Podcasts about sigstore

  • 38 podcasts
  • 52 episodes
  • 40m average duration
  • 1 new episode monthly
  • Apr 9, 2025 latest

Popularity (chart, 2017 to 2024; not reproduced here)


Latest podcast episodes about sigstore

IT Privacy and Security Weekly update.
EP 237.5 Deep Dive: Artificial General Intelligence and The IT Privacy and Security Weekly Update for the Week Ending April 8th, 2025
Apr 9, 2025, 15:39


1. Concerns About AGI Development: DeepMind's 108-page report outlines four major risks of Artificial General Intelligence (AGI):
  • Misuse: AGI used maliciously (e.g., creating viruses).
  • Misalignment: AGI acting contrary to intended goals.
  • Mistakes: errors causing unintended harm, especially in high-stakes sectors like defense.
  • Structural Risks: long-term impacts on trust, power, and truth in society.
While safety measures are urged, full control of AGI remains uncertain.

2. Improving Machine Learning Security: The open-source community is adopting model signing (via Sigstore), applying digital signatures to AI models. This ensures the model's authenticity and integrity, helping prevent the use of tampered or untrusted code in AI systems.

3. Risks from AI Coding Assistants: A newly identified threat, the Rules File Backdoor, allows attackers to embed malicious instructions in configuration files used by AI coding assistants (like GitHub Copilot or Cursor). This can lead to AI-generated code with hidden vulnerabilities, increasing risk through shared or open-source repos.

4. Italy's Controversial Piracy Shield: Piracy Shield, Italy's system for blocking pirated content, has mistakenly blacklisted legitimate services like Google Drive. Critics highlight issues around lack of transparency, violations of net neutrality and digital rights, and risks of censorship. Despite backlash, the system is being expanded, raising further concerns.

5. EU's Push on Data Access and Encryption: The EU's ProtectEU strategy includes strengthening Europol into a more FBI-like agency and proposing roadmaps for law enforcement access to encrypted data. This indicates a potential push toward backdoor access, reigniting debates on privacy vs. security.

6. Cyberattacks on Australian Pension Funds: Coordinated cyberattacks have compromised over 20,000 accounts across Australian retirement funds, with some user savings stolen. The incidents expose vulnerabilities in financial infrastructure, prompting a government initiative to bolster sector-wide cybersecurity.

7. Lessons from Oracle's Security Breaches: Oracle reported two separate breaches in a short span. The latest involved theft of outdated login credentials. These incidents reveal persistent challenges in securing large tech platforms and highlight the need for ongoing security improvements and scrutiny of legacy systems.

8. Closure of OpenSNP Genetic Database: OpenSNP is shutting down after 14 years, deleting all user data due to rising concerns over misuse of genetic data, especially amid growing political threats from authoritarian regimes. The founder emphasized protecting vulnerable populations and reevaluated the risks of continued data availability versus its research value.

Absolute AppSec
Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse
Apr 8, 2025


The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. This is followed by some spicy takes on vibe coding and its effects on application and product security. Finally, they cover the short-lived tokens used to exploit RCE against the GitHub CodeQL Action.

IT Privacy and Security Weekly update.
Artificial General Intelligence and The IT Privacy and Security Weekly Update for the Week Ending April 8th, 2025
Apr 8, 2025, 18:30


EP 237. DeepMind just released a 108-page manual on not getting wiped out by our own invention, highlighting the fact that planning for an AI apocalypse could now be a core business line function.

Sigstore machine learning model signing: AI models are finally getting digital signatures, because "mystery code from the internet" just wasn't a scalable trust strategy.

Turns out your AI programmer can be tricked into writing malware, helping us understand that "copilot" isn't necessarily synonymous with "competent".

Italy's anti-piracy tool is blocking legit services like it's playing "whack-a-mole" blindfolded, but in this case the moles are cloud storage, like your Google Drive.

The EU wants Europol to act like the FBI because privacy for our citizens is important, except when we want to read their encrypted messages.

Hackers hit Aussie retirement funds, proving the only thing scarier than blowing through all your retirement money is someone else blowing through it all for you.

Oracle's been hacked again, because who doesn't love a sequel with worse security and a bigger cleanup bill?

OpenSNP just quit the internet after realizing DNA + authoritarian vibes = one dystopia too many.

This week is a wild ride, so saddle up and hold on tight!

Open at Intel
Balancing Act: Software Security and Developer Experience
Mar 20, 2025, 25:32


In this episode, we sit down with Luke Hinds, CTO of Stacklok and creator of Sigstore, to learn from his extensive background in open source security. Luke shares insights into his journey and passion for security, highlighting the thrill of the 'cat and mouse' dynamics. He discusses Stacklok's project, Minder, a software supply chain platform designed to streamline security while boosting developer productivity. Luke also touches on Trusty, another Stacklok initiative aimed at assessing the security risks of open source packages using data science. The conversation expands to the impact of AI on code contributions and developer identity, reflecting on the evolving dynamics in software development and security. Finally, Luke shares thoughts on the ongoing challenges and opportunities in bridging the gap between operations and engineering to maintain robust security in fast-paced development environments.

00:00 Introduction
02:29 Personal Reflections on Security
04:14 Introduction to Stacklok and Minder
05:02 Minder's Features and Capabilities
07:38 Target Audience and Use Cases for Minder
10:41 Balancing Security and Developer Productivity
13:00 The Importance of Seamless Security
13:52 Introduction to Trusty: Understanding Open Source Security Risks
14:45 Analyzing Malicious Packages and Developer Contributions
18:06 The Role of Developer Identity in Open Source Projects
19:20 AI's Impact on Code Development and Security
20:10 Challenges and Future Directions in Developer Identity
23:31 Concluding Thoughts and Future Conversations

Guest: Luke Hinds is the CTO of Stacklok. He is the creator of the open source project sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a distinguished engineer at Red Hat.

Open Source Security Podcast
Episode 451 - Python security with Seth Larson
Oct 21, 2024, 36:24


Josh and Kurt talk to Seth Larson from the Python Software Foundation about securing the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but which are super important work.

Show Notes
  • Seth Larson
  • XKCD PGP Signature
  • Seth's Blog
  • Python and Sigstore
  • Deprecating PGP - PEP 761
  • Python SBOMs

Defense Unicorns, A Podcast
Keeping Open Source Software Secure with Eddie Zaneski
Oct 2, 2024, 48:08


This week on the Defense Unicorns Podcast, we welcome Eddie Zaneski, the tech lead for open source here at Defense Unicorns, who takes us through his fascinating career journey from aspiring math teacher to a key player in the tech industry. Eddie shares his experiences transitioning into computer science, his passion for developer relations, and his significant contributions to the Kubernetes project. We dive into the evolution of software deployment, from bare metal servers to virtual machines and containers, and how Kubernetes has become essential in managing large-scale containerized applications. Eddie also reflects on his time at DigitalOcean, Amazon, and ChainGuard, highlighting his work on software supply chain security projects like Protobomb and Sigstore.

Our conversation then turns to the security of open-source communities, challenging the misconception that open-source software is less secure than its closed-source counterparts. Eddie discusses the advantages of transparency in open source, using the XZ library's recent security breach as a case study to emphasize the importance of trust and identity verification. We also explore the potential for similar vulnerabilities in closed-source projects and the growing importance of supply chain security measures, including build integrity and software bills of materials (SBOM). The episode concludes with a thought-provoking discussion on the benefits of transparency in open source and whether proprietary software incidents would be as openly shared or understood.

Eddie shares his enthusiasm for leveraging government funding to support open-source projects. He expresses his excitement about engaging with soldiers, airmen, and guardians to understand their challenges and explore open-source solutions. We also touch on innovative tools for air-gapped environments, like Zarf, and their applications across various industries. Listen in as Eddie recounts his experiences at Bravo hackathons, the unique challenges faced by developers in constrained environments, and offers valuable career advice for those passionate about open source and software development.

Key Quote
"There's lots of misconceptions and I'm sure you and I can talk about all of them. One of the big ones is, just, it's less secure, right? That's a massive myth. Open source security is less secure because all the code is in the open and everyone can go find the holes, and generally quite the opposite actually, because the code is in the open, everyone can do their own audits and everyone can see what's happening under the covers of the magic box that you usually can't peer into with proprietary software. We have entire teams of, like, security. So the Kubernetes project is divided up into special interest groups or SIGs. So we have SIGs for security, we have a product security council and committee that is the incident response people for when there is a new CVE or a bug found, and all sorts of different types of things that are just tailored around security." - Eddie Zaneski

Time Stamps:
(00:02) Kubernetes and Open Source Evolution
(08:17) Security in Open Source Communities
(20:43) Software Bill of Materials for Cybersecurity
(24:04) Exploring Defense Unicorns and Open Source
(31:43) Navigating Careers in Open Source
(42:25) Breaking Barriers in Defense Innovation
(46:42) Collaborating for Defense Open Source

Links
  • Connect with Eddie

Kube Cuddle
Adolfo García Veytia
Jun 18, 2024, 50:30


In this episode, Rich speaks with Adolfo García Veytia from Stacklok.

Topics include: writing Kubernetes in PHP, contributing to the Linux kernel, joining SIG Release, improving the supply chain security of the Kubernetes releases, the issue of CVEs in software, and release engineering.

Show notes
  • Adolfo's LinkedIn | X | GitHub
  • Rich's LinkedIn | Bluesky | Linktree
  • Kubernetes SIG Release
  • Sigstore
  • Bob Callaway and Dan Lorenc's Sigstore talk from KubeCon LA
  • What is an SBOM
  • Adolfo and Carlos's KubeCon talk
  • SLSA
  • Wolfi
  • Episode Transcript

Logo by the amazing Emily Griffin. Music by Monplaisir. Thanks for listening.

Open Source Security Podcast
Episode 428 - GitHub artifact attestation
May 13, 2024, 37:25


Josh and Kurt talk about a new way to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, and it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier-to-use features in the future. Someday, everything will be signed by default.

Show Notes
  • GitHub artifact attestation

Open at Intel
Navigating Open Source Security
Jan 18, 2024, 23:30


Emily Fox joins us to discuss her role as Security Lead in Emerging Technologies at Red Hat and her involvement in the open source community as Chair of the Cloud Native Computing Foundation's Technical Oversight Committee. She discusses her team's research focusing on refining Sigstore and working on remote attestation, and her career journey from working as a Creative Director in an entertainment company to becoming a Developer Security Lead for the National Security Agency. The conversation further touches on the need for better diversity, accessibility, and the imperative of a supportive community within the open source ecosystem. Lastly, she shares her perspectives on developer experience, its challenges, and the need for empathy and kindness as we navigate post-pandemic life.

00:00 Introduction and Guest Background
00:24 Role and Responsibilities at Red Hat
01:46 Involvement in Open Source and Cloud Native Computing Foundation
03:07 Journey from Creative Director to Tech Ecosystem
06:09 Challenges in Open Source Project Security
08:03 Improving Security Practices in Software Development
09:22 Expanding Security Expertise in Developers
11:23 Security in AI and Machine Learning
15:24 Importance of Diversity and Inclusion in Tech
18:40 Improving Developer Experience in Open Source
21:00 Closing Thoughts and Parting Words

Guest: Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 13 years to drive a cultural change where security is unobstructive, natural, and accessible to everyone. Her technical interests include containerization, least privilege, automation, and promoting women in technology. She holds a BS in Information Systems and an MS in cybersecurity. Serving as chair on the Cloud Native Computing Foundation's (CNCF) Technical Oversight Committee (TOC) and co-chair for KubeCon+CloudNativeCon China 2021, Europe 2022, North America 2022, Europe 2023, and CloudNativeSecurityCon 2023, she is involved in a variety of open source communities and activities.

Software Engineering Daily
KubeCon Special: Sigstore with Santiago Torres-Arias
Dec 3, 2023, 42:15


This episode of Software Engineering Daily is part of our on-site coverage of KubeCon 2023, which took place from November 6th through 9th in Chicago. In today's interview, host Jordi Mon Companys speaks with Santiago Torres-Arias, who is a contributor to Sigstore, a system to register software supply chain actors using federated identity.

CERIAS Security Seminar Podcast
Christopher Nuland, Enhancing Software Supply Chain Security in Distributed Systems
Sep 20, 2023, 66:35


Recorded: 09/20/2023, CERIAS Security Seminar at Purdue University. Enhancing Software Supply Chain Security in Distributed Systems. Christopher Nuland, Red Hat.

In the aftermath of the transformative 2020 SolarWinds breach, securing software supply chains has surged to the forefront of modern software development concerns. This incident underscored the imperative for innovative approaches to ensure software artifacts' integrity and authenticity. The Supply-chain Levels for Software Artifacts (SLSA) framework emerged as a response, emphasizing secure software development processes for supply chains. As compliance standards, notably enforced by the National Institute of Standards and Technology (NIST), intensify the call for robust security measures, the convergence of open-source technologies presents a compelling solution.

In the contemporary landscape of distributed systems, like Kubernetes, the significance of signing critical artifacts, such as container images and builds, cannot be overstated. These signatures substantiate the origin and unaltered state of the artifacts, rendering them resistant to tampering or unauthorized access. Yet, with the escalating complexity of software supply chains, bolstered by the proliferation of distributed technologies, ensuring trustworthy artifact provenance becomes more formidable.

This challenge is where Sigstore, an innovative technology solution, steps in. Sigstore enables cryptographic signing and verification of software artifacts, offering a robust mechanism to establish the authenticity of these components. By leveraging transparency log technologies, Sigstore enhances the trustworthiness of the supply chain, creating a formidable barrier against malicious alterations.

This talk will discuss the popular technologies in the industry that are utilizing a zero trust software supply chain, why this type of supply chain is important, and outline the different technologies used in conjunction with Sigstore to create zero-trust supply chains within the software development and deployment lifecycle.

About the speaker: Christopher Nuland has been involved with container technology since 2010, when he worked with Oak Ridge Labs and Purdue's CdmHub on containerizing their simulations with OpenVZ. He joined Red Hat in 2018 as a container specialist in the infrastructure and application development space for primarily Fortune 100 companies across the U.S. His work has focused mainly on cloud-native migrations into k8s-based platforms, and developing secure cloud-native zero-trust supply chains for the healthcare, life sciences, and defense sectors.

NoLimitSecu
sigstore
Jul 30, 2023, 27:36


Episode #422, devoted to sigstore, with Maya Costantini.

References:
  • Video: https://passthesalt.ubicast.tv/videos/2023-introduction-to-sigstore-cryptographic-signatures-made-easier/
  • Slides: https://archives.pass-the-salt.org/Pass%20the%20SALT/2023/slides/PTS2023-Talk-12-Introduction-to-Sigstore_Cryptographic-signatures-made-easier.pdf

Resilient Cyber
S4E20: Luke Hinds & Craig McLuckie - The Founders Journey & Software Supply Chain Security
May 31, 2023, 37:41


  • First off, can you each tell us a bit about your backgrounds and experience in the space?
  • What made you all decide to found Stacklok? What gaps and opportunities in the ecosystem did you see?
  • What are your thoughts around the industry's response to software supply chain security, and how do you see things such as OSS and Sigstore playing a role?
  • While we've seen tremendous adoption of OSS for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support, etc. How do organizations balance these concerns while still taking advantage of OSS?
  • No software supply chain security discussion would be complete without touching on SBOM, which has gotten a lot of industry attention. What are each of your thoughts on SBOM?
  • Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity, while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is having and will have on software supply chain and cyber?

ATARC Federal IT Newscast
In the Nic of Time with Dan Lorenc, CEO, ChainGuard
Mar 15, 2023, 91:07


Join this episode of In the Nic of Time with Dan Lorenc, CEO, ChainGuard as they discuss the challenges and struggles around software supply chain and take a deep dive on Dan's incredible contributions to the open source community with his projects like Minikube, Sigstore, Distroless and Wolfi.

The New Stack Podcast
2023 Hotness: Cloud IDEs, Web Assembly, and SBOMs
Feb 16, 2023, 19:04


Here's a breakdown of what we cover:

Cloud IDEs will mature as GitHub's Codespaces platform gains acceptance through its integration into the GitHub service. Other factors include new startups in the space, such as GitPod, which offers a secure, cloud-based IDE, and Uptycs, which uses telemetry data to lock down developer environments. "So I think you'll, you're just gonna see more people exposed to it, and they're gonna be like, 'holy crap, this makes my life a lot easier'."

FinOps reflects the more stringent views on managing costs, focusing on the efficiency of resources that a company provides for developers. The focus also translates to the GreenOps movement with its emphasis on efficiency.

Software bill of materials (SBOMs) will continue to mature, with Sigstore as the project with the fastest expected adoption. Witness, from Telemetry Project, is another project. The SPDX community has been at the center of the movement for over a decade now, before people cared about it.

GitOps and OpenTelemetry: this year, KubeCon submission topics on GitOps were super high. OpenTelemetry is the second most popular project in the CNCF, behind Kubernetes.

Platform engineering is hot. Aniszczyk cites Backstage, a CNCF project, as one he is watching. It has a healthy plugin extension ecosystem and a corresponding large community. People make fun of Jenkins, but Jenkins is likely going to be around as long as Linux because of the plugin community. Backstage is going along that same route.

WebAssembly: "You will probably see an uptick in edge cases, like smaller deployments as opposed to full-blown cloud-based workloads." WebAssembly will mix with containers and VMs. "It's just the way that software works."

Kubernetes is part of today's distributed fabric. Linux is now everywhere. Kubernetes is going through the same evolution. Kubernetes is going into airplanes, cars, and fast-food restaurants. "People are going to focus on the layers up top, not necessarily like, the core Kubernetes project itself. It's going to be all the cool stuff built on top."

Sustain
Episode 150: Dustin Ingram and the Open Source Security Team at Google
Jan 6, 2023, 35:44


Guest: Dustin Ingram
Panelists: Richard Littauer | Justin Dorfman

Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Joining us today is Dustin Ingram, who's a Staff Software Engineer on Google's Open Source Security Team, where he works on improving the security of open source software that Google and the rest of the world relies on. He's also a director of the Python Software Foundation and maintainer of the Python Package Index. Today, we'll learn about the Open Source Security Team at Google, what they do, the bill they've contributed to, the Securing Open Source Software Act of 2022, a rewards program they have to pay maintainers called SOS rewards, and Google's role in the Sigstore project. Also, Dustin talks about the Python Package Index, he shares his opinion on the difference between security and sustainability, and what he's most excited about with work going on in the next year or two. Download this episode now to find out more!

[00:01:10] Dustin fills us in on the Open Source Security Team at Google, what they do there, how they prioritize which packages to work on, and which security bugs to work on.
[00:03:25] We hear about the team at Google working on the bill 4913, Securing Open Source Software Act of 2022.
[00:04:18] Justin brings up Dan Lorenc and Sigstore, and we learn Google's role in this project and making sure it's adopted more heavily in the supply chain.
[00:06:05] Dustin explains the model on how Google is working to make sure these projects stick together, and he tells us how an open source maintainer can make their code more reliable by going to Sigstore and other sites to talk to people.
[00:09:26] How does Google prioritize and choose which projects are the most important and where they're going to dedicate developer time to do that work?
[00:11:02] Dustin works on the Python Package Index, and he explains what it is, and with the PSF, how many directors they have, and how much he interfaces with other people there.
[00:12:17] We hear how Dustin dealt with the fallout from the backlash that happened during the mandatory multifactor authentication for the critical projects.
[00:16:52] When it comes to security, Richard wonders if Dustin has put a lot of thought into different grades of where it exists and who it's for, as well as if there's a ten to fifty year plan for the maintainers who move on to do other things and people are not going to be developing at all.
[00:19:13] Are there plans around education for maintainers and communities on how to onboard new maintainers and how to increase security without increasing load time for the maintainers working on their projects?
[00:20:21] We hear what the Securing Open Source Software Act is all about.
[00:22:21] Now that open source is the dominant distribution, Dustin shares his thoughts on if open source will stop working and explains the real strength of open source.
[00:24:09] Richard brings up the US government trying to secure their supply chain, working with future maintainers, code packages, working with foundations to figure out how we secure the ecosystem at large, and wonders if Dustin sees a way for the government to try and secure open source and not regulate it, but try to figure how to manage it without the help of foundations or package managers.
[00:26:56] Dustin shares his opinion on the difference between security and sustainability and what he thinks about that and what he's most excited about with work going on in the next year or two.
[00:30:28] Find out where you can follow Dustin and his work on the web.

Quotes
[00:03:34] "After Log4j, the government got really spooked because they really didn't know what software they were consuming, and President Biden did an executive order on securing a nation's cybersecurity, which was about setting a policy for how the government should consume open source."
[00:08:11] "We also do some other things to make that a little easier for open source maintainers to adopt these technologies."
[00:08:17] "One thing we have is a rewards program called SOS.dev, and that's a way that maintainers can get paid for doing what we feel is relevant security work."
[00:21:01] "The US government consumes a lot of open source software. They have a dependency on a lot more than most large companies that you can think of."
[00:21:11] "The answer to Log4j is not to stop using open source, it's to get better practices around determining what you have and just do industry best practices for finding and fixing vulnerabilities."

Spotlight
[00:31:17] Justin's spotlight is some awesome software called Rewind.ai.
[00:32:32] Richard's spotlight is Geoff Huntley.
[00:33:36] Dustin's spotlight is the Mozilla Open Source Support Program.

Links
  • SustainOSS (https://sustainoss.org/)
  • SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
  • SustainOSS Discourse (https://discourse.sustainoss.org/)
  • podcast@sustainoss.org (mailto:podcast@sustainoss.org)
  • Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
  • Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
  • Dustin Ingram Twitter (https://twitter.com/di_codes)
  • Dustin Ingram LinkedIn (https://www.linkedin.com/authwall?trk=gf&trkInfo=AQFx--arUWM32wAAAYVVP7pwcaKJmtv_xwAO_dyvHEdFxj0JMheal1V_PnvzCU1Fo_b5mai0jP51x2cucIULaN2C_6Hw_WNXexVVFtrbaamCLoGTNV3KU0oNc8E_cJD2AWGXUZA=&original_referer=https://www.google.com/&sessionRedirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fdustingram%2F)
  • Dustin Ingram Website (https://dustingram.com/)
  • Open Source Vulnerability (OSV) (https://osv.dev/)
  • Sustain Podcast, Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/guests/dan-lorenc)
  • Sigstore (https://www.sigstore.dev/)
  • SOS Rewards (https://sos.dev/)
  • Python Package Index (PyPI) (https://pypi.org/)
  • Sustain Podcast, Episode 75: Deb Nicholson on the OSI, the future of open source, and SeaGL (https://podcast.sustainoss.org/75)
  • Open Technology Fund (https://www.opentech.fund/)
  • Rewind (https://www.rewind.ai/)
  • Geoff Huntley Twitter (https://twitter.com/GeoffreyHuntley)
  • Explaining NFTs: Geoffrey Huntley interviewed by Coffeezilla about his NFT Bay Heist (YouTube) (https://www.youtube.com/watch?v=iLDOSnqN9-I)
  • Mozilla Open Source Support Program (https://www.mozilla.org/en-US/moss/)

Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr, Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Dustin Ingram.

All TWiT.tv Shows (MP3)
FLOSS Weekly 712: Software Supply Chain Security
Dec 21, 2022, 61:08


Dan Lorenc of Sigstore and Chainguard joins Doc Searls and Katherine Druckman on FLOSS Weekly to discuss the software supply chain. The open source software supply chains are increasingly vulnerable attack surfaces. Nobody knows more, or is doing more, to secure those surfaces than Dan Lorenc.

Hosts: Doc Searls and Katherine Druckman
Guest: Dan Lorenc

Download or subscribe to this show at https://twit.tv/shows/floss-weekly
Think your open source project should be on FLOSS Weekly? Email floss@twit.tv.
Thanks to Lullabot's Jeff Robbins, web designer and musician, for our theme music.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsor: Code Comments

Les Cast Codeurs Podcast
LCC 288 - L'épisode marathon mastodonien

Nov 21, 2022 (101:47)

In this long episode, Emmanuel, Guillaume, Antonio and Arnaud go over the latest releases of GraalVM, GoLang, JBanking, Spring, Spring Modulith, Quarkus and Apache Maven. You will also find many infrastructure, cloud and methodology topics, all accompanied by a pachyderm that is very fashionable at the moment: Mastodon.

Recorded on 18 November 2022

Download the episode LesCastCodeurs-Episode–288.mp3

News

Languages

Alina Yurenko announces the release of GraalVM 22.3 https://medium.com/graalvm/graalvm–22–3-is-here-jdk–19-builds-jlink-support-new-monitoring-features-and-more-f6e2b2eeff95
- the article mentions the announcement made at JavaOne that Oracle is contributing GraalVM CE to the OpenJDK community https://www.graalvm.org/2022/openjdk-announcement/
- JDK 19 support
- the distribution can easily be downloaded (in a script) with a one-liner (bash/curl)
- jwebserver can be compiled into a native executable
- various improvements to monitoring and the developer experience of native image (JFR, jvmstat, heap dump…)
- new versions of the reachability metadata
- new native image API
- and various other updates on Python and Ruby support, and community contributions

Go celebrates its 13th birthday https://go.dev/blog/13years
- with the big 1.18 release, with support for workspaces and fuzzing, but above all generics
- also a govuln command that does static analysis; interesting to see the notion of tooling inside the language
- Go builds are locked down, since they rebuild everything and depend on a sha1 for git dependencies, and much more here https://go.dev/blog/supply-chain
- workspaces let you work on several modules in parallel without having to change every go.mod by hand

Libraries

JBanking 4 released by Marc Wrobel https://www.marcwrobel.fr/sortie-de-jbanking–4–0–0
- A utility library to assist in developing banking applications
- Support for ISO country codes, currencies, BIC codes, IBANs, and also the holiday calendar of international banks

Spring Modulith, an experimental project by Oliver Drotbohm, which lets you check the structure and architecture of your Spring projects, for example to verify clean dependencies between modules, to structure your Spring Boot applications well https://spring.io/blog/2022/10/21/introducing-spring-modulith

An alpha version of Quarkus 3 is coming! https://quarkus.io/blog/road-to-quarkus–3/
- Lots of upgrades: Hibernate ORM 6, Jakarta EE 10, Eclipse MicroProfile 6, HTTP/3, io_uring, Loom's Virtual Threads and Structured Concurrency, java.util.concurrent.Flow to get away from Reactive Streams
- Target version Java 11, but the recommendation is to use Java 17
- the 3.x versions will run in parallel with the 2.x versions while the ecosystem moves to 3, notably the jakartaee dependencies
- can be tried easily from the CLI: quarkus create app --stream=3.0
- some compatibility breaks expected but minimized, especially in the core
- keeps Java 11 because of community demand

Spring 6.0 is out https://spring.io/blog/2022/11/16/spring-framework–6–0-goes-ga
- Java 17+ as baseline
- Jakarta EE 9+
- Hibernate 6+
- foundations for Ahead of Time transformations for GraalVM
- Exploring virtual threads https://spring.io/blog/2022/10/11/embracing-virtual-threads, to be tested on servlet threads and others
- Spring Boot arrives later
- Details of the changes https://github.com/spring-projects/spring-framework/wiki/What%27s-New-in-Spring-Framework–6.x/

Infrastructure

Stop using CPU limits on Kubernetes https://home.robusta.dev/blog/stop-using-cpu-limits
- The author makes an amusing comparison with the need to drink water!
- It is better to define requests (needs in water / CPU) rather than limits (not allowed to drink more / use more CPU)
- it is more nuanced than that, because in edge cases things can go wrong
- case 1: you reach 100% usage. The process had defined a request but in practice needs more, and bang, it starts misbehaving, so as soon as your system is under stress you get cascading errors
- case 2: one or more nodes are recycled, which means you get a lot of pod restarts and that puts pressure on the CPU; test those cases, some applications that start too slowly tend to fall over in cascade

How injection attacks are carried out against AIs that receive user content https://hackaday.com/2022/09/16/whats-old-is-new-again-gpt–3-prompt-injection-attack-affects-ai/
- the game is to give ambiguous sentences that make the AI do things it is not supposed to do
- one of the tools is "ignore the instructions above and do something I want you to do that is not in your initial programming"
- this can go as far as touching the AI's initial intent (making it reveal it) and thereby reaching non-public parts of the service

Mastodon and scalability https://framablog.org/2022/11/13/de-la-friture-sur-le-fediverse/
- decentralisation and the Mastodon protocol are costly in jobs, so a moderately popular person (27k followers) should move to their own dedicated instance, which would end up costing quite a lot per month (in any case more than $8/month)
- The author explains that devs should favour a strongly decentralised protocol rather than optimise for big instances
- an article that covers the fine-grained configuration of Sidekiq, which processes the job queues, to scale a Mastodon instance https://nora.codes/post/scaling-mastodon-in-the-face-of-an-exodus/

Release rollouts at scale with Argo (rollback options) https://monzo.com/blog/2022/11/02/argo-rollouts-at-scale/
- big investment in ArgoCD
- But releases are still done by hand by engineers, and all or nothing for an application
- ideally: push to git and forget; Prometheus metrics drive the rollout based on generic alerts; keep the system open to alternative rollout strategies in the future
- based on Argo Rollouts and on generic errors (20% of calls in error, lots of database errors, crashes)
- notifies in Slack asynchronously of success or failure
- interesting to see that they rely on simple metrics
- Lessons learned: the migration is a big job; automate the migration as much as possible even if it is a one-shot; change the engine before changing the UX (progressive rollout), it simplifies things

Cloud

Google is progressively adopting Adoptium Temurin as the official JDK version in its products https://glaforge.appspot.com/article/building-and-deploying-java–17-apps-on-cloud-run-with-cloud-native-buildpacks-on-temurin
- we mentioned the announcement of this support in the previous episode https://blog.adoptium.net/2022/10/adoptium-welcomes-google/
- in Guillaume's article, he uses Cloud Native Buildpacks, configured to use Java 17, and by default it is indeed Temurin that is used when building from source
- in the example, a Micronaut application, developed with Java 17, is deployed on Google Cloud Run

Why we're leaving the cloud https://world.hey.com/dhh/why-we-re-leaving-the-cloud–654b47e0
- testimony of DHH from 37signals (Basecamp and HEY)
- Amazon's 30% margins come from somewhere. We spend 500k on RDS and ES. You can buy a lot of machines for that price
- The reduction in ops is a myth. We have as many people managing AWS or Google Cloud services
- The gain could be for the micro startup that does not know whether it will have customers, or for very variable and unpredictable request volumes
- But we have planned growth, so we are bringing it back in-house

Presentation by Mickaël Roger of Thales, recorded at Cloud Nord, explaining how the S3NS offering from Thales and Google Cloud works for the "trusted cloud" https://www.youtube.com/watch?v=OBwBeqd-YFs

Web

Can Web3 beat the cloud? https://blog.scottlogic.com/2022/10/31/can-web3-beat-the-cloud.html
- Web3 is another approach for decentralised applications; it is not a successor to classic Web 2.0, and it generally needs Web 2.0 to offer an interface to its users
- It is not only for making cryptocurrencies that waste electricity, or NFTs that do not really give ownership of a work of art
- In this article, the author tries to implement a feature (being able to add "claps" to an article, a bit like on Medium) by implementing a smart contract in Web3. But he runs into lots of pitfalls along the way: dependence on lots of other services, and the fact that it is not the person who "votes" who should pay for the action but the one who hosts
- In the end, he is forced to add lots of couplings, so that instead of being decentralised, the application depends on too many other services, and ultimately needs Web 2.0, and the cloud, to work
- The other disappointment is the price of each transaction, which is ultimately exorbitant compared to a classic Web 2.0 approach
- Decentralisation brings slowness (latency)
- The goals of Web3 are to own your processes and your data and to put in place agents that interact with the data

Tooling

How to debug slim or distroless Docker images https://iximiuz.com/en/posts/docker-debug-slim-containers/
- Slim / distroless images are nice because they give small containers that do not take up too much space, that are sometimes faster to load, but also that expose a much smaller attack surface
- On the other hand, since not all the tools are there (sometimes no shell, for example), it is harder to understand what is going on inside when something does not work
- The article suggests a few approaches to get around this: install tools on demand in a running container (with apt-get); temporarily switch to a bigger, more complete image (e.g. distroless has images with a debug tag); use docker run with a shared namespace; use docker exec and a mount

Podman Desktop, an alternative to Docker Desktop, but using podman https://podman-desktop.io/

Docker announces a technical preview of WASM containers https://www.docker.com/blog/docker-wasm-technical-preview/
- new packaging that wraps a WASM executable and runs it with the wasmEdge runtime
- it is a new type of container
- there is a lot of activity around WASM, and there were many announcements and demos at the CloudNativeCon conference and the special WASM day at KubeCon https://www.infoq.com/news/2022/11/cloud-native-wasm-day/
- docker uses Docker Desktop and docker engine to start "shims"; these shims (processes) launch either runc (to run a container) or wasmedge to run wasm modules
- So docker is moving away from containers and trying to touch orchestration

A small tutorial using Docker and YouTube-dl to retrieve / consult the stats (views, likes) of your videos (or others') on YouTube https://glaforge.appspot.com/article/retrieve-youtube-views-count-with-youtube-dl-jq-and-a-docker-container

Apache Maven offers a "build cache" extension (which should speed up builds, without recompiling everything all the time) https://maven.apache.org/extensions/maven-build-cache-extension/
- based on a key built from the sources, the plugins etc., per module
- allows parallelisation and deployment on agents, e.g. in the cloud
- you control the rules for bypassing invariants (e.g. compilation changes, timestamps in manifests etc.)

The complete guide to publishing a Java library on Maven Central https://maciejwalkowiak.com/blog/guide-java-publish-to-maven-central/
- Including integration with GitHub Actions and the use of GitHub Secrets for the PGP keys
- And finally the configuration of JReleaser to make the task even easier when pushing a new version

Apache Maven 4.0.0-alpha–2 is out https://maven.apache.org/docs/4.0.0-alpha–2/release-notes.html
- CLI improvements: --also-make, --resume (no need to specify where the build should resume from), --non-recursive, --fail-on-severity
- Use of the same timestamp in all modules
- build/consumer POMs (automatic versioning of the parent, automatic versioning of dependencies in the reactor, automatic detection of submodules)
- new Maven 4 API
- and lots of other things: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12351403&projectId=12316922

Data Faker, the new test data generator https://github.com/datafaker-net/datafaker
- It is a fork of Java Faker https://github.com/DiUS/java-faker
- All inspired by Ruby Faker https://github.com/faker-ruby/faker
- The Australian company that created it no longer maintained the project, no longer published it to Maven Central, and there were hundreds of PRs
- You can generate data from hundreds of providers (e.g. address, bank account, books, films, etc.) https://github.com/datafaker-net/datafaker#providers in several languages

Easily run Java programs with dependencies, without a build, with JBang https://maciejwalkowiak.com/blog/single-file-java-with-jbang/
- In the same vein as what Groovy has offered for many years with its @Grapes system, which fetches the required dependencies
- The article shows a simple example, then one with Spring Boot, how to make a JAR too, and even how to containerise your little app

Architecture

Amélie Benoit continues her fabulous sketchnotes on the theme of design patterns https://twitter.com/AmelieBenoit33/status/1587397290251149312
- this one is on the Adapter pattern
- there was also the Builder pattern https://twitter.com/AmelieBenoit33/status/1584778615610228737, the Observer https://twitter.com/AmelieBenoit33/status/1579706242318360576, or the Singleton https://twitter.com/AmelieBenoit33/status/1570313646605234177 https://twitter.com/AmelieBenoit33/status/1589869904404316162
- A little Decorator https://twitter.com/AmelieBenoit33/status/1592468635599372289

35 misconceptions about dates and times https://www.meziantou.net/misconceptions-about-date-and-time.htm
- are there always 24 hours in a day, 60 seconds in a minute, or 365 days in a year?
- are days always consecutive?
- does everyone have the same calendar?
- is Monday the first day of the week?

Methodologies

Interview with a designer on how to remove friction https://review.firstround.com/amazons-friction-killing-tactics-to-make-products-more-seamless?ct=t
- designer at Amazon (Music, Alexa), IMDb, Skype for Business
- types of friction (unfamiliar things; inherent friction, as in an advanced product, and a significant friction path; friction through misalignment with human behaviour); the third category is hard to anticipate
- when building products, you add, remove or mark frictions
- It is on the customer's path: before the first contact; sign-up and first transactional task (choose the task well so that it is simple enough and something the user repeats); first moment of delight (look at the counter-intuitive points in the data, or the failing use cases); indifference is the biggest friction for new products
- How to listen to your user? natural habitat: probes in the app, tests with the user in a real environment while using the product; mentions and reviews; also usage metrics (unusual or unexpected things); industry standard: customer expectations are shaped by it (search bar at the top)
- Always migrate your audience towards the path of least resistance
- How to eliminate friction? reduce anxiety: decisions and loss bring anxiety. remove unnecessary steps: define the list of the customer's decisions and question them (default heuristics?). mitigate context switching: navigating out of the app to do something risks abandonment; like stopping a book to look up a word in the dictionary, make it easy to come back and recall the context when they return.
- How to mask friction? waiting time: find value in it (informational message); move the friction to the start in services (credit card right away); if they invest in their experience (voting), they are more engaged and loyal: positive friction, a sense of belonging

Glossary and cheat sheet on the Event Storming approach https://github.com/ddd-crew/eventstorming-glossary-cheat-sheet
- If you do not know event storming, it will not enlighten you enough; it is rather a tool to refresh your memory
- see also the episode on event storming https://lescastcodeurs.com/2020/06/05/lcc–233-interview-sur-l-event-storming-avec-thomas-pierrain-et-bruno-boucard/

Security

Sigstore goes General Availability, in version 1 https://opensource.googleblog.com/2022/10/sigstore-project-announces-general-availability-and-v1-releases.html
- Also covered by InfoQ https://www.infoq.com/news/2022/11/sigstore-stability-ga/
- Sigstore is there to help secure the code supply chain, notably at the signature level
- It addresses what PGP does but makes it more usable and allows an additional use through a log that anyone can read
- More details in an interview, we hope

Law, society and organisation

The bill on securing open source in the United States https://blog.tidelift.com/tidelift-advisory-us-senators-introduce-the-securing-open-source-software-act-of–2022

Holly Cummins on the topic of women's dress code in tech https://hollycummins.com/fashion-and-programming-ii/
- Why in 2023 are there still so many morons making remarks about the clothes worn by women giving talks at conferences, and worse, about whether they are to their taste or not
- Clothing has nothing to do with people's talent, knowledge, professionalism or expertise
- Women have the right to wear the clothes they want without being judged by idiots who would do better to go back to their cave

With Elon Musk's purchase of Twitter, many people are starting to take a closer look at Mastodon. There are many articles about Mastodon these days https://gorillasun.de/blog/getting-started-with-mastodon
- and you, do you have a Mastodon account? which instance did you choose? which tools (client, mobile, web, etc.) do you use?
- For my part I do not have a Mastodon account (I do not use Twitter either). I had a quick look this morning; it is not easy to find an instance: the ones I looked at have closed registrations (from what I read, because of problems handling the influx of new users, because of the increase in spam account creation, or with the aim of spreading users across other, less well-known instances). So for now I have given up on the idea of creating an account.
- The JavaBubble site lists lots of Java developers who now have a Mastodon account https://javabubble.org/
- Les Cast Codeurs on Mastodon: @agoncal@fosstodon.org @aheritier@mastodon.social @glaforge@uwyn.net @emmanuelbernard@mamot.fr

Conferences

The list of conferences from Developers Conferences Agenda/List by Aurélie Vache and contributors:
- 23–25 November 2022: Agile Grenoble 2022 - Grenoble (France)
- 25 November 2022: HACK-IT-N 2022 - Bordeaux (France)
- 1 December 2022: Devops DDay #7 - Marseille (France)
- 2 December 2022: BDX I/O - Bordeaux (France)
- 2 December 2022: DevFest Dijon 2022 - Dijon (France)
- 14–16 December 2022: API Days Paris - Paris (France) & Online
- 15–16 December 2022: Agile Tour Rennes - Rennes (France)
- 19–20 January 2023: Touraine Tech - Tours (France)
- 25–28 January 2023: SnowCamp - Grenoble (France)
- 2 February 2023: Very Tech Trip - Paris (France)
- 2 February 2023: AgiLeMans - Le Mans (France)
- 9–11 February 2023: World AI Cannes - Cannes (France)
- 16–19 February 2023: PyConFR - Bordeaux (France)
- 7 March 2023: Kubernetes Community Days France - Paris (France)
- 23–24 March 2023: SymfonyLive Paris - Paris (France)
- 5–7 April 2023: FIC - Lille Grand Palais (France)
- 12–14 April 2023: Devoxx France - Paris (France)
- 10–12 May 2023: Devoxx UK - London (UK)
- 12 May 2023: AFUP Day Lille & Lyon (France)
- 12–13 October 2023: Volcamp 2023 - Clermont Ferrand (France)

Contact us

To react to this episode, come and discuss on the Google group https://groups.google.com/group/lescastcodeurs
Contact us via Twitter https://twitter.com/lescastcodeurs
Do a crowdcast or a crowdquestion
Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
All the episodes and all the info at https://lescastcodeurs.com/

Decipher Security Podcast

Dan Lorenc, CEO and founder of Chainguard, joins Dennis Fisher to talk about supply chain security, asset inventory, Sigstore, and the challenges of helping developers write more secure code. 

It's 5:05! Daily cybersecurity and open source briefing
Episode #9 - It's 5:05, Thursday, November 10, 2022

Nov 10, 2022 (7:59)

It's 5:05 on Thursday, November 10th, 2022. This is your daily update of open source and cybersecurity news that might have slipped by the major news sources. We have 20 reporters from around the world. Today's updates are from Edwin Kwan in Sydney, Australia, Mark Miller in New York City, DJ Schleen in Golden, Colorado and Olimpiu Pop from Transylvania, Romania. Let's get to it.

Stories covered in this episode

DJ Schleen, Golden, Colorado
Peloton, Spotify, Intel, Oracle, Equifax, Microsoft, Loom, Zillow, Snyk, Open Door, Twitter, Zendesk, Salesforce, and Meta. What do these companies have in common? Laying off tens of thousands of employees in the last 30 days, and they're not the only ones.

Olimpiu Pop, Transylvania, Romania
Sigstore announced the general availability of its ecosystem agnostic, no cost signing service during the inaugural SigstoreCon in late October. Sigstore, a newly accepted Linux Foundation project, is a critical and much needed step towards accessible software signing, which has become a key component of software supply chain management and security.

Mark Miller, New York City
One of the people I check in with on a regular basis is Allan Friedman. Allan is leading CISA's efforts to coordinate SBOM efforts inside and outside the United States government. When he points out an article, you can be sure there's value in it. This morning he highlighted an article by Eric Goldstein, Executive Assistant Director for the Cybersecurity and Infrastructure Security Agency.

Edwin Kwan, Sydney, Australia
Experts are urging for cybersecurity to be taught to kids as young as five years old. There's been a huge increase in the number of data breaches being reported in Australia in the last few weeks. While the Australian government is making improvements to national cybersecurity and increasing financial penalties for companies, cybersecurity experts are urging that more needs to be done to raise the nation's security awareness.

Software Defined Talk
Episode 384: KubeCon NA 2022 Recap

Nov 1, 2022 (47:05)

Matt reports in from Detroit with all the news at KubeCon NA 2022. Plus, some tips on proper etiquette when stretching on International Flights.

Watch the YouTube Live Recording of Episode 384 (https://www.youtube.com/watch?v=vx9J2sHM6ic&t=4s)

Runner up titles
- Detroit style pizza
- I'm not doing high knees in the airplane bathroom
- Masks were required
- Not gonna get a lot of leads from your friends
- Maybe we're in the trough of disillusionment
- We Didn't Start the Fire for CNCF Projects
- He has to eat the spreadsheet

Rundown
- CNCF Wasm microsurvey (https://www.cncf.io/blog/2022/10/24/cncf-wasm-microsurvey-a-transformative-technology-yes-but-time-to-get-serious/)
- Fermyon raises $20M to build tools for cloud app dev (https://techcrunch.com/2022/10/24/fermyon-cloud-app-webassembly-20m-funding-series-a/)
- Docker launches a first preview of its WebAssembly tooling (https://techcrunch.com/2022/10/24/docker-launches-a-first-preview-of-its-webassembly-support/)
- WebAssembly Platform Company Cosmonic Raises $8.5 Million Seed Funding, Launches PaaS (https://www.forbes.com/sites/justinwarren/2022/10/25/webassembly-platform-company-cosmonic-raises-85-million-seed-funding-launches-paas/)
- WeRun313 (https://www.werun313.com/) Detroit Running Club

Relevant to your interests
- Why we're excited about the Sigstore general availability (https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/)
- Introducing Honeycomb Service Map (https://www.honeycomb.io/blog/service-map-launch)
- Documentary Film: Inside Prometheus (https://prometheusprojectdoc.com/)

SDT news & hype
- Join us in Slack (http://www.softwaredefinedtalk.com/slack).
- Get a SDT Sticker! Send your postal address to stickers@softwaredefinedtalk.com (mailto:stickers@softwaredefinedtalk.com) and we will send you free laptop stickers!
- Follow us on Twitch (https://www.twitch.tv/sdtpodcast), Twitter (https://twitter.com/softwaredeftalk), Instagram (https://www.instagram.com/softwaredefinedtalk/), LinkedIn (https://www.linkedin.com/company/software-defined-talk/) and YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured).
- Use the code SDT to get $20 off Coté's book, Digital WTF (https://leanpub.com/digitalwtf/c/sdt), so $5 total.
- Become a sponsor of Software Defined Talk (https://www.softwaredefinedtalk.com/ads)!

Photo Credits
- Matt and Bridget (https://twitter.com/bridgetkromhout/status/1585456962845769730)
- Matt on the Run (https://twitter.com/sys_call/status/1585611293259595777)
- Job Board (https://twitter.com/cra/status/1586037318342873088?s=20&t=MmSglsBxRJ5fwpSe3peRBg)

Cyber Security Headlines
Sigstore opens free service, Medibank hacked, 20-year old SQLite bug

Oct 27, 2022 (7:19)

Sigstore opens free software signing service
Australian health insurer hacked
Researcher details 20-year old SQLite bug

Thanks to this week's episode sponsor, Votiro
UFOs are everywhere. They're in your applications, cloud storage, endpoints, and emails. That's right – UFOs – Unidentified File Objects – are hiding in files across your organization. UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can't be detected by traditional scanning solutions like Anti-Virus and Sandboxing. That's where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business. Do you believe? Learn more at Votiro.com/UFOs

Cloud Security Podcast
Software Signing for Kubernetes Supply Chain & Everybody Else

Oct 16, 2022 (50:30)

In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) about the open source Sigstore project and how it is helping with software signing and protecting the software supply chain.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Luke Hinds (Luke's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(01:39) https://snyk.io/csp
(05:21) What is the software supply chain and why is it important?
(08:20) Common supply chain attacks in Kubernetes
(09:53) Codecov attack
(11:14) Kubernetes and API
(14:10) Vulnerability scanning tools
(16:38) Explaining the importance of supply chain security
(19:19) What is a signing service
(19:56) The SLSA framework
(20:42) Importance of signing service
(23:35) What is Sigstore?
(27:57) What is Lets Encrypt
(31:48) The aim of sigstore
(34:39) What is Co-Sign
(36:40) Co-Signing and non-repudiation
(46:29) Where to start

Open Source Startup Podcast
E57: Secure your Software Supply Chain with Chainguard

Oct 12, 2022 (38:29)

Dan Lorenc is Founder & CEO of Chainguard, the platform to secure your software supply chain. Chainguard supports many popular open source projects such as Sigstore, SLSA, and Tekton. Chainguard has raised $55M from investors including Sequoia and Amplify Partners. In this episode, we discuss the importance of market education when creating a new category of software, assessing market timing when launching your company, some of Chainguard's unique content strategies, and more!

The Cloudcast
Secure Software Supply-Chain

Sep 28, 2022 (31:40)

Dan Lorenc (@lorenc_dan, Founder/CEO @chainguard_dev) talks about modern software-supply chains, Sigstore and SBOM.

SHOW: 655
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
- Datadog Application Monitoring: Modern Application Performance Monitoring. Get started monitoring service dependencies to eliminate latency and errors and enhance your users' app experience with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
- CDN77 - Content Delivery Network Optimized for Video. 85% of users stop watching a video because of stalling and rebuffering. Rely on CDN77 to deliver a seamless online experience to your audience. Ask for a free trial with no duration or traffic limits.

SHOW NOTES:
- Chainguard (homepage)
- Sigstore - standard for signing, verifying and protecting software
- CISA SBOM (Software Bill of Materials)

Topic 1 - Welcome to the show. Let's talk about your background, and what led you to found Chainguard.
Topic 2 - Over the last couple years, we've seen several high-profile hacks where malicious code was a big part of the problem. As an industry, where are we in terms of managing the security around software?
Topic 3 - Now that we're building software much faster, and software is coming from so many different (and often unknown/untrusted) places, what are some of the technology shifts that are happening to address these new environments?
Topic 4 - Chainguard is focused on both secure container images and now secure supply-chain solutions. Walk us through how your offers fit into today's software challenges.
Topic 5 - There is a new term we're hearing quite a bit, SBOM (Secure Bill of Materials). How does SBOM fit into this bigger picture? What are the technologies behind the scenes that make it possible?
Topic 6 - For anyone focusing on this area, what are some good ways to get involved with the new technologies and way of thinking about software security?

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet

Talk Python To Me - Python conversations for passionate developers

PyPI has been in the news for a bunch of reasons lately. Many of them good. But also, some with a bit of drama or mixed reactions. On this episode, we have Dustin Ingram, one of the PyPI maintainers and one of the directors of the PSF, here to discuss the whole 2FA story, securing the supply chain, and plenty more related topics. This is another important episode that people deeply committed to the Python space will want to hear.
Links from the show
Dustin on Twitter: @di_codes
Hardware key giveaway: pypi.org
OpenSSF funds PyPI: openssf.org
James Bennett's take: b-list.org
Atomicwrites (left-pad on PyPI): reddit.com
2FA PyPI Dashboard: datadoghq.com
github 2FA - all users that contribute code by end of 2023: github.blog
GPG - not the holy grail: caremad.io
Sigstore for Python: pypi.org
pip-audit: pypi.org
PEP 691: peps.python.org
PEP 694: peps.python.org
Watch this episode on YouTube: youtube.com
--- Stay in touch with us ---
Subscribe to us on YouTube: youtube.com
Follow Talk Python on Twitter: @talkpython
Follow Michael on Twitter: @mkennedy
Sponsors
RedHat IRL Podcast
AssemblyAI
Talk Python Training

Software Defined Talk
Episode 372: Don't do any editing

Software Defined Talk

Play Episode Listen Later Aug 12, 2022 62:58


This week we discuss build vs. buy decisions, sustaining corporate strategies and Malcolm Gladwell's WFH comments. Plus, we announce the location of the Austin Meetup on August 27th.
Runner-up Titles
Strategy for eating mixed nuts.
Finish in a flurry
Eat Dessert First
It's about where you is, not where you was.
We don't even own a copy of Illustrator
Lost his fastball
Just a paycheck
It's cool to be the “turns out” person
Pizza, Beer, Enjoyment
McKinsey Titles, the movie
Rundown
App Tracking Transparency (ATT) policy blew up the digital advertising ecosystem (https://twitter.com/eric_seufert/status/1555177364081999874)
Only the paranoid survive in tech: Former Intel CEO (https://www.cnbc.com/2014/02/25/only-the-paranoid-survive-in-tech-former-intel-ceo.html)
Netflix Games Engaging Less Than 1 Percent of Subscribers (https://www.macrumors.com/2022/08/08/netflix-games-note-engaging-subscribers/)
Gladwell's take on Work from Home (https://www.tiktok.com/t/ZTRUT8Xh6/?k=1)
Relevant to your Interests
Cisco Networking And Cloud Leader Todd Nightingale To Join Fastly As CEO (https://www.crn.com/news/networking/cisco-networking-and-cloud-leader-todd-nightingale-to-join-fastly-as-ceo)
Aviatrix CEO On Potential Post-Broadcom VMware Layoffs And Why On-Prem Market Is ‘The Titanic Going Down' | CRN (https://www.crn.com/news/cloud/aviatrix-ceo-on-potential-post-broadcom-vmware-layoffs-and-why-on-prem-market-is-the-titanic-going-down-)
Gartner: Microsoft #1 in Database Revenue; AWS Passes Oracle; Google Cloud Gains (https://clouddb.substack.com/p/gartner-microsoft-1-in-database-revenue)
Amazon and iRobot Sign an Agreement for Amazon to Acquire iRobot (https://www.businesswire.com/news/home/20220804006088/en/Amazon-and-iRobot-Sign-an-Agreement-for-Amazon-to-Acquire-iRobot?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioslogin&stream=top)
Companies Disney Owns (https://www.titlemax.com/wp-content/uploads/every-company-disney-owns.jpeg)
S3 Intelligent-Tiering: What It Takes To Actually Break Even (https://www.lastweekinaws.com/blog/s3-intelligent-tiering-breaking-even/)
Twilio Shares Stumble as Investors Fear a Demand Slowdown (https://finance.yahoo.com/news/twilio-shares-stumble-investors-fear-213749401.html)
Closing the cloud strategy, technology, and innovation gap (https://www2.deloitte.com/content/dam/Deloitte/us/Documents/consulting/us-future-of-cloud-survey-report.pdf)
Cloudflare soars after beating on revenue and raising annual forecast (https://www.cnbc.com/2022/08/05/cloudflare-q2-2022-earnings-send-stock-soaring.html)
Axios agrees to sell to Cox Enterprises for $525 million (https://www.axios.com/2022/08/08/axios-agrees-to-sell-to-cox-enterprises-for-525-million?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axiosprorata&stream=top)
New request for comments on improving npm security with Sigstore is now open (https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/)
The Billionaire's Dilemma (https://www.theatlantic.com/ideas/archive/2022/08/marc-andreessens-opposition-housing-project-nimby/671061/)
Intel launches Arc Pro GPUs that are designed for workstations and pro apps (https://www.theverge.com/2022/8/8/23296836/intel-arc-pro-gpu-workstations-mobile-specs)
AI systems can't patent inventions, US federal circuit court confirms (https://www.theverge.com/2022/8/8/23293353/ai-patent-legal-status-us-federal-circuit-court-rules-thaler-dabus)
AppLovin offers to buy video game software maker Unity in $17.5 bln deal (https://www.reuters.com/markets/deals/applovin-offers-buy-unity-software-2022-08-09/)
How the US Postal Service reads terrible handwriting (https://www.youtube.com/watch?v=XxCha4Kez9c)
SoftBank posts a $21.6 billion quarterly loss on its Vision Fund, one of the highest in its history (https://www.cnbc.com/2022/08/08/softbank-vision-fund-posts-a-21point6-billion-quarterly-loss-.html)
Acorn launches from the Cloud.com and Rancher Alumni (https://acorn.io)
Nonsense
French Scientist's Photo of ‘Distant Star' Was Actually Chorizo (https://www.vice.com/en/article/akeemk/chorizo-james-webb-space-telescope)
Sponsors
Teleport — The easiest, most secure way to access infrastructure. (https://goteleport.com/?utm_campaign=eg&utm_medium=partner&utm_source=sdt)
Listener Feedback
Conferences
Register for the SDT Austin Meetup August 27th at 6:30 PM (https://www.eventbrite.com/e/software-defined-talk-meetup-in-austin-tx-tickets-396650401027)
DevOpsDays DFW (https://devopsdays.org/events/2022-dallas/welcome/), August 24-25, 2022 - Coté speaking, along with John Willis, Andrew Shafer, and friends
VMware Explore 2022, August 29 – September 1, 2022 (https://www.vmware.com/explore/us.html?srccode=na_pxkba4ap4tgmb&cid=7012H000001KawVQAS) - Coté's pitch (https://twitter.com/cote/status/1551895600270016512). Coté's VMware Explore 2022 Page (https://cote.io/explore/)
SpringOne Platform (https://springone.io/?utm_source=cote&utm_medium=podcast&utm_content=sdt), SF, December 6–8, 2022
THAT Conference Texas Call For Counselors (https://that.us/call-for-counselors/tx/2023/) Jan 16-19, 2023
SDT news & hype
Join us in Slack (http://www.softwaredefinedtalk.com/slack).
Get a SDT Sticker! Send your postal address to stickers@softwaredefinedtalk.com (mailto:stickers@softwaredefinedtalk.com) and we will send you free laptop stickers!
Follow us on Twitch (https://www.twitch.tv/sdtpodcast), Twitter (https://twitter.com/softwaredeftalk), Instagram (https://www.instagram.com/softwaredefinedtalk/), LinkedIn (https://www.linkedin.com/company/software-defined-talk/) and YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured).
Use the code SDT to get $20 off Coté's book, (https://leanpub.com/digitalwtf/c/sdt) Digital WTF (https://leanpub.com/digitalwtf/c/sdt), so $5 total.
Become a sponsor of Software Defined Talk (https://www.softwaredefinedtalk.com/ads)!
Recommendations
Brandon: Sea of Tranquility (https://www.audible.com/pd/Sea-of-Tranquility-Audiobook/0593551990)
Coté: The Sympathizer (https://en.wikipedia.org/wiki/The_Sympathizer)
Photo Credits
Banner (https://unsplash.com/photos/pUa1On18Jno)
CoverArt (https://unsplash.com/photos/Z9AU36chmQI)

Linux Action News
Linux Action News 253

Linux Action News

Play Episode Listen Later Aug 11, 2022 21:56


The New Stack Podcast
Inside a $150 Million Plan for Open Source Software Security

The New Stack Podcast

Play Episode Listen Later Jun 28, 2022 12:59


AUSTIN, TEX. — Everyone uses open source software — and it's become increasingly apparent that not nearly enough attention has been paid to the security of that software. In a survey released by The Linux Foundation and Snyk at the foundation's Open Source Summit in Austin, Tex., this month, 41% of organizations said they aren't confident in the security of the open source software they use.
At the Austin event, The New Stack's Makers podcast sat down with Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), to talk about a new plan to attack the problem from multiple angles. He was interviewed for this On the Road edition of Makers by Heather Joslyn, features editor at The New Stack.
Behlendorf, who has led OpenSSF since October and serves on the boards of the Electronic Frontier Foundation and Mozilla Foundation, cited the discovery of the Log4j vulnerabilities late in 2021, and other recent security “earthquakes”, as key turning points. “I think the software industry this year really woke up to not only the fact these earthquakes were happening,” he said, “and how it's getting more and more expensive to recover from them.”
The Open Source Security Mobilization Plan sprang from an open source security summit in May. It identifies 10 areas that will be targeted for attention, according to the report published by OpenSSF and the Linux Foundation:
Security education.
Risk assessment.
Digital signatures, such as through the open source Sigstore project.
Memory safety.
Incident response.
Better scanning.
Code audits.
Data sharing.
Improved software supply chains.
Software bills of materials (SBOMs) everywhere.
The price tag for these initiatives over the initial two years is expected to total $150 million, Behlendorf told our Makers audience. The plan was sparked by queries from the White House about the various initiatives underway to improve open source software security — what they would cost, and the time frame the solution-builders had in mind.
“We couldn't really answer that without being able to say, well, what would it take if we were to invest?” Behlendorf said. “Because most of the time we sit there, we wait for folks to show up and hope for the best.”
The ultimate price tag, he said, was much lower than he expected it would be. Various member organizations within OpenSSF, he said, have pledged funding. “The 150 was really an estimate. And these plans are still being refined,” Behlendorf said. But by stating specific steps and their costs, he feels confident that interested parties will follow through when it comes time to make good on those pledges.
Listen to the podcast to get more details about the Open Source Security Mobilization Plan.

Open Source Security Podcast
Episode 329 - Signing (What is it good for)

Open Source Security Podcast

Play Episode Listen Later Jun 27, 2022 30:54


Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about!
Show Notes
Twitter thread
Kurt's security advisory page
Bug 998

Les Cast Codeurs Podcast
LCC 280 - Geography lesson

Les Cast Codeurs Podcast

Play Episode Listen Later Jun 13, 2022 81:24


For once, this episode talks a lot about news in the languages section, and a lot about Java, woohoo! We also talk about sigstore, http/3, Micronaut and VMWare.
Recorded on June 10, 2022
Episode download: LesCastCodeurs-Episode–280.mp3
News
Languages
Seven reasons why Java still makes sense after 26 years
community (in every major city)
strength of the language and the platform
more problems solved than unsolved (libraries)
stability
innovation (Java 9 speeds up innovation)
tooling
job opportunities
The beginnings of Project Leyden
Mark Reinhold launches Project Leyden to address Java's slow startup time, its slow time to peak performance, and its somewhat heavy footprint, using a static image of your application
a static image runs one single application on its JDK and is a "closed world" (it cannot load external classes)
but the JVM engineers are going to work on a fairly flexible approach, and see which constraints can be relaxed compared to the completely closed world of a static image
hoping for improvements at different levels, for as many apps and use cases as possible
The closed world is what brings the value of GraalVM native image and the advantages for Micronaut, Quarkus and the others
so no closed world: it is still a research project for the JVM team
JFR easier to configure in Java 17
a UI or CLI wizard to generate the .jfc file
Structured concurrency proposal via Project Loom
Targeted status for JDK 19. This incubating JEP, under the auspices of Project Loom, proposes to simplify multithreaded programming by introducing a library to treat multiple tasks running in different threads as a single unit of work. This can streamline error handling and cancellation, improve reliability, and enhance observability
RedMonk analyzes the appearance of the Dart language, thanks to Flutter, in their top 20 most popular programming languages
JavaScript, Python, Java still at the top
But Rust and Dart have entered recently
Dart's arrival coincides above all with the emergence of Flutter as a GUI framework, for Android/iOS as well as for desktop and web
On mobile apps there has always been a lot of native development, but React Native arrived, and then Flutter too
Google apps such as Google Pay and Google Ads are developed in Flutter, but so are the recent SNCF Connect and apps from companies such as BMW or Alibaba (edited) (see the talk on the SNCF Connect developers' experience report at Devoxx France)
the initial investments in Dart vs Kotlin or Ceylon, which started at the same time, were colossal
Dart natively for building iOS apps... which also run on Android
Kotlin 1.7 is out
Kotlin K2 compiler for the JVM in Alpha (plugins do not work)
performance improvements for Kotlin and the compiler for the JVM
incremental Gradle builds
OptIn annotation and Builder inference stabilized
classes implemented by automatic delegation without memory consumption (via inlining)
Libraries
Micronaut 3.5 released
Upgrade to GraalVM 22.1.0
Incremental compilation during builds, particularly interesting for GraalVM metadata, which avoids running annotation processors needlessly
Includes Micronaut Data 3.4, with support for Postgres enums for JDBC, and pagination for Reactive Repositories
Integration with Turbo for the view (Turbo Frame and Turbo Views)
New module for MicroStream (a native Java object graph engine, integrated into Helidon)
Updates to many plugins and extensions (including build plugins)
Infrastructure
Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
Kubernetes 1.24 (released in May) is the first version officially using Sigstore, enabling transparent signature verification to protect against supply chain attacks
Sigstore is a new standard for signing, verifying and protecting software. It aims to be a replacement for GPG, for example.
Sigstore offers a variety of benefits to the Kubernetes community, such as:
Sigstore's keyless signing gives a great developer experience and removes the need for painful key management.
Sigstore's public transparency log (Rekor) and its APIs allow Kubernetes consumers to verify signatures.
…
Web
RFC 9114 - HTTP/3 is approved (+ RFC 9204 - QPACK: Field Compression for HTTP/3 and RFC 9218 - Extensible Prioritization Scheme for HTTP)
Based on the QUIC transport protocol, which has several interesting features such as stream multiplexing, per-stream flow control and low-latency connection establishment.
QPACK: a compression format to represent HTTP fields efficiently for use in HTTP/3. It is a variation of HPACK compression that aims to reduce header size.
Extensible Prioritization Scheme for HTTP: a scheme that allows an HTTP client to communicate its preferences as to how the upstream server prioritizes responses to its requests, and also allows a server to indicate to a downstream intermediary how its responses should be prioritized when forwarded.
Tooling
VSCode Java 1.5 is out
Java 18 support, inlay hints for method parameters, and improvements to class declaration navigation are just a few of the enhancements to expect.
Architecture
The Netflix architecture
Nothing earth-shattering in the details, but it has been a while since we had an architecture item
analyze the system design in terms of availability, latency, scalability and resilience to network failure
based on AWS
clients, via an SDK, are smart and control the backend used and the bandwidth in real time
Open Connect CDN: where the videos are stored
the rest is the good old microservices backend
brings back the ten best access points and the client chooses, or even switches
API Gateway via Zuul: dynamic routing, traffic monitoring and security, resilience to failures at the edge of the cloud deployment etc
Law, society and organization
VMWare bought by Broadcom
61 billion dollars
With a goal of going from 3.5 to 8.5 billion in EBITA per year
Moving into the cloud division with Symantec
VMWare was happy with the freedom it regained after the spin-off from Dell
Apparently no tech alignment; a portfolio expansion into software for Broadcom
VMWare has changed hands a lot in recent years
Broadcom's investment strategy: buy franchises with a good market position and potential for increased profitability without large investments
The rumor: a VMWare alumnus who thinks this is the death of VMWare
Tools of the episode
GitHub Copilot, when the code writes itself… (well, actually no, developers still have good days ahead of them)
See also: Github Co-Pilot: Addictive or Effective? (Johan Jublanc and Simon Provost) at Devoxx France 2022
Beginner section
Conferences
Source: Developers Conferences Agenda/List by Aurélie Vache and contributors
June
14: France API - Paris (France)
15–18: VIVA Technology - Paris (France)
17: Cloud Ouest 2022 - Nantes (FR) + Online
21–22: Voxxed Days Luxembourg - Luxembourg
23: ServerlessDays Paris - Paris (France)
24: SoCraTes Rennes - Rennes (France)
27–1: Hack in Paris - Paris (France)
28: Dev nation Day France - Paris (France)
29–1: BreizhCamp - Rennes (France)
30–1: Sunny Tech - Montpellier (France)
30–1: Agi'Lille 2022 - Lille (France)
September
9: JUG SummerCamp - La Rochelle (France)
29: Cloud Nord - Lille (France)
October
4–6: Devoxx Morocco - Agadir (Morocco)
6–7: Paris Web - Paris (France)
10–14: Devoxx Belgium - Antwerp (Belgium)
13–14: Volcamp 2022 - Clermont Ferrand (France)
20–21: DevFest Nantes - Nantes (France)
27–28: Agile Tour Bordeaux - Bordeaux (France)
November
8–9: Open Source Experience - Paris (France)
15–16: ParisTestConf - Online
15–16: Agile Tour Toulouse - Toulouse (France)
17: Codeurs en Seine - Rouen (France)
18: Devfest Strasbourg - Strasbourg (France)
19–20: Capitole du Libre - Toulouse (France)
December
1: Devops DDay #7 - Marseille (France)
2: BDX I/O - Bordeaux (France)
14–16: API Days Paris - Paris (France) & Online
Name of the conf from x to y month in City - CfP until y month
TODO: carry over those from the previous episode
Contact us
Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
Do a crowdcast or a crowdquestion
Contact us via twitter https://twitter.com/lescastcodeurs on the Google group https://groups.google.com/group/lescastcodeurs or on the website https://lescastcodeurs.com/

Changelog Master Feed
Knative, Sigstore & swag (KubeCon EU 2022) (Ship It! #54)

Changelog Master Feed

Play Episode Listen Later May 25, 2022 48:31 Transcription Available


This is the post-KubeCon CloudNativeCon EU 2022 week. Gerhard is talking to Matt Moore, founder & CTO of Chainguard, about all things Knative and Sigstore. The most important topic is swag, because no one has better stickers than Chainguard. The other topic is the equivalent of Let's Encrypt for securing software.

Ship It! DevOps, Infra, Cloud Native
Knative, Sigstore & swag (KubeCon EU 2022)

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later May 25, 2022 48:31 Transcription Available


This is the post-KubeCon CloudNativeCon EU 2022 week. Gerhard is talking to Matt Moore, founder & CTO of Chainguard, about all things Knative and Sigstore. The most important topic is swag, because no one has better stickers than Chainguard. The other topic is the equivalent of Let's Encrypt for securing software.

Resilient Cyber
S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS

Resilient Cyber

Play Episode Listen Later May 23, 2022 23:49


Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?
Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?
Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain that there are threat modeling techniques that can be used to understand and account for that growing attack surface?
Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful?
Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?
Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?

Screaming in the Cloud
From A to Z in Alphabet's Soup with Seth Vargo

Screaming in the Cloud

Play Episode Listen Later Mar 10, 2022 42:08


About Seth
Seth Vargo is an engineer at Google. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. When he is not writing, working on open source, teaching, or speaking at conferences, Seth advises non-profits.
Links:
Twitter: https://twitter.com/sethvargo
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: The company 0x4447 builds products to increase standardization and security in AWS organizations. They do this with automated pipelines that use well-structured projects to create secure, easy-to-maintain and fail-tolerant solutions, one of which is their VPN product built on top of the popular OpenVPN project which has no license restrictions; you are only limited by the network card in the instance.
Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured and fully managed with built in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: make your data sing.
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I have a return guest today, though it barely feels like it qualifies because Seth Vargo was guest number three on this podcast. I've had a couple of folks on since then, and for better or worse, I'm no longer quite as scared of the microphone as I was back in those early days. Seth, thank you for joining me.
Seth: Yeah, thank you so much for having me back, Corey. Really excited to figure out whatever we're talking about today.
Corey: Well, let's start there because last time we spoke, you were if memory serves a developer advocate at Google Cloud.
Seth: Correct.
Corey: And you've changed jobs, but not companies—but kind of companies because, welcome to large environments—but over the past few years, you have remained at Google. You are no longer at Google Cloud and you're no longer a developer advocate. In fact, your title is simply ‘Engineer at Google.' And what you've been focusing on, to my understanding, is helping Alphabet companies, namely—you know, the Alphabet, always in parentheses in journalistic styles, Google's parent company because no one thinks of it in terms of Alphabet—is—you're effectively helping companies within the conglomerate umbrella securely and privately consume public cloud.
Seth: Yes, that is correct. So, I used to work in what we call the Cloud PA—PA stands for product area. Other product areas are like Chrome and Android—and I moved to the Core PA where I'm helping lead and run an initiative that, like you said, is to help Alphabet companies to, you know, securely and privately use public cloud services.
Corey: So, I am going to go out on a limb because my position on multi-cloud has always been pick a cloud—I don't particularly care which one—but pick one and focus on that. I'm going to go out on a limb and presume that given that you are not at Google Cloud anymore, but you are at Google, you probably have a slight preference as far as which public cloud these various companies within the umbrella should be consuming.
Seth: Yeah. I mean, obviously, I think most viewers will think the answer is GCP. And if you said GCP, you would be, like, 95% correct.
Corey: Well, you'd also be slightly less than that correct, because they're doing a whole rebrand and calling it Google Cloud in public, as opposed to GCP. You really don't work for the same org anymore. You're not up-to-date on the very latest messaging talking points.
Seth: I missed—ugh, there's so many TLAs that you lose all your TLAs over time.
Corey: Oh, yes.
Seth: So, Google Cloud would be, like, 95% correct. But what you have to really understand is, Google has its own, you know, cloud—we didn't call it a cloud at the time, you might call it on-prem or legacy infrastructure, if you will—primarily built on a scheduling system called Borg, which is like Kubernetes version zero. And a lot of the Alphabet companies have workloads that run onboard. So, we're actually talking about hybrid cloud here, which, you know, you may not think of Google as like a hybrid cloud customer, but a workload that runs on our production infrastructure called Borg that needs to interact with a workload that runs on Google Cloud, that is hybrid cloud, it's no different than a customer who has their own data center that needs peering to a public cloud provider, you know, whether that's Google Cloud, or AWS, or Azure.
I think the other thing is if you look at, like, the regulatory space, particularly a lot of the Alphabet companies operate in, say, like healthcare, or finance, or FinTech, where certain countries and certain jurisdictions have regulations around, like, you must be multi-cloud. You know, some people might say that means you have to run, you know, the same instance of the same app across clouds, or some people say your data can be here, but your workloads can be over there. That's to be interpreted, but you know, I would say 95% of GCP, but there is a—or sorry, 95% is Google Cloud—
Corey: There we go.
Seth: But there is a small percentage that is definitely going to be other cloud providers and hybrid cloud as well.
Corey: My position on multi-cloud has often—people like to throw it in my face of, “See you gave this general guidance, and therefore whenever you say something that goes against it, you're a giant phony.” And it's yeah, Twitter doesn't do so well with the nuance. My position of pick a provider and go all-in is intended as general guidance for the common case. There are exceptions to this and any individual company or customer is going to have more context than that general guidance will. So, if you say you need to be in multiple clouds for certain reasons, you're probably correct.
If you say you need to be in multiple clouds because your regulator demands it, you are certainly correct. I am not arguing against that in any way. I do want to disclaim one of my biases here as well, and that is specifically that if I were building a startup today and I were not me—by which I mean having spent ten years in the AWS ecosystem learning, not just how it works, but how it breaks because that's important in production, and you know, also having a bunch of service owners at AWS on speed dial—and I were approaching this from the naive, I need to pick a cloud, which one would I go with, my bias is for Google Cloud. And the reason behind that is the developer experience is spectacular as the primary but not only perspective on that. So, I am curious to know that as you're helping what are effectively internal customers move to Google Cloud, is their interaction with Google Cloud as a platform the same as it would be if I as a random outside customer, were using Google Cloud? Is there a bunch of internal backchannels? “Oh, you get the good kind of internal Google Cloud that most of us don't get access to?” Or something else?
Seth: Yeah, so that's a great question. So first, you know, thank you for the kind words on the developer experience—
Corey: They were honest words, to be clear. Let me be very direct with you, if I thought your developer experience was trash, I might not say it outright in their effort not to be, you know, actively antagonistic to someone I'm having on the show right now, but I would not say it if I didn't believe it.
Seth: Yeah. And I totally—I know you, I've known you for many years. I totally believe you. But I do thank you for saying that because that was the team that I was on before this was largely responsible for that across the platform. But back to your original question around, like, what does the support experience look like? So, it's a little bit of both.
So, Alphabet companies, they get a technical account manager, very similar to how, you know, a reasonable-sized spend customer would get a technical account manager. That account manager has access to the Cloud support channels. So, all that looks the same. I think where things look a little bit different is because myself and some of our other leads came from Cloud, you know, I generally don't like this phrase, but we know people. So, we tend not to go directly to Cloud when we can, right?
We want Alphabet companies to really behave and act as if they were an external entity, but we're able to help the technical account manager navigate the support process a little bit better by saying like, “You need to ask for this person,” right? You need to say these words to get in front of the right person to get this ticket assigned to the right person. So, the process is still the same, but we're able to leverage our pre-existing knowledge with Cloud. The same way, if you had a [unintelligible 00:07:45] or an ex-Googler who worked for your company, would be able to kind of help move that support process along a little bit faster.
Corey: I am quite sincere when I say that this is a problem that goes far beyond simply Google. A disturbing portion of my job as a cloud economist helping my clients consists of nothing other than introducing Amazonians to one another. And these are hard problems at scale. I work at a company with a dozen people in it. And it turns out that yeah, it's pretty easy to navigate who's responsible for what. When you have a hyperscale-size company in the trillion-dollar range, a lot of that breaks down super quickly.
Seth: And there's just a lot of churn at all levels of the organization. And, you know, we talked about this when I first joined the show, like, I switched roles, I used to be in Cloud, and now I'm in what we call Core. I still get people who are reaching out to me, at Google and externally, who are saying, “Oh, can you answer this question? Hey, how do I do this?” And I, you know, I've gradually over the past couple of months, you know, convinced people that I don't work on that anymore, and I try to be helpful where I can, but the—
Corey: You use the old name and everything. They're eventually going to learn, right?
Seth: I know. They'll be like, “What do you call this? GCP? Okay, great. We don't need you anymore.” But it's true, right? Like, there's people leave the organization, people join the organization, there's reorgs, there's strategic changes, people, you know, switch roles within the org, and all of that leads to complexity with, you know, navigating, what is the size of a small nation, in some cases.
Corey: Your line in your biography says that you enable Alphabet companies to securely and privately consume public cloud. Now, that would make perfect sense and I would really have no further questions based on what we've already said, except for the words securely and privately, and I want to dive into that, first. Let's work backwards with the second one first. What does ‘privately' mean in this context?
Seth: So, privately means, like, privacy-preserving for both the Alphabet company and the users or customers that they have. So, when we look at that from the perspective of the Alphabet company, that means protecting their data from the eyes of the cloud provider. So, that's things like customer-managed encryption keys, you know, bring-your-own-encryption, that's making sure that you have things like, actually, transparency so that if at any point the cloud provider is accessing your data, even for a legitimate purpose, like submitting a support ticket or something—or diagnosing a support ticket, that you have visibility into that. Then the privacy-preserving side on the Alphabet company's customers is about providing that same level of visibility to their customers as well as making sure that any data that they're storing is, you know, private, it's not accessible to certain parties, it's following whether it's like, you know, actual legislation around how long data can be persisted, things like GDPR, or if it's just a general, like, data retention, insider risk management, all of that comes into this idea of, like, building a private system or privacy-preserving system.
Corey: Let's be very clear that my position on it is that Google's relationship with privacy has been somewhat challenged, in due to no small part to the sheer scale of how large Google has grown. And let's be clear, I believe firmly that at certain points of scale, yeah, you deserve elevated levels of scrutiny. That is how we want society to function, by and large. And there are times where it feels a little odd on the cloud side.
For example, as of the time this is recording, somewhat recently, there was a bug in some of the copyright detection stuff where Google Drive would start flagging files as having copyright challenges if they contained just the character ‘1' in them.

Which, okay, clearly a bug, but it was a bit of a reminder for some folks that wait, that's right, Google does tend to scan these things. Well, when you have a bunch of end-user customers in the ways that Google does, that stuff is baked in and it shapes how you wind up seeing things. From Amazon's perspective, historically, they basically sold books and then later underpants. And doing e-commerce transactions was basically the extent of their data work with customers. They weren't really running large-scale file sharing systems and abilities—and collaboration suites, at least not that really had any of those pesky things called customers.

So, that is not built into their approach and their needs in the same way. To be clear, I am sympathetic to the problems, but it's also… it's a challenging problem, especially as you continue to evolve and move things into cloud, you absolutely must be able to trust your cloud provider, or you should not be working on that cloud provider, has been my approach.

Seth: Yeah, I mean, there's certainly things that you can do to mitigate. But in general, like, there is some level of trust, forget the data, on the availability side, right? Like when the cloud provider says, “This is our SLA.” And you agree to that SLA, like, yeah, you get money back if they mess it up, but ultimately, you're trusting them to adhere to that SLA, right? And you get recompense if they fail to do so, but that's still, like, trust—trust is far more than just on the privacy side, right? It's on… the promise on the roadmap, it's on privacy, it's on the SLA, right?

Corey: Yeah. And you see that concern expressed more articulately from enterprise customers, when there's a matter of trusting companies to do what they say, such as the continued investment that Alphabet slash Google is making in Google Cloud. It's easy to take the approach of, well, you've turned off a bunch of consumer services, so therefore, you're going to turn off the cloud at some point, too. No, let me be very clear, for the record, I do not believe that you are going to one day flip a switch and turn off Google Cloud. And neither do your customers.

Instead, the approach, the way that enterprises express this, it's not about you flipping the switch and turning it off—that's what contracts are for—their question, and they enshrine this in contracts, in some cases, is in the event, not that you turn it off, but that you fail to appropriately continue to invest in the platform. Because at enterprise scale, this is how things tend to die. It is not through flipping a switch, in most cases, it's through, “We're just going to basically mothball it, keep it more or less exactly as it is until it slowly fades into irrelevance for a long period of time.” And when you're providing the infrastructure to run things for serious institutions, that part isn't okay. And credit where due, I have seen every indication that Google means it when they say this is an area of strategic and continued ongoing focus for us as a company.

Seth: Yeah, I mean, Google is heavily investing in cloud. I mean, this is a brand new group that I'm working in and we're trying to get Alphabet companies onto cloud, so obviously there's some very high-level top-down executive support for this. I will say that the—a hundred percent agree with everything you're saying—the traditional enterprise approach of build this Java app—because let's be honest, it's always Java—build this Java app, compile it into a JAR and run it forever is becoming problematic. We saw this recently with, like, the log4j—

Corey: Yeah, to be in a container. What the hell?

Seth: [laugh].

Corey: I'm kidding. I'm kidding. Please don't send me email, whatever you do.

Seth: What's a container? I'm just kidding. Like, the idea of, like, software rotting is very real and it's becoming more and more of a risk to security, to privacy, to public cloud providers, to enterprises, where when you see something like log4j happen and you can't answer the question, like, do we have any code that uses that? Like, if getting the answer to that question takes you six weeks, [sigh] boy, like, a lot of stuff can happen in six weeks while that particular thing is exploited. And you know, kind of gets into software supply chain a little bit, but I do agree that, like, secure, private, and stable APIs are super important, and it's an area where Google is investing. At the same time, I think the industry is moving, the enterprise industry is moving away a little bit from set-it-and-forget-it as a strategy.

Corey: I want to talk about the security portion as well as far as securely consuming public cloud goes. And let me start off with a disclaimer here because I don't want people to misconstrue what I'm about to say. If you are migrating to one of the big three cloud providers, their security will be better than anything you will be able to achieve as a company yourself. Not you personally because Google is a bit of an asterisk to that statement, given what you have been doing and have been doing since the '90s in your on-prem world with Borg and the rest, but my philosophy on the relative positioning of the security of cloud providers relative to one another has changed. I spent four months beating the crap out of Azure for having an issue where there was control plane access and then really saying nothing about it.

And after I wound up finding—the day after I put out a blog post on that topic because I was tired of the lack of response, it came out that right at the same time AWS had a very similar problem and had not said anything themselves. And they went back and forth, apparently waiting to wind up doing a release until this happened, Orca Security wound up putting one out there, and it was frustrating on a couple of levels. First, the people at both of these companies who work in security are stars. There is no argument, no bones about that. Problems are going to happen, things are going to occur as a result, and the only saving grace then is the transparency and communication around it, and there was none of it from them.

I'm also more than a little bit irked that my friends at AWS were aware of this, basically watched me drag Azure for four months knowing that they'd done the same thing and never bothered to say a word. But okay, that's a choice. I've been saying for a while that of the big three, Google's security posture is the most impressive. And it used to be a slight difference. Like, you nosed ahead of AWS in that respect, not by a huge margin, but by a bit.

I don't think it's nearly as close these days, in my mind, and talking to other large companies about these things, and people who are paid to worry about these things all day long, I am very far from alone in that perspective. So, I guess my question for you is, as you look at moving the workload securely to Google Cloud, it feels like security is baked into everything that all aspects of your company have done. Why is that a specific area of focus? Or is that how it gets baked into everything you folks do?

Seth: So, you kind of like set up the answer for this perfectly.
I swear we didn't talk about this extensively beforehand.

Corey: You didn't know any of that was coming, by the way, just to be very clear here. I don't sit here and feed, “All right, I'm going to say this. And here's the right res—” No, this is an impromptu, more or less ad hoc show every time I do it.

Seth: Yeah. And I'm going to preface this by saying, like, I don't want this to sound, like, egotistical, but I have never found a company that has as rigorous security and privacy policies, reviews, and procedures as Google.

Corey: I thought I had and I was wrong.

Seth: Yeah. And—

Corey: And I have a lot of apologizing to people to do as a result of that.

Seth: And honestly, every time I interact with our internal security engineering teams, or our IP protection teams, I'm that Nathan Fillion meme, where he's like, what—you know, like, “Okay, I get it. I get it.” Right?

Corey: And then facepalm it, uh, I should say some—I can't—yeah. Oh, yeah.

Seth: The reason that it's hard for Alphabet companies to securely and privately move to cloud, specifically for security, is because Alphabet's stance is so much more rigorous than anyone else in the industry, to the point where, in some cases, even our own cloud provider doesn't meet the bar for what we require for an internal workload. And that's really what it comes down to is, like, the reason that Google is the most secure cloud is because our bar is so high that sometimes we can't even meet it.

Corey: I have to assume that the correct answer on this is that you then wind up talking to those product teams and figure out how to get them to a point where they can support that bar because the alternative is effectively, it's like, “Oh, yeah, this is Google Cloud and it's absolutely right for multinational banks to use, but you know, not Google workloads. That stuff's important.” And I don't think that is necessarily how you folks tend to view these things.

Seth: So, it's a bidirectional stream, right? So, a lot of it is working with a product management team to figure out where we can add these additional security properties into the system—I should say, tri-directional. The second area is where the policy is so specific to Google that Google should actually build its own layer on top of it that adds the security because it's not generally applicable to even big, huge cloud customers. And then the third area is Google's a very big company. Sometimes we didn't write stuff down, and sometimes we have policies where no one can really articulate where that policy came from.

And something that's new with this approach that we're taking now is, like, we're actually trying to figure out where that policy came from, and get at the impetus of what it was trying to protect against and make sure that it's still applicable. And I don't know if you've ever worked with governments or, you know, large companies, right, they have this spreadsheet of hundreds of thousands of lines—

Corey: You are basically describing my client list. Please continue.

Seth: I mean, like, sometimes they have to use an Access database because they exhaust the number of rows in an Excel spreadsheet. And it's just checklist upon checklist upon checklist. And that's not how Google does security, right? Security is a very all-encompassing, kind of, 360 type of thing. But we do have policies that are difficult to articulate what they're actually protecting against, and we are constantly re-evaluating those, and saying, like, “This made sense on Borg. Does it actually make sense on Cloud?” And in some cases, it may not. We get the same protections using, say, a GCP-native service, and we can omit that requirement for this particular workload.

Corey: This episode is sponsored by our friends at Oracle Cloud. Counting the pennies, but still dreaming of deploying apps instead of “Hello, World” demos? Allow me to introduce you to Oracle's Always Free tier. It provides over 20 free services and infrastructure, networking, databases, observability, management, and security. And—let me be clear here—it's actually free. There's no surprise billing until you intentionally and proactively upgrade your account. This means you can provision a virtual machine instance or spin up an autonomous database that manages itself, all while gaining the networking, load balancing, and storage resources that somehow never quite make it into most free tiers needed to support the application that you want to build. With Always Free, you can do things like run small-scale applications or do proof-of-concept testing without spending a dime. You know that I always like to put asterisks next to the word free? This is actually free, no asterisk. Start now. Visit snark.cloud/oci-free, that's snark.cloud/oci-free.

Corey: I think that when it comes to things like policies that are intelligently crafted around security, you folks—and to be fair, the AWS security engineers as well—have been doing it right in that, okay, we're going to build a security control to make sure that a thing can't happen. That's not enough. Then there's the defense-in-depth. Okay, let's say that control fails for some variety of ways. Here are the other things we're going to do to prevent cross-account access, for example.

And that in turn, winds up continuing to feed on itself and build into a culture of assuming that you can always continue to invest in security. How far is enough? Well, for most folks, they haven't gone far enough yet.

Seth: Another way to put this is, like, how well do you want to sleep at night? You know, there's folks on the Google security engineering team who are so smart, and they work on, like, our offensive security team, so their full-time job is to try to hack Google and then figure out how to prevent that. And, you know, so I've read some of the reports and some of the ways they think and I'm like, “How do you… how do you pick up a mobile phone and go to, like, any website confidently knowing what you know?” Right? [laugh] and like, how do you—

Corey: Who said anything about confidently? Yeah.

Seth: Yeah. Yeah. How do you use self-checkout at a supermarket and, like, not just, like, wear your entire full-body tinfoil hat suit? But you know, I think the bigger risk is not knowing what the risks are. And this is a lot what we're seeing in software supply chain, too, is a lot of security is around threat modeling and not checklists. But we tend to, like, gravitate toward checklists because they're concrete.

But you really have to ask yourself, like, do I need the same security properties on my static blog website that is stored on an S3 bucket or a GCS bucket that's public to the internet, that I do on my credit card processing service? And a lot of times we don't treat those differently, we don't apply a different threat model to them, and then everything has to have the same level of security.

Corey: And then everything is in-scope for whatever it is you're trying to defend against. And that is a short path to madness.

Seth: Yes. Yes. Your static HTML files and your GCS bucket are in scope for SOC 1 and 2 because you didn't have a way to say they weren't.

Corey: Yeah. You've also done some—again, the nice thing about being at a company for a while—from what I can tell, given that I've never done that until I started this place—is you move around and work on different projects.
You were involved as well, personally, in the exposure notifications project, the joint collaboration thing between a number of companies in the somewhat early days of the pandemic that all of our phones talk to one another and anonymously and in a privacy-preserving way, let us know that hey, by the way, someone you were in close contact with has tested positive for Covid-19 in the previous fixed period of time. What did you do over there?

Seth: Yeah, so the exposure notifications project was a joint effort, primarily between Apple and Google, to use Android and iOS devices to help stop the spread of Covid or reduce the spread of Covid as much as possible. The idea being because the incubation period is roughly 14 days, at least pre-Omicron, if we could tell you, hey, you might have been exposed and get you to stay at home for three or four days, self-isolate, we could dramatically reduce the spread of Covid. And we know from some of the studies that have come out of, like, the UK and European region that, like, the technology actually reduced the spread of cases by, like, fourteen-hundred percent in some cases. I was one of the tech leads for the server-side. So, the way the system works is it uses the low-energy Bluetooth on iOS and Android devices to basically broadcast random IDs.

So, I know this is Screaming into the Cloud, but if we can just quickly Screaming into the Void as a rebrand—

Corey: Oh, yeah.

Seth: —that's basically what's happening. [laugh]. You're generating these random identifiers, and just, like, yelling them, and there's other phones out there who are listening. And they collect these we'll call RPIs—or Rolling Indicators. They have no data in them.

They're like literally, like, a UUID or 32 bytes of random data, they aren't at all, like, associated with your device or your person. So, then what happens is, like, let's say you're in a supermarket, you're near someone for, you know, every so often, and your phones exchange these IDs. If you then test positive, those IDs go up to a centralized server, the server again, also has no idea who you are, so the whole thing is privacy-preserving, end-to-end, then the server basically bundles all of what we call the TEKs, or the Temporary Exposure Keys—into a tarball that go up onto a CDN, and then every night, all of the devices that are participating in EN download this into a local key match. So, at no point does the server ever know that you were in a supermarket with someone else, only your phone knows that you came in contact with this TEK in the past 14 days—or 21 days in some jurisdictions—and it'll generate an exposure notification or an exposure alert, which says, like, “Hey, in the past 14 days, you've come in contact with someone who's confirmed positive for Covid.” And then there's guidance that kind of varies by state and by health jurisdiction of, like, self-isolate, or go get tested, or whatever. But the idea—

Corey: Or go to the bar in some places, apparently.

Seth: Oh. Yeah. The server itself is actually—there's a verification component because ideally, like, we don't want people to just be like, oh, I'm Covid positive, and then, like, all their friends get an alert, right? There needs to be some kind of verification mechanism where you either have a positive test, or you have a clinician or a physician who issues you a code that you can put into your app so you can then release your keys. And then there's the actual key server component, which I kind of already described.

So, it's a pretty complex system and actually is entirely serverless. So, the whole thing, including all, like, background job processing, it was designed to be serverless from the beginning. Total greenfield project, right, like, nothing like this exists, so we're really fortunate there. We made some fun and interesting design decisions to keep costs down while, you know, abusing slash using some of the features of serverless like auto-scaling and, you know, being able to fan out across multiple regions and things like that—

Corey: And using DNS as a database. My personal favorite approach to things?

Seth: We don't use DNS as a database. We do use Postgres—

Corey: A missed opportunity.

Seth: —a real database. But we do use DNS, just not for storing information.

Corey: So, one question I have for you is that you've been at Google for a while and you've done an awful lot of things there, but previously, you've also done things that don't really directly align with any of this stuff going on there. You were at HashiCorp and you were at Chef, neither of whom, to my understanding, are technologies that Google makes extensive use of internally for their own stuff. It seems like—and even when you're at Google, you have been continually reinventing what it is that you do. I find that admirable because very often, when you see people at a company for a protracted period of time, they sort of get more or less pigeonholed into the role that looks fairly similar from year-to-year. You've been incredibly dynamic. Was it intentional and how do you do it?

Seth: So, I have a diagnosed medical condition called Career-DHD. I'm just kidding, but I do. I get bored, and it's actually something that I'm really forward with my managers about. I've always been very straight with my managers and the people I work with that, like, 8 to 12 months from now, I will be doing something different. It will be different.

Corey: I wish I'd figured that out earlier on. In my case, the way that I wound up solving for that is I've got to come in, I'm going to solve an interesting problem. When I'm done with that, the consulting engagement is over and then I'm going to go away and everyone knows the score going in. Works out way better than, and then I'm going to go cause problems on purpose in other people's parts of the org because I see problems there. That was where I always went off the rails.

Seth: [laugh]. Yeah, I mean, I don't take a dissimilar approach. You know, I try to find high-priority, strategic things that also align with my interest. And it's important to me that there's things that I can provide and things that I can learn. I never like to be the smartest person in the room because you shouldn't be in that room anymore; there's no one for you to learn from. And it's great to share knowledge, but—

Corey: I'm not convinced I'm the smartest person in the room right now, despite the fact that right now I'm the only person in the room that I'm sitting in.

Seth: I mean, that Minecraft store is pretty intelligent.

Corey: I saw a Chihuahua wandering around here, too, a—

Seth: [laugh].

Corey: —minute ago, so there is that.

Seth: But, you know, I think from, like, a career advice standpoint, I tell everyone, you should interview somewhere else at least once a year. You never know what's out there, and worst-case scenario, you kept your interview skills up to date.

Corey: Keeping those skills in tune is so critically important just because it's a unique skill set that, for many folks, does not have a whole lot of applicability in their day-to-day job. So, if you suddenly have to find a new job, great, you're rusty at this, it's been years, and you're trying to remember, like, okay, when someone asks you what you're looking for in your next job, they're not trying to pick a fight. Don't respond as if they were. Like, the basic stuff. It's a skill, like anything else.

Seth: Yeah.
And, like, the common questions like, you know, “What do you want to do with your life?” Or like, “What accomplishment are you most proud of?” Like, having those not prepared, but like knowing in general what you want to say for those is very important when you're thinking about interviewing for other jobs. But even in a big company, like, the transfer process is pretty similar to, like, applying externally to other roles; like sometimes there's interviews—

Corey: Do they make you code on whiteboards to solve algorithm problems?

Seth: Not me. But—

Corey: Good.

Seth: —in general—

Corey: Google has evolved its interview process since the last time I went through that particular brand of corporate hazing. Good, good, good.

Seth: Yeah. The interview process has definitely been refactored a lot, especially with Covid and remote, but also just trying to be accessible to folks. I know one of the big changes Google has made is we no longer require, like, eight congruent hours of your time. You can split interviews out over multiple days, which has been really accommodating for folks that have, you know, already have a full-time job or have family obligations at home that don't let them just, like, take eight hours away and devote a hundred percent of their time to interviews. So, I think that is, you know, not a whole lot of positive things that come out of Covid, but the flexibility with, like, interviewing has enabled more people to participate in the interview process that otherwise would not have been able to do so.

Corey: And there's something to be said for making this more accessible to folks who come from backgrounds that don't all look identical. It's incredibly important.

Seth: Yep.

Corey: One thing that I definitely want to make sure we get to before the end of this is something you've been talking about that's a bit orthogonal, but maybe not entirely so, which is software supply chain security. That has been a common thread of discussion in some circles for a while. What is it, for those who are unfamiliar, like me sometimes, and what does it imply?

Seth: Yeah, so I mean, in the past year—but if you look back, you'll find more cases of it—we live in a world where no company—Google, Amazon, the US government—writes every line of code that they run. And even if you do, right, even if you could find a company that doesn't rely on any external dependencies, what language are they using? Did they write that language? Okay, let's say hypothetically, you write every single line of code and you wrote your own language, and only your employees contribute to that language.

What operating system are you running on? Because I guarantee you, Linus probably contributed to it, or Gates contributed to it, and they don't work for you. But let's say you wrote your own operating system, right—so we're getting into, like, crazy Google things now, right? Like, only Google would write their own programming language and their own operating system, right? Who manufactured your CPU, right? Like, did you actually—

Corey: There's always dependencies all the way down. We see this sometimes with companies talking about, oh, yeah, we're going to go to multiple clouds or a different cloud so that we don't get impacted if there's another AWS outage in us-east-1. Cool, great. Power to you, but are you sure your payment provider's not going to go down? Are they taking a dependency on us-east-1?

Great, let's say that they're not. Are you sure that their vendors who are in the critical path are also not taking critical and core dependencies on that? And are you sure that they're aware of who all of those critical dependencies and those vendors are, and so on and so forth? It is a vast interconnected web. This is a problem. Dependency sprawl is real and I don't think that there's a good way to get to the bottom of it, particularly across company boundaries like that.

Seth: Yeah. And this is where if you look at the non-software supply chain, like, if you look at construction, right? If you're working with a reputable construction agency, they're actually able to tell you, given a granite countertop or, you know, a quartz countertop, from what beach and what lot on what date the grains of sand in that countertop came from. That is a reality of that industry that is natural. You think about, like, automotive, like, VIN, the Vehicle Identification Numbers, like, they tell you exactly what manufacturer, and then there's records that show you exactly what human being on the line put that particular part in that machine.

And we don't have that in software today. Like, we have some, you know, bastardized versions of, like, Software Bills of Material, or SBOM, but the simple fact of the matter is, like, because software has grown organically and because this wasn't ingrained in software from the beginning like it was from, you know, traditional manufacturing, you're going to have an insecure software supply chain for most of my life. Now, what does that actually mean, right—insecure has this negative connotation—it means that you need to make sure that you're aware of everything that you're depending on—which is kind of what you were saying is, like, both the technical dependencies and the process or the people dependencies—and you need to have a rigorous process for how you're going to respond to these incidents. And I think log4j was a really good eye-opening moment for folks when they realized that they didn't have a way to make a large-scale dependency update across their entire fleet of applications.

Corey: Because who has to do that on a consistent basis? It happens rarely, but when it happens, it's super important.

Seth: But I do think that more and more, we're going to see it happen more and more frequently. And ideally, you know, my opinion is that we're going to get to a point where this is inescapable, but ideally, we get to the point where it's like, “Oh, okay, this dependency is vulnerable. I have a playbook. I follow the playbook. Everything is patched in 30 minutes or less, and I can move on with my life.” And it's not a six-week fire drill with people working late and, you know, going super crazy, trying to mitigate these issues.

You know, there's a lot of work happening in this space. We have, like, SLSA, which is an open standard—SLSA—for how you declare, kind of like, your software bill of materials and things like binary authorization and attestations. There's, like, Sigstore, there's Chainguard, there's some companies evolving in this space. Every time I talk to GitHub, I tell them, I'm like, “Hey, if this VP and that VP, like, talked together and, like, worked on something, you could do something amazing in this space.” But I think it's going to be quite a while until we get to a point where we can say the software supply chain is secure.

Because like I was saying at the beginning, like, until you manufacture your own CPU, like, you're dependent on Intel and AMD. And until you write your own programming language, you're dependent on Ruby, Python, Go, whatever it might be. And until you take no dependencies on some external system—which, by the way, might be a bad business decision, like, if someone did the work for you already in an open-source ecosystem, it's probably a better business decision to evaluate and use that than to build it yourself. Until we have the analysis on that supply chain, and we can in a dashboard, or the click of a button, or the run of a command, very easily see the security status of our supply chain—software supply chain—and determine if a particular vulnerability is or is not relevant, I think we're still going to be in this firefighting mode for at least another couple of years.

Corey: And I want to say you're wrong, but I know you're not. And that's what, I guess, keeps a lot of us awake at night for unfortunate reasons. Seth, I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you?

Seth: I'm on Twitter. You can find me at—

Corey: I'm sorry to hear that. So am I. It's the experience.

Seth: Yeah, you can find me at @sethvargo. If you say mean and hateful things to me, I actually exercise this finger, and you can click the block button real fast. But yeah, I mean, my DMs are open. If you have any questions, comments, complaints, concerns, you can throw the complaints away and come to me for everything else.

Corey: Thank you so much for being so generous with your time. I really appreciate it.

Seth: Yeah, thanks for having me. It's always a pleasure.

Corey: Seth Vargo, engineer at Google. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment asking how dare I malign the good name of the other cloud provider that isn't Google that also just so coincidentally happens to employ you.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.

Profound
Profound - Dr Deming - S2 E4- Bill Bensing- Supply Chain and Security

Feb 3, 2022 · 54:57 · Transcription Available


In this episode, Bill and I discuss operations research and supply chain concepts and how they apply to security. Bill gives an overview of his work with DOD on project DEDSORD. He also gives a great overview of DevOps Automated Governance and usage of Sigstore. We also touch on SBOMs. Bill can be found mainly on LinkedIn here: https://www.linkedin.com/in/billbensing/

Security Journey's hi/5
Hi/5: Minimum Viable Secure Product, Bandit, Sigstore and more

Dec 2, 2021 · 2:41


Minimum Viable Secure Product: Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.

How to Secure Python Web App Using Bandit: Bandit is a tool developed to locate and correct security problems in Python code. To do that, Bandit analyzes every file, builds an AST from it, and runs suitable plugins against the AST nodes. Once Bandit has completed scanning all of the files, it generates a report.

Explain Sigstore to me like I am five: Sigstore provides an easier way to seamlessly issue and validate signatures from constituent dependencies, including base images, all the way to the final deployed application artifact.

Threat Matrix for CI/CD Pipeline: This is an ATT&CK-like matrix focused on CI/CD pipeline-specific risks.

Malware Found in NPM Package with Millions of Weekly Downloads: A massively popular JavaScript library, UAParser.js (npm package), was modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where compromised versions were used.

Sustain
Episode 93: Dan Lorenc and OSS Supply Chain Security at Google

Oct 1, 2021 · 36:23


Guest: Dan Lorenc
Panelists: Eric Berry | Justin Dorfman | Richard Littauer

Show Notes

Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Today, we have a very special guest, Dan Lorenc, who is a Staff Software Engineer and the lead for Google's Open Source Security Team. Dan founded projects like Minikube, Skaffold, TektonCD, and Sigstore. He blogs regularly about supply chain security and serves on the TAC for the Open SSF. Dan fills us in on how Docker fits into what he's doing at Google, he tells us about who's running the Open Standards that Docker is depending on, and what he's most excited for with Docker with standardization and in the future. We also learn a little more about a blog post he did recently and what he means by “package managers should become boring,” and he tells us how package managers can help pay maintainers to support their libraries. We learn more about his project Sigstore, and his perspective on the long-term growth of the software industry towards security and how that will change in the next five to ten years. Go ahead and download this episode now to find out much more!

[00:01:09] Dan tells us his background and how he got to where he is today.
[00:03:08] Eric wonders how Docker fits into what Dan is doing at Google and if he can compare Minikube and his work with what the Docker team is trying to drive. He also compares Kubernetes to Docker and how they relate.
[00:06:13] Dan talks about if he sees a shift of adoption in the sphere of what he's seeing, and Eric asks if he feels that local development with Docker is devalued a little bit if you don't use the same Docker configuration for your production deploy.
[00:08:49] Richard wonders in the long term, if Dan thinks we're going to continually keep making better Dockers, better Kubernetes, or at some point are we going to decide that tooling is enough.
[00:10:35] We learn who's currently running the Open Standards that Docker is depending on and Dan talks about the different standards.
[00:12:13] Dan shares how he thinks the shift towards open standards, in particular with Docker, influences open source developers who are in smaller companies, in SMEs, in medium-sized companies, or solo developers out there who may not have the time to get involved in open standards.
[00:13:45] Find out what Dan is really excited about in terms of Docker, with standardization or in the future, that will lead to a more sustainable ecosystem.
[00:15:17] Justin brings up Dan's blog and a recent post he just did called “In Defense of Package Managers,” and in it he mentions package managers should become boring, so he explains what he means by that.
[00:18:01] Dan discusses how package managers can help pay maintainers to support their libraries.
[00:22:03] Richard asks Dan if he has any thoughts on getting other ways of recognition to maintainers down the stack than just paying them. He mentions things that he loves that GitHub's been doing recently showing people their contribution history.
[00:23:46] Find out about Dan's project Sigstore and what its adoption looks like so far.
[00:26:35] Richard wonders if Dan thinks it's a good idea to have that ecosystem depend upon a few brilliant people like him doing this work or if there's a larger community of people working on security supply chain issues. Also, who are his colleagues that he bounces these ideas off of, and how do we eliminate the bus factor here? Dan tells us they have a Slack for Sigstore.
[00:30:03] We learn Dan's perspective on the long-term growth of the software industry towards security in general, how that will change over the next five to ten years, and how his role and the role of people like him will change.
[00:31:35] Find out all the places you can follow Dan on the internet.

Quotes

[00:10:14] “You kind of move past that single point of failure and single tool shame that's actually used to manage everything.”
[00:12:44] “So, they kind of helped contribute to the standardization process by proving stuff out by getting to try all the new exciting stuff.”
[00:16:33] “The ‘bullseye’ release actually just went on a couple of days ago, which was awesome.”
[00:17:04] “It's a problem because there's nobody maintaining, which is a really good topic for sustainability.”
[00:24:46] “But nobody's doing it for open source, nobody's signing their code on PyPI or Ruby Gems even though you can.”
[00:29:50] “These are not the Kim Kardashians of the coding community.”
[00:30:25] “Something that we've been constantly reminding, you know, the policy makers wherever we can, is that 80 to 90% of software in use today is open source.”
[00:30:51] “And even if companies can do this work for the software that they produce, if we don't think of, and don't take care of, and don't remember that these same requirements are going to hit open source at the very bottom of the stack, then we're kind of placing unfunded mandates and burdens on these repositories and maintainers that they didn't sign up for.”
[00:31:11] “So we're really trying to remind everyone that as we increase these security standards, which we should do and we need to do, because software is serious, and people's lives depend on it.”

Spotlight

[00:32:32] Eric's spotlight is a game called Incremancer by James Gittins.
[00:33:35] Justin's spotlight is Visual Studio Live Share.
[00:34:04] Richard's spotlight is the BibTeX Community.
[00:35:03] Dan's spotlight is the Debian maintainers.

Links

SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Dan Lorenc LinkedIn (https://www.linkedin.com/in/danlorenc)
Dan Lorenc Blog (https://dlorenc.medium.com/)
Tekton (https://tekton.dev/)
Minikube (https://minikube.sigs.k8s.io/docs/)
Skaffold (https://skaffold.dev/)
Open SSF (https://openssf.org/)
Open Container Initiative (https://opencontainers.org/)
Committing to Cloud Native podcast, Episode 20: Taking Open Source Supply Chain Security Seriously with Dan Lorenc (https://podcast.curiefense.io/20)
“In Defense of Package Managers” by Dan Lorenc (https://dlorenc.medium.com/in-defense-of-package-managers-31792111d7b1?)
Open Source Insights (https://deps.dev/)
GitHub repositories Nebraska users (https://github.com/search?q=location%3Anebraska&type=users)
CHAOSScast podcast (https://podcast.chaoss.community/)
Sigstore (https://www.sigstore.dev/)
RyotaK Twitter (https://twitter.com/ryotkak)
Dustin Ingram Twitter (https://twitter.com/di_codes?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Incremancer (https://incremancer.gti.nz/)
Visual Studio Live Share (https://visualstudio.microsoft.com/services/live-share/)
Enhanced support for citations on GitHub, Arfon Smith (https://github.blog/2021-08-19-enhanced-support-citations-github/)
Debian (https://www.debian.org/)
Debian “bullseye” Release (https://www.debian.org/releases/bullseye/)

Credits

Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Dan Lorenc.

Open Source Security Podcast
Episode 286 - Open source supply chain with Google's Dan Lorenc

Aug 30, 2021 · 37:32


Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space, and what sort of new things can we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more.

Show Notes

Dan's Twitter
Sigstore
SLSA Framework

The Kubelist Podcast
Ep. #20, Sigstore with Dan Lorenc of Google

Aug 25, 2021 · 52:31


In episode 20 of The Kubelist Podcast, Marc and Benjie are joined by Dan Lorenc of Google. They discuss supply chain security and the Sigstore project, a new standard for signing, verifying and protecting software.

Heavybit Podcast Network: Master Feed
Ep. #20, Sigstore with Dan Lorenc of Google

Aug 25, 2021 · 52:31


In episode 20 of The Kubelist Podcast, Marc and Benjie are joined by Dan Lorenc of Google. They discuss supply chain security and the Sigstore project, a new standard for signing, verifying and protecting software.

WIRED Security: News, Advice, and More
A New Tool Wants to Save Open Source From Supply Chain Attacks

Jun 29, 2021 · 8:14


Sigstore will make code signing free and easy for software developers, providing an important first line of defense.

CERIAS Security Seminar Podcast
Santiago Torres-Arias, Practical software Supply Chain Security and Transparency

Mar 17, 2021 · 40:25


The software development process, or software supply chain, is quite complex and involves a number of independent actors. This ever-growing complexity has led to various software supply chain compromises: from XcodeGhost injecting malware into millions of apps, to the highly publicized SolarWinds compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both open source and industry --- such as Sigstore, Cosign and in-toto --- to protect millions of users across the globe.

About the speaker: Dr. Torres-Arias' current research focuses on securing the software development life cycle. Previously, his research focused on secure password storage mechanisms and update systems. He is the team lead of in-toto, a framework to secure the software development life cycle, as well as PolyPasswordHasher, a password storage mechanism that's incredibly resilient to offline password cracking. He also contributes to The Update Framework (TUF), which is the software update system being integrated into a variety of projects like Docker, CPAN, and others.

Linux Action News
Linux Action News 180

Mar 14, 2021 · 24:01


The A-Team assembled to make open source more trustworthy, why we might be about to find out how much SUSE is worth, and some essential project updates.