[00:00.000 --> 00:06.960]  So, thank you all for coming.
[00:06.960 --> 00:14.960]  This is securing your software supply chain one open source project at a time.
[00:14.960 --> 00:18.360]  My name is Lori LaRusso, that's a picture of me and my kiddo.
[00:18.360 --> 00:22.520]  I am the open source program manager at JFrog, I don't know if you guys have heard of us,
[00:22.520 --> 00:23.520]  I'm sure you have.
[00:23.520 --> 00:28.400]  And I'm also the marketing outreach committee chair of the Continuous Delivery Foundation.
[00:28.400 --> 00:30.760]  Feel free to find me on Twitter or on LinkedIn.
[00:30.760 --> 00:33.520]  Hi everyone, thanks for being here.
[00:33.520 --> 00:37.520]  My name is Fahad Dermanj and I work at the Linux Foundation as an executive director
[00:37.520 --> 00:39.400]  of the Continuous Delivery Foundation.
[00:39.400 --> 00:44.560]  And that's my photo with my son because she puts her daughter, so I had to put my son.
[00:44.560 --> 00:47.080]  So, thanks again for being here.
[00:47.080 --> 00:53.240]  Okay, so I know you guys are hardcore Java developers and so I'm surprised that you're
[00:53.240 --> 00:55.960]  in this room and I appreciate you for staying for our talk.
[00:55.960 --> 00:59.200]  So why is supply chain security important?
[00:59.200 --> 01:01.320]  So let's just do the math real quick.
[01:01.320 --> 01:07.440]  So 99% of all software is developed with open source components.
[01:07.440 --> 01:14.400]  And of that, at least 85% of enterprise products are created using open source components.
[01:14.400 --> 01:19.520]  So any sort of work we do to secure the supply chain is going to have a tremendous impact
[01:19.520 --> 01:23.880]  not only on your own projects but on the enterprise in general.
[01:23.880 --> 01:25.920]  So I have a quick question for you.
[01:25.920 --> 01:29.120]  Oh, no I don't, just kidding.
[01:29.120 --> 01:31.640]  So what happens when you change slides first thing?
[01:31.640 --> 01:33.520]  So supply chain security, right?
[01:33.520 --> 01:37.480]  Like the shift left has happened, you guys are all like working on securing your code
[01:37.480 --> 01:41.760]  before you go to production, everything is good to go, right?
[01:41.760 --> 01:43.440]  Maybe or maybe not.
[01:43.440 --> 01:45.360]  So now I've got my question.
[01:45.360 --> 01:50.400]  So how many of you know what percentage of increase in software supply chain security
[01:50.400 --> 01:52.440]  attacks happened in the last year?
[01:53.080 --> 01:55.720]  Anyone, throw out a number.
[01:55.720 --> 01:56.720]  How much?
[01:56.720 --> 02:00.680]  650 was in 2021, 2022 number.
[02:00.680 --> 02:02.080]  So we're already at 650.
[02:02.080 --> 02:03.080]  Anybody?
[02:03.080 --> 02:04.080]  Anybody?
[02:04.080 --> 02:05.080]  Okay.
[02:05.080 --> 02:06.080]  742%.
[02:06.080 --> 02:12.800]  There was a 742% increase in software supply chain attacks in 2022.
[02:12.800 --> 02:15.320]  That's kind of a big deal, right?
[02:15.320 --> 02:19.520]  That's kind of something that we should all sort of look at and say, hmm, what can I do
[02:19.520 --> 02:24.640]  to help decrease this number and make sure that my projects are running smooth, my work
[02:24.640 --> 02:27.480]  is running smooth, I'm efficient.
[02:27.480 --> 02:33.240]  So when we do the numbers, there's a 99% of software has open source components.
[02:33.240 --> 02:38.480]  85% of enterprise software is built using open source components.
[02:38.480 --> 02:44.800]  And there was a 742% increase in software supply chain attacks in the last year.
[02:44.800 --> 02:45.800]  Okay.
[02:45.800 --> 02:48.920]  I think now we're all listening and thinking, yeah, this is probably something we should
[02:48.920 --> 02:50.720]  look at.
[02:50.720 --> 02:54.880]  So in the last 10 years, we've had six massive attacks.
[02:54.880 --> 02:59.060]  I'm sure you're all familiar with SolarWinds, maybe the British Airways, the amount of money
[02:59.060 --> 03:04.280]  that these corporations lost, the amount of productivity, the amount of time, the effort
[03:04.280 --> 03:08.100]  that the developers had to put in to fix things that were broken from the beginning because
[03:08.100 --> 03:12.080]  maybe somebody didn't maintain a project because, you know, maintainers, nobody gets
[03:12.080 --> 03:13.080]  paid, right?
[03:13.080 --> 03:15.440]  Like things happen, you move on.
[03:15.440 --> 03:19.480]  And so in the last 10 years, we had six massive attacks.
[03:19.480 --> 03:23.520]  And I'm sure if I say log for J, everyone's going to shrug.
[03:23.520 --> 03:31.720]  So that wasn't an attack, but that was a discovery that could have been significantly crazy.
[03:31.720 --> 03:35.560]  So what are the three types of supply chain security attacks out there?
[03:35.560 --> 03:36.560]  I think we can all read.
[03:36.560 --> 03:40.120]  So there's known vulnerabilities, unknown vulnerabilities like zero day attacks.
[03:40.120 --> 03:42.240]  So that's where that log for J came in.
[03:42.240 --> 03:44.320]  And then non-code issues.
[03:44.320 --> 03:49.520]  So human error, people attacking, hackers are getting smarter, they're looking at things
[03:49.520 --> 03:55.240]  in a different way and they're going in and trying to cause disruptions.
[03:55.240 --> 03:59.960]  So this is a very American reference because we all have cars.
[03:59.960 --> 04:05.480]  So how many of you turned on your ignition and your car didn't start?
[04:05.480 --> 04:08.640]  So you had to replace your spark plug or your alternator.
[04:08.640 --> 04:12.760]  But if you got in your car and it started, maybe you wouldn't know that your tail light
[04:12.760 --> 04:16.480]  was out because it's your tail light and you're just like, I can go.
[04:16.480 --> 04:23.840]  So that's the genius of a supply chain attack.
[04:23.840 --> 04:27.800]  They attack the parts that are built in between, the things that you don't notice.
[04:27.800 --> 04:32.120]  They're not denting your car, they're not breaking a window, they're not breaking your
[04:32.120 --> 04:37.540]  alternator, they're going in from the inside and busting things out.
[04:37.540 --> 04:43.060]  So as this might be a little outdated reference, but Winner is here and it's time to really
[04:43.060 --> 04:47.420]  take this seriously and Fatih is going to talk about some open source projects that
[04:47.420 --> 04:50.460]  are helping to secure the supply chain.
[04:50.460 --> 04:51.460]  Thanks Lurie.
[04:51.460 --> 05:00.420]  So things look a bit, how to say, risky or kind of demoralizing because all these attacks
[05:00.420 --> 05:05.660]  happening like new vulnerabilities are disclosed and some of those vulnerabilities that are
[05:05.660 --> 05:11.260]  currently exploited and we are probably impacted by them one way or the other.
[05:11.260 --> 05:17.460]  And if we think about like 2020, 2021, people start talking about these things like software
[05:17.460 --> 05:22.260]  supply chain security and so on and then governments started making some noise and I'm sure most
[05:22.260 --> 05:28.460]  of you heard this famous White House executive order, 2021, May, June or something.
[05:28.460 --> 05:32.900]  And then other countries, other governments followed the suit, India released something
[05:32.900 --> 05:36.740]  similar and EU had this cyber security act and everything.
[05:36.740 --> 05:40.940]  And those things like the governments, the regulators, they are putting out of focus
[05:40.940 --> 05:42.660]  around this topic.
[05:42.660 --> 05:47.860]  But as you know, the regulations, it takes a while for them to become real, like it
[05:47.860 --> 05:54.180]  goes through all these real processes, politicians are involved and things are a bit slow.
[05:54.180 --> 05:58.620]  Because of that, the communities we are involved in or the projects we are developing or the
[05:58.620 --> 06:04.020]  contributions we are making, we all have a big chance to impact and improve the situation
[06:04.020 --> 06:09.740]  even before those things, those regulations, laws become real.
[06:09.740 --> 06:15.460]  And as Laurie mentioned, like some of the communities, they are actively working on
[06:15.460 --> 06:17.860]  improving the state of software supply chain.
[06:17.860 --> 06:23.580]  And I took just four of those communities on this slide and they are kind of different
[06:23.580 --> 06:26.940]  from each other and they are taking to this slide on purpose.
[06:26.940 --> 06:33.260]  Like CD Foundation is where we are contributing to and as a foundation and as our projects,
[06:33.260 --> 06:38.260]  we mainly evolve around continuous integration and continuous ecosystem and projects.
[06:38.260 --> 06:40.740]  And some of our projects are very famous Jenkins.
[06:40.740 --> 06:47.260]  They have a table here, Jenkins is under CD Foundation, Spinnaker and other CD orchestrator
[06:47.260 --> 06:50.900]  tool that is under CD Foundation.
[06:50.900 --> 06:55.420]  And we try to contribute to efforts from our perspective because when you look at the
[06:55.420 --> 07:07.180]  how to say, scope of supply chain, it is vast and no foundation, no one project can fix
[07:07.180 --> 07:08.180]  those issues.
[07:08.180 --> 07:12.540]  And we as the practitioners from continuous integration and continuous ecosystem do our
[07:12.540 --> 07:16.500]  bit to contribute those efforts from continuous delivery perspective.
[07:16.500 --> 07:24.980]  Because the attacks Laurie summarized, the people are actually abusing pipelines themselves
[07:25.540 --> 07:28.940]  as they are hijacking pipelines that are kind of route to production.
[07:28.940 --> 07:32.260]  And that's why within our community we are contributing those efforts.
[07:32.260 --> 07:39.380]  OpenSF is another foundation under Linux Foundation that works on security best practices, standards
[07:39.380 --> 07:40.380]  and so on.
[07:40.380 --> 07:43.660]  And they are very much focused on supply chain security itself.
[07:43.660 --> 07:49.540]  So CDF looks at from CDF perspective, OpenSF looks at the supply chain as a whole.
[07:49.540 --> 07:53.700]  And OWASP is another project that's not under Linux Foundation and it works on improving
[07:53.700 --> 07:58.620]  the security of OpenSource and CNCF, which I'm sure most of you heard, Kubernetes and
[07:58.620 --> 08:03.500]  other cloud native projects, even though security is not their primary concern, they are doing
[08:03.500 --> 08:09.340]  lots of work around security by publishing white papers or releasing best practices
[08:09.340 --> 08:10.340]  for cloud native.
[08:10.340 --> 08:14.460]  They actually had another event, I think it was this week called cloud native security
[08:14.460 --> 08:15.460]  con.
[08:15.460 --> 08:18.860]  So these foundations, committees, they are all different, but they are all trying to
[08:18.860 --> 08:19.860]  contribute.
[08:19.860 --> 08:23.740]  As a Java developer, as Java, you know, people contributing to Java ecosystem, I think we
[08:23.740 --> 08:29.460]  can also try to contribute these efforts and make sure that the stuff we are developing,
[08:29.460 --> 08:33.660]  the people who are using what we are developing, what we are making available for them to use
[08:33.660 --> 08:40.180]  is as secure as possible so they don't, you know, face problems.
[08:40.180 --> 08:45.260]  One of the things, again, we took examples from these different communities to show what
[08:45.260 --> 08:46.260]  they are doing.
[08:46.740 --> 08:50.500]  This is not an extensivist, this is just a snapshot of what they are doing, there are
[08:50.500 --> 08:52.300]  lots of other initiatives going on.
[08:52.300 --> 08:57.020]  But if you look at OAS, for example, they recently released this report, top 10 CICD
[08:57.020 --> 09:04.020]  security risks and, you know, I'm sure there are people among us who are doing CICD for
[09:04.020 --> 09:10.980]  their communities, their projects, their organizations and some of these items, we do those mistakes
[09:10.980 --> 09:15.620]  without knowing and there are some people out there who are exploiting those issues
[09:15.660 --> 09:22.020]  and hijacking pipelines and injecting malicious code and instead of real artifact, maybe some
[09:22.020 --> 09:26.700]  bad artifact is, you know, flowing through our pipelines and going to production, impacting
[09:26.700 --> 09:27.700]  end users.
[09:27.700 --> 09:31.900]  So this is one side, the CICD.
[09:31.900 --> 09:37.500]  And this is another project called supply chain levels for software artifacts, Salsa.
[09:37.500 --> 09:41.260]  This is under open SSF, open source security foundation.
[09:41.260 --> 09:46.540]  And this also looks at things a bit like end to end perspective, instead of just focusing
[09:46.540 --> 09:51.380]  on, you know, you have your source code, secure development practices or you have your artifact,
[09:51.380 --> 09:59.380]  you must sign your artifact, but Salsa looks at the entire supply chain and it is a framework
[09:59.380 --> 10:06.900]  for giving projects, organizations, committees to have different levels of security.
[10:06.900 --> 10:11.500]  It has four levels, you start with very basic build automation, documenting your build process
[10:11.500 --> 10:19.060]  and it goes to fourth level, which is the most secure and, I would say, increases confidence
[10:19.060 --> 10:20.740]  to your supply chain.
[10:20.740 --> 10:27.300]  And the practices documented by Salsa is pretty good and it's already actually, many communities
[10:27.300 --> 10:32.140]  actually start adopting their community pipelines or community production systems to adhere
[10:32.140 --> 10:39.780]  to these levels that come with Salsa.
[10:39.780 --> 10:44.220]  Another project, again, this is under open source security foundation, CICD store.
[10:44.220 --> 10:45.780]  This is about signing the artifacts.
[10:45.780 --> 10:51.940]  I think, like some of you know, May 1 requires PGP signatures and CICD store is similar to
[10:51.940 --> 10:59.060]  PGP, but it's keyless signing and it is a collection of open source projects like FUTU or RECORE
[10:59.060 --> 11:07.820]  and so on to make it easier for developers, maintainers, package managers to build and
[11:07.820 --> 11:10.220]  distribute artifacts in a secure manner.
[11:10.220 --> 11:14.900]  So when you publish your artifact, it's signed so people can check if that is the right artifact
[11:14.900 --> 11:19.780]  they are expecting, they can verify that signature and make sure that they are not getting some
[11:19.780 --> 11:24.980]  weird random artifact and using it as dependency perhaps.
[11:24.980 --> 11:31.460]  So this project is actually pretty interesting because when we think about open source, we
[11:31.460 --> 11:38.420]  want many people to use our projects, we want many other tools to adopt our library or whatever.
[11:38.420 --> 11:44.420]  And CICD store is actually showing great adoption and many other open source projects are adopting
[11:44.420 --> 11:47.420]  CICD store for signing their release artifacts, for example.
[11:47.420 --> 11:51.900]  And this again, another snapshot I took from CICD store landscape and you see all of these
[11:51.900 --> 11:57.180]  are open source projects, they are located under different communities and they are different
[11:57.180 --> 12:02.100]  from each other and they started signing their artifacts.
[12:02.100 --> 12:05.780]  And this is the CICD store, May 1 Gradle.
[12:05.780 --> 12:10.460]  I've seen a blog post yesterday actually, it was talking about like the status of CICD
[12:10.460 --> 12:15.780]  store with May 1 and Gradle and I believe May 1, Apache May 1 project started working
[12:15.780 --> 12:22.260]  with CICD store to adopt CICD store for signing the artifacts and they had a two-step plan,
[12:22.260 --> 12:26.900]  they are currently working on the first step and the expectation is that they will adopt
[12:26.900 --> 12:31.540]  CICD store coming months, I don't know when, but the work is happening there.
[12:31.540 --> 12:37.100]  And the Gradle is a build tool which you probably know, they also start looking at CICD store
[12:37.100 --> 12:39.020]  for signing artifacts.
[12:39.020 --> 12:43.980]  And if you go back to the title of our presentation like securing open source supply chain one
[12:43.980 --> 12:52.620]  project at a time, like CICD is a big area and sometimes I'm a CICD person, I'm a developer
[12:52.620 --> 13:01.420]  and I don't, like I can't secure my software as best like some other people because they
[13:01.420 --> 13:06.420]  may know CICD better than me, but one thing I can do if I am developing a library, if
[13:06.420 --> 13:11.460]  I am releasing artifacts, I can at least sign that artifact so when people pull that artifact
[13:11.460 --> 13:16.380]  during their build process, as a dependency, then they can check that artifact to make
[13:16.380 --> 13:24.340]  sure they are getting the right one without some tampering and so on.
[13:24.340 --> 13:29.860]  So another project I want to highlight is Tecton Chains and Tecton is a project like
[13:29.860 --> 13:37.060]  Jenkins but Kubernetes native continues their framework and it has multiple projects underneath
[13:37.060 --> 13:41.780]  Tecton Chains, Tecton Dashboard, Tecton Pipelines and so on.
[13:41.780 --> 13:49.060]  The reason why I want to highlight Chains is as a CICD practitioner, like as I noted
[13:49.060 --> 13:52.060]  there are lots of risks we have within our pipelines.
[13:52.060 --> 13:57.140]  People might hijack them and we must make sure the pipelines, the phases in our pipelines,
[13:57.140 --> 14:01.420]  the tasks within our phases, they are only doing what they are supposed to.
[14:01.420 --> 14:04.500]  They are not doing anything else but what we tell them to do.
[14:04.500 --> 14:10.940]  When Tecton Chains comes up with some kind of observability, it takes the observability
[14:10.940 --> 14:12.740]  and applies to the pipelines.
[14:12.740 --> 14:19.620]  So whenever Tecton runs a task, it takes a snapshot of that task, records whatever happened
[14:19.620 --> 14:25.260]  during that task, signs it and stores it so you can go back and audit your tasks if you
[14:25.260 --> 14:30.900]  face issues, security issues, you can check which task actually caused that problem and
[14:30.900 --> 14:33.220]  then make sure that task is fixed.
[14:33.220 --> 14:40.140]  So it is like observability of pipelines will be an important thing going forward.
[14:40.140 --> 14:44.980]  And the last project I want to mention is the youngest project or latest project that
[14:44.980 --> 14:47.380]  joined the CIDI Foundation, Persia.
[14:47.380 --> 14:55.060]  Again we distribute packages and we hope that they are safe, secure and people use them
[14:55.060 --> 15:02.300]  with confidence but sometimes it is difficult and it takes some effort to make sure to verify
[15:02.300 --> 15:07.940]  those packages are built by the right people, community organization and they are not tampered
[15:07.940 --> 15:08.940]  with.
[15:08.940 --> 15:14.380]  Persia comes with Bitcoin, not Bitcoin, no.
[15:14.380 --> 15:15.380]  Blockchain?
[15:15.380 --> 15:16.380]  Blockchain, yeah.
[15:16.380 --> 15:17.900]  I mixed those two.
[15:17.900 --> 15:21.340]  Blockchain-based technology and it is like peer-to-peer package distribution network.
[15:21.340 --> 15:28.780]  So multiple nodes could build the same artifact and they have this algorithm, they check if
[15:28.780 --> 15:33.700]  this artifact is same across all over the place, all those nodes distributed and then
[15:33.700 --> 15:39.060]  the package could be consumed by the users safely and securely.
[15:39.060 --> 15:44.780]  So these were like five, six different initiatives and there are tens or even maybe hundreds
[15:44.780 --> 15:47.540]  of other types of projects and initiatives.
[15:47.540 --> 15:53.380]  So I think we as developers, we have responsibility for our users, obviously as Dory mentioned,
[15:53.380 --> 15:57.780]  some of us are not getting paid for this and we are doing that for our fund and someone
[15:57.780 --> 16:01.420]  is using our project, at the same time we are responsible.
[16:01.420 --> 16:05.180]  We make something available for people to consume and if they are facing issues because
[16:05.180 --> 16:10.540]  of some of these simple things we are not putting in place then we may perhaps feel
[16:10.540 --> 16:15.620]  responsible and do our bit to make sure we improve any and each project we are involved
[16:15.620 --> 16:16.620]  in.
[16:16.620 --> 16:22.300]  So I just want to close with all of the foundations that we mentioned today.
[16:22.300 --> 16:28.660]  So each one has projects, each one has SIGs, each one have working groups, they are all
[16:28.660 --> 16:33.500]  alive and well in terms of communication whether they have it on Slack or on Discord
[16:33.500 --> 16:37.700]  or mailing lists, things like that and if you look at these foundations and you look
[16:37.700 --> 16:41.780]  at the corporate sponsors for these foundations you might be surprised that your corporation
[16:41.780 --> 16:45.540]  actually sponsors one of these and with that there are tons of benefits that you might
[16:45.540 --> 16:48.540]  not be receiving that you are eligible for.
[16:48.540 --> 16:53.100]  So there is always trainings, there is webinars, there is opportunities for like white papers,
[16:53.100 --> 16:57.260]  blog posts like Bhatti was saying there is best practices in each of these depending
[16:57.260 --> 16:59.020]  on what area you are interested in.
[16:59.020 --> 17:05.740]  So I would encourage you to go to each of these and there is tons of other foundations
[17:05.740 --> 17:10.260]  out there but here are just some core that are really working on supply chain security
[17:10.260 --> 17:18.220]  from multiple angles and I think it is something that as job and developers you know you should
[17:18.900 --> 17:22.980]  look and see what other people are doing and how you can also just improve and move forward
[17:22.980 --> 17:23.980]  as well.
[17:23.980 --> 17:28.100]  We all know Java is not going anywhere so it is time to kind of see what else that you
[17:28.100 --> 17:31.820]  can do to help yourself on the front end so on the back end you are not paying millions
[17:31.820 --> 17:35.700]  of millions of dollars lost hours, wages, all that good stuff.
[17:35.700 --> 17:37.900]  So any questions and thank you very much.