Hi all, thank you for joining this session, 5G and challenges with software supply chain security. My name is Fahad Dermanji and I work for Ericsson Software Technology as an open source developer. During the coming 15 minutes, I will talk about the transformation in the telecom industry, 5G, the changes we are witnessing, the impacts of those changes on the software supply chain and the challenges we are facing. As you know, mobile communication is part of our lives. And over the past 40 years, we have seen tremendous changes within communication. If we even go back 150 years, we can see that communication happened through wires via a phone. But since the 1980s, mobile communication has become a critical part of our lives. And as you all know, every 10 years we are seeing new generations of mobile communication, starting with 1G, going through 2G, 3G, 4G and finally 5G networks that are currently being rolled out all around the world today. And I want to look at the last 10 years and what's been happening within the telecommunications industry. New technologies such as cloud native and virtualization opened up a lot of opportunities for various industries, and telecom is not an exception. Around 2014, the European Telecommunications Standards Institute published a white paper describing how virtualization could be employed in the telecommunications industry, and network functions virtualization started becoming the focus for the industry. And as you can see on this picture, which is taken from the first white paper published around 2014, the shift from the classical network appliance approach to a virtualized and disaggregated approach is critical for the next generation telecom networks. The reason for this is that the virtualized approach allows disaggregation, enables vendor diversity, and enables innovation and the introduction of these services to end users.
As part of this white paper, they came up with an NFV architecture that also talks about the different components within the next generation telecom networks and puts the focus on openness and enabling innovation. So what was that architecture? I took a very simplified view of that architecture. If you look at the left hand side diagram, you will see how telecom networks in the past and even today are built and rolled out. The classical approach involves the use of specialized hardware and software and deploying physical network functions in that kind of setup. As you can see on the diagram, this is very coupled, highly integrated, and it is very difficult to bring new services or applications into the networks. But if you look at the diagram on the right hand side, you will see that with virtual network functions and cloud native network functions, you can decouple the different layers within the telecom stack and bring those different applications or components within the stack from different vendors at a much faster pace. The other thing I want to highlight here is openness and standardization. In the past, again, specialized hardware and software and the use of proprietary hardware and software made things difficult for communication service providers to bring new products and new applications into their environments. But with this decoupling and openness, many new applications could be developed by various vendors, and they could be applied to communication service providers. So disaggregation and openness are the two key things that are pushing the communications industry forward. And the new technologies, as I mentioned, virtualization and cloud native, are becoming part of the telecom stack. So what kind of challenges are we observing? On this diagram, I have a very simple software supply chain and various actors. On the left hand side, we have communities and vendors.
On the right hand side, we have telecom networks that could be deployed into data centers, cloud or edge. In the middle, we have the communication service provider or mobile network operator. When it comes to communities, it could either be a community or a standalone project developing a certain piece of technology that could be used as a dependency for other open source technologies, or it could be an entire platform such as Kubernetes. When it comes to vendors, the vendors could be developing their products in their environment without consuming any open source components, or they could be consuming open source components from various communities and projects. And in most cases, the telecom stack contains other open source components. The first challenge we are facing is FOSS introduction. Obviously, the vendor who is developing product X needs to bring in certain dependencies from upstream communities if they are using open source components within their product development. And this is the first thing the vendors face: how to bring those FOSS components into their product development organizations and how to introduce those FOSS components. As we all know, free and open source software has different licensing types, or those components could have different types of security and vulnerability issues. And all those issues or license types must be vetted before the software can be introduced to the product development organization. And this is the first challenge: how we can introduce new FOSS or newer versions of existing FOSS components into our product development in a fast and satisfying manner.
The next challenge is, again, that through this disaggregation many different components are developed and published by various open source communities, and when these components are consumed from upstream communities and put together with the products the communication service providers are acquiring from the vendors, they need to face the challenges that come with integration. And especially with integration, it is very important to keep the chain of trust, traceability and reproducibility aspects in mind, so that when things are integrated with each other or put together, the critical information about those components is not lost in translation. Another important and related challenge is the software bill of materials. And again, during the FOSS introduction phase, we need to identify primary, 3PP or FOSS and its dependencies, what kind of licensing type those open source components adopt, and if there are any changes in those licensing types when we move to a newer version. A software bill of materials is critical for us to ensure that whatever we are bringing into our product development and later to production is well documented and we have a full bill of materials for those components. Another challenge is actually mostly related to open source communities, to open source developers, to us: non-secure development. Obviously, we all do our best when we contribute to the various communities we are engaged in or the projects we are developing, and it is critical that we apply security practices properly. However, this is not followed by the majority of developers. According to the Linux Foundation developer survey, only 2.27% of developers are actually applying security practices during their day to day work within the communities they are engaged in. So it is critical for us as developers to follow these practices, apply best practices and ensure whatever we are contributing satisfies secure development principles.
The next issue is, again, going back to security flaws: there will be bugs and there will be security issues, because we are depending on other open source components and those components may have security issues. But those issues most of the time stay invisible. Again, if I must refer to a survey, the GitHub Octoverse report says that issues go undetected and undeclared for about four years on average. So we must make sure that we apply security practices, and if we can't fully secure our software, we then need to make sure we catch those security issues in a timely manner so those issues don't propagate into our production environments. So propagation, again, is related to secure development and persistence. If we have a bug in one of the critical dependencies, that bug could propagate through our pipelines and could be deployed to production environments, in this case telecom networks, if it is not caught in time. This obviously increases the attack surface for malicious actors and could cause big problems for us as humans. Vulnerability analysis is another issue. Again, it is important to identify what kind of vulnerabilities the software we are using has and get those vulnerabilities patched and fixed by moving to newer versions of those dependencies or components, assuming they become available. OWASP released their report, and using components with known vulnerabilities is the ninth biggest reason for issues with the software supply chain. And finally, traceability is critical. Again, we will have bugs in our software, like in any other community, and we will need to issue fixes for those bugs, including security issues. But in order for us to achieve that, we have to make sure that we have ways to trace the software that is deployed in production back to its origin and potentially identify the problematic commit to fix the issue and bring those fixes back to the production environment. So traceability is critical, and commits have a big role to play here.
So as I mentioned, telecom has been going through a heavy transformation, and all this virtualization and cloud native is changing how the next generation telecom networks are developed and deployed, and 5G is the generation where this disaggregation and openness is happening. And telecom is not fundamentally different if you look at it from this perspective, because these new technologies have been available in other industries and telecom is adopting these new technologies as well. And as a product of that, the use of FOSS in telecom is increasing drastically. But the difference when it comes to telecom is that telecom is a highly regulated and heavily standardized industry. It takes quite some time for telecom to adopt new methodologies, new technologies. So they become available within our networks, but we have to help them, and communities have a big role to play here. Again, communities have a lot of opportunities to impact telecom networks like the communities did for other industries, because we sit at the intersection of government organizations, SDOs, industries, and other communities. So if we could achieve cross-pollination and cross-collaboration across different industries, standard development organizations, communities, and government agencies, the benefits could be tremendous. Thank you very much.
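Added example, not part of the talk and not Ericsson, ETSI or any vendor's code: the following Python script exercises three of the supply-chain checks the talk calls for, namely a software bill of materials diff between two product releases (new, removed and license-changed components), a lookup of the SBOM against a known-vulnerability feed, and traceability from a deployed artifact's digest back to the build provenance record and source commit it came from. Every component name, version, license, advisory identifier, artifact and commit value below is a constructed placeholder, and the version comparison assumes plain dotted numeric versions.

```python
"""Toy supply-chain checks: SBOM diff, known-vulnerability lookup, traceability.

All data in this file is constructed for illustration; nothing refers to a real
component, advisory or build.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


# Constructed SBOMs for a hypothetical "product X" at two releases.
SBOM_V1 = [
    Component("libfoo", "1.2.0", "MIT"),
    Component("libbar", "3.0.1", "Apache-2.0"),
    Component("libbaz", "0.9.0", "BSD-3-Clause"),
]
SBOM_V2 = [
    Component("libfoo", "1.3.0", "MIT"),
    Component("libbar", "3.1.0", "GPL-3.0-only"),  # license changed upstream
    Component("libqux", "2.0.0", "MIT"),           # new dependency pulled in
]

# Constructed vulnerability feed: (component, first affected, last affected, advisory id).
KNOWN_VULNS = [
    ("libfoo", "1.0.0", "1.2.5", "EXAMPLE-ADV-0001"),
    ("libbar", "3.1.0", "3.1.2", "EXAMPLE-ADV-0002"),
]


def parse_version(version: str) -> tuple:
    """Assumes plain dotted numeric versions such as 1.2.0 (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def sbom_diff(old: list, new: list) -> dict:
    """Report what changed between two SBOMs: added, removed, license changes."""
    old_by_name = {c.name: c for c in old}
    new_by_name = {c.name: c for c in new}
    common = sorted(set(old_by_name) & set(new_by_name))
    return {
        "added": sorted(set(new_by_name) - set(old_by_name)),
        "removed": sorted(set(old_by_name) - set(new_by_name)),
        # A license change on an existing dependency needs re-vetting before the
        # newer version is introduced into product development.
        "license_changes": [
            (n, old_by_name[n].license, new_by_name[n].license)
            for n in common
            if old_by_name[n].license != new_by_name[n].license
        ],
    }


def vulnerable_components(sbom: list, feed: list) -> list:
    """Return (name, version, advisory) for every SBOM entry inside an affected range."""
    hits = []
    for c in sbom:
        v = parse_version(c.version)
        for name, first, last, advisory in feed:
            if name == c.name and parse_version(first) <= v <= parse_version(last):
                hits.append((c.name, c.version, advisory))
    return hits


def digest(content: bytes) -> str:
    """Content-addressed identity of a built artifact."""
    return hashlib.sha256(content).hexdigest()


# Traceability: the build pipeline records, per artifact digest, which source
# commit and SBOM produced it. Constructed record; the commit is a placeholder.
ARTIFACT_V2 = b"constructed build output of product X release 2"
PROVENANCE = {
    digest(ARTIFACT_V2): {
        "product": "product-x",
        "version": "2.0",
        "commit": "PLACEHOLDER-COMMIT-SHA",
        "sbom": SBOM_V2,
    },
}


def trace(deployed_content: bytes):
    """Map what is actually running in production back to its provenance record."""
    return PROVENANCE.get(digest(deployed_content))


def deployed_advisories(deployed_content: bytes, feed: list):
    """Advisories affecting a deployed artifact, or None if it cannot be traced."""
    record = trace(deployed_content)
    if record is None:
        return None
    return vulnerable_components(record["sbom"], feed)


if __name__ == "__main__":
    print("SBOM diff v1 -> v2:", sbom_diff(SBOM_V1, SBOM_V2))
    print("Advisories for deployed artifact:",
          deployed_advisories(ARTIFACT_V2, KNOWN_VULNS))
    print("Untraceable artifact:", trace(b"artifact of unknown origin"))
```

The point of the last two functions is the one the talk makes about traceability: an artifact whose digest has no provenance record cannot be tied to a commit or an SBOM, so it also cannot be checked against a vulnerability feed, and that is a finding in itself rather than a clean result.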