Are you struggling to implement robust container security at scale without creating friction with your development teams? In this episode, host Ashish Rajan sits down with Cailyn Edwards, Co-Chair of Kubernetes SIG Security and Senior Security Engineer, for a masterclass in practical container security. This episode was recorded LIVE at KubeCon EU, London 2025.

In this episode, you'll learn about:
Automating Security Effectively: Moving beyond basic vulnerability scanning to implement comprehensive automation.
Bridging the Security-Developer Gap: Strategies for educating developers, building trust, fostering collaboration, and understanding developer use cases instead of just imposing rules.
The "Shift Down" Philosophy: Why simply "Shifting Left" isn't enough, and how security teams can proactively provide secure foundations, essentially "Shifting Down."
Leveraging Open Source Tools: Practical discussion around tools like Trivy, Kubeaudit, Dependabot, RenovateBot, TruffleHog, Kube-bench, OPA, and more.
The Power of Immutable Infrastructure: Exploring the benefits of using minimal, immutable images to drastically reduce patching efforts and enhance security posture.
Understanding Real Risks: Discussing the dangers lurking in default configurations and easily exposed APIs/ports in container environments.
Getting Leadership Buy-In: The importance of aligning security initiatives with business goals and securing support from leadership.

Guest Socials: Cailyn's LinkedIn
Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
Cloud Security Podcast - YouTube
Cloud Security Newsletter
Cloud Security BootCamp

If you are interested in AI Cybersecurity, you can check out our sister podcast: AI Cybersecurity Podcast

Questions asked:
(00:00) Intro: Container Security at Scale
(01:56) Meet Cailyn Edwards: Kubernetes SIG Security Co-Chair
(03:34) Why Container Security Matters: Risks & Exposures Explained
(06:21) Automating Container Security: From Scans to Admission Controls
(12:19) Essential Container Security Tools (Trivy, OPA, Chainguard & More)
(19:35) Overcoming DevSecOps Challenges: Working with Developers
(21:31) Proactive Security: Shifting Down, Not Just Left
(25:24) Fun Questions with Cailyn

Resources spoken about during the interview:
Cailyn's talk at KubeCon EU 2025
Emily Long is the co-founder and CEO of Edera, the pioneer of strong workload isolation technology for cloud and AI infrastructure. She places the highest value on people and bringing diverse teams together to build something that is greater than the sum of its parts. Emily is a tactical and strategic leader who's proven in scaling operations, fostering strong company cultures, and driving strategic execution. She's also an unapologetic people person who believes in the capacity of humor and human connection to motivate and empower team members to achieve more. Prior to Edera, she was the COO at Chainguard, where she built, scaled, and led core business functions that helped lead the company to its Series C and Unicorn status. Emily also served as Chief Operating & People Officer at Anchore, where she oversaw business operations and sales and spearheaded its DEI initiatives. She's also held strategic operations roles at LogicMonitor and KPMG. Emily is based in Santa Barbara, California and holds a Bachelor of Science in Business Administration from California Polytechnic State University, San Luis Obispo.
Cybersecurity startups are experiencing a significant revenue surge as threats associated with artificial intelligence continue to multiply. Companies like Chainguard have reported a remarkable seven-fold increase in annualized revenue, reaching approximately $40 million, while Island anticipates its revenue will hit $160 million by the end of the year. The rise in cyber attacks, particularly a 138% increase in phishing sites since the launch of ChatGPT, has created a greater demand for cybersecurity solutions. A recent report from Tenable highlights that 91% of organizations have misconfigured AI services, exposing them to potential threats, emphasizing the urgent need for organizations to adopt best practices in cybersecurity.

Intel is undergoing a strategic reset under its new CEO, Lip Bu Tan, who announced plans to spin off non-core assets to focus on custom semiconductor development. While the specifics of what constitutes core versus non-core assets remain unclear, this move aims to streamline operations and enhance innovation in the semiconductor space. However, Intel's past struggles with execution raise questions about the effectiveness of this strategy. The company must leverage its strengths while shedding distractions to remain competitive in the evolving semiconductor landscape.

Google has made strides in email security by allowing enterprise Gmail users to apply end-to-end encryption, a feature previously limited to larger organizations. This democratization of high-security email comes in response to rising email attacks, enabling users to control their encryption keys and reduce the risk of data interception. Meanwhile, Apple has addressed a significant vulnerability in its iOS 18.2 Passwords app that exposed users to phishing attacks, highlighting the importance of rapid response to security flaws.

CrowdStrike and SnapLogic are enhancing their partner ecosystems to improve security operations and streamline integration processes. CrowdStrike's new Services Partner program aims to promote the adoption of its next-gen security technology, while SnapLogic's Partner Connect program focuses on collaboration with technology and consulting partners. Additionally, OpenAI has increased its bug bounty program rewards, reflecting the need for ongoing vigilance in cybersecurity as AI becomes more prevalent. The convergence of AI and cybersecurity presents both challenges and opportunities, necessitating proactive measures to safeguard sensitive information.

Four things to know today
00:00 Cybersecurity Startups See Revenue Surge as AI Threats Multiply: Are We Prepared?
04:44 Intel's Strategic Reset: Spinning Off Non-Core Assets to Boost Custom Chip Development
06:09 Google Brings Enterprise-Level Encryption to Gmail as Apple Patches Major iOS Vulnerability
08:56 CrowdStrike and SnapLogic Step Up Partnerships While OpenAI Sweetens Bug Bounty Reward

Supported by: https://syncromsp.com/
Join Dave April 22nd to learn about Marketing in the AI Era. Sign up here: https://hubs.la/Q03dwWqg0
All our sponsors: https://businessof.tech/sponsors/

Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Support the show on Patreon: https://patreon.com/mspradio/
Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech
Want our stuff? Cool merch? Wear "Why Do We Care?" - Visit https://mspradio.myspreadshop.com

Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessof.tech
Subscribe to AG Dillon Pre-IPO Stock Research at agdillon.com/subscribe
- Wednesdays = secondary market valuations, revenue multiples, performance, index fact sheets
- Saturdays = pre-IPO news and insights, webinar replays

00:00 - Intro
00:08 - Klarna Plans NYSE IPO at $15B Valuation
01:27 - Applied Intuition in Talks for $15B Valuation
02:36 - Anysphere Eyes $10B Valuation After Rapid ARR Growth
03:11 - Gemini Confidentially Files for IPO
03:55 - CoreWeave Signs $11.9B AI Infrastructure Deal With OpenAI
05:04 - Moveworks Acquired by ServiceNow for $2.85B
05:57 - Chainguard in Talks for $3.5B Valuation
06:31 - OpenAI and Oracle Launch $100B Stargate AI Infrastructure
08:02 - xAI Expands Memphis Data Center to 350K GPUs
08:43 - Anthropic Revenue +40% to $1.4B ARR
09:49 - Binance Secures $2B Investment From MGX
10:46 - TikTok US Deal with Oracle Has High Potential
In this episode of GitBar, the hosts discuss Distrobox, an innovative tool for managing containers, and what it is like to work at Chainguard, a company focused on the security of Docker images. They take a closer look at the concept of the SBOM (Software Bill of Materials) and its importance for software security. They also explore the lack of a convergence among operating systems comparable to the one that happened around Kubernetes, highlighting the differences in investment and support between the two areas. The conversation then turns to the evolution of Linux distributions, highlighting the differences between them and the importance of the choices users make. They discuss user experience, preferences for particular distros in work settings, and the challenges of developing and porting applications. The importance of making it easy to contribute in the open source world is also emphasised.
This week we're taking you backstage at TechCrunch Disrupt. Becca Szkutak had the chance to talk with Dan Lorenc, the CEO and co-founder of cybersecurity startup Chainguard, following their conversation on stage with prominent investors, The Chainsmokers. They discuss how the EDM duo's venture fund MANTIS went from being viewed skeptically by traditional VCs to becoming a highly sought-after investment partner in the B2B space, how Lorenc scaled the company in a difficult time for cybersecurity, and what value celebrity investors can add to a startup.

Check out the full onstage conversation here.

00:00 - Introduction
02:27 - Chainguard: Company Overview and Open Source Security
05:27 - Google Background and SolarWinds Impact
08:02 - Building Chainguard: Product Evolution
11:44 - Early Fundraising and Timing
12:53 - The Legendary Alex Pall Cold Emails
15:01 - MANTIS Investment Impact
16:11 - Company Growth and Future Plans
16:51 - Learning from Early Mistakes

Found posts every Tuesday. Subscribe on Apple, Spotify or wherever you listen to podcasts to be alerted when new episodes drop. Check out the other TechCrunch podcast: Equity. Subscribe to Found to hear more stories from founders each

Connect with us:
On Twitter
On Instagram
Via email: found@techcrunch.com
RJJ Software's Software Development Service
This episode of The Modern .NET Show is supported, in part, by RJJ Software's Podcasting Services. Whether your company is looking to elevate its UK operations or reshape its US strategy, we can provide tailored solutions that exceed expectations.

Show Notes
"Okay. So I'll come on to that point; that's obviously something I'd like to talk about. But a couple of things I should mention, I guess. I think you're absolutely right with all the points you raised, but we are trying to work on everything there. So a couple of things are worth pointing out: one is docker-init; so nowadays if you start a new project with Python or Node or whatever, you can run the docker-init command, and what that will do is create a Dockerfile and a couple of other files, I think, to help you get started, and it sort of contains the best practices. So to try and help you get over the hump of trying to understand how to create a Dockerfile, and all the different ways you can build that, without needing to know everything. So I think that really helps."
— Adrian Mouat

Welcome friends to The Modern .NET Show; the premier .NET podcast, focussing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. We are the go-to podcast for .NET developers worldwide, and I am your host: Jamie "GaProgMan" Taylor.

In this episode, Adrian Mouat joined us to talk about Chainguard, what a distroless container is, a number of tools that you can use to check whether your containers have any CVEs present, attestations and reproducibility, and a number of ways to secure your applications once they are running in the wild.

"Yeah, I like your point there about showing your receipts. So in attestations, you can also say things like, you know, "we did do this on this image." You can create an attestation that says, "hey, I ran a scanner on this image and I had this output at this time." And because it's all signed, you know that that did happen, if you like. Yeah, and also, you know, you could have an attestation that said, "I ran these tests on this image at this time and this was the output," sort of thing. So it's sort of proving that certain steps were taken."
— Adrian Mouat

Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET.

Supporting the Show
If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show.

Full Show Notes
The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-7/chainguard-and-securing-your-containers-with-adrian-mouat/

Useful Links
Chainguard
Container Hacks and Fun Images
OODA Loop
Snyk
Grype
docker scout
the NVD (National Vulnerability Database)
seccomp
Google Distroless project
github.com/wolfi-dev
SBOMs
Attestation
Sigstore project
edu.chainguard.dev
Chainguard's YouTube channel

Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show.
Editing and post-production services for this episode were provided (in part) by MB Podcast Services.

Supporting the show:
Leave a rating or review
Buy the show a coffee
Become a patron

Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts; this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.
This episode is going to piss you off. Most founders struggle to raise their first few million. Many have to bootstrap for years. Even once there's revenue, many get rejected because they're "too early". Dan had dozens of VCs asking to invest before he even quit his job. He raised his first $5M with no deck, no story, and no product idea. All it took was two founders who wanted to build something in the security space. To add fuel to the fire, 6 months after he incorporated, he raised a $50M round from Sequoia... with no revenue!

He didn't pitch dozens of VCs. He didn't create a deck. He just spoke to a partner at Sequoia and had a term sheet in 3 days. The reasons are part macro, part team, part market... and part just the insanity that sometimes happens in Startup Land. It's hard to believe and makes little sense from the outside. But it often works. Chainguard just closed a $140M Series C, has 100s of customers and does 8 figures in ARR. Here's how it happened.

Why you should listen:
Why launching multiple products at once worked for Dan.
How to raise from a position of strength to get favourable terms.
Why identifying the right markets can be such an important step.
Why fast time to value leads to fast growth and high close rates.

Keywords: startup, fundraising, product market fit, Sequoia, security, open source, venture capital, entrepreneurship, growth strategies, technology, innovation

Send me a message to let me know what you think!
This week on the Defense Unicorns Podcast we welcome Eddie Zaneski, the tech lead for open source here at Defense Unicorns, who takes us through his fascinating career journey from aspiring math teacher to a key player in the tech industry. Eddie shares his experiences transitioning into computer science, his passion for developer relations, and his significant contributions to the Kubernetes project. We dive into the evolution of software deployment, from bare metal servers to virtual machines and containers, and how Kubernetes has become essential in managing large-scale containerized applications. Eddie also reflects on his time at DigitalOcean, Amazon, and Chainguard, highlighting his work on software supply chain security projects like Protobomb and Sigstore.

Our conversation then turns to the security of open-source communities, challenging the misconception that open-source software is less secure than its closed-source counterparts. Eddie discusses the advantages of transparency in open source, using the XZ library's recent security breach as a case study to emphasize the importance of trust and identity verification. We also explore the potential for similar vulnerabilities in closed-source projects and the growing importance of supply chain security measures, including build integrity and software bills of materials (SBOM). The episode concludes with a thought-provoking discussion on the benefits of transparency in open source and whether proprietary software incidents would be as openly shared or understood.

Eddie shares his enthusiasm for leveraging government funding to support open-source projects. He expresses his excitement about engaging with soldiers, airmen, and guardians to understand their challenges and explore open-source solutions. We also touch on innovative tools for air-gapped environments, like Zarf, and their applications across various industries. Listen in as Eddie recounts his experiences at Bravo hackathons, the unique challenges faced by developers in constrained environments, and offers valuable career advice for those passionate about open source and software development.

Key Quote
"There's lots of misconceptions and I'm sure you and I can talk about all of them. One of the big ones is, just, it's less secure, right? That's a massive myth. Open source security is less secure because all the code is in the open and everyone can go find the holes, and generally quite the opposite actually, because the code is in the open, everyone can do their own audits and everyone can see what's happening under the covers of the magic box that you usually can't peer into with proprietary software. We have entire teams of like security. So the Kubernetes project is divided up into special interest groups or SIGs. So we have SIGs for security, we have a product security council and committee that is the incident response people for when there is a new CVE or a bug found, and all sorts of different types of things that are just tailored around security."
- Eddie Zaneski

Time Stamps:
(00:02) Kubernetes and Open Source Evolution
(08:17) Security in Open Source Communities
(20:43) Software Bill of Materials for Cybersecurity
(24:04) Exploring Defense Unicorns and Open Source
(31:43) Navigating Careers in Open Source
(42:25) Breaking Barriers in Defense Innovation
(46:42) Collaborating for Defense Open Source

Links
Connect with Eddie
Software supply chain attacks exploit interdependencies within software ecosystems. Security in the supply chain is a growing issue, and is particularly important for companies that rely on large numbers of open source dependencies. Chainguard was founded in 2021 and offers tools and secure container images to improve the security of the software supply chain. Matt

The post Container Security with Matt Moore appeared first on Software Engineering Daily.
In this special Black Hat edition of the Breaking Badness Cybersecurity Podcast, Part 1 of a 5 Part Series, we dive deep into how artificial intelligence is transforming the cybersecurity landscape. Our guests—Mark Wojtasiak (VP of Product at Vectra AI), Carl Froggett (CIO at Deep Instinct), Dan Fernandez (Staff Product Manager at Chainguard), and Marcus Ludwig (CEO of Ticura)—join us to explore the evolution of Endpoint Detection and Response (EDR), the growing threats posed by generative AI, and the complexities of securing AI in supply chains. With AI becoming a tool for both attackers and defenders, this episode uncovers the ongoing "AI arms race" and highlights the urgent need for a more preventative approach to cybersecurity.
Topics covered in this episode:
Dataherald
Python's many command-line utilities
Distroless Python
functools.cache, cachetools, and cachebox
Extras
Joke

Watch on YouTube

About the show
Sponsored by ScoutAPM: pythonbytes.fm/scout

Connect with the hosts
Michael: @mkennedy@fosstodon.org
Brian: @brianokken@fosstodon.org
Show: @pythonbytes@fosstodon.org

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list; we'll never share it.

Michael #1: Dataherald
Interact with your SQL database, Natural Language to SQL using LLMs.
Allows you to set up an API from your database that can answer questions in plain English.
Uses include:
Allow business users to get insights from the data warehouse without going through a data analyst
Enable Q+A from your production DBs inside your SaaS application
Create a ChatGPT plug-in from your proprietary data

Brian #2: Python's many command-line utilities
Trey Hunner
Too many to list, but here are some fun ones:
json.tool - nicely format JSON data
calendar - print the calendar (current by default, but you can pass in year and month)
gzip, ftplib, tarfile, and other unixy things, handy on Windows
cProfile & pstats

Michael #3: Distroless Python
via Patrick Smyth
What is distroless anyway? These are container images without package managers or shells included.
Debugging these images presents some wrinkles (can't just exec into a shell inside the image), but they're a lot more secure.
Chainguard creates low/no CVE distroless images based on our FOSS distroless OS, Wolfi.
Some Python use-cases:
docker run -it cgr.dev/chainguard/python:latest # The entrypoint is a Python REPL, since no b/a/sh is included
docker run -it cgr.dev/chainguard/python:latest-dev # This is their dev version and has pip, bash, apk, etc.

Brian #4: functools.cache, cachetools, and cachebox
functools cache and lru_cache - built in
cachetools - "This module provides various memoizing collections and decorators, including variants of the Python Standard Library's @lru_cache function decorator."
cachebox - "The fastest caching Python library written in Rust"

Extras
Brian:
Python 3.12.4 is out
VSCode has some pytest improvements
Michael:
Time for a Bartender alternative; I've switched to Ice.
Rocket.Chat as an alternative to Slack

Joke: CSS Cartoons
Lisa Tagliaferri earned her PhD in Comparative Literature at the CUNY Graduate Center. She is now a Senior Director of Developer Enablement at Chainguard. Erin Rose Glass earned her PhD in English at the CUNY Graduate Center. She is now a Product Manager at Chainguard. The post Comparative Literature and English at Chainguard appeared first on Career Planning and Professional Development.
Bret and Nirmal are joined by Dan Lorenc from Chainguard to walk them through Chainguard's approach to building secure, minimal container images for popular open source software. They discuss why it is important to have secure and minimal container images. Dan explains how Chainguard helps remove the pain of CVEs, laggy software updates and patches, and much more. Chainguard is now also available on Docker Hub.

They spend the first part of the show talking about the week's big news: the XZ supply chain attack, and Dan was the best man to explain it. They also touch on CVEs, things you can do to reduce the attack surface, SLSA, and more during this jam-packed show.

Be sure to check out the live recording of the complete show from April 4, 2024 on YouTube (Ep. 261).

★Topics★
Chainguard Website
Vulnerability Management Certification course
True Cost of Vulnerability Management
Chainguard Images
Chainguard on Docker Hub Announcement

Creators & Guests
Cristi Cotovan - Editor
Beth Fisher - Producer
Bret Fisher - Host
Nirmal Mehta - Host
Dan Lorenc - Guest

(00:00) - Intro
(05:14) - Dan's Take on the XZ Hack
(14:59) - Chainguard Distro Creation
(21:21) - Chainguard in Docker Hub Announcement
(24:26) - Free Images vs Private Images
(26:27) - Zero CVE Approach
(28:33) - Ways to Reduce Attack Surfaces
(39:56) - Chainguard Academy
(41:08) - Real Time Antivirus Malware Scanner
(43:52) - Google Distro Lists Worth Using
(45:56) - Chainguard for Buildpacks
(46:20) - SLSA
(56:08) - What's Next for Chainguard?
(56:52) - Getting Started with Chainguard

You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news!
Grab the best coupons for my Docker and Kubernetes courses.
Join my cloud native DevOps community on Discord.
Grab some merch at Bret's Loot Box.
Homepage: bretfisher.com
Dan Lorenc, co-founder and CEO of Chainguard, joins Dennis Fisher to dig into the recent XZ Utils backdoor incident, the implications for the open source ecosystem, and what can be done to avoid similar incidents in the future. Then they discuss the problems facing NIST's National Vulnerability Database and the CVE ecosystem.
We're back! Jason Hall joins the show to tell Justin & Autumn all about how Chainguard builds hundreds of containers without a single Dockerfile.
This interview was recorded at GOTO Amsterdam for GOTO Unscripted. gotopia.tech
Read the full transcription of this interview here

Matt Turner - DevOps Leader & Software Engineer at Tetrate
Adrian Mouat - Author of 'Using Docker' & Dev Rel at Chainguard

RESOURCES
github.com/wolfi-dev

Matt
@mt165
github.com/mt-inside
linkedin.com/in/mt165
mt165.co.uk

Adrian
@adrianmouat
github.com/amouat
linkedin.com/in/adrianmouat
adrianmouat.com

DESCRIPTION
Adrian Mouat and Matt Turner delve into the world of container image security and network trust. Matt shares his expertise on Chainguard tooling, emphasizing the practical benefits of image size reduction, while Adrian explores the parallels between securing container images and implementing a zero-trust network strategy. They emphasize the importance of being explicit and concrete in both domains, highlighting the common thread of strong trust and identity-based authentication. This engaging conversation offers valuable insights for those navigating the complex landscape of containerization and network security.

RECOMMENDED BOOKS
Adrian Mouat • Using Docker
Burns, Beda & Hightower • Kubernetes: Up & Running
Burns, Villalba, Strebel & Evenson • Kubernetes Best Practices
Liz Rice • Container Security

Twitter
Instagram
LinkedIn
Facebook

Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket: gotopia.tech
SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted almost daily
#239: In this episode, Ville Aikas and Matt Moore from Chainguard join us for a discussion about open-source projects, distroless containers, and software security. They share their stories about the creation and progress of Chainguard, offering insights into the way the company operates and contributes to the open-source community. They also delve into the value of improving the signal-to-noise ratio of vulnerability scanners and how this can aid in addressing software security problems. They also explain their commitment to the APK format and its advantages, as well as the significance of Wolfi, their '(un)distro', in maintaining vulnerability-free software environments.

Matt's contact information:
Twitter: https://twitter.com/mattomata
LinkedIn: https://www.linkedin.com/in/mattmoor/

Ville's contact information:
Twitter: https://twitter.com/aikasville
LinkedIn: https://www.linkedin.com/in/villeaikas/

YouTube channel: https://youtube.com/devopsparadox
Books and Courses: Catalog, Patterns, And Blueprints https://www.devopstoolkitseries.com/posts/catalog/
Review the podcast on Apple Podcasts: https://www.devopsparadox.com/review-podcast/
Slack: https://www.devopsparadox.com/slack/
Connect with us at: https://www.devopsparadox.com/contact/
Brandon interviews Dustin Kirkland, VP of Engineering at Chainguard. They delve into Dustin's experience as a part-time analyst, explore how Chainguard secures open-source software, and Dustin shares his hiking experience on the Camino de Santiago. Plus, some thoughts on men's fashion and the timeless three-piece suit.

Show Links
theCUBE (https://www.thecube.net/)
SiliconANGLE (https://siliconangle.com)
Chainguard: Fortified Software Delivery (https://www.chainguard.dev/)
Chainguard Raises $61 Million Series B Round as Enterprises Move to Fortify Open Source Software (https://www.chainguard.dev/unchained/series-b-funding)
Battling the Trojan Horse in Open Source (https://www.sequoiacap.com/article/dan-lorenc-chainguard-spotlight/)
Our Open Source focus: Securing OSS is not optional (https://www.chainguard.dev/open-source)
Octopus wolfi (https://en.wikipedia.org/wiki/Octopus_wolfi)
Camino de Santiago (https://en.wikipedia.org/wiki/Camino_de_Santiago)
My Walk on the Portuguese Camino de Santiago, 2023 (https://blog.dustinkirkland.com/2023/04/camino-de-santiago-2023.html)

Contact Dustin
@DustinKirkland (https://twitter.com/DustinKirkland)
LinkedIn (https://www.linkedin.com/in/dustinkirkland/)

SDT News & Hype
Join us in Slack (http://www.softwaredefinedtalk.com/slack).
Get a SDT Sticker! Send your postal address to stickers@softwaredefinedtalk.com (mailto:stickers@softwaredefinedtalk.com) and we will send you free laptop stickers!
Follow us: Twitch (https://www.twitch.tv/sdtpodcast), Twitter (https://twitter.com/softwaredeftalk), Instagram (https://www.instagram.com/softwaredefinedtalk/), Mastodon (https://hachyderm.io/@softwaredefinedtalk), BlueSky (https://bsky.app/profile/softwaredefinedtalk.com), LinkedIn (https://www.linkedin.com/company/software-defined-talk/), TikTok (https://www.tiktok.com/@softwaredefinedtalk), Threads (https://www.threads.net/@softwaredefinedtalk) and YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured).
Use the code SDT to get $20 off Coté's book, Digital WTF (https://leanpub.com/digitalwtf/c/sdt), so $5 total.
Become a sponsor of Software Defined Talk (https://www.softwaredefinedtalk.com/ads)!

Special Guest: Dustin Kirkland.
Episode sponsors: Binarly (https://binarly.io), FwHunt (https://fwhunt.run)

Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.
Dan Lorenc is the Co-founder and CEO of Chainguard, the best way to secure your open source software. Dan and his co-founders Kim, Matt, and Ville started the company in 2021 after spending a decade working together at Google on all things open source and software security. They've since raised $116 million from investors including Spark (led Series B), Sequoia (led Series A), Amplify (led Seed), The Chainsmokers' Mantis VC, Banana Capital, and dozens of angels in the cyber security and open source communities.

Topics discussed:
What is the "software supply chain"?
How the SolarWinds breach created the software supply chain security market
The history of open source software
Why open source software makes software supply chains even less secure
The moment Dan and his co-founders decided to start Chainguard
Why they started selling consulting services before even building a product
The reason their first two products solved completely different problems (top-down and bottoms-up), and why the one that didn't work at first is now their main business
Why Chainguard decided to focus on a broad communications and marketing strategy so early on
How Dan gets quoted in major media publications as an early stage startup founder
Why Chainguard uses memes for marketing
Why Dan thinks startups should "make content optimized for the group chat"
How they raised their Seed round from Amplify a week after leaving Google
Raising a Series A from Sequoia as the market started collapsing in Spring of 2022
Dan's advice for founders on dealing with investor inbound when not fundraising
Why he wishes he had hired sales reps sooner
Raising a Series B from Spark Capital to accelerate their enterprise sales process

Referenced:
https://www.chainguard.dev
https://www.sigstore.dev/
Battling the Trojan Horse in Open Source: https://www.sequoiacap.com/article/dan-lorenc-chainguard-spotlight/
Chainguard Series B Announcement: https://www.chainguard.dev/unchained/series-b-funding
Dan's favorite open source project: https://github.com/jqlang/jq
Reflections on Trusting Trust: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Where to find Dan:
Twitter: https://twitter.com/lorenc_dan
LinkedIn: https://www.linkedin.com/in/danlorenc

Where to find Turner:
Newsletter: https://www.thespl.it
Twitter: https://twitter.com/TurnerNovak
Banana Capital: https://bananacapital.vc

Production and distribution by: https://www.supermix.io
Want to sponsor the show? https://docs.google.com/forms/d/e/1FAIpQLSebvhBlDDfHJyQdQWs8RwpFxWg-UbG0H-VFey05QSHvLxkZPQ/viewform
Guests: Daniel Stenberg | Dan Lorenc
Panelist: Richard Littauer

Show Notes
Today, we are switching things up and doing something new for this episode of Sustain, where we'll be talking about current events, specifically security challenges. Richard welcomes guest Daniel Stenberg, founder and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported, scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDOS attacks. Dan Lorenc, co-founder and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NVD's response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system's future. Hit download now to hear more!

[00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn't acknowledged by the cURL team.
[00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE.
[00:03:54] Daniel discusses the process of requesting a CVE, which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs.
[00:06:21] Richard asks how NVD assigns severity scores to CVEs, specifically in the case of CVE 2020, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat.
[00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea and discusses his efforts to address the issue. He expresses frustration with NVD's scoring system and their lack of communication.
[00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of vulnerabilities.
[00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports.
[00:16:11] Dan mentions the problems with CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity reports and to widely used libraries like cURL, which could reduce the noise and waste of resources in the industry.
[00:18:23] Richard presents NVD's response to their inquiry. Then, Daniel and Richard discuss NVD's response and the discrepancy between its assessment and that of open source maintainers like Daniel, who believe that some CVEs are not valid security issues.
[00:20:44] Richard asks if anyone offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system.
[00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs.
[00:23:04] Richard raises concerns about the potential for a CVE DDOS attack on open source projects, overwhelming them with a flood of CVE reports.
[00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Mastodon (https://mastodon.social/tags/sustainoss)
Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Richard Littauer Mastodon (https://mastodon.social/@richlitt)
Daniel Stenberg Twitter (https://twitter.com/bagder?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Daniel Stenberg Mastodon (https://mastodon.social/@bagder)
Daniel Stenberg Website (https://daniel.haxx.se/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
National Vulnerability Database (https://nvd.nist.gov/)
CVE (https://www.cve.org/)
cURL (https://curl.se/)
Chainguard (https://www.chainguard.dev/)
Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project (https://podcast.sustainoss.org/guests/stenberg)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)

Credits
Produced by Justin Dorfman (https://www.justindorfman.com) & Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guests: Daniel Stenberg and Dan Lorenc.
“Container registries” are ubiquitous software clearinghouses, but they've been exposed for years. Chainguard says it now has a solution. Read this story here.
In this episode we bring you with us to Southern California Linux Expo, or SCaLE20x, in Pasadena, California. We interviewed several attendees about their experience at the conference.

Featuring:
Robin Phantomhive, attendee at SCaLE and community member
Mofi Rahman, Developer Advocate at Google
Fatima Sarah Khalid, Dev Evangelist at GitLab
Bryan Behrenshausen, Open Source Program Manager at GitLab
Laura Santamaria, Geek with an achievement streak at Dell
Jeff Deifik, Cybersecurity at Aerospace Corp
Jill Bryant Ryniker of LWDW and the Destination Linux Podcast
Bill Schouten of Tux Digital and the Sudo Show Podcast

Do you have something cool to share? Some questions? Let us know:
- web: kubernetespodcast.com
- mail: kubernetespodcast@google.com
- twitter: @kubernetespod

News of the week
Chainguard contributes Rekor Search Project to Sigstore
Docker and Ambassador Labs Announce Telepresence for Docker, Improving the Kubernetes Development Experience
Docker, Inc. Celebrates 10th Anniversary With Alliances
Oracle Cloud Infrastructure to Increase the Reliability, Efficiency, and Simplicity of Large-Scale Kubernetes Environments at Reduced Costs
cdCon / GitOpsCon Schedule
Crossplane Security Audit
Crossplane completes fuzzing security audit
Improving Security by Fuzzing the CNCF landscape Report

Links from the interview
Destination Linux Podcast
LWDW
LinuxChix LA
Sudo Show Podcast
Tux Digital
Creating a cluster with kubeadm
Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?
Chris: You have done a lot of research into software supply chain security, and of course SBOMs. In one recent study you took a look at the quality of SBOMs in the OSS ecosystem, compared to, say, the NTIA-defined minimum elements for SBOM. Can you tell us a bit about the study and the implications of the findings?
Chris: In addition to SBOM, we're seeing the emergence of VEX. Can you speak a bit about its importance?
Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus's Law, which states that "with enough eyeballs all bugs are shallow", but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?
Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?
Guest: Aaron Crawfis
Panelists: Richard Littauer | Justin Dorfman

Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Richard and Justin are excited to have as their guest today Aaron Crawfis, who works in the cloud space as a Senior Product Manager on the Azure Open Source Incubations team, which develops and launches new open source projects to advance the industry of cloud native computing and applications. He's done a lot of work on Dapr, a distributed application runtime, where he helped define, launch, and market it to microservice developers, and he is currently working on incubations and more open source work across Azure and Microsoft. Today, we're going to find out more about Dapr, Azure, and working in the cloud space. Aaron tells us about some great projects and cool technologies coming out of the incubation space at Azure, and he shares some awesome advice if you're a project looking to get into this space. Press download to hear more!

[00:01:52] We start with learning more about Dapr.
[00:04:39] What's the difference between cloud native and working in the cloud?
[00:07:35] Justin mentions Dapr is mature and there are several companies that use it and wonders what's keeping Dapr in an incubation state rather than graduating. Aaron also tells us that since the release of Dapr v1.10, they found that the majority of contributors are now non-Microsoft developers.
[00:09:31] We hear if Sarah Novotny and Stormy Peters are involved in Dapr or if they've worked on any projects with Aaron.
[00:11:59] Aaron gives us his take on why so many people in the cloud space feel the need to gravitate towards large corporations.
[00:16:33] We hear about a small business startup, Diagrid, whose founders are building their entire business model around Dapr.
[00:18:13] Besides wearing a Dapr hat, Aaron runs the Open Source Incubations at Azure, so he fills us in on what that is and their most recent incubation they launched, called Project Copacetic. Justin wonders if this project has any similarities to Chainguard's images or takes a different approach to tackling vulnerabilities.
[00:24:08] Aaron shares how the Azure Open Source Incubations team, as well as Microsoft, is giving back more than it takes. He gives a shout-out to the Hugo Project and Doxy, which are his two go-to projects.
[00:27:3] We hear whether there's been a discussion around governance for Dapr and how to make the governance independent from a single large funding body.
[00:29:40] If you're a project looking to get into this space, Aaron shares some advice.
[00:30:57] Find out where you can follow Aaron on the web.

Quotes
[00:16:26] "Developers and customers will go where the best place to run that software is and I don't think it has to necessarily be a large corporation."
[00:30:39] "You can make the best piece of software out there, but if it's undocumented or if you're doing the getting started guide and you hit a bug on the first line, that's where everyone will drop off."
[00:30:48] "Biggest piece of advice, make sure that things are well documented, the value props are there, and the customers will flock right to you."

Spotlight
[00:31:39] Justin's spotlight is a series he's doing called tncc-newsletter.com.
[00:32:02] Richard's spotlight is Hugo.
[00:32:20] Aaron's spotlight is Doxy.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Hachyderm (https://mastodon.social/@sustainoss@hachyderm.io)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Aaron Crawfis Twitter (https://twitter.com/AaronCrawfis)
Aaron Crawfis LinkedIn (https://www.linkedin.com/in/acrawfis)
Dapr (https://dapr.io/)
Azure (https://azure.microsoft.com/en-us/)
Sustain Podcast-Episode 78: Stormy Peters: Sustaining FLOSS at Microsoft's Open Source Programs Office (https://podcast.sustainoss.org/78)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)
Sustain Podcast-Episode 80: Emma Irwin and the Foss Fund Program (https://podcast.sustainoss.org/80)
Diagrid (https://www.diagrid.io/)
Project Copacetic (https://github.com/project-copacetic)
Hugo (https://gohugo.io/)
Doxy (https://pypi.org/project/doxy/)
The Non-Code Contributor newsletter (https://tncc-newsletter.com/)

Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Aaron Crawfis.
Join this episode of In the Nic of Time with Dan Lorenc, CEO of Chainguard, as they discuss the challenges and struggles around the software supply chain and take a deep dive into Dan's incredible contributions to the open source community through his projects like Minikube, Sigstore, Distroless and Wolfi.
Bret is joined by two Chainguard co-founders, CEO Dan Lorenc and Head of Product Kim Lewandowski, to break down the ins and outs of supply chain security and talk about Chainguard's approach to securing it. We dive into tools, including their new Wolfi Linux distro. We first talk about what that even is, because it's a buzzword right now, and not everyone's on the same page on what securing your supply chain even means in the world of software. Then we jump into base images for containers, and their project Wolfi. We talk a lot about Wolfi in this episode, because it has the potential to change how we build our containers.

Streamed live on YouTube on October 13, 2022.
Unedited live recording of this show on YouTube (Ep #188)

★Topics★
Chainguard Website
Chainguard Twitter
Chainguard Academy
Wolfi
Wolfi-based images
Sigstore

★Dan Lorenc★
Dan Lorenc on Twitter
Dan Lorenc on Linkedin

★Kim Lewandowski★
Kim Lewandowski on Twitter
Kim Lewandowski on Linkedin

★Join my Community★
New live course on CI automation and gitops deployments
Best coupons for my Docker and Kubernetes courses
Chat with us and fellow students on our Discord Server DevOps Fans
Homepage bretfisher.com

★ Support this podcast on Patreon ★
Dan Lorenc of Sigstore and Chainguard joins Doc Searls and Katherine Druckman on FLOSS Weekly to discuss the software supply chain.The open source software supply chains are increasingly vulnerable attack surfaces. Nobody knows more, or is doing more, to secure those surfaces than Dan Lorenc. Hosts: Doc Searls and Katherine Druckman Guest: Dan Lorenc Download or subscribe to this show at https://twit.tv/shows/floss-weekly Think your open source project should be on FLOSS Weekly? Email floss@twit.tv. Thanks to Lullabot's Jeff Robbins, web designer and musician, for our theme music. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsor: Code Comments
Dan Lorenc, CEO and founder of Chainguard, joins Dennis Fisher to talk about supply chain security, asset inventory, Sigstore, and the challenges of helping developers write more secure code.
In today's episode, we talk about distroless, ko, apko, melange, musl and glibc. The context is Wolfi OS, a community Linux OS designed for the container and cloud-native era. If you are looking for the lightest possible container base image with 0 CVEs and both glibc and musl support, Wolfi OS & the related chainguard-images are worth checking out. Ariadne Conill is an Alpine Linux TSC member & Software Engineer at Chainguard.
Software Engineering Radio - The Podcast for Professional Software Developers
Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone...
Guest: Amanda Brock
Panelists: Richard Littauer | Justin Dorfman | Ben Nickolls

Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Today, we have an amazing guest, and she's been on this podcast before. Joining us is Amanda Brock, who's the CEO of OpenUK, an industry organization about the business of open technology. She's also a Board Member, keynote speaker, and author, with a new book coming out soon called Open Source Law, Policy and Practice, that we'll hear all about today. We'll also be learning more about OpenUK and the policy work they do. Amanda tells us about the All Things Open (ATO) tech conference, where she'll be launching her book with some incredible panelists, and we hear some goals from Amanda for an event she'll be attending to create broader engagement across UK government, where they'll focus on security, technical issues, and security policy issues. Go ahead and download this episode now!

[00:01:27] Amanda tells us about OpenUK, the difference between OpenUK and the Software Sustainability Institute (SSI), and the policy work OpenUK does.
[00:04:37] We learn if OpenUK's mission has changed since Brexit, now that the UK is more of an independent body as a national group, and how that's influenced how we think about tech in Britain.
[00:07:13] Amanda tells us all about her book coming out called Open Source Law, Policy and Practice, which includes several authors, and the launch of her book at ATO.
[00:12:06] One of the chapters in Amanda's book is on sustainability and open source, and since it's relevant to this podcast Amanda explains more about this chapter.
[00:13:52] Amanda explains some goals they have for the meeting that's happening on the 17th of October called "Open Source Software: Infrastructure Curation and Security, Thought Leadership Event."
[00:18:28] Ben asks Amanda if she thinks anything is going to happen within the government from now until February, and what she thinks of the government's response in the US with the executive order around expenditure on open source in government departments and guidance around a software bill of materials and better understanding of what components are in software that governments are using.
[00:22:00] Richard wonders if there's been a conversation about what happens if one part of the dependency stack doesn't want to be included or bother with having an SBOM, dealing with the government, and refuses to do any work.
[00:35:10] We hear about a mad insurance scheme Amanda had a long time ago that she's going to get some people to revisit.
[00:37:02] Find out where to follow Amanda and OpenUK online.

Quotes
[00:17:13] "I think it's really important that governments also see the level of engagement across our communities as strong, and that we are largely united at least body, that wants to see them understand how they do a much better job of curating open source software and ensuring that when they're using it, they're giving back both in terms of contribution and economic contribution."
[00:20:41] "In the US, the survey showed over 70% of organizations that are using SBOMs now."
[00:21:45] "You should not be taking on liability for the open source code. You should be taking on liability for the work you're paid to do."
[00:24:02] "Coding to me is a freedom of speech."
[00:24:27] "My personal view is they'll be public private enterprises or initiatives, and they will hold code that is sanitized or curated for usage in the public sector."
[00:24:38] "I think we'll see governments wanting that and it's not an OSPO, it's a hybrid. It's somewhere between a foundation and an OSPO."
[00:27:40] "Chainguard started creating their own Docker images with their own version of Nginx and Linux, and I think we're going to see that trend continue."
[00:28:29] "What we don't want is for governments to get everything from companies, because if they do, they're going to end up back in a situation of vendor lock-in."
[00:35:58] "In the US at one time, you couldn't buy insurance around open source because it was too unknown. I think there's going to be a big space there where we can also manage some of this risk and some of the government money can go into that too and help protect the bigger picture."

Spotlight
[00:37:58] Justin's spotlight is opensauced.pizza, founded by Brian Douglas.
[00:38:30] Ben's spotlight is Stellarium 1.0.
[00:39:25] Richard's spotlight is Collins Bird Guide and the app.
[00:40:39] Amanda's spotlight is Eddie Jaoude, a GitHub All-Star.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Ben Nickolls Twitter (https://twitter.com/BenJam?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Amanda Brock-OpenUK (https://openuk.uk/profiles/amanda-brock/)
Amanda Brock Twitter (https://twitter.com/amandabrockuk)
Amanda Brock LinkedIn (https://uk.linkedin.com/in/amandabrocktech?trk=people-guest_people_search-card)
OpenUK (https://openuk.uk/)
OpenUK Twitter (https://twitter.com/openuk_uk)
OpenUK LinkedIn (https://uk.linkedin.com/company/openuktechnology)
All Things Open Twitter (https://twitter.com/AllThingsOpen)
All Things Open-2022 (https://2022.allthingsopen.org/)
Sustain Podcast-Episode 49: What OpenUK does with Amanda Brock & Andrew Katz (https://podcast.sustainoss.org/49)
Open Source Law, Policy, and Practice by Amanda Brock (https://global.oup.com/academic/product/open-source-law-policy-and-practice-9780198862345?cc=gb&lang=en&)
Neil Chue Hong (https://www.software.ac.uk/about/staff/person/neil-chue-hong)
Software Sustainability Institute (https://www.software.ac.uk/)
OpenForum Europe (https://openforumeurope.org/)
Ecosyste.ms (https://ecosyste.ms/)
OpenSauced (https://opensauced.pizza/)
Stellarium 1.0 (https://stellarium.org/release/2022/10/01/stellarium-1.0.html)
Collins Bird Guide (https://en.wikipedia.org/wiki/Collins_Bird_Guide)
Collins Bird Guide App (https://apps.apple.com/gb/app/collins-bird-guide-ultimate/id868827305)
Eddie Jaoude Twitter (https://twitter.com/eddiejaoude?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Eddie Jaoude GitHub (https://github.com/eddiejaoude)

Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Amanda Brock.
Dan Lorenc is Founder & CEO of Chainguard, the platform to secure your software supply chain. Chainguard supports many popular open source projects such as Sigstore, SLSA, and Tekton. Chainguard has raised $55M from investors including Sequoia and Amplify Partners. In this episode, we discuss the importance of market education when creating a new category of software, assessing market timing when launching your company, some of Chainguard's unique content strategies, and more!
On this week's episode of Reimagining Cyber, hosts Stan Wisseman and Rob Aragao welcomed guest Dan Lorenc, founder and CEO of Chainguard Inc., to talk about SLSA, software supply chain security risks, and his opinions on Software Bill of Materials (SBOMs).
Dan Lorenc (@lorenc_dan, Founder/CEO @chainguard_dev) talks about modern software supply chains, Sigstore and SBOM.

SHOW: 655
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
Datadog Application Monitoring: Modern Application Performance Monitoring
Get started monitoring service dependencies to eliminate latency and errors and enhance your users' app experience with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
CDN77 - Content Delivery Network Optimized for Video
85% of users stop watching a video because of stalling and rebuffering. Rely on CDN77 to deliver a seamless online experience to your audience. Ask for a free trial with no duration or traffic limits.

SHOW NOTES:
Chainguard (homepage)
Sigstore - standard for signing, verifying and protecting software
CISA SBOM (Software Bill of Materials)

Topic 1 - Welcome to the show. Let's talk about your background, and what led you to found Chainguard.
Topic 2 - Over the last couple years, we've seen several high-profile hacks where malicious code was a big part of the problem. As an industry, where are we in terms of managing the security around software?
Topic 3 - Now that we're building software much faster, and software is coming from so many different (and often unknown/untrusted) places, what are some of the technology shifts that are happening to address these new environments?
Topic 4 - Chainguard is focused on both secure container images and now secure supply-chain solutions. Walk us through how your offers fit into today's software challenges.
Topic 5 - There is a new term we're hearing quite a bit, SBOM (Secure Bill of Materials). How does SBOM fit into this bigger picture? What are the technologies behind the scenes that make it possible?
Topic 6 - For anyone focusing on this area, what are some good ways to get involved with the new technologies and way of thinking about software security?

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
Security firm Chainguard has created a simple, open-source way for organizations to defend the cloud against some of the most insidious attacks.
People tend to trust the software they buy or download, but just because it's available online doesn't make it safe. Join Dan Lorenc, the co-founder and CEO of Chainguard, as he explains the importance of a good software supply chain and what happens when you trust software that has vulnerabilities. Lorenc, an expert in his field, is a graduate of MIT, the Massachusetts Institute of Technology, and came up at companies like Microsoft and Google while chasing his passion for creating software you can trust. You can find and connect with Dan on LinkedIn.
Dan Lorenc got into tech in a roundabout way. Most of his time in school was dedicated to the study of Mechanical Engineering, building in the world of atoms in machine shops and with 3D printers. He learned how to program through Matlab, and he got hooked. He lives in Austin, enjoys taking in the live music scene, and likes to get outdoors - when it's not 108 degrees, like it was when we did this recording.

While Dan was at Google, the well known SolarWinds attack happened, illustrating the gaps and holes in the software supply chain space. His experience in this space, paired with the Biden Administration's executive order to secure it, led Dan and his co-founders to give this startup a try.

This is the creation story of Chainguard.

Sponsors
Airbyte
Doppler
Host.io
IPInfo
mabl

Links
Website: https://www.chainguard.dev/
LinkedIn: https://www.linkedin.com/in/danlorenc/

Support this podcast at https://redcircle.com/code-story/donations
Advertising Inquiries: https://redcircle.com/brands
Privacy & Opt-Out: https://redcircle.com/privacy
Ask a developer about how they got into programming, and you learn so much about them. In this week's episode of The New Stack Makers, Chainguard founder Dan Lorenc said he got into programming halfway through college while studying mechanical engineering. "I got into programming because we had to do simulations and stuff in MATLAB," Lorenc said. "And then I switched over to Python because it was similar. And we didn't need those licenses or whatever that we needed. And then I was like, Oh, this is much faster than, you know, ordering parts and going to the machine shop and reserving time, so I got into it that way."

It was three or four years ago that Lorenc got into the field of open source security. "Open source security and supply chain security weren't buzzwords back then," Lorenc said. "Nobody was talking about it. And I kind of got paranoid about it." Lorenc worked on the Minikube open source project at Google, where he first saw how insecure it could be to work on open source projects. In the interview, he talks about the threats he saw in that work. It was so odd for Lorenc. The state of the art for open source security was not state of the art at all; it was the stone age. Lorenc said it felt weird for him to build the first release in Minikube that did not raise questions about security. "But I mean, this is like a 200 megabyte Go binary that people were just running as root on their laptops across the Kubernetes community," Lorenc said. "And nobody had any idea what I put in there, if it matched the source on GitHub or anything. So that was pretty terrifying. And that got me paranoid about the space and kind of went down this long rabbit hole that eventually resulted in starting Chainguard."

Today, the world is burning down, and that's good for a security startup like Chainguard. "Yeah, we've got a mess of an industry to tackle here," Lorenc said. "If you've been following the news at all, it might seem like the software industry is burning on fire or falling down or anything because of all of these security problems. It's bad news for a lot of folks, but it's good news if you're in the security space." Good news, yes, but how does it fit into a larger story? "Right now, one of our big focuses is figuring out how do we explain where we fit into the bigger landscape," Lorenc said. "Because the security market is massive and confusing and full of vendors putting buzzwords on their websites, like zero trust and stuff like that. And it's pretty easy to get lost in that mess. And so figuring out how we position ourselves, how we handle the branding, the marketing, and making it clear to prospective customers and community members, everything exactly what it is we do and what threats our products mitigate, to make sure we're being accurate there. And conveying that to our customers. That's my big focus right now."
James Strong, lead solution architect at Chainguard, discusses the challenges of securing software supply chains and recommendations for developers.
GitHub steps in it this week, Microsoft's Linux distribution now runs on bare metal, FFmpeg gets IPFS support, and the odd thing going on with the kernel.
Chainguard co-founder Kim Lewandowski joins Rob to discuss the ways she presses forward in the fear-driven world of software supply chain security. As with any kind of mistake or failure, security breaches have to be something that we can learn from. On the other hand, particularly during investigation, there are often walls of trust and other factors affecting fully transparent communication. Does this impact our ability to learn? Is there something we have to do differently to get better at it?

Tune in to this episode to hear Kim share valuable insights on how to educate through moments of panic and how to help others focus on the next step.

Have a topic you want us to discuss? Reach out to us on Twitter at @circleci!
A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here. Today's podcast features appearances from Dan Lorenc, CEO and Founder of Chainguard, and Pearce Barry, principal security researcher at Rumble Network Discovery, this episode's sponsor. Show notes Risky Biz News: FIRST releases TLP v2.0
At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed (and, from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks. In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed by one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace: an attack on the digital supply chain. That year, attackers compromised the build of a network management platform called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers inserted malicious code into a legitimately built Orion software update. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and whose Orion servers could reach the internet. Though the initial number of customers who downloaded the update was about 18,000, the number of customers the attackers went on to actively target through that backdoor was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of one company, had a broader focus: the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, co-founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.
Show notes, resources, and credits:
Kubernetes diagram: https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg
Intro Music: "Spellbound" by Kevin MacLeod (incompetech.com), licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/
Outro Music: "Good God" by Wowa (unminus.com)
This week we discuss work life balance, the State of Continuous Delivery Survey and recap WWDC. Plus, some thoughts on Buddha and parenting…

Runner-up Titles
The Buddha had no kids
The Air Fryer is a PaaS.

Rundown

Work vs. Life
Office workers get little reward for returning to the office – an idle factory is taboo (https://cote.io/2022/06/08/office-workers-get-little-reward-for-returning-to-work-an-idle-factory-is-taboo/)
CEOs had a phenomenal year. Workers, less so (https://thehustle.co/05312022-CEO-vs-Worker-Pay/)
Tesla monitored its employees on Facebook with help of PR firm during 2017 union push (https://www.cnbc.com/2022/06/02/tesla-paid-pr-firm-to-surveil-employees-on-facebook-in-2017-union-push.html)
Elon Musk asks all Tesla employees to come back to the office or quit (https://electrek.co/2022/06/01/elon-musk-tesla-employees-come-back-office-or-quit/)
Ford factory workers get 40-hour week (https://www.history.com/this-day-in-history/ford-factory-workers-get-40-hour-week)

Survey Says
State of Continuous Delivery (https://cd.foundation/wp-content/uploads/sites/78/2022/06/The-State-of-CD-Q1-2022.pdf)
Chainguard raises $50M Series A for supply chain security (https://techcrunch.com/2022/06/02/chainguard-raises-50m-to-guard-supply-chains/)

WWDC
Apple WWDC 2022: the 16 biggest announcements (https://www.theverge.com/2022/6/6/23141939/apple-wwdc-2022-biggest-announcements-ios-16-macbook-air-macos-watchos)
Create macOS or Linux virtual machines - WWDC22 - Videos (https://developer.apple.com/videos/play/wwdc2022/10002/)
Apple will allow Linux VMs to run Intel apps with Rosetta in macOS Ventura (https://arstechnica.com/gadgets/2022/06/macos-ventura-will-extend-rosetta-support-to-linux-virtual-machines/)
All the New Features Coming to Your Mac This Fall (https://www.wired.com/story/apple-ventura-macos-13-preview/)
EU reaches deal to make USB-C a common charger for most electronic devices (https://www.engadget.com/eu-reaches-deal-to-make-usb-c-a-common-charger-for-most-electronic-devices-104605067.html)

Relevant to your Interests

Earnings
HashiCorp quarter (https://twitter.com/jaminball/status/1532457687778312213?s=21&t=FiXLrZJc1LtYPQyeU27CEg)
MongoDB quarter (https://twitter.com/jaminball/status/1532094080418607104)
GitLab quarter (https://twitter.com/jaminball/status/1533906440695316480?s=21&t=K30ROu7mTJp1DgbvYxhDCA)
Salesforce stock jumps as it raises profit forecast (https://www.cnbc.com/2022/05/31/salesforce-crm-earnings-q1-2023.html)
Tech Valuations Tumble, but Business Software Stocks Are Cushioned by the Cloud (https://www.wsj.com/articles/tech-valuations-tumble-but-business-software-stocks-are-cushioned-by-the-cloud-11654164000?mod=djemalertNEWS)
A Framework for Navigating Down Markets (https://future.com/framework-valuation-navigating-down-markets/)

VMware
Good thread (VMware history) (https://twitter.com/jdooley_clt/status/1528688334394077184)
Broadcom buying VMware makes sense for IoT infrastructure (https://www.theregister.com/2022/05/26/broadcom_buying_vmware_makes_sense/)
Broadcom plans 'rapid subscription transition' for VMware (https://www.theregister.com/2022/05/27/broadcom_vmware_subscriptions/)
Brian Madden's brutal and unfiltered thoughts on the Broadcom / VMware deal (https://www.linkedin.com/pulse/brian-maddens-brutal-unfiltered-thoughts-broadcom-vmware-brian-madden/?trackingId=m%2FeClBkjQxSyYPzRVcnpHQ%3D%3D)
Broadcom will tame the VMware beast (https://siliconangle.com/2022/05/27/broadcom-will-tame-vmware-beast/)
VMware Blockchain (https://www.vmware.com/products/blockchain.html)

Bolt, the payments start-up, has begun laying off employees. (https://www.nytimes.com/2022/05/25/business/bolt-layoffs.html)
Layoffs.fyi - Tech Layoff Tracker and Startup Layoff Lists (https://layoffs.fyi/)
Proton Is Trying to Become Google—Without Your Data (https://www.wired.com/story/proton-mail-calendar-drive-vpn/)
OpenStack, except it's outer space (https://twitter.com/Kemp/status/1530198772872933377)
Microsoft confirms it's taking a 'new approach' with its game streaming device | Engadget (https://www.engadget.com/microsoft-confirms-its-taking-a-new-approach-to-its-game-streaming-device-090144247.html)
How to do fun and interesting executive dinners, round tables, etc. – online and in-person (https://cote.io/2022/05/27/how-to-do-executive-dinners/)
Over 380 000 open Kubernetes API servers | The Shadowserver Foundation (https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/)
Twitter fined $150M for misusing 2FA data (https://www.techtarget.com/searchsecurity/news/252520746/Twitter-fined-150M-for-misusing-2FA-data)
First she documented the alt-right. Now she's coming for crypto. (https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/)
Exclusive: Microsoft continues to iterate on an Xbox cloud streaming device codenamed 'Keystone' (https://www.windowscentral.com/gaming/xbox/exclusive-microsoft-continues-to-iterate-on-an-xbox-cloud-streaming-stick-codenamed-keystone)
Microsoft won't lower software costs on AWS, Google clouds (https://www.techtarget.com/searchenterprisedesktop/news/252520735/Microsoft-wont-lower-software-costs-on-AWS-Google-clouds)
A researcher's avatar was sexually assaulted on a metaverse platform owned by Meta, making her the latest victim of sexual abuse on Meta's platforms, watchdog says (https://www.businessinsider.com/researcher-claims-her-avatar-was-raped-on-metas-metaverse-platform-2022-5)
Forget LinkedIn—Your Next Job Offer Could Come via Slack (https://www.wsj.com/articles/job-hunters-workers-use-slack-to-find-job-offers-fast-11653918510)
Sheryl Sandberg will leave Meta after 14 years this fall (https://www.protocol.com/sheryl-sandberg-meta-coo)
This crypto startup believes 'sex-to-earn' is the future of web3 (https://www.inputmag.com/tech/sexn-crypto-startup-sex-to-earn-web3-nfts)
ExpressVPN rejects CERT-In directives, removes its India servers (https://economictimes.indiatimes.com/tech/technology/expressvpn-rejects-cert-in-directives-suspends-india-ops/articleshow/91956961.cms)
MongoDB CTO on (no)SQL, Superapps, and Southeast Asia (https://future.com/mongodb-cto-cloud-providers-southeast-asia/)
Google is combining Meet and Duo into a single app for voice and video calls (https://www.theverge.com/2022/6/1/23149832/google-meet-duo-combination-voice-video)
This VR headset will measure a user's brain activity (https://www.pcgamer.com/this-vr-headset-will-measure-a-users-brain-activity)
Tesla has to respond to increase in phantom braking complaints (https://electrek.co/2022/06/03/tesla-respond-increase-phantom-braking-complaints/)
Amazon's retail CEO is resigning after 23 years (https://www.theverge.com/2022/6/3/23153327/amazon-ceo-consumer-retail-businesses-dave-clark-resigning)
Zoom Hires Greg Tomb as President (https://www.globenewswire.com/news-release/2022/06/06/2457166/0/en/Zoom-Hires-Greg-Tomb-as-President.html?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioslogin&stream=top)
Peloton hires Amazon Web Services executive Liz Coddington as new CFO in latest shakeup (https://techcrunch.com/2022/06/07/peloton-hires-amazon-executive-liz-coddington-new-cfo-latest-shakeup/)
Musk accuses Twitter of 'resisting and thwarting' his right to information on fake accounts (https://www.cnbc.com/2022/06/06/musk-says-twitter-is-refusing-to-share-data-on-spam-accounts.html)
'A new IBM': How the tech giant simplified its marketing (https://www.marketingweek.com/ibm-simplifying-marketing/)
Coinbase extends hiring pause for 'foreseeable future' and plans to rescind some offers (https://www.cnbc.com/2022/06/02/coinbase-hiring-pause-for-foreseeable-future-and-will-rescind-offers.html)
Evading the Big Blue Name Police (https://www.itjungle.com/2022/06/08/evading-the-big-blue-name-police/)
IBM CEO explains why company offloaded Watson Health (https://www.theregister.com/2022/06/08/ibm_ceo_arvind_krishna_explains/)
MongoDB fires up new cloud, on-premises releases (https://venturebeat.com/2022/06/07/mongodb-fires-up-new-cloud-on-premise-releases/)
In reversal, Twitter plans to comply with Musk's demands for data (https://www.washingtonpost.com/technology/2022/06/08/elon-musk-twitter-bot-data/)
OpenCost: Open Source Collaboration on Kubernetes Cost Standards (https://thenewstack.io/opencost-open-source-collaboration-on-kubernetes-cost-standards/)
Kubecost launches open-source OpenCost project (https://siliconangle.com/2022/06/02/kubecost-launches-open-source-opencost-project-keep-lid-kubernetes-spending/)
Datadog's 2022 State of Serverless report (https://www.datadoghq.com/state-of-serverless/)
The IRS needs digital transformation (https://twitter.com/josephzeballos/status/1534189391328976897?s=21&t=uPoXtZtzX-q_GAtodVVbsg)
Oracle quietly closes $28B deal to buy electronic health records company Cerner (https://techcrunch.com/2022/06/07/oracle-quietly-closes-28b-deal-to-buy-electronic-health-records-company-cerner/)

Nonsense
The Cast of HBO's 'Silicon Valley' Explains What Real Startups Do (NSFW) (https://www.youtube.com/watch?v=5Y64UeNeiOM)
WSJ News Exclusive | Justin Timberlake Sells Song Catalog to Blackstone-Backed Fund (https://www.wsj.com/articles/justin-timberlake-sells-song-catalog-to-blackstone-backed-fund-11653557400)
Every person in the U.S. now receives an average of 65 packages a year. (https://twitter.com/mims/status/1529222322686672896)
Spotify Podcasters Are Making $18,000 a Month With Nothing But White Noise (https://www.bloomberg.com/news/articles/2022-06-01/how-to-make-money-on-spotify-a-white-noise-podcast-could-bring-you-big-bucks)
Flying ice cream? Unilever links with drone delivery service Flytrex (https://www.fooddive.com/news/flying-ice-cream-unilever-links-with-drone-delivery-service-flytrex/624541/)
Texas to reclaim home of the largest Buc-ee's (https://www.kxan.com/news/texas/texas-to-reclaim-home-of-the-largest-buc-ees/)

Sponsors
Teleport — The easiest, most secure way to access infrastructure. (https://goteleport.com/?utm_campaign=eg&utm_medium=partner&utm_source=sdt)

Listener Feedback / Jobs
Tim wants you to work at Biogen as a Global DevOps Lead, Commercial & Medical IT (https://jobs.smartrecruiters.com/Biogen/743999821251393-global-devops-lead-commercial-medical-it)
Walmart is hiring Principal Software Engineer - Linux Kernel in Sunnyvale, California (https://www.linkedin.com/jobs/view/2945555862)
Ryan wants you to work at DataDog as the Vice President, Events and Field Marketing (https://www.datadoghq.com/careers/detail/?gh_jid=4252681)
J&J Senior Algorithm Analytics Engineer in Redwood City, California | Medical Devices (https://jobs.jnj.com/jobs/2206008429W?lang=en-us)
NYTimes is hiring a Staff Software Engineer - CI/CD Platform (https://nytimes.wd5.myworkdayjobs.com/Tech/job/New-York-NY/Staff-Software-Engineer---CI-CD-Platform_REQ-012710)

Conferences
FinOps X (https://events.linuxfoundation.org/finops-x/), June 20-21, 2022, Matt's there!
DevOps Loop (https://devopsloop.io), June 22nd. Free! Coté put the agenda together.
Open Source Summit North America (https://events.linuxfoundation.org/open-source-summit-north-america/), June 21-24, 2022, Matt's there!
DevOpsDayLA (https://www.socallinuxexpo.org/scale/19x/devops-day-la) is happening at SCALE19x (https://www.socallinuxexpo.org/scale/19x), July 29th, 2022. Discount code: DEVOP
THAT Conference Wisconsin (https://that.us/call-for-counselors/wi/2022/), July 25, 2022. Discount code: SDTFriendsWI50 - $50 off 4-Day everything ticket. Discount code: SDTFriendsWI25 - $25 off 3-Day Camper ticket
VMware Explore 2022, August 29 – September 1, 2022 (https://www.vmware.com/explore.html?src=so_623a10693ceb7&cid=7012H000001Kb0hQAC)
SpringOne Platform (https://springone.io/?utm_source=cote&utm_medium=podcast&utm_content=sdt), SF, December 6–8, 2022
THAT Conference Texas Call For Counselors (https://that.us/call-for-counselors/tx/2023/), Jan 16-19, 2023

SDT news & hype
Join us in Slack (http://www.softwaredefinedtalk.com/slack).
Get a SDT Sticker! Send your postal address to stickers@softwaredefinedtalk.com (mailto:stickers@softwaredefinedtalk.com) and we will send you free laptop stickers!
Follow us on Twitch (https://www.twitch.tv/sdtpodcast), Twitter (https://twitter.com/softwaredeftalk), Instagram (https://www.instagram.com/softwaredefinedtalk/), LinkedIn (https://www.linkedin.com/company/software-defined-talk/) and YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured).
Use the code SDT to get $20 off Coté's book, Digital WTF (https://leanpub.com/digitalwtf/c/sdt), so $5 total.
Become a sponsor of Software Defined Talk (https://www.softwaredefinedtalk.com/ads)!

Recommendations
Brandon: Apple Watch SE (https://www.apple.com/apple-watch-se/?afid=p238%7CsZvcBV5q2-dc_mtid_1870765e38482_pcrid_584606532877_pgrid_117189313172_pntwk_g_pchan__pexid__&cid=aos-us-kwgo-watch--slid---product-) for Tweens
Coté: Matt Levine interview on The Longform podcast (https://longform.org/posts/longform-podcast-490-matt-levine).

Photo Credits
Banner (https://unsplash.com/photos/88IMbX3wZmI)
ArtWork (https://unsplash.com/photos/5cFwQ-WMcJU)
Chainguard, a startup that focuses on securing software supply chains, announced today that it has raised a $50 million Series A funding round led by Sequoia Capital.
This is the post-KubeCon CloudNativeCon EU 2022 week. Gerhard is talking to Matt Moore, founder & CTO of Chainguard, about all things Knative and Sigstore. The most important topic is swag, because no one has better stickers than Chainguard. The other topic is Sigstore as the equivalent of Let's Encrypt for securing software.
Today we are at KubeCon CloudNativeCon EU 2022, talking to Adolfo García Veytia about securing Kubernetes releases. Adolfo is a Staff Software Engineer at Chainguard and one of the technical leads for SIG Release, meaning that he helps ship Kubernetes. You most likely know him as Puerco, and have seen first-hand his passion for securing software via SBOMs, cosign and SLSA. Puerco's love for bikes and Chainguard are a great match.
Ville Aikas is a co-founder of the supply chain security startup Chainguard. We learn about foreign exchange student programs, early internet operating systems, working at Google, and working on projects like Kubernetes and Knative.

Connect with Ville:
Twitter: https://twitter.com/AikasVille
LinkedIn: https://www.linkedin.com/in/villeaikas/
Email: vaikas@chainguard.dev
Chainguard: https://chainguard.dev/

Mentioned in today's episode:
Google Cloud: https://cloud.google.com/
History of Google Voice: https://en.wikipedia.org/wiki/Google_Voice#History
History of Kubernetes: https://en.wikipedia.org/wiki/Kubernetes#History
Knative: https://knative.dev/
VMware: https://www.vmware.com/

Want more from Ardan Labs? You can learn Go, Kubernetes, Docker & more through our video training, live events, or through our blog!
Online Courses: https://ardanlabs.com/education/
Live Events: https://www.ardanlabs.com/live-training-events/
Blog: https://www.ardanlabs.com/blog
Github: https://github.com/ardanlabs
About Seth
Seth Vargo is an engineer at Google. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. When he is not writing, working on open source, teaching, or speaking at conferences, Seth advises non-profits.

Links:
Twitter: https://twitter.com/sethvargo

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: The company 0x4447 builds products to increase standardization and security in AWS organizations. They do this with automated pipelines that use well-structured projects to create secure, easy-to-maintain and fail-tolerant solutions, one of which is their VPN product built on top of the popular OpenVPN project which has no license restrictions; you are only limited by the network card in the instance.

Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured and fully managed with built in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: make your data sing.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I have a return guest today, though it barely feels like it qualifies because Seth Vargo was guest number three on this podcast.
I've had a couple of folks on since then, and for better or worse, I'm no longer quite as scared of the microphone as I was back in those early days. Seth, thank you for joining me.Seth: Yeah, thank you so much for having me back, Corey. Really excited to figure out whatever we're talking about today.Corey: Well, let's start there because last time we spoke, you were if memory serves a developer advocate at Google Cloud.Seth: Correct.Corey: And you've changed jobs, but not companies—but kind of companies because, welcome to large environments—but over the past few years, you have remained at Google. You are no longer at Google Cloud and you're no longer a developer advocate. In fact, your title is simply ‘Engineer at Google.' And what you've been focusing on, to my understanding, is helping Alphabet companies, namely—you know, the Alphabet, always in parentheses in journalistic styles, Google's parent company because no one thinks of it in terms of Alphabet—is—you're effectively helping companies within the conglomerate umbrella securely and privately consume public cloud.Seth: Yes, that is correct. So, I used to work in what we call the Cloud PA—PA stands for product area. Other product areas are like Chrome and Android—and I moved to the Core PA where I'm helping lead and run an initiative that, like you said, is to help Alphabet companies to, you know, securely and privately use public cloud services.Corey: So, I am going to go out on a limb because my position on multi-cloud has always been pick a cloud—I don't particularly care which one—but pick one and focus on that. I'm going to go out on a limb and presume that given that you are not at Google Cloud anymore, but you are at Google, you probably have a slight preference as far as which public cloud these various companies within the umbrella should be consuming.Seth: Yeah. I mean, obviously, I think most viewers will think the answer is GCP. 
And if you said GCP, you would be, like, 95% correct.Corey: Well, you'd also be slightly less than that correct, because they're doing a whole rebrand and calling it Google Cloud in public, as opposed to GCP. You really don't work for the same org anymore. You're not up-to-date on the very latest messaging talking points.Seth: I missed—ugh, there's so many TLAs that you lose all your TLAs over time.Corey: Oh, yes.Seth: So, Google Cloud would be, like, 95% correct. But what you have to really understand is, Google has its own, you know, cloud—we didn't call it a cloud at the time, you might call it on-prem or legacy infrastructure, if you will—primarily built on a scheduling system called Borg, which is like Kubernetes version zero. And a lot of the Alphabet companies have workloads that run onboard. So, we're actually talking about hybrid cloud here, which, you know, you may not think of Google is like a hybrid cloud customer, but a workload that runs on our production infrastructure called Borg that needs to interact with a workload that runs on Google Cloud, that is hybrid cloud, it's no different than a customer who has their own data center that needs peering to a public cloud provider, you know, whether that's Google Cloud, or AWS, or Azure.I think the other thing is if you look at, like, the regulatory space, particularly a lot of the Alphabet companies operate in, say, like healthcare, or finance, or FinTech, where certain countries and certain jurisdictions have regulations around, like, you must be multi-cloud. You know, some people might say that means you have to run, you know, the same instance of the same app across clouds, or some people say your data can be here, but your workloads can be over there. 
That's to be interpreted, but you know, I would say 95% of GCP, but there is a—or sorry, 95% is Google Cloud—Corey: There we go.Seth: But there is a small percentage that is definitely going to be other cloud providers and hybrid cloud as well.Corey: My position on multi-cloud has often—people like to throw it in my face of, “See you gave this general guidance, and therefore whenever you say something that goes against it, you're a giant phony.” And it's yeah, Twitter doesn't do so well with the nuance. My position of pick a provider and go all-in is intended as general guidance for the common case. There are exceptions to this and any individual company or customer is going to have more context than that general guidance will. So, if you say you need to be in multiple clouds for certain reasons, you're probably correct.If you say you need to be in multiple clouds because your regulator demands it, you are certainly correct. I am not arguing against that in any way. I do want to disclaim my one of my biases here as well, and that is specifically that if I were building a startup today and I were not me—by which I mean having spent ten years in the AWS ecosystem learning, not just how it works, but how it breaks because that's important in production, and you know, also having a bunch of service owners at AWS on speed dial—and I, were approaching this from the naive, I need to pick a cloud, which one would I go with, my bias is for Google Cloud. And the reason behind that is the developer experience is spectacular as the primary but not only perspective on that. So, I am curious to know that as you're helping what are effectively internal customers move to Google Cloud, is their interaction with Google Cloud as a platform the same as it would be if I as a random outside customer, were using Google Cloud? Is there a bunch of internal backchannels? 
“Oh, you get the good kind of internal Google Cloud that most of us don't get access to?” Or something else?Seth: Yeah, so that's a great question. So first, you know, thank you for the kind words on the developer experience—Corey: They were honest words, to be clear. Let me be very direct with you, if I thought your developer experience was trash, I might not say it outright in their effort not to be, you know, actively antagonistic to someone I'm having on the show right now, but I would not say it if I didn't believe it.Seth: Yeah. And I totally—I know you, I've known you for many years. I totally believe you. But I do thank you for saying that because that was the team that I was on before this was largely responsible for that across the platform. But back to your original question around, like, what does the support experience look like? So, it's a little bit of both.So, Alphabet companies, they get a technical account manager, very similar to how, you know, reasonable-sized spend customer would get a technical account manager. That account manager has access to the Cloud support channels. So, all that looks the same. I think we're things look a little bit different is because myself and some of our other leads came from Cloud, you know, I generally don't like this phrase, but we know people. So, we tend not to go directly to Cloud when we can, right?We want Alphabet companies to really behave and act as if they were an external entity, but we're able to help the technical account manager navigate the support process a little bit better by saying like, “You need to ask for this person,” right? You need to say these words to get in front of the right person to get this ticket assigned to the right person. So, the process is still the same, but we're able to leverage our pre-existing knowledge with Cloud. 
The same way, if you had a [unintelligible 00:07:45] or an ex-Googler who worked for your company, would be able to kind of help move that support process along a little bit faster.Corey: I am quite sincere when I say that this is a problem that goes far beyond simply Google. A disturbing portion of my job as a cloud economist helping my clients consists of nothing other than introducing Amazonians to one another. And these are hard problems at scale. I work at a company with a dozen people in it. And it turns out that yeah, it's pretty easy to navigate who's responsible for what. When you have a hyperscale-size company in the trillion-dollar range, a lot of that breaks down super quickly.Seth: And there's just a lot of churn at all levels of the organization. And, you know, we talked about this when I first joined the show, like, I switched roles, I used to be in Cloud, and now I'm in what we call Core. I still get people who are reaching out to me, at Google and externally, who are saying, “Oh, can you answer this question? Hey, how do I do this?” And I, you know, I've gradually over the past couple of months, you know, convinced people that I don't work on that anymore, and I try to be helpful where I can, but the—Corey: You use the old name and everything. They're eventually going to learn, right?Seth: I know. They'll be like, “What do you call this? GCP? Okay, great. We don't need you anymore.” But it's true, right? Like, there's people leave the organization, people join the organization, there's reorgs, there's strategic changes, people, you know, switch roles within the org, and all of that leads to complexity with, you know, navigating, what is the size of a small nation, in some cases.Corey: Your line in your biography says that you enable Alphabet companies to securely and privately consume public cloud. 
Now, that would make perfect sense and I would really have no further questions based on what we've already said, except for the words securely and privately, and I want to dive into that, first. Let's work backwards with the second one first. What does ‘privately' mean in this context?

Seth: So, privately means, like, privacy-preserving for both the Alphabet company and the users or customers that they have. So, when we look at that from the perspective of the Alphabet company, that means protecting their data from the eyes of the cloud provider. So, that's things like customer-managed encryption keys, you know, bring-your-own-encryption, that's making sure that you have things like, actually, transparency so that if at any point the cloud provider is accessing your data, even for a legitimate purpose, like submitting a support ticket or something—or diagnosing a support ticket, that you have visibility into that. Then the privacy-preserving side on the Alphabet company's customers is about providing that same level of visibility to their customers as well as making sure that any data that they're storing is, you know, private, it's not accessible to certain parties, it's following whether it's like, you know, actual legislation around how long data can be persisted, things like GDPR, or if it's just a general, like, data retention, insider risk management, all of that comes into this idea of, like, building a private system or privacy-preserving system.

Corey: Let's be very clear that my position on it is that Google's relationship with privacy has been somewhat challenged, due in no small part to the sheer scale of how large Google has grown. And let's be clear, I believe firmly that at certain points of scale, yeah, you deserve elevated levels of scrutiny. That is how we want society to function, by and large. And there are times where it feels a little odd on the cloud side.
For example, at the time of recording, somewhat recently, there was a bug in some of the copyright detection stuff where Google Drive would start flagging files as having copyright challenges if they contained just the character ‘1' in them.

Which, okay, clearly a bug, but it was a bit of a reminder for some folks that wait, but that's right, Google does tend to scan these things. Well, when you have a bunch of end-user customers and in the ways that Google does, that stuff is baked in and it shapes how you wind up seeing things. From Amazon's perspective, historically, they basically sold books and then later underpants. And doing e-commerce transactions was basically the extent of their data work with customers. They weren't really running large-scale, file sharing systems and abilities—in collaboration suites, at least not that really had any of those pesky things called customers.

So, that is not built into their approach and their needs in the same way. To be clear, I am sympathetic to the problems, but it's also… it's a challenging problem, especially as you continue to evolve and move things into cloud, you absolutely must be able to trust your cloud provider, or you should not be working on that cloud provider, has been my approach.

Seth: Yeah, I mean, there's certainly things that you can do to mitigate. But in general, like, there is some level of trust, forget the data, on the availability side, right? Like when the cloud provider says, “This is our SLA.” And you agree to that SLA, like, yeah, you get money back if they mess it up, but ultimately, you're trusting them to adhere to that SLA, right? And you get recompense if they fail to do so, but that's still, like, trust—trust is far more than just on the privacy side, right? It's on… the promise on the roadmap, it's on privacy, it's on the SLA, right?

Corey: Yeah.
And you see that concern expressed more articulately from enterprise customers, when there's a matter of trusting companies to do what they say, such as the continued investment that Alphabet slash Google is making in Google Cloud. It's easy to take the approach of well, you've turned off a bunch of consumer services, so therefore, you're going to turn off the cloud at some point, too. No, let me be very clear, for the record, I do not believe that you are going to one day flip a switch and turn off Google Cloud. And neither do your customers.

Instead, the approach, the way that enterprises express this, it's not about you flipping the switch and turning it off—that's what contracts are for—their question, and they enshrine this in contracts, in some cases, in the event, not that you turn it off, but that you fail to appropriately continue to invest in the platform. Because at enterprise scale, this is how things tend to die. It is not through flipping a switch, in most cases, it's through, “We're just going to basically mothball it, keep it more or less exactly as it is until it slowly fades into irrelevance for a long period of time.” And when you're providing the infrastructure to run things for serious institutions, that part isn't okay. And credit where due, I have seen every indication that Google means it when they say this is an area of strategic and continued ongoing focus for us as a company.

Seth: Yeah, I mean, Google is heavily investing in cloud. I mean, this is a brand new group that I'm working in and we're trying to get Alphabet companies onto cloud, so obviously there's some very high-level top-down executive support for this. I will say that the—a hundred percent agree with everything you're saying—the traditional enterprise approach of build this Java app—because let's be honest, it's always Java—build this Java app, compile it into a JAR and run it forever is becoming problematic.
We saw this recently with, like, the log4j—

Corey: Yeah, to be in a container. What the hell?

Seth: [laugh].

Corey: I'm kidding. I'm kidding. Please don't send me email, whatever you do.

Seth: What's a container? I'm just kidding. Like, the idea of, like, software rotting is very real and it's becoming more and more of a risk to security, to privacy, to public cloud providers, to enterprises, where when you see something like log4j happen and you can't answer the question, like, do we have any code that uses that? Like, if getting the answer to that question takes you six weeks, [sigh] boy like, a lot of stuff can happen in six weeks while that particular thing is exploited. And you know, kind of gets into software supply chain a little bit, but I do agree that, like, secure, private, and stable APIs are super important, and it's an area where Google is investing. At the same time, I think the industry is moving, the enterprise industry is moving away a little bit from set-it-and-forget-it as a strategy.

Corey: I want to talk about the security portion as well as far as securely consuming public cloud goes. And let me start off with a disclaimer here because I don't want people to misconstrue what I'm about to say. If you are migrating to one of the big three cloud providers, their security will be better than anything you will be able to achieve as a company yourself. Not you personally because Google is a bit of an asterisk to that statement, given what you have been doing and have been doing since the '90s in your on-prem world with Borg and the rest, but my philosophy on the relative positioning of the security of cloud providers relative to one another has changed.
I spent four months beating the crap out of Azure forever having an issue where there was control plane access and then really saying nothing about it.

And after I wound up finding—the day after I put out a blog post on that topic because I was tired of the lack of response, it came out that right at the same time AWS had a very similar problem and had not said anything themselves. And they went back and forth, apparently waiting to wind up doing a release until this happened, Orca Security wound up putting one out there, and it was frustrating on a couple of levels. First, the people at both of these companies who work in security are stars. There is no argument, no bones about that. Problems are going to happen, things are going to occur as a result, and the only saving grace then is the transparency and communication around it, and there was none of it from them.

I'm also more than a little bit irked that my friends at AWS were aware of this, basically watched me drag Azure for four months knowing that they'd done the same thing and never bothered to say a word. But okay, that's a choice. I've been saying for a while that of the big three, Google's security posture is the most impressive. And it used to be a slight difference. Like, you nosed ahead of AWS in that respect, not by a huge margin, but by a bit.

I don't think it's nearly as close these days, in my mind, and talking to other large companies about these things, and people who are paid to worry about these things all day long, I am very far from alone in that perspective. So, I guess my question for you is, as you look at moving the workload securely to Google Cloud, it feels like security is baked into everything that all aspects of your company have done. Why is that a specific area of focus? Or is that how it gets baked into everything you folks do?

Seth: So, you kind of like set up the answer for this perfectly.
I swear we didn't talk about this extensively beforehand.

Corey: You didn't know any of that was coming, by the way, just to be very clear here. I don't sit here and feed, “All right, I'm going to say this. And here's the right res—” No, this is an impromptu, more or less ad hoc show every time I do it.

Seth: Yeah. And I'm going to preface this by saying, like, I don't want this to sound, like, egotistical, but I have never found a company that has as rigorous security and privacy policies, reviews, and procedures as Google.

Corey: I thought I had and I was wrong.

Seth: Yeah. And—

Corey: And I have a lot of apologizing to people to do as a result of that.

Seth: And honestly, every time I interact with our internal security engineering teams, or our IP protection teams, I'm that Nathan Fillion meme, where he's like, what—you know, like, “Okay, I get it. I get it.” Right?

Corey: And then facepalm it, uh, I should say some—I can't—yeah. Oh, yeah.

Seth: The reason that it's hard for Alphabet companies to securely and privately move to cloud specifically for security, is because Alphabet's stance is so much more rigorous than anyone else in the industry, to the point where, in some cases, even our own cloud provider doesn't meet the bar for what we require for an internal workload. And that's really what it comes down to is, like, the reason that Google is the most secure cloud is because our bar is so high that sometimes we can't even meet it.

Corey: I have to assume that the correct answer on this is that you then wind up talking to those product teams and figure out how to get them to a point where they can support that bar because the alternative is effectively, it's like, “Oh, yeah, this is Google Cloud and it's absolutely right for multinational banks to use, but you know, not Google workloads. That stuff's important.” And I don't think that is necessarily how you folks tend to view these things.

Seth: So, it's a bidirectional stream, right?
So, a lot of it is working with a product management team to figure out where we can add these additional security properties into the system—I should say, tri-directional. The second area is where the policy is so specific to Google that Google should actually build its own layer on top of it that adds the security because it's not generally applicable to even big, huge cloud customers. And then the third area is Google's a very big company. Sometimes we didn't write stuff down, and sometimes we have policies where no one can really articulate where that policy came from.

And something that's new with this approach that we're taking now is, like, we're actually trying to figure out where that policy came from, and get at the impetus of what it was trying to protect against and make sure that it's still applicable. And I don't know if you've ever worked with governments or you know, large companies, right, they have this spreadsheet of hundreds of thousands of lines—

Corey: You are basically describing my client list. Please continue.

Seth: I mean, like, sometimes they have to use an Access database because they exhaust the number of rows in an Excel spreadsheet. And it's just checklist upon checklist upon checklist. And that's not how Google does security, right? Security is a very all-encompassing, kind of, 360 type of thing. But we do have policies that are difficult to articulate what they're actually protecting against, and we are constantly re-evaluating those, and saying, like, “This made sense on Borg. Does it actually make sense on Cloud?” And in some cases, it may not. We get the same protections using, say, a GCP-native service, and we can omit that requirement for this particular workload.

Corey: This episode is sponsored by our friends at Oracle Cloud. Counting the pennies, but still dreaming of deploying apps instead of “Hello, World” demos? Allow me to introduce you to Oracle's Always Free tier.
It provides over 20 free services and infrastructure, networking, databases, observability, management, and security. And—let me be clear here—it's actually free. There's no surprise billing until you intentionally and proactively upgrade your account. This means you can provision a virtual machine instance or spin up an autonomous database that manages itself, all while gaining the networking, load balancing, and storage resources that somehow never quite make it into most free tiers needed to support the application that you want to build. With Always Free, you can do things like run small-scale applications or do proof-of-concept testing without spending a dime. You know that I always like to put asterisks next to the word free? This is actually free, no asterisk. Start now. Visit snark.cloud/oci-free that's snark.cloud/oci-free.

Corey: I think that when it comes to things like policies that are intelligently crafted around security, you folks—and to be fair, the AWS security engineers as well—have been doing it right in that, okay, we're going to build a security control to make sure that a thing can't happen. That's not enough. Then there's the defense-in-depth. Okay, let's say that control fails for some variety of ways. Here are the other things we're going to do to prevent cross-account access, for example.

And that in turn, winds up continuing to feed on itself and build into a culture of assuming that you can always continue to invest in security. How far is enough? Well, for most folks, they haven't gone far enough yet.

Seth: Another way to put this is like, how well do you want to sleep at night? You know, there's folks on the Google security engineering team who are so smart, and they work on, like, our offensive security team, so their full-time job is to try to hack Google and then figure out how to prevent that.
And, you know, so I've read some of the reports and some of the ways they think and I'm like, “How do you… how do you pick up a mobile phone and go to like, any website confidently knowing what you know?” Right? [laugh] and like, how do you—

Corey: Who said anything about confidently? Yeah.

Seth: Yeah. Yeah. How do you use self-checkout at a supermarket and, like, not just, like, wear your entire full-body tinfoil hat suit? But you know, I think the bigger risk is not knowing what the risks are. And this is a lot what we're seeing in software supply chain, too, is a lot of security is around threat modeling and not checklists. But we tend to, like, gravitate toward checklists because they're concrete.

But you really have to ask yourself, like, do I need the same security properties on my static blog website that is stored on an S3 bucket or a GCS bucket that's public to the internet, that I do on my credit card processing service? And a lot of times we don't treat those differently, we don't apply a different threat model to them, and then everything has to have the same level of security.

Corey: And then everything is in-scope for whatever it is you're trying to defend against. And that is a short path to madness.

Seth: Yes. Yes. Your static HTML files and your GCS bucket are in scope for SOC 1 and 2 because you didn't have a way to say they weren't.

Corey: Yeah. You've also done some—again, the nice thing about being at a company for a while—from what I can tell, given that I've never done until I started this place—is you move around and work on different projects.
You were involved as well, personally, in the exposure notifications project, the joint collaboration thing between a number of companies in the somewhat early days of the pandemic that all of our phones talk to one another and anonymously and in a privacy-preserving way, let us know that hey, by the way, someone you were in close contact with has tested positive for Covid-19 in the previous fixed period of time. What did you do over there?

Seth: Yeah, so the exposure notifications project was a joint effort, primarily between Apple and Google to use Android and iOS devices to help stop the spread of Covid or reduce the spread of Covid as much as possible. The idea being because the incubation period is roughly 14 days, at least pre-Omicron, if we could tell you hey, you might have been exposed and get you to stay at home for three or four days, self-isolate, we could dramatically reduce the spread of Covid. And we know from some of the studies that have come out of, like, the UK and European region that, like, the technology actually reduced the spread of cases by, like, fourteen-hundred percent in some cases. I was one of the tech leads for the server-side. So, the way the system works is it uses the low-energy Bluetooth on iOS and Android devices to basically broadcast random IDs.

So, I know this is Screaming into the Cloud, but if we can just quickly Screaming into the Void as a rebrand—

Corey: Oh, yeah.

Seth: —that's basically what's happening. [laugh]. You're generating these random identifiers, and just, like, yelling them, and there's other phones out there who are listening. And they collect these we'll call RPIs—or Rolling Indicators. They have no data in them.

They're like literally, like, a UUID or 32 bytes of random data, they aren't at all, like, associated with your device or your person. So, then what happens is, like, let's say you're in a supermarket, you're near someone for, you know, every so often, and your phones exchange these IDs.
If you then test positive, those IDs go up to a centralized server, the server again, also has no idea who you are, so the whole thing is privacy-preserving, end-to-end, then the server basically bundles all of what we call the TEKs, or the Temporary Exposure Keys—into a tarball that go up onto a CDN, and then every night, all of the devices that are participating in EN download this into a local key match. So, at no point does the server ever know that you were in a supermarket with someone else, only your phone knows that you came in contact with this TEK in the past 14 days—or 21 days in some jurisdictions—and it'll generate an exposure notification or an exposure alert, which says, like, “Hey, in the past 14 days, you've come in contact with someone who's confirmed positive for Covid.” And then there's guidance kind of varies by state and by health jurisdiction of, like, self-isolate, or go get tested, or whatever. But the idea—

Corey: Or go to the bar in some places, apparently.

Seth: Oh. Yeah. The server itself is actually—there's a verification component because ideally, like, we don't want people to just be like, oh, I'm Covid positive, and then like, all their friends get an alert, right? There needs to be some kind of verification mechanism where you either have a positive test, or you have a clinician or a physician who issues you code that you can put into your app so you can then release your keys. And then there's the actual key server component, which I kind of already described.

So, it's a pretty complex system and actually is entirely serverless. So, the whole thing, including all, like, background job processing, it was designed to be serverless from the beginning. Total greenfield project, right, like, nothing like this exists, so we're really fortunate there.
We made some fun and interesting design decisions to keep costs down while, you know, abusing slash using some of the features of serverless like auto-scaling and, you know, being able to fan out across multiple regions and things like that—

Corey: And using DNS as a database. My personal favorite approach to things?

Seth: We don't use DNS as a database. We do use Postgres—

Corey: A missed opportunity.

Seth: —a real database. But we do use DNS, just not for storing information.

Corey: So, one question I have for you is that you've been at Google for a while and you've done an awful lot of things there, but previously, you've also done things that don't really directly align any of this stuff going on there. You were at HashiCorp and you were at Chef, neither of whom, to my understanding are technologies that Google makes extensive use of internally for their own stuff. It seems like—and even when you're at Google, you have been continually reinventing what it is that you do. I find that admirable because very often, when you see people at a company for a protracted period of time, they sort of get more or less pigeonholed into the role that looks fairly similar from year-to-year. You've been incredibly dynamic. Was it intentional and how do you do it?

Seth: So, I have a diagnosed medical condition called Career-DHD. I'm just kidding, but I do. I get bored, and it's actually something that I'm really forward with my managers about. I've always been very straight with my managers and the people I work with it, like, 8 to 12 months from now, I will be doing something different. It will be different.

Corey: I wish I'd figured that out earlier on. In my case, the way that I wound up solving for that is I've got to come in, I'm going to solve an interesting problem. When I'm done with that, the consulting engagement is over and then I'm going to go away and everyone knows the score going in.
Works out way better than, and then I'm going to go cause problems on purpose in other people's parts of the org because I see problems there. That was where I always went off the rails.

Seth: [laugh]. Yeah, I mean, I don't take a dissimilar approach. You know, I try to find high-priority, strategic things that also align with my interest. And it's important to me that there's things that I can provide and things that I can learn. I never like to be the smartest person in the room because you shouldn't be in that room anymore; there's no one for you to learn from. And it's great to share knowledge, but—

Corey: I'm not convinced I'm the smartest person in the room right now, despite the fact that right now I'm the only person in the room that I'm sitting in.

Seth: I mean, that Minecraft store is pretty intelligent.

Corey: I saw a Chihuahua wandering around here, too, a—

Seth: [laugh].

Corey: —minute ago, so there is that.

Seth: But, you know, I think from, like, a career advice standpoint, I tell everyone, you should interview somewhere else at least once a year. You never know what's out there, and worst-case scenario, you kept your interview skills up to date.

Corey: Keeping those skills in tune is so critically important just because it's a unique skill set that, for many folks, does not have a whole lot of applicability in their day-to-day job. So, if you suddenly have to find a new job, great, you're rusty at this, it's been years, and you're trying to remember, like, okay, when someone asks you what you're looking for in your next job, they're not trying to pick a fight. Don't respond as if they were. Like, the basic stuff. It's a skill, like anything else.

Seth: Yeah.
And, like, the common questions like, you know, “What do you want to do with your life?” Or like, “What accomplishment are you most proud of?” Like, having those not prepared, but like knowing in general what you want to say from those is very important when you're thinking about interviewing for other jobs. But even in a big company, like the transfer process is, pretty similar for, like, applying externally to other roles; like sometimes there's interviews—

Corey: Do they make you code on whiteboards to solve algorithm problems?

Seth: Not me. But—

Corey: Good.

Seth: —in general—

Corey: Google has evolved its interview process since the last time I went through that particular brand of corporate hazing. Good, good, good.

Seth: Yeah. The interview process has definitely been refactored a lot, especially with Covid and remote, but also just trying to be accessible to folks. I know one of the big changes Google has made is we no longer require, like, eight congruent hours of your time. You can split interviews out over multiple days, which has been really accommodating for folks that have, you know, already have a full-time job or have family obligations at home that don't let them just, like, take eight hours away and devote a hundred percent of their time to interviews. So, I think that is, you know, not a whole lot of positive things that come out of Covid, but the flexibility with, like, interviewing has enabled more people to participate in the interview process that otherwise would not have been able to do so.

Corey: And there's something to be said, for making this more accessible to folks who come from backgrounds that don't all look identical. It's incredibly important.

Seth: Yep.

Corey: One thing that I definitely want to make sure we get to before the end of this is something you've been talking about that's a bit orthogonal, but maybe not entirely so, which is software supply chain security. That has been a common thread of discussion in some circles for a while.
What is it, for those who are unfamiliar, like me sometimes, and what does it imply?

Seth: Yeah, so I mean, in the past year—but if you look back, you'll find more cases of it—we live in a world where no company—Google, Amazon, the US government—writes every line of code that they run. And even if you do, right, even if you could find a company that doesn't rely on any external dependencies, what language are they using? Did they write that language? Okay, let's say hypothetically, you write every single line of code and you wrote your own language, and only your employees contribute to that language.

What operating system are you running on? Because I guarantee you, Linus probably contributed to it, or Gates contributed to it, and they don't work for you. But let's say you wrote your own operating system, right—so we're getting into, like, crazy Google things now, right? Like, only Google would write their own programming language and their own operating system, right? Who manufactured your CPU, right? Like, did you actually—

Corey: There's always dependencies all the way down. We see this sometimes with companies talk about oh, yeah, we're going to go to multiple clouds or a different clouds so that we don't get impacted if there's another AWS outage in us-east-1. Cool, great. Power to you, but are you sure your payment provider's not going to go down? Are they taking a dependency on us-east-1?

Great, let's say that they're not. Are you sure that their vendors who are in the critical path are also not taking critical and core dependencies on that? And are you sure that they're aware of who all of those critical dependencies and those vendors are, and so on and so forth? It is a vast interconnected web. This is a problem. Dependency sprawl is real and I don't think that there's a good way to get to the bottom of it, particularly across company boundaries like that.

Seth: Yeah.
And this is where if you look at the non-software supply chain, like, if you look at construction, right? If you're working with a reputable construction agency, they're actually able to tell you, given a granite countertop or, you know, a quartz countertop, from what beach and what lot on what date the grains of sand in that countertop came from. That is a reality of that industry that is natural. You think about, like, automotive, like, VIN, the Vehicle Identification Numbers, like, they tell you exactly what manufacturer, and then there's records that show you exactly what human being on the line put that particular part in that machine.

And we don't have that in software today. Like, we have some, you know, bastardized versions of, like, Software Bills of Material, or SBOM, but the simple fact of the matter is like because software has grown organically and because this wasn't ingrained in software from the beginning like it was from, you know, traditional manufacturing, you're going to have an insecure software supply chain for most of my life. Now, what does that actually mean, right—insecure has this negative connotation—it means that you need to make sure that you're aware of everything that you're depending on—which is kind of what you were saying is, like, both the technical dependencies and the process or the people dependencies—and you need to have a rigorous process for how you're going to respond to these incidents. And I think log4j was a really good eye-opening moment for folks when they realized that they didn't have a way to make a large-scale dependency update across their entire fleet of applications.

Corey: Because who has to do that on a consistent basis? It happens rarely, but when it happens, it's super important.

Seth: But I do think that more and more, we're going to see it happen more and more frequently.
And ideally, you know, my opinion is that we're going to get to a point where this is inescapable, but ideally, we get to the point where it's like, “Oh, okay, this dependency is vulnerable. I have a playbook. I follow the playbook. Everything is patched in 30 minutes or less, and I can move on with my life.” And it's not a six-week fire drill with people working late and, you know, going super crazy, trying to mitigate these issues.

You know, there's a lot of work happening in this space. We have, like, SLSA, which is an open standard—SLSA—for how you declare, kind of like, your software bill of materials and things like binary authorization and attestations. There's, like, Sigstore, there's Chainguard, there's some companies evolving in this space. Every time I talk to GitHub, I tell them, I'm like, “Hey, if this VP and that VP, like, talked together and, like, worked on something, you could do something amazing in this space.” But I think it's going to be quite a while until we get to a point where we can say the software supply chain is secure.

Because like I was saying at the beginning, like, until you manufacture your own CPU, like, you're dependent on Intel and AMD. And until you write your own programming language, you're dependent on Ruby, Python, Go, whatever it might be. And until you take no dependencies on some external system—which by the way, might be a bad business decision, like, if someone did the work for you already in an open-source ecosystem, it's probably a better business decision to evaluate and use that than to build it yourself.
Until we have the analysis on that supply chain, and we can in a dashboard, or the click of a button, or the run of a command, very easily see the security status of our supply chain—software supply chain—and determine if a particular vulnerability is or is not relevant, I think we're still going to be in this firefighting mode for at least another couple of years.

Corey: And I want to say you're wrong, but I know you're not. And that's what, I guess, keeps a lot of us awake at night for unfortunate reasons. Seth, I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you?

Seth: I'm on Twitter. You can find me at—

Corey: I'm sorry to hear that. So, am I. It's the experience.

Seth: Yeah, you can find me at @sethvargo. If you say mean and hateful things to me, I actually exercise this finger, and you can click the block button real fast. But yeah, I mean, my DMs are open. If you have any questions, comments, complaints, concerns, you can throw the complaints away and come to me for everything else.

Corey: Thank you so much for being so generous with your time. I really appreciate it.

Seth: Yeah, thanks for having me. It's always a pleasure.

Corey: Seth Vargo, engineer at Google. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment asking how dare I malign the good name of the other cloud provider that isn't Google that also just so coincidentally happens to employ you.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS.
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
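The "run of a command" check Seth describes above, deciding from a software bill of materials whether a given advisory is or is not relevant to what you actually ship, as an added example that is not from the episode and not code from Google, Chainguard, Sigstore or the SLSA project. It assumes a constructed CycloneDX-style SBOM fragment with package URLs, and constructed advisories with fictitious `EXAMPLE-` identifiers whose affected ranges use the OSV-style half-open `[introduced, fixed)` convention. The `parse_purl`, `version_key` and `triage` helpers are this example's own; real scanners apply each ecosystem's version semantics (pre-release tags, epochs, Go pseudo-versions), which the numeric-prefix comparison here deliberately ignores.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CycloneDX-style SBOM fragment; not taken from any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"purl": "pkg:pypi/requests@2.25.1"},
        {"purl": "pkg:npm/lodash@4.17.21"},
        {"purl": "pkg:golang/golang.org/x/text@v0.3.7"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    """One affected range in the OSV style: introduced <= v < fixed."""
    id: str
    ecosystem: str
    package: str
    introduced: str
    fixed: Optional[str]  # None means no fixed release exists yet


# Constructed advisories with fictitious IDs (assumption: the same shape a real feed gives you).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "pypi", "requests", "2.0.0", "2.26.0"),
    Advisory("EXAMPLE-0002", "npm", "lodash", "0", "4.17.21"),
    Advisory("EXAMPLE-0003", "golang", "golang.org/x/text", "0", None),
    Advisory("EXAMPLE-0004", "pypi", "urllib3", "0", "1.26.5"),
]


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:<type>/<name>@<version>' into (ecosystem, name, version).
    Handles only the subset of the purl spec needed here; '?qualifiers' are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0]
    path, _, version = body.rpartition("@")
    ecosystem, _, name = path.partition("/")
    if not (ecosystem and name and version):
        raise ValueError(f"malformed purl: {purl}")
    return ecosystem.lower(), name.lower(), version


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison key: 'v1.2.3' -> (1, 2, 3).
    Pre-release suffixes are ignored; a known simplification of this toy."""
    parts = []
    for piece in v.lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding shorter keys with zeros so '2.26' == '2.26.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected iff introduced <= version < fixed (unbounded when no fix exists)."""
    if version_lt(version, adv.introduced):
        return False
    return adv.fixed is None or version_lt(version, adv.fixed)


def triage(sbom_json: str, advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Return (advisory_id, purl) for every SBOM component inside an advisory's
    affected range. Components that match by name but sit outside the range,
    and advisories for packages not in the SBOM at all, are 'not relevant'."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        eco, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv.ecosystem, adv.package.lower()) != (eco, name):
                continue
            if is_affected(version, adv):
                hits.append((adv.id, purl))
    return sorted(hits)


if __name__ == "__main__":
    for adv_id, purl in triage(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"RELEVANT  {adv_id}  {purl}")
```

Run against the constructed data, only the `requests` and `golang.org/x/text` components come back: `lodash` is pinned at exactly the fixed release, so it falls outside the half-open range, and the `urllib3` advisory never matches because the package is not in the SBOM. The design point is that "is this CVE relevant" is a question about the SBOM plus a range check, not a grep for a package name; the half-open range is what makes a component at the fixed version count as clean.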
You've heard of the supply chain, but what about the software supply chain? Unlike the standard supply chain that you often hear about in the news, this week's episode of Dev Interrupted dives into the supply chain responsible for holding together the systems that companies, orgs and governments depend upon. Kim Lewandowski, a software supply chain security expert, co-founded Chainguard in 2021 with a mission to make software supply chains secure by default.

In our conversation, Kim discusses why hackers are way ahead of the game on the software supply chain, what companies can do about it, and why excitement around open source may not align with the security threats of the future. She also details why five founders may be better than two, why you might find her Easter eggs in nuclear codes, and why Google is an amazing pit stop in anyone's career.

Chainguard's website: https://chainguard.dev/
Join our Discord Community: discord.gg/devinterrupted
Our Website: devinterrupted.com/
Want to try LinearB? Book a LinearB Demo and use the "Dev Interrupted Podcast" discount code.
Have 60 seconds? Review the show on Apple Podcasts
By late last year, the alarm bells were just starting to ring. Researchers discovered that Russian spies had months earlier burrowed deep into the networks of several U.S. federal networks.
In the second set of interviews from KubeCon North America 2021, Gerhard and Liz Rice talk about eBPF superpowers - Cilium + Hubble - and what's it like to work with Duffie Cooley. Jared Watts shares the story behind Crossplane reaching incubating status, and Dan Mangum tells us what it was like to be at this KubeCon in person. Dan's new COO role (read Click Ops Officer) comes up. David Ansari from VMware speaks about his first KubeCon experience both as an attendee and as a speaker. The RabbitMQ Deep Dive talk that he gave will be a nice surprise if you watch it - link in the show notes. Dan Lorenc brings his unique perspective on supply chain security, and tells us about the new company that he co-founded, Chainguard. How to secure container images gets covered, as well as one of the easter eggs that Scott Nichols put in chainguard.dev.
Five former Googlers recently started Chainguard, a newly minted supply chain security company focused on Zero Trust principles. Its mission is to help DevOps teams with the monumental struggle of securing application code across the development, deployment and management cycle.

“Supply chain security by default is our mission, and making it really easy for developers to do the right thing,” Kim Lewandowski, founder and product lead at Chainguard, said during an episode of The New Stack Makers podcast recorded live at KubeCon + CloudNativeCon in October.

Alex Williams, founder and publisher of TNS, hosted the podcast.