►
From YouTube: Keynote: DevSecOps and the Art of Not Ending Up On the Front Page- Fabio Rapposelli, VMware Tanzu
Description
Keynote: DevSecOps and the Art of Not Ending Up On the Front Page- Fabio Rapposelli, VMware Tanzu
DevSecOps is the seamless and transparent integration of security into emerging agile IT and DevOps development. Ideally, this is accomplished without reducing developers' agility or speed or requiring them to leave their development toolchain environment.
The SolarWinds Supply-Chain Attack is one of the most dangerous in recent memory. The malware was distributed as part of an update and was digitally signed by a valid digital certificate containing the company's name.
The software bill of materials (SBOM) is gaining new attention and notoriety in the aftermath of SolarWinds. Requiring SBOMs for all software entering your pipeline has become common sense. And in some cases it’s a mandate. For example, Executive Order 14028 requires an SBOM for all federal software procurements in the United States.
At the moment, less than half of companies create SBOMs for their software, and accountability for SBOMs appears to be lost in a rush to deliver new software.
Understanding which components are included in applications is critical for proactive vulnerability management. The SBOM is a versatile and adaptable approach that can be easily tailored to specific use cases. What should you put in SBOMs for software applications that your company makes, buys, or consumes?
A
Today
I
want
to
talk
about
so
like
the
worst
nightmare
of
all
the
public
relations
departments
out
there,
which
is
your
company
making.
You
know
national
news
because
of
a
security
breach
before
we
get
started,
though
I
just
want
to
acknowledge
something
like
it's
great
to
be
back
in
europe,
it's
great
to
be
back
in
person,
I'm
sure
many
of
you
can
relate
with
the
meme
up
there
on
the
screen,
and
I
can't
wait
to
see
old
friends
and
making
new
ones
here
in
valencia
this
week.
A
A
Now
it
was
a
humbling
moment,
for
you
know,
for
many
involved
in
the
software
development
life
cycle.
Business
myself
included
now.
Look
at
these
figures
here,
they're
taken
from
the
synopsis,
open
source
security
and
risk
analysis
report
made
in
2022.
This
is
made
from
by
the
same
company
that
makes
the
blackduck
scanner
you're
probably
familiar
with.
You
know,
there's
there's
a
number
of
interesting
findings
there
and
there's
a
link.
A
That
means
that
3
4
of
all
the
code
bases
that
were
audited,
which
means
that
you
know
code
bases
from
all
sorts
of
companies.
You
know
not
just
from
you
know,
software
development
companies,
but
this
is
like
from
all
industries
and
all
geographies.
Three
fourth
of
their
code
base
is
open
source
software.
A
This
means
that
three-fourth
of
their
code
base
is
software.
You
know
pulled
in
from
github
pulled
in
from
all
sorts
of
sources,
and
81
of
that
code
is
at
least
vulnerable
with
one
vulnerability.
Now,
if
you
stop
for
a
second
and
think
about
your
own
stack,
think
about
how
deep
is
your
stack
like
all
the
dependencies
you're
relying
on
you
know?
A
A
You
know
back
doors
even
in
the
code,
and
if
you
don't
know,
if
you
don't
do
anything
about
it,
then
you
end
up
with
backdoors
in
your
code
in
your
shipping
code.
Now
it's
obviously
easy
for
me
to
point
out
the
problem.
The
reality
is
that
as
engineers
we
tend
to
value
so,
like
you
know,
velocity
and
you
know
making
progress
way
more
than
we
value
compliance
in
general.
I
mean
I'm
guilty
of
that
myself.
A
So
we
deal
with
compliance
only
when
we
have
to
which
is
usually
when
you
have
somebody
knocking
on
your
door,
which
is
usually
the
security
team
or
the
legal
team.
If
things
get
worse
back
in
2017,
it
was
the
architect
for
product
at
vmware,
and
I
was
dealing
with
license
compliance.
We
have
a
large
code
base
in
go
and
we
had
a
number
of
obviously
number
of
packages
there
and
go
is,
as
many
of
you
know
is
a
at
least
back.
A
Then
it
was,
you
can
only
get
statically
compiled
binaries,
so
it
means
that
you
have
to
like
scrutiny
your
licenses,
because
some
licenses
are
incompatible
with
each
other
and
we're
trying
to
make
our
cicd
tool
smarter
to,
like
you,
know,
catch
a
licensed
creep
early
on.
So
I
built
a
tool,
and
I
went
to
a
conference
in
paris
called
go
to
present
it.
It's
still
available
on
youtube.
If
you
check
it
out
and
at
the
time
I
was
saying
you
know,
there's
actually
two
more
than
2
000
packages,
this
slides
from
2017.
A
A
A
You
know
there
are
tangible
benefits
in
adopting
something
like
this
for
everybody
involved,
not
just
for
a
legal
team.
You
know
being
able
to
sleep
at
night
so,
but
what
goes
inside
is
an
s-bomb.
So
there's
a
number
of
competing
standards
for
s-bomb,
there's,
there's
spd-x,
which
is
backed
by
linux
foundation.
A
There's
cyclone
dx,
there's
a
bunch
of
other
standards
out
there,
but
they're,
not
very
opinionated
in
what
goes
inside
an
s
bomb
they're,
just
opinionated
in
the
in
the
type
of
like
in
the
way
it
is
described,
but
not
in
the
way
that
you're
putting
information
inside
that.
So
right
now,
it's
not
like
a
common
belief
that
you
know
having
vulnerability,
scan
results.
A
The
license
audit,
the
metadata
on
the
build
system
that
I
actually
built,
the
artifact
all
the
dependencies
that
are
involved
in
so
like
building
that
specific
piece
of
code
that
specific
piece
of
artifact
and
so
like
the
relationship
that
exists
between
the
components
that
are
actually
built.
You
know
it's
so
like
an
acceptable.
You
know
list
of
information
to
generate
you
know
a
viable
set
of
tangible
benefits
to
the
teams
involved
and
why?
Why
is
that?
A
A
You
can
go
and
check
on
and
say:
okay,
I
have
you
know
out
of
the
entire
software
state
that
I
have
you
know
I'm
using
this
library
that
is
vulnerable
in
all
these
software
packets.
So
I
can
go
and
fix
them
and
know
exactly
where
to
go
instead
of
trying
to
scramble-
and
you
know,
audit
the
code
base
when
there's
a
day
zero
out
there.
That
is
sort
of
like
you
know,
impacting
you
now.
If
you
take
a
step
back,
you
know
now
we
have
s-bomb
in
our
toolbox.
A
You
know,
let's
take
a
step
back
and
look
at
how
that
fits
into
so
like
the
overall
security
of
the
system.
Now
having
an
s-bomb
generator
is
great,
it's
fantastic,
but
there
are
several
points
where
the
supply
chain
can
actually
be
attacked.
Now
you
know
securing
all.
This
is
obviously
hard
and
it's
you
know.
Probably
there
are
team
entire
teams
dedicated
to
fixing
this
problem.
Many
companies-
you
know
vmware
included
now,
but
how
do
we
do
that?
It's
actually
pretty
hard.
A
So
there
are
two
so
like
frameworks
that
are
so
like
standing
out
these
days.
One
of
them
is
the
salsa
framework,
which
was
you
know,
initiated
by
google,
and
so,
like
you
know
something
that
is.
You
know
something
that
is
there's
a
lot
of
buzz
around
it
right
now
and
also
there's
like
the
os
proactive
control
framework.
They
can
help
you
integrate.
A
You
know,
practices
and
automation
into
your
supply
chain,
trying
to
leveraging
the
same
platform
and
tools
that
you
know
your
developers
and
your
sre
teams
are
also
using
so
like
creating
a
connection
between
the
two
and
so
like
adding
sec
into
your
devops
cycle
into
your
devops
practices.
Now
work
in
this
area
is
still
pretty
nascent.
If
you
look
at
especially
if
you
look
at
salsa,
salsa
has
four
levels
level.
A
So
how
do
you
get
started
today
now
so
joe
joe
bida
is
one
of
the
kubernetes
co-founder
and
there's
one
line
that
I
always
use
when
talking
about
kubernetes
that
I
really
like,
which
is
kubernetes,
is
a
platform
platform
which
means
it's
a
platform
to
build
platforms.
Now
what
you
see
up
here,
it's
a
set
of
tools
that
are
available
today
to
so
like
build
your
own,
secure
supply
chain
platform
right.
A
I
want
to
highlight
some
some
of
these
notable
examples
here,
but
there
are
many
more
out
there,
so
this
is
not
like
a
complete
lease
by
any
stretch
of
imagination.
So
if
there's
nothing
here
that
fits
what
you
need
go
check
out:
the
cncf
landscape,
because
there's
likely
a
project
that
is,
you
know,
is
built
for
you.
A
So,
let's
quickly,
look
over.
You
know
what
we
have
here
in
total
performs
at
the
station,
so
it
which
is
basically
authenticated
metadata
on
for
your
software
artifacts.
So,
while
you're
building
your
software,
you
create
at
the
station
and
then
you
see
you
cryptographically
sign
them
and
you
basically
take
them
along
your
your
secure
pipeline.
A
You
have
you
know
cartographer,
which
is
a
choreographer
so
like
similar
concept
to
orchestration
for
secure
supply
chain.
This
works
in
conjunction
with
you,
know,
and
task
executioner,
like
you
know,
techton
or
even
jenkins,
and
then
you
have
six
store,
which
is
you
know,
toolkit
for
automatic
signing
and
verification
of
artifacts.