From YouTube: SolarWinds Breach - Lessons Learned & Practical Tips

Description

In this webinar, Rubi Arbel, Scribe's CEO, talks with Tim Brown, CISO of SolarWinds, about his takeaways in the aftermath of the famous SolarWinds hack. We hear what lessons the rest of us can learn and how Tim and his team secured their pipelines to increase their resilience to software supply chain attacks.

Tim Brown's LinkedIn profile - https://www.linkedin.com/in/tim-brown-93639a1
Rubi Arbel's LinkedIn profile - https://www.linkedin.com/in/rubi-arbel-791631101/
Scribe Security's LinkedIn profile - https://www.linkedin.com/company/77925111
Scribe Security's website - https://scribesecurity.com/

Transcript (A = Rubi Arbel, B = Tim Brown)
A: Nice to have you with us. I'm very happy to host here with me Tim Brown, the CISO of SolarWinds. A very short synopsis of what we'll do here today: in this webinar we will talk with, again, Tim Brown, the CISO of SolarWinds, about his takeaways in the aftermath of the famous Sunburst attack, what lessons the rest of us can learn from it, and how Tim and his team secured their pipelines to increase their resilience to software supply chain attacks.

After the Sunburst attack in December 2020, Tim led the response and remediation efforts. Tim has spoken to thousands of customers and has been instrumental in all customer remediation, support and services. He has worked closely with the SolarWinds CEO in designing the future state of security and their Secure by Design philosophy. He is also an avid inventor and holds 18 issued patents on security-related topics. That's remarkable, Tim, really.

I'll introduce myself really quickly: I'm Rubi Arbel, CEO of Scribe Security. Scribe is the first evidence-based security trust hub. The Scribe platform serves as a hub for software producers and consumers to share attestations like SBOMs, code vulnerabilities, software integrity and provenance, SLSA compliance, SDLC processes, etc. All these attestations, which are cryptographic evidence, are an attestation to the software's trustworthiness for teams and organizations. Before that I had a long cyber career in the 8200 unit and then as founder and VP at cyber companies in the private sector.
B: Absolutely. So yeah, we are coming up on our two-year anniversary; essentially December 12th, 2020 is when we heard about the incident. Essentially Mandiant and FireEye contacted us on a Saturday morning.

I talked to their CTO quickly thereafter, and in this instance, you know, normally we have to investigate a lot to determine if it's real. Mandiant gave us enough information to say: here's decompiled code, that decompiled code was not yours, right, it was inserted into the product. We could see that just by the way the code was written; it had markers that it shouldn't have been doing some of the stuff that it was doing. So the investigation went very quickly.

We were able to determine a lot in the first day. We determined that it was not present anywhere in our source control system, and that was kind of the first thing we determined: okay, it's not in our source control system, so something happened in the middle between us building something and shipping it, and we didn't know what happened. But that's why we coined it internally a supply chain attack on day one, or day two when we announced it publicly. So essentially on Sunday everything went public.

We put public announcements out at that point. We did call it a supply chain attack; we weren't sure where the insertion point was, but we also said that it affected 18,000 customers, because we took a high number. We said this is the maximum number of people that ever downloaded these versions. We knew that three versions were affected, that were produced between March and June and had this code. Versions that were produced before that and versions that were produced after that did not have the code.

One side note: in October a test run occurred, so they essentially did a no-code test run, determined they could essentially accomplish their goal, and then came back in February and inserted the code. So, sophistication on both sides, sophistication in the way they attacked us. It's attributed to the Russian SVR, APT29, Cozy Bear, depending on who you listen to, also known as Nobelium, which nobody ever knew, from Microsoft.

So essentially what happened is: very quiet, very stealthy coming into us. They compromised email first and basically looked at email, or were able to monitor our 365 environment, to learn about the environment underneath. Once they did that they said: okay, where can we insert ourselves that can make the least noise and the least likelihood of discovery? That ended up being in a transient virtual machine that was part of our build process, and they essentially inserted something that's now known as Sunspot.

Not, you know, incredibly innovative or inventive. They didn't use machine learning and AI, but they were just very thoughtful in their program. The code that they dropped essentially waited 14 days before it started, wouldn't run inside of SolarWinds, wouldn't run inside of Microsoft, wouldn't run inside of a number of different places; we essentially were blacklisted. So, just thoughtful in the way they thought about: how can I not be detected?

They did make mistakes, because they did get detected in the end, right, but the message for everybody out there is that we found this, or FireEye found this, essentially by mistake, and we don't know how many are out there today. We don't know how many missions others are on at the same time, so for everybody this should be seen as a wake-up call. The wake-up call is that it can happen to others.

Similar things can happen. That mission-centric adversary is really real and patient. I mean, you're talking a year and a half before they get to their target to do things, so extremely patient, extremely thoughtful, extremely determined on what they were attempting to do. So originally 18,000. What we now know is that well under a hundred customers went to a secondary attack, meaning that they cared about them, meaning that the threat actor did some actions.

We now know that government agencies were a primary target. Originally we said nine; a GAO report called out that there were four government agencies that were affected. So we don't discount what went on in those at all, because we don't know.

So, you know, the incident went on, and it had a lot of good learnings for people, and I think what we come out with at the end is a lot of things that kind of helped the industry and helped the world move forward.
A: Yeah, well, obviously SolarWinds experienced a very sophisticated APT by a resourceful nation state. I think this is kind of the attack that very few organizations in the world could protect themselves from, and what's impressed me is that you guys were very transparent from day one about everything that happened to you and the lessons that can be learned from it, and you really were very vocal about what others can learn from it.

Typically, though, what can the average software company take from this to protect themselves?
B: Yeah, so some of the first things, right: really, try not to have it happen to you in the first place. That's the first one. Take an assumed-breach approach, and assumed breach means that essentially no one's trusted in your environment; always have double and triple checks on the most important things that you do. So we published our new build system and published how to do, essentially, parallel builds with no one person having access to multiple of them, and we run multiple builds, essentially staging and production, separately.

And, you know, two people have access to production. They don't have access to staging. So in order to affect my build today, you would need collusion amongst multiple people, and they happen to be my architects, which would be very difficult to get to collude. So always be thinking about how you assume that you have compromised individuals within the environment. Now, we did not see an insider aspect of this attack, but very easily it could be, and we think that it will be for others, or has been for others. So if you take an assumed-breach approach, then you're starting to say: okay, what happens if Tim's breached? What happens if Tim isn't working for us?

What happens in these cases and how do you safeguard against those? That's kind of one way to try to get yourself to essentially avoid some of these things potentially having happened. Now, no matter what you do, nothing's ever perfect, right. As I said, I need multiple people to collude; that doesn't mean it couldn't occur. So nothing is a hundred percent risk-free, so assume that as well.

If something happens to you right now, this can be a ransomware event, which we see a lot of; we see more sophisticated ransomware happening all the time. Or if it is a big attack, a few lessons, right: put your customer first. If we tried to answer every question or every piece of misinformation that was going in the press, then that's what we would still be doing today. We'd be fighting press and fighting press, because during an incident the main players don't talk to the press.

We didn't talk to the press. So who they talk to is old ex-employees. They talk to anybody that they can talk to, to build a story, but if you spend your time just trying to focus on that side of the world, you won't get stuff done. What we wanted to make sure was that we gave people, our customers: were they affected, were they not affected? That's a big question for them. Back to supply chain, right: they didn't know where we fit.

The price of our product often did not get to the point of having a lot of evaluation done, so it really didn't even make the list of critical vendors, simply because of price. So that's another thing that we look at: how do we make it so that when vendors are evaluated, it's not just on price, but it's also on kind of where they fit in the mix, so where they fit in the supply chain.

So think about that too, from an evaluation perspective, kind of where things go. Focus on customers, focus on information; share what you can, and the more you can share, the better folks will be at understanding what risks they face. So get out there and do what you can to help the customers get to the right place as soon as they can. Publish everything.

We had Krebs and Stamos as a partner, so we grabbed a lot of partners helping in different places, and then just keep communicating to everybody that you can and pushing messages out, and that seems to have worked. So yeah, it just takes a while. So don't expect it to happen overnight. It is a marathon, it's not a sprint.

It probably took four months for somebody to say something good about me, for us to say something good about me, so you just have to accept that, right, and grow a hard shell to some of those things.

Right, absolutely, absolutely: personal resilience and resilience of your organization, resilience of the individuals, and you just keep trying to do the right thing.
A: All right, so let's talk about the right thing. Okay, I mean, you made gigantic efforts, really; I don't like the number, it's a huge effort, to put this reproducible build in place, and then the new pipeline, etc., and you talked about talking to customers and putting the customers first. So I would like to ask you: how did you regain, at the end of the day, your customer base's trust after this event?
B: You know, for six months we focused solely on security, so 400 engineers focused on security, focused on common repos, focused on new builds, focused on all of those things. So they say: okay, wow, you did that, then you shored up your infrastructure and then you shored up your security team with additional things.

So yeah, before I ran one SOC; now I run three. So I've got CrowdStrike, I've got Secureworks, I've got my own SOC, so I've got a lot more visibility across the environment. So things like that just say: okay, these guys have not just been okay, they've been exemplary through that.

Now, with that, we also are very willing to answer any questions customers have. So in the past we were a little bit less sharing on details, right; I wouldn't tell you that I run WhiteSource and Checkmarx on every build. I would tell you I run static code analysis and I ran dynamic code analysis; I wouldn't name products. Now I'll tell you that I do these things, and we've become much more transparent about how we protect our infrastructure, right. I have 44 pairs of Palos.

So, very good, exemplary in those processes, and that goes a long way to gain trust with people. They say: okay, well, you're going above and beyond, you're doing these things, you're doing these things, you're doing these things. To shut down development for six months is a huge cost, but, at the end of the day, a benefit. So that's what customers see: that we took it seriously, that we own it, it did happen, and that we've moved, and continue to move, forward with security.
B: I also hired an internal auditor, similar to an external auditor for finance, but an internal auditor focused on auditing our line of code to production, or line of code to service, and I'm not ready to publish there yet. But sometime in the future I'll be ready to publish really an internal audit of that, because I think that's another place that we'll see regulation in the future, and we just want to be ready for it.

It's under my GRC group, yeah, and it's a different function, right, with the charter to really do what I just said. It's audit.
A: ...our discussion, because Scribe automates that, so that's...
B: Really cool to automate, but you have to get some of it; it's not automatable yet, right, so hence the person. But yeah, I mean, supply chain fits everywhere in here, and how can you give confidence in the supply chain for your customers? That's a critical component, and it's getting even more critical.
B: So when you think about why I say our incident was a wake-up call, right, it's because so many customers did not know where we fit inside of their supply chain, their large supply chain, the big supply chain: power and energy, right, power generation. Now, we were sitting there monitoring some things, right, and could we have had controller code placed in our product rather than the code that required you to connect to the internet? Could it have been another Stuxnet, right? And the answer is yeah.

That code could have been anything somebody wanted it to be, so that reminds us that it could have just encrypted things. It could have done random damage. It could have done so many different things. So what it did was limited to... still very important, right, but from a harm perspective across the world you could have seen a lot worse.

Things occur just from random harm, so that says: well, you had better know what is in your supply chain. And so many of the customers that I talked to, I ruined their Christmas as well, right, because they had to figure out: where is SolarWinds? Where is Orion? Where is it in my supply chain? So they're sitting there saying, wow, I'm trying to figure all this out and I didn't even know it was there.

So that's why it's important. So when I look at supply chain, I like to think about little and big, right. Okay, I think big is: power generation is how I manufacture; it's a big side of everything that's involved in there. The little supply chain is what goes into building my product, right: what components are under my product, my SBOM, those types of things. That's kind of how I look at it, because they're very different; both extremely important, but very different from each other.
A: Yeah, so in a typical supply chain, right, there is the software producer, in your case SolarWinds, and the software consumer, and sometimes there are many software producers and consumers and integrators and consumers. So what, in your opinion, is the difference between the needs of the software producer and the software consumer? Do they look for the same thing? And I think that has a lot to do with the big supply chain and the little supply chain.
B: Yeah, so the producer, right, wants to be able to efficiently produce their software bill of materials with accuracy, because just because you happen to be using a library that is out of date, which happens all the time, are you vulnerable to the issue that was in that library? Are you using the function?

Here's what makes me either vulnerable or not vulnerable to these known vulnerabilities that are in libraries. So you want to have an accurate depiction of what you look like, and you want to get that as easily as possible, and you want to have it in a form that can be consumed by others.

Now, from the consumer side, the consumer needs to understand those details in different ways. So they want to know everybody that's using OpenSSL; good example, right, we're expecting a vulnerability to be announced this week on OpenSSL. So who's affected? I need to know what my products are that are out there that would be affected by this. Okay, now, where do they fit? How important are they? Who should I take care of first? Where do they fit in my big supply chain? Do they have access to my network?

Do they have access to sensitive data? Where do they fit, so that I know, because I've got a thousand vendors, which one should I look at first? How can I come across that? So, as a consumer, you really want somebody to help you look at that information holistically and be able to prioritize and be able to develop a plan.
A: Yeah, so vulnerabilities is one thing, and you talked about whether or not a specific vulnerability is relevant to your product as a software producer; maybe you're not using a specific function, so it's not relevant, or the environment makes it irrelevant. But what else is there? You talked before about the auditor that is looking...
B: So you get the low-level kind of SBOM, right, that says these are my individual components, this and that. But how do I build it, right? How do I test it? How do I articulate the level of quality associated with my product or my component or my thing, from a producer, right? How can I show the consumers that, yeah, I run a very strong SDLC process, right?

Here's what the steps are. So, being able to depict both evaluations of individual components, which can change kind of in real time because of the SBOM and a new library and a new vulnerability coming out, but then also what doesn't change as fast: here's my methodology, right, here are the things that I'm doing. Oh, you want to see the steps that I'm doing, you want to understand how I protect my infrastructure, you want to understand how I'm building software, you want to understand what could affect me. So that's the difference, right.
A: Amazing. So I'm thinking you put in like half a year of 100 people or so, right, to harden your pipelines, to build a reproducible build, to demonstrate your compliance to the requirements and the trustworthiness of everything that you're doing. But most of the companies in the world, even the big ones, don't have the time and the resources to do that. So what could they do?
B: Yeah, so start at the right levels, right. Do things stepwise; look at a couple of different things, right. Assume breach: you can start doing that today. Increase visibility inside your environment: you can do that today. SBOMs: you're going to be forced into SBOMs as a vendor, so be ready for that, right; be ready to produce them and be able to defend them.

We see signs of the DoD going to require SBOMs, right; we're seeing signs of others. As soon as that kind of starts down that path, we're going to see more and more commercial folks asking, and the more that they ask, the more visibility they're going to want to have. Now, what they do with that visibility today is going to be a little bit of a challenge, because how do you accept visibility from all of these vendors, and how do you get to a point where you can evaluate it? That's one of our big challenges right now from the consumer side, right: how do I evaluate, how do I know if it's good or bad? How do I get the right information to be able to do that evaluation, and then how do I watch for improvements, etc.?

So I think we're at the beginning of this journey, but I think that the overall objective is for producers to be able to show that they're doing a good job, show what they have and what they have built, and then for consumers to be able to consume at volume a lot of these types of information, and then be able to also build up their knowledge of, hey, I've got these things here.

Therefore, when something comes out, I'm able to do it, or when I want to evaluate my, you know, power grid, right, I can look and say: okay, these guys are affecting it, and it doesn't have to do with the cost of the thing, it has to do with where they fit in that supply chain and what they have access to. So I think that's our ideal scenario. It's just going to take us a little while to get there.
A: Yeah, so I completely get why a software consumer would like full visibility of everything, but I also can see many software producers saying to themselves: you know, SolarWinds had to be transparent in order to maintain their business, but I'm not in their position, so why should I provide that kind of transparency? So what...
B: It won't be me, it will be the event, it will be the consumers, right. Okay, yeah, those with the pocketbook always drive us vendors to do what they want, right. So essentially they're going to be looking, in their pre-evaluation of software; they'll be starting to look for more information, more details; they're going to look for more in contracts.

We've already seen that occurring, but transparency is going to be expected more, and we just have to plan on that, and I think it will be forced by those consumers of the technology. No question that they will start it.
B: The DoD says: I am not acquiring any products that don't fit this and don't provide this to me; that will force some change. If the finance industry goes in that direction, that will force change. So I think regulations will kind of be a means to start moving things, and then they'll start moving pretty quickly. So we all need to be ready for that to occur, because I think it will; I think, as long as it's done for the right reasons, it will kind of improve where we are. But it will be forced.
A: Okay, all right, so maybe this is a good time, Tim, to take some questions that we have from the audience here. So let's take the first question. Where is it? Yeah.
B: How do you secure open source software published on GitHub? Yeah, so open source is one of those questions, right, and I think we will start seeing additional requirements, especially for their supply chain, to their supply chain, to their supply chain. So we're going to start seeing, because of requirements coming out from others, that the open source components also publish their supply chain, and also publish their response, because I think it's necessary right now.
B: There are certain levels of trust that you can have. One of the things that we did is we get versions of open source and put them into our own repositories. We don't always pull from the outside, just in case there's something that slips in. So we get a validated version that we stay with. That was both Google's and Microsoft's idea of how they're dealing with, essentially, open source: they don't pull what's current, they always get their version tested and then pull that in.
B: So, "prevent" is a hard word, right. So, to be able to recover, to be able to act, to be able to move forward faster, to be able to understand what you have: yeah, absolutely, no question. Our supply chain attack was very unique, right; a very uniquely positioned one, where somebody came in and was able to disrupt something in our internal supply chain of how we build software.

So I don't think these would help so much in preventing that type of an attack. But when you look at others, when you look at the future attack, when you look at the underlying software that we're putting into products and the things that could go on in there, absolutely we can help there, right, because we can put more knowledge and information on what's inside of products, how they're built, how they're secured and kind of what level of maturity they have.
A: I think, like you, Tim, that this is something that is deeply missing in the market today, and this is something that can be very strong, in the sense that it can provide the level of trust that is missing today between the software producers and the software consumers. And I do, like you, think that this would and should be the future of software supply chain.
A: I agree. So, to wrap it up: if anybody here that is listening wants to read more about what software supply chain is and what tools and frameworks are out there that can assist you in reducing your software supply chain risk, please visit the resource page on the Scribe website, scribesecurity.com, and if you have any questions, please feel free to reach out to us via the contact-us form on our website, and we can also pass the questions to Tim. And that's it.
A: You know, this is not our first talk, yet still, every time we talk, I learn new things.

For me it was highly educational, and there are at least four things that I've heard for the first time today. So thanks for spending your precious time with us today, and that's it. Have a great day, everybody, and thank you for being here.