, the product. You know, there's so many things and so many opportunities, right? So I can, I completely understand that in a sense. Recently the United States has issued this executive order that affects how we do some things. I'm not specifically working on that, but I know the industry in general is thinking how to comply with it, how to comply better with it. It's something that we have seen with the SolarWinds breach recently that we can do, maybe not better, because maybe we are already doing what it requires, but make it more visible, maybe inform other parties. So I think it is something that is continuously evolving. And I don't know if new certifications are coming, but for the industry itself, it is obvious that we have to do it better, with or without legal requirements or certifications. I think it's definitely, like, sparked interest and, you know, a little bit more focus in the space, right? Headline news always grabs the attention of everyone, but I think that we just need to think about it in a much different way than we ever have before. You know, I think last year we talked about, like, the impacts of COVID and privacy.
And now you think about, you know, you have the pandemic on top of, you know, even more intelligent, you know, security breaches. You know, how do we get ahead of that, how can we be proactive? How do we put those guard rails up, right? And, you know, those are things that we think about every day and, you know, maybe we could just do, like, a little brainstorming around, like, you know, what are some of the things that you think some of the developers should be thinking about, you know, as we kind of go through this, you know, transition with a focus on cybersecurity. I think that one important thing is improving what we are talking about, the supply chain, but specifically what we do in our secure development lifecycle, or the secure way that we create information for the products and services that we ship, to process it with security in the pipelines. So that is an important thing. I think we, communities in general, do what they can and work with the tools they have in many different ways, but we have to put focus on adding security to those development life cycles and on automating things. If we do that, when new requirements arrive, when we have to improve anything, it would be easier, because at the end there is the software in services and products; if we work on securing the software in general, the security of everything will improve. So Jamie, a quick note on the topic, right? So when you say software supply chain security, it's like, from the code, the production, the libraries used, is your end product secure enough, has it gone through enough testing, right?
One other thing also that we've been noticing in some of the recent breaches is just that the latest version of the software, the newer versions, may be secure in the community or a product, but the users just haven't upgraded, right? There's probably a missing link where the supply chain has done its job, but the communication between that chain and the user, where they get a notification on how critical it is and the reason they need to go to this newer version or apply a fix, that seems to be a missing piece there for the user. I think, Florence, to your point, we need a lot more automation. Alerting is, if there is a certain level of a security threat that was fixed, the users need to know, with some notification around here is how critical this is and here is how we recommend you upgrade it, right? That has been a missing piece that's causing a lot of breaches recently. It's funny you just said that, because I was sitting here thinking there are multiple pieces of this pie from security, right? If you look at supply chain, and then security testing, and then just regular testing and how we develop things, and education of our engineers to ensure that they understand. My experience is engineers are always trying to do the right things; sometimes they just don't know the security implications of what they're doing. And so educating, but then also it's like then you have the management side of things from IT or operations or whatever other parts of it, so there's a whole lot of things. So I like that you typed that in there to cover more of the pieces; I'm sure there's others I left out. So, again, we breathe open source, right, and I'm an engineer, like, this is something that'd be interesting for me: are there any open source projects, initiatives or anything, communities even, that are aiming to improve things in this space?
You know, speaking like vulnerability scanning, I know that GitHub has, like, sent me emails on occasion saying hey, you need to update this package, but that's once every few months and then, like, I usually ignore it, right, unless it's on an important repo, I guess. But I guess other open source systems which aim to do something similar to that. Which I'm not, I have no idea if GitHub's thing is open source, but yeah. Yeah, there are projects, like, in general, organizations like OWASP or OpenSSF. There are many organizations that work on the security part. OWASP, for example, is an organization that for a long time has been supporting open source tools for improving security, like Dependency-Check, for example, for dependencies, or ZAP for dynamic security testing. So it has always been there with good information, in the sense of an organization, and there are many tools that I mentioned, like, for example, Dependency-Check or ZAP, that are very useful, very easy. They are designed to be integrated in the supply chain. The tools are there; maybe they have to be improved. But the important thing is, as we have mentioned, that maybe more security people should participate in these communities and help including these tools, help using these tools in an intelligent way, not only doing a scan and sending the results with 50 pages of findings, but really identifying the real vulnerabilities and helping to improve the open source projects. Okay, so I lost track of time; we only have a minute or two left. Anyone have any last words or thoughts they want to share? So, I mean, let's get back to you as a developer, right? You are writing the code and you have a panel of product managers, security experts, people managers. So what do you want from us? What does the developer community want from other experts willing to help you? And how can we help you? I think make it easier for me to understand how to fix something, right, like