Let me introduce myself again. My name is Natale Vinto and I'm on the Developer Advocates team here at Red Hat. Some self-promotion before we start: I'm a CD Foundation ambassador this year. The CD Foundation is the Continuous Delivery Foundation. It's a Linux Foundation organization which is promoting open-source software for CD, like Tekton, like Jenkins, and other software like that. Today we're going to show and talk more about Tekton and Tekton Chains. I'm also a Kubernetes Community Days organizer and a Red Hat Certified Engineer, and the author of those two books. Tomorrow we have a book signing, so if you are interested, we can give you a free book, signed for you.

Let's start with the why, like everything, right? Why do we need security? Why do we need to put security in the first place? Well, generally, when we buy a car, we expect every part supplied to be genuine. Moreover, where the cars are expensive, we expect that those cars are perfect and the components are perfect. We can say the same about software, the parts of the software. Maybe we are not taking into consideration all the components, and moreover the dependencies, and we just discover things when there's a big event impacting lots of stuff. If you remember the Node.js dependency that blocked the whole world, basically, because there was some guy who was retiring his package, or the infamous Log4j vulnerability that affected so many companies, so many applications running in production. It's important that we know every single component of our application. I'm not saying this to you just because I'm paranoid about security (by the way, I am paranoid about security), but those are the numbers that are speaking. If you look at those numbers, this is from several reports, like the State of Kubernetes Security report and the State of Enterprise Open Source, also pretty recent reports. You see the numbers: 742% average annual increase in software supply chain attacks. 20% data breaches.
This is really important, the data breaches. We've seen in the news lots of data breaches. Those data get published on torrents with all our passwords, and we need to change the password each month because our password is basically in all the databases in the world. And 78% of enterprise businesses have increased, and took some initiative to increase, collaboration between DevOps and security teams, and I can say also developers. This is another important number: 92% say that enterprise open source solutions are important. Today we're going to show why open source is important in this security story and how Red Hat is helping with that.

This growing attack surface with the new emerging threats is really worrying. If you think about the technology, it's very fast. Just think about ChatGPT and what things can be done with ChatGPT automatically to inject some malware or try some attack. The attack surface really increased. How can we just mitigate? We cannot prevent everything. How do we mitigate the issues, the vulnerabilities and those attacks? Let me go into how we could do that.

Three pillars, I think, we can define. In general, software supply chain security can be divided into three main pillars. The first one is that we should be able to prevent and identify malicious code. As we know, our app running in production starts from the source code. We should be able to control this source code. If there's something injecting a dependency that we're not tracking, or something bad in the source code, we should be able to prevent this attack. The other part, the second pillar, is to safeguard the build system early. This is really important as well, because once we move from the code to this other part, this is the part where we run our pipeline. If you want, this is the DevSecOps part.
We want to run those secure pipelines that will build our application, run our tests, integration tests, security checks, static code analysis, container image scans, anti-virus, any possible check to automate security. Finally, we're going into the third pillar, which is continuous monitoring and observation. We're hearing more and more about observability rather than monitoring. Observability is really key because we can detect any attack, any change, and react and restart the loop, if we think about the DevSecOps pipeline in this case.

How is Red Hat helping with that? Well, Red Hat is helping in general in the open-source industry, from 30 years of software development in the Linux kernel and the operating system, Red Hat Enterprise Linux, and all the open-source software that Red Hat contributes to and delivers and builds and ships as a product. Red Hat also has a strong distribution mechanism. This is from the beginning, even from the operating system, with the famous package system called RPM. This system is really about certain versions. There's some open-source software like Foreman or Spacewalk that you can use to track the versions of the RPMs in your operating system. This is also evolving over time. It evolved with pipelines, with Kubernetes. We've seen in the keynotes and in the other demo that OpenShift is a Kubernetes enterprise version that has security in place from the first time as well, and is also providing more solutions toward this.

What Red Hat did recently is announcing, at our major event called Red Hat Summit, a new series of cloud services: three products that implement the three pillars that we discussed before. If you look at this diagram, the first one talks about how an application is usually built. You have some base image, you have some language runtime, and then you have your application libraries.
On top, you have your app, your running code, but those are the fundamental layers where you have to understand the provenance, and you need to be sure to verify the attestation of curated content. That's why you move into those three pillars, which are three products for Red Hat. Red Hat Trusted Content is a product and a series of tools. We'll show in a demo in a moment how those series of tools help you identify vulnerabilities in your source code, some kind of static code analysis, in the so-called inner loop where developers start coding. Then when you move to automation, to pipelines, there's this other product called Red Hat Trusted Application Pipeline. I'll show you in a demo how it works. It's a SaaS system that builds out-of-the-box DevSecOps pipelines with all the attestation, provenance, SLSA level 3, which we'll talk about in a moment. Then there's another product called Advanced Cluster Security Cloud Service, which is able to observe and assess and perform vulnerability assessment. All those products I'm talking about are based on open source software, and they are part of the Red Hat Trusted Software Supply Chain. The main message I want to give you today is: secure your open source code and dependencies early. So how can you start doing that?

Before doing that, I need to show you this table. It looks like a table from the '80s, a nightly table with long text. Nobody will read it really carefully, but I want to stress some of the key terminology. One is SLSA, which is Supply-chain Levels for Software Artifacts. It's a set of standards, and you can find the definition on the official website, that you can adopt to improve artifact integrity and build. The other one is this one, SAST, Static Application Security Testing. Another important one I'm sure you already heard about is the CVE. When there's a new vulnerability, there's a public website called www.mitre.org, among other websites that publish those CVEs: Common Vulnerabilities and Exposures.
There's the description, there's the root cause, there's the exploit, explaining some PoC of the attack, and then the mitigation, hopefully. Two other important terms before we move into the other part of the demo: provenance, so you're recording the origin, the history and who made the change; that's very important. Another one is attestation. You are making some kind of certificate that some step on some software artifact has been executed or is present. That is the attestation. There's, of course, Sigstore, and there are tools like Cosign; it's an open source tool to do signing for your software. Those are the main terms that I would like you to have a look at.

Talking about SLSA, those are the levels. The first level is really cool, right? It's no security at all. There's nothing. It's like, you know, best effort. So there's no security, it's best effort and you cannot do anything. Once you move from level one to three, you start getting some ground on security. So level one is able to prevent a mistake and automate the build process. Level two is able to prevent tampering after the build. Level three, the one we'll show in the demo, is the one that provides you a platform able to prevent runs from influencing one another. So it's more granular. It's full control of security in terms of this definition of levels.

And here's, I'm sure you heard about it, shift-left, this famous approach where you have to shift left: you shift all the responsibility up to the source and, you know, you move from the final users, right? Your production app is consumed by the user, and then you move back to, you know, the networking, the production, the staging, QA, development, source code, developers coding, and dependencies used by developers, right? Up to the root cause of the issue or of the possible risk. A very, very simple example, right? You need an HTTP library, a JSON parser, database access; any application needs something, no?
Usually you use a dependency. If you are a Java developer, it's a pom.xml. If you are a Node.js developer, it's a package.json. If you are a Python developer, requirements.txt. Or in general, if you just need to containerize an application and you are abstracted from the programming language, or you just use the container, you just write the Dockerfile. But the people that write those files are responsible for bringing those dependencies into the project. And this is the analysis: it's the Maven dependency tree. It's the tree of dependencies of a Spring Boot application example. As you can see, and maybe you have noticed when you do a Maven package, it downloads the world, right? And you need to be sure to follow everything. Sometimes we don't care much about it, but there's a lot of information here. There are lots of dependencies downloaded. And what happens if the maintainer of one of these dependencies is not publishing an update? What happens if this dependency is injected with malware? It's something we need to be able to track.

Luckily we have open source software that helps us. So the open source software is an intelligent approach. Of course, this is an opinionated approach. There are lots of open source software that are able to implement a secure software supply chain. But I want to go through this one because those are the backbone of the product I'm showing you in a while, the Red Hat Trusted Application Pipeline, that you can also try yourself for free in our developer preview. I'll share the link in a moment. So you can start from any source code management system: GitHub, GitLab, Bitbucket, Gitea, I don't know what you like. You can use whatever you want. Then the Red Hat opinionated way to implement a secure software supply chain, the one we ship out of the box, is using Tekton. Tekton is a Kubernetes-native open source software for delivering CI/CD on Kubernetes. You don't need to install an external agent.
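As an added example (not code from the talk, and not Red Hat's or the Dependency Analytics extension's own code), here is a small Python scanner that does what the talk asks a developer to do with that Maven dependency tree: parse `mvn dependency:tree` output, keep the chain of parents for each artifact so a finding can be traced back to the direct dependency that pulled it in, and compare every coordinate against an advisory table. The tree lines and the advisory table (advisory ids, fixed-in versions) are constructed sample data; a real scanner takes them from a vulnerability database, which is what the editor extension shown later in the demo does.

```python
"""Scan `mvn dependency:tree` output for known-vulnerable Maven coordinates.

Added example, not part of the talk. The tree lines and the advisory
table below are constructed sample data, not real build output or CVE data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `mvn dependency:tree` output for a Spring Boot app
# (project name and versions are made up for the example).
SAMPLE_TREE_LINES = [
    "[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ partner-catalog ---",
    "[INFO] com.example:partner-catalog:jar:0.0.1-SNAPSHOT",
    "[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.0:compile",
    "[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.0:compile",
    "[INFO] |  |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.7.0:compile",
    "[INFO] |  |     \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile",
    "[INFO] |  \\- org.springframework.boot:spring-boot-starter-json:jar:2.7.0:compile",
    "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    "[INFO] \\- com.h2database:h2:jar:1.4.200:runtime",
]

# Constructed advisory table: (group, artifact) -> [(advisory id, first fixed version)].
# A real scanner pulls this from a vulnerability database; the ids are placeholders.
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): [("SAMPLE-ADV-0001", "2.17.1")],
    ("org.apache.logging.log4j", "log4j-to-slf4j"): [("SAMPLE-ADV-0001", "2.17.1")],
    ("com.h2database", "h2"): [("SAMPLE-ADV-0002", "2.0.206")],
}

# One tree level is three characters: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[|+\\\- ]{3})*)(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$"
)


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int                      # 0 = the project itself, 1 = direct dependency
    parents: list = field(default_factory=list)   # "group:artifact" chain from the root


def version_key(version: str) -> tuple:
    """Turn '2.17.1' / '1.4.200' / '0.0.1-SNAPSHOT' into a comparable numeric tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def parse_dependency_tree(lines):
    """Parse tree lines into Dep records; non-tree lines (plugin banners etc.) are skipped."""
    deps, stack = [], []
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")        # group:artifact:packaging[:classifier]:version[:scope]
        scope = parts[-1] if len(parts) >= 5 else "root"
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]                           # unwind to this node's parent
        dep = Dep(parts[0], parts[1], version, scope, depth,
                  [f"{d.group}:{d.artifact}" for d in stack])
        deps.append(dep)
        stack.append(dep)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Match each dependency against the advisory table; report the path that pulled it in."""
    findings = []
    for d in deps:
        for adv_id, fixed_in in advisories.get((d.group, d.artifact), []):
            if version_key(d.version) < version_key(fixed_in):
                findings.append({
                    "artifact": f"{d.group}:{d.artifact}:{d.version}",
                    "advisory": adv_id,
                    "fixed_in": fixed_in,
                    "direct": d.depth == 1,
                    "path": " -> ".join(d.parents + [f"{d.group}:{d.artifact}"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(parse_dependency_tree(SAMPLE_TREE_LINES)):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['artifact']} ({kind}): {f['advisory']}, fixed in {f['fixed_in']}; via {f['path']}")
```

The `path` field is the part a plain version check does not give you: for a transitive hit the fix is not "bump this line in the pom.xml" but "bump or override the starter that pulled it in", and for a direct hit it is the one-line version change the talk describes.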
It's just available out of the box, bringing APIs into Kubernetes to manage pipeline and task execution. And Tekton Chains is a project that helps you provide attestation and provenance for each step executed in the pipeline. For each execution step, you can define a manifest that you can sign, and that manifest testifies that the execution has been executed with those dependencies, with those volumes. Talking about attestation and provenance, Cosign is another open source software which is able to analyze, verify and sign the famous software bill of materials. In the slide maybe it was not visible because it was dark, but another important term to consider is the software bill of materials: your dependencies are defined, how many dependencies, what your dependencies are. This is this SBOM in the flow; we'll see how to use Cosign for that. There's another... I'm doing the list of all the open source software. There are many, but those are, you know, our opinionated way of how we build the secure software supply chain. Another popular one is Clair. Clair is an open source software that scans container images. So if you want, if you have your container images and you want to scan them against a public list of CVEs, you can use this software, because it has this public registry repository of CVEs and can scan your container. So if your base image is Red Hat or another, I don't know, another base image that you want to use, Ubuntu or other, it is able to consult the CVE list and give you a scan of the container image.

Going to the end of this overview of software, and finally going into a demo, I want to tell you that the other software involved is Open Policy Agent. OPA is very popular in Kubernetes for delivering policies and rules in the clusters, and when you need to deploy something, you can use the GitOps approach. We've seen in our session before, in the demos that we've done, that we are using a lot of GitOps.
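As an added example (not code from the talk, Tekton Chains or Cosign), the following Python shows the attestation and provenance idea from the terminology slide in the shape Chains actually emits: an in-toto Statement carrying an SLSA provenance predicate, wrapped in a DSSE envelope. Signing uses an HMAC stand-in so the example runs offline (Chains and Cosign sign with asymmetric keys); the builder id, the buildType string, the repository, commit and image bytes are all constructed for the example. The verify function applies the kind of checks a gate runs before admitting an image, like the per-check security tab shown later in the demo: the signature verifies, the subject digest is the digest of the image actually being deployed, the builder is a trusted one, and the source repository appears among the build materials.

```python
"""Attestation and provenance check in the in-toto / SLSA / DSSE shape.

Added example, not part of the talk and not Tekton Chains' or Cosign's own code.
Signing is an HMAC stand-in (an assumption for an offline example); real
pipelines use an asymmetric key or keyless Sigstore signing.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
TRUSTED_BUILDERS = {"https://tekton.dev/chains/v2"}          # constructed trust root
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"       # constructed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that actually get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_provenance(image_name: str, image_bytes: bytes, builder_id: str,
                    repo: str, commit: str) -> dict:
    """Build an in-toto Statement with an SLSA v0.2 provenance predicate for one image."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_PROVENANCE_V02,
        "subject": [{"name": image_name, "digest": {"sha256": sha256_hex(image_bytes)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/buildtypes/pipelinerun",   # constructed
            "invocation": {"configSource": {"uri": repo, "digest": {"sha1": commit}}},
            "materials": [{"uri": repo, "digest": {"sha1": commit}}],
        },
    }


def sign_statement(statement: dict, key: bytes = SIGNING_KEY) -> dict:
    """Wrap the statement in a DSSE envelope; HMAC stands in for the real signature."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-hmac", "sig": base64.b64encode(sig).decode()}],
    }


def verify_attestation(envelope: dict, image_bytes: bytes, expected_repo: str,
                       key: bytes = SIGNING_KEY) -> list:
    """Return the list of policy failures; an empty list means the image is admitted."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"]):
        return ["signature does not verify"]        # nothing inside can be trusted
    failures = []
    stmt = json.loads(payload)
    if stmt.get("predicateType") != SLSA_PROVENANCE_V02:
        failures.append("not an SLSA provenance attestation")
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(image_bytes) not in digests:
        failures.append("subject digest does not match the artifact")
    pred = stmt.get("predicate", {})
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        failures.append("builder is not in the trusted set")
    if not any(m.get("uri") == expected_repo for m in pred.get("materials", [])):
        failures.append("source repository not among build materials")
    return failures


if __name__ == "__main__":
    image = b"constructed container image bytes"
    repo = "https://github.com/example-org/partner-catalog"
    env = sign_statement(make_provenance("registry.example/partner-catalog:1.0", image,
                                         "https://tekton.dev/chains/v2", repo, "0123abcd"))
    print("clean image:", verify_attestation(env, image, repo) or "admitted")
    print("tampered image:", verify_attestation(env, image + b"\x00", repo))
```

The order of checks matters: the signature is checked first and everything else only on the decoded payload, so a tampered envelope never gets to influence which digest or builder the policy compares against.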
It's like, today, a standard way to deploy applications, keeping them in sync securely. Argo CD is a software, an open source software, that can do that, of course targeting Kubernetes, and in our case we're delivering it on top of OpenShift. So that was the overall view, and how we implement this in the flow is in this way. I'm going to now go into the demo.

Let's go into how we prevent and find malicious code. I have an example here and I want to start from that. This example is, again, for those of you that were not present in our keynote: we created a sample GitHub organization where we are present as users, and in this organization, the WinTurbine Inc, we have some repositories. This is a simple repository containing a Spring Boot application. Really simple, no Dockerfile, full of vulnerabilities; that's why we want to use it to try it out. So what we've done is just have this Spring Boot application that we can also execute locally, and it's really simple. I'll show you the source code. It's just printing out a hello endpoint we can query, and it's going to replace something, and it's also providing some starting content. Really simple, but the thing I want to show you is the dependency file. So as a developer this is my code, really simple, but look at this. I have my dependency file, and in the dependency file there's something telling me that I am using this version but this is a known vulnerability, I should use another version, and there's also the infamous Log4j here, and we put that version in on purpose, right?
So why is Visual Studio Code in this case suggesting that to me? Because Red Hat is providing an open source extension that I'll show you in a moment. It's called Dependency Analytics, and if you go to the list of extensions and you look for Dependency Analytics, it is already installed. You can install it in Visual Studio Code and in IntelliJ, and this basically is just scanning your dependencies in the code and providing you a report that you can use to verify what the vulnerabilities are. As you can see here, we have lots of vulnerabilities: Log4j, Struts, H2, those are all versions, and you can also have a detail if you want to open it by clicking. This is going to go to the Snyk website, because this extension is made in collaboration between Red Hat and Snyk, so we're able to scan early in the inner loop if there are any vulnerabilities. So we should stop here, right? Because we found some vulnerabilities. But let me go through the other pillar, how do we automate the building part. Because a quick fix here, folks, is of course going into the pom.xml; the suggestion is a recommendation, 2.20, and doing that, simple as that. So this is our fix, but I want to keep this error because I want to show you how other tools in the so-called outer loop can help us with that.

And the tool I want to show you today is Red Hat Trusted Application Pipeline. Red Hat Trusted Application Pipeline is Red Hat SaaS on top of those software I was talking to you about: Clair, Tekton, Argo CD. It's basically implementing SLSA level 3, so it's compliant to all of this, and it's offered as a SaaS. So the only thing you need to do as a developer, as a user, is getting a repository accessible, and you can start from here, and you can import this code, and then this wizard will ask you: OK, I found this is a Spring Boot application and this is the target port. I can deploy to this, also deploy to an environment which is in this SaaS, or it can connect to your cluster somewhere if you have OpenShift or any Kubernetes
cluster. You can define the number of instances, inject variables, build-time secrets if you need to do that, and what it's going to do is basically define your first secure pipeline. Now what it's going to do also is push to your Git repository some settings to implement those secure pipelines, so this is also called pipeline as code. It's really interesting; let me show you how the system is going to suggest you to add some change. If you're using GitHub, you can install a GitHub app in your organization or repository, but what the system is doing is adding, as you can see here, some Tekton objects, a PipelineRun with some steps to implement all those security gates. It's fully automated. As a user, as a developer, you just have to log in to your GitHub and approve that. I think I'm logged in here, so let me go back here in the partner catalog. I have a pull request here, here we go, and you just have to merge it. What is happening here is that the system, the tool, recognizes the merge in Git and then will apply the pipeline. As you can see, this is applied and now the pipeline is starting. The pipeline has all the security gates I was talking to you about, but since this takes a while, I want to show you an already-run execution of that. So it takes some time to clone the repository, to build a container, to inspect the image. Let me show you an execution I already did with another user.

So this is the execution I've done. As you can see, the pipeline has been started and then, after building the container image, it has done some scan with Clair. Clair, if you remember, is that open source software that can scan container images, and if you look at it, we have 17 critical security issues and some lower-score ones, but we can go into much more detail and go looking at what those vulnerabilities are and check what's wrong here, what is the layer for this vulnerability. So we can go really granular on that, but the system is already identifying some vulnerabilities. Not only the vulnerabilities: it is able also
to give you an overview of what's going on with an anti-virus scan. So in this case it is using ClamAV, it's an open source anti-virus that can perform that scan, and it is also able to perform the check on the software bill of materials and some other checks with some other tools. So, long story short, this will perform all the scans. Now at this point you can also do this operation: you can visualize the software bill of materials, so this will tell you all the dependencies and all the versions that you have, and you can decide to verify with Cosign and also sign it if you want. So it's a convenient way to have an overall view of everything that you need to run a DevSecOps pipeline. And not only that: right now this software, you know, contains lots of vulnerabilities, but after the scan it is able also to perform another type of execution, which is the integration tests. Those are called, in the terminology, the Enterprise Contract. So the Enterprise Contract is able to show you that, for each, after the pipeline execution, the system gives you a security tab. In this security tab you see all the layers or checks that have been done for the application: is there a base image, is there a build task containing the steps, what are the collection, what is the provenance that matches the build task image result. So this is not really... it's all success because it's not about the security, it's about the conformity on all the checks that you need to do before pushing that somewhere.

And for this reason I also want to show that the system is able to deploy this to the default location in the SaaS or to your own cluster, and for this reason I deployed this application in this cluster. This is an OpenShift cluster that I connected to the system, and here we have the partner catalog. So the tab was able to deploy the partner catalog. You can see the Spring Boot app running over here, and here's our hello endpoint without HTTPS, right? So this is absolutely a non-secure application,
non-HTTPS, with full vulnerabilities, but just to show you that the system, the tooling, is able to help you on the inner loop, on the code side, on the pipeline, so you can stop everything; you can stop signing, stop delivering it if you want. Or, last but not least, also on observability: how can you observe all this? Well, there's another tool called Advanced Cluster Security for Kubernetes that you can attach to the execution, and I'll show you here. I've installed it also in this cluster and I want to access it, because I want to show you that you can do the observability also using this other tool, which is connected to the cloud service. And here's an overview of all the clusters you are connected to. I'm connecting this cluster, and the cluster recognizes that there's a Log4j vulnerability, which is a violation of your policy, and also you have a list of the container images containing all those vulnerabilities. There's a list of all the container images, but you can have a list of top CVEs, you can order by the last scan; as you can see, there are lots of things that are not going very well over here. And it's really cool also the way it manages the vulnerability management, so you have a list of CVEs in the cluster, also the risk policies: the partner catalog has a high risk indicator. This gives you very granular detail on how you can filter and organize the policies and discover the policy violations that you have in the cluster.

I want just to close by showing that this observability tool can also be very granular, going not only into the execution of the pipeline but also into the execution of the application. And here's a diagram that shows you all the applications running, and if you click on one of these entities over here, you can have the list of all the flows, all the network flows: which port, which protocol, who is contacting what. This is the internal port, this is the traffic, and you can inject network policies at runtime if you want. So, to recap, everything, security in place
from the beginning: in the code, in the pipeline and also in the target Kubernetes cluster. You can do that, you can try Red Hat tools for that, and I'll give you some links here where you can try for free what I've just shown you. If you go to this website, red.ht/trusted, you can subscribe and send a request and you can try this tooling for free. Again, this tool is fully composed of open source software; we are just delivering it as a service, but the backbone is open source. If you want to do the same thing in your own cluster, just take Tekton, Tekton Chains, Cosign, Clair, Argo CD, put that all together in some pipeline scheme and implement your secure software supply chain in the same way. If you want it out of the box, here's the service that you can use.

This is another reminder of things that you can do. If you subscribe to developers.redhat.com you have some free ebooks and tutorials, and what about the ebooks: if you are interested in developer setting, supply chain security in DevSecOps, you can download this book for free; this will walk you through how to set up a DevSecOps flow. I know we are out of time. Just a quick reminder that if you want, we do some book signing tomorrow. This is Modernizing Enterprise Java; if you are a Java developer, probably you'll love it. This is a book more for people interested in Tekton, Argo CD, so pipelines and GitOps. It's a list of the technologies that you can use to start implementing your GitOps-driven secure software supply chain. Thank you, that was a pleasure to be here with you, all of you today, and I really look forward to speaking with you here about this product that opens our technology. Thank you.