It's all right. I am early or on time? I'm on time. I'm punctual. That's brilliant.
So, hello. My name is Salve Nielsen. I'm one of the few fellows that hack around with
the Netherlands in Oslo, Norway. And last year, I bumped into, with some other people into thinking about security on the
seapen. So, stuff happened and I'm going to tell you about that now. And a little bit, it's kind of an introduction to
FOSTA. Similar talks have been given at other conferences already. And a little bit of an update.
So, I hope you can bear with me. So, we were established at the Perl Tulsen Summit in Lyon last year.
And the purpose here is to basically feel an void about caring about seapen security. There are already people who care about
security in the Perl community. Mostly they live on the P-File porters list. But when it comes to the seapen ecosystem, a couple of us raised our
hands and said, okay, we'll try and do something about that. These are the people that showed up at the Perl Tulsen Summit.
And a bunch of these are also on the seapen security working group. So, what's in scope for this working group? We are, there's a lot of
people who are interested in the security of the Perl. So, we try to do security outreach. That means information work. It's maybe not obvious that's
needed because of course everybody knows how to Google and figure out something. But we try to think a little bit about how to do things that are
connected to the security of the Perl. So, that includes making sure that important security issues that are probably registered as a CVE. That if there are
anything that show up in the CVE index that they are responding to in a good way. And we're not solving the problems. We're helping the people who are
involved in the project, for example, that doesn't have a responsive author will make a little bit of an effort to try to find a replacement or solve it that way. This is basically what happened with
spreadsheet parseXL and parseXLX. And we are super happy somebody stepped up and actually resolved those issues. And we do some coordination with other
scientists through the search.org VINCE interface. And so, we are trying to build up a network so we can make sure to report things properly and share the information we have and help those people who need help.
And there is some triaging and coordination going on there. And the goal here is to make sure that important vulnerability issues are not ignored. So, that's one of the major topics we're working on. We care also about having a good
vulnerability index. There are, I think, one or two options right now. This one, called C-Pan-Odeta, I think, has something going on there which is useful. But it needs to be up to date and we want to help with that and maybe see if we can integrate it with other
indexes out there. Furthermore, let's see what's going on here. That was not the point. Okay, the screen is saying hello. Okay, sorry for technical problems here.
It looks like my computer doesn't like the USB C connection here for a moment. Sorry about that. Okay, let's throw it out and put it in again. That's always how it works.
There, sweet. Yeah, it would manage to fix itself or the old computer are just saying. So, yes, vulnerability index. We also care about what's called supply chain provenance, which is basically where the stuff come from and how did it become the way it is.
And in general, supply chain security. Things that we are working on there. Look here. It's already disappearing. This is a bit annoying. I'll try to continue. We want to make an effort to make sure that all the C-Pan clients use HTLess by default, for example.
So we connect quickly to the servers that we want to download from. We want to make use of something called the update framework, which is used by other packaging ecosystems for securing the whole process of publishing and sharing the modules out there.
We want to introduce repository signatures and author signatures at some point. We, moving on, we have, come on. It looks like I'm having more trouble than is necessary here. This is quite annoying.
No.
No.
No.
All right. So we are looking also at, oh, this is the wrong page. Interesting.
We're also looking at tracking all the changes that happen on the software. Look here. Using S-bombs, software below materials. That's a huge topic and demands from that downstream when people in running software on critical infrastructure, for example, have now, they're obliged by law to keep track of dependencies and what's going on.
And this whole
field also includes solving the problem of how to refer to the depends across package ecosystems. So with that, there's something called package URL, which is currently in use by a lot of systems out there that and S-bomb standards to refer between
two packages in different ecosystems. If all goes well, we'll actually have C-pans as part of the package URL standard, sometimes this weekend, I'm hoping. I talked with the author yesterday at the party, at the conference here in Brussels.
And we want to improve the indices in general when it comes to interoperability with other indexes, package indexes.
Let's see. Since we don't have slides here, this is really annoying. So I'm sorry this doesn't work as expected. Does anybody have a USB to HDMI connector?
USB C.
No, no, that's, I need to, I need to, female HDMI.
Ah, okay.
Let's see if this helps.
Crossing fingers.
Because if it doesn't get better now, then it's not my computer.
All right.
There's something called transparency logs.
There is some tooling called six store and six some that we want to take inspiration from to create transparency around what changes happen on C-pans.
So if something is updated without anyone knowing, we want to detect stuff like that.
We also would love to have a way to do a patching of C-pan distributions when an upstream of there is completely unresponsive and we have no way of resolving a crisis quickly.
So to publish a patch in a structured way so that, say, for example, a client can detect, oh, there's a patch that is not applied here, but we do want to download or something like that.
We'll see how that works. It's a current dream we're having.
We do care about compliance and privacy.
So having an idea of what kind of legislation is relevant for us.
That's super important and documenting that stuff is part of that.
So we have a reading list already published.
We also want to have good tooling for software composition analysis and like checking finding ways to detect if something, some of your dependencies have certainly gotten a vulnerability or something.
So we say, for example, during a test run configured, oops, there was something happening.
One of the dependencies you need to update is lots of good ways to do that.
There's already some tooling in place actually, but these are what we want to do.
There's also the act of having a project management.
So we're taking that part of that and that means creating a good charter, having a pre-release disclosure agreement.
That tells us under what terms we can share information or not.
And do general information around how things are put together as an organization and which place we play in the larger ecosystem.
Funding is also an important part of this because I have to be frank here for a moment.
And that is working on security issues on behalf of others on a volunteer basis isn't always fun.
Sometimes it can be increased like horribly boring or frustrating or just solving problems that I don't have.
I imagine this is the same for everyone.
So we're looking also for finding ways to actually fund some of the work that we want to do.
And there's a whole lot of other stuff we want to do.
And the most important thing for us is that while Perl isn't the super big thing it was 20 years ago,
it's still used everywhere in critical infrastructure and in important businesses that with money is earned right now.
So people call it legacy systems these days, but we have to remember legacy means also earning money.
So we cannot just ignore and say I'll rewrite stuff later or we'll just update.
No, no, we need to update stuff now and we need to figure out exactly what's running and to make that happen.
We need to enable a whole lot of things using the stuff I already mentioned.
And there's also some cultural things worth mentioning.
And in the Cpan and Perl community, we don't always think actively about security.
So we're hoping to be a little bit of a catalyst for over time to change the culture also.
And that means learning new stuff, not only being a DevOps, but thinking also how to become a DevOps,
or Sec DevOps or whatever it's called.
The security becomes part of how we operate.
And in my opinion also we're pretty good at having our own ecosystem where things have worked for a long time
and we know we can trust it and it's been very predictable.
But we're not that good at interoperating across the ecosystem boundaries.
Like say for example if you package something in Debian, it's like how do from Debian's perspective
is what do we have to do to make whatever these guys are doing work in our environment.
When we could have used say good standards for communicating dependencies in a machine readable
and common way that works across all kinds of ecosystems.
That's a super interesting problem that people are working on right now to solve personally
and I hope we can be part of that.
So why do we do this?
There are new security demands coming from the EU and from an old executive order in the US.
These are specifically aimed at institutions and companies that write software for critical infrastructure
and that could be anything from power internet access, street light management, water treatment plans, administrative systems,
all kinds of places throughout society.
If something breaks it affects the normal operation of society in a negative manner.
That means these two directives applies.
For the cyber security sector which is still upcoming, it's more about internet enabled devices which basically means anything
from toys to phones and all the systems that connect to and update those.
So that means everything.
So we will be affected.
These laws are coming this year and will be rolled in in the next few years.
I think it's 18 months or something.
So this is upcoming stuff.
That means we have the legislative guns pointing at us basically.
We would also love to find ways to show that those of us who publish things on c-pan have our ducks in a row.
We have the things in order.
People can't trust the code we publish and we do that's what's necessary to make that happen.
So there's some awareness raising.
So we're discussing blog posts and all kinds of other ways to get more people involved in this.
Who are we?
Brenno, Graham, Inge, Jose, Andreas, Leon, Olaf, sitting there, Pete, René, Sam, Salvis, Mi, Stig, sitting there.
Tim, Merein isn't here today.
And a whole lot of others.
We, these are a couple of the people that were at the Peralta Julesin Summit.
I'm there.
It's a photo of me where I don't look horrible.
That's good.
So that's Stig and Inge and Leon and Merein and Brenno.
And the reason I say all the names here is to make a point actually.
When somebody talks with you about supply chain security, there are people like this and the group picture that are actually working on the supply chain, the bits and pieces that make that up.
On a volunteer basis.
And meaning humans.
It's not like a black box where suddenly stuff appears.
We have to actually think about this as almost like our open source colleagues.
We work together with these people.
So what I want to hear is to ask you to join us.
Do you care about open source security?
Do you have some extra tweets, some time to spend over?
Do you have a manager that is aware of that there's a security commons out there that is shared and that needs to be updated and kept alive and kept healthy?
And you all would like to fix security yourself.
Please contact us.
We need help.
We are a bunch of volunteers right now, but we do not have all the time needed.
And at the moment we don't have the funding either.
So there's that.
So to find us, we are on our seal and there's a link there.
You can find all the necessary on security.metasep.org.
You could also use the security.zip.org and the mailing list where we coordinate stuff is the zip and security.
It's closed off, but with a little bit of dancing and singing, you can get into there.
So I don't know.
We probably don't have time for questions and comments.
Two minutes.
Two questions. Yes.
Three, very short remarks.
First, I'd love to see a module creating a sports, lively.
Yes. Working on that.
Okay.
If you want to help, talk with me.
Second, I'd like to have 502 support for a stick support for any of the big frameworks we have in the fall.
More delicious or dancer tour.
We won't do anything on that, but if you want to publish something, go ahead.
I've been looking into that a little bit.
Okay.
Who in this room has a Vince account?
I have one.
I like it very much, but please make yourself.
Vince is a vulnerability sharing system that search.org runs.
We have a couple of us on the have it already.
So if you are scared about security enough to have an account there, you're welcome to join us.
That's a very good criteria.
But of course, please actually help.
We have a lot of people that are having bystanders looking at.
There's something called the bystander effect where lots of people look at an accident and waiting for someone else to make the first move.
That is, we cannot have that.
We need people to actually want to make sure it happens.
Having a Vince account, maybe not enough, you have to publish yourself and say to them, hey, we use the problem.
Yes.
There's a whole lot of stuff.
More questions?
One question.
Well, you get the difference from everyone, but for me, it's that we need more people who are actively working at the moment.
But you have a whole lot of stuff, which is all of them are good things.
I should try to paint a picture of today.
And if something tickles your brain, then you're quite welcome to join us and make something happen there.
If you know something we don't, then please tell us.
We're in the process of learning.
I'm getting an idea that this is the end, so I will say thank you.
And I hope this was useful for you.
And please get in touch if you care about security on CPAP.