Description
Welcome to the Secure Cloud Cast!
Thanks for joining the first of many shows focused on security and all things Cloud Native. Today's show will discuss the updates in supply chain security that we have seen over the past year and how to address some of the high-level supply chain security issues you will face.
Joining us in our inaugural session we have Kirsten Newcomer, Director of Cloud and DevSecOps Strategy, here at Red Hat. We couldn't find anyone more qualified to discuss the supply chain security challenges you will face, so bring all of your security questions.
B
Hello, hello, and welcome to the first of many Secure Cloudcasts. Thanks to the Cloud Multiplier group for the handoff; it seemed like a really cool demo. I was catching... I'm sorry to cut you all off so early, but yes, the Secure Cloudcast, the monthly show for all things cloud: Kubernetes security, open source, maybe a little StackRox and ACS mixed in there.
C
Hi, I'm Kim Carlos, product marketer extraordinaire, here at Red Hat. We're really happy to have you here on our first show, and today we're going to be discussing the hottest topic. Well, maybe not hottest, but pretty hot today in security, which is actually the secure supply chain. So we're going to talk more about that, and the risk that it's posing to businesses, and kind of what they're doing about it, and best practices.
B
For sure, yeah, awesome. And just for the heads up, for everybody who's just joining us, I'm Mike Foster. I've been in Kubernetes for around five years, Kubernetes security for a little over two now. I came over to Red Hat during the StackRox acquisition and I'm helping out with the ACS product in various ways, including the open source project. So if you are new, definitely check out StackRox. Kim, you want to tell us a little bit about yourself as well?
C
Sure. I apologize for the thunder that you will likely be hearing, because it is very loud, but my name is Kim Carlos. I just recently came to Red Hat this year to focus on OpenShift security use cases and capabilities, as well as ACS, so we'll be working a lot with that. My background is actually in various areas of security, so everything from log monitoring to vulnerability and risk management, or cyber risk management. I've even done threat intelligence, so a lot of different areas; I like to diversify. So this is my newest endeavor and I'm very excited to be here and talk with you guys today.
B
Sweet. Before we bring in Kirsten Newcomer, who's going to talk everything supply chain security as our, once we could say, formal expert, I think, at Red Hat, we're just going to give you a couple of general news updates. Kim, you want to kick it off with some ACS news?
C
Yeah, sure. So we just recently launched ACS 3.71, and so we'll drop the release notes in the chat so you can look at it, but there are some key takeaways, I would say. We have a really new, really slick dashboard that will help you increase efficiency, and then we also have two default policies to help you improve your security posture as a whole, so be sure to look into that a little bit more.
B
Yeah, and for those who are new to the ACS acronym, that's Red Hat Advanced Cluster Security. That is StackRox. So StackRox was acquired in early 2021; I think it was like January 7th or something like that, but it was bright and early in the new year, and so that turned into Red Hat Advanced Cluster Security, and luckily we were able to keep the StackRox name alive, and that's open source StackRox.

So if you want to test that out for free, definitely come and join us. You can go to stackrox.io for more information, and again we have that brand new dashboard. I think it's awesome and super sleek; I'd love to hear from you and your thoughts if you get to deploying it. From the open source Kubernetes world, KubeCon is fast approaching. That's KubeCon North America, in Detroit. I believe it is in the last couple weeks. I forget the exact dates: the 20th, I believe, to the 25th, or the 21st to the 26th. SigstoreCon. So one of the new events that's popped up, SigstoreCon, is looking for CFPs. So if you are in the supply chain security ecosystem and you're looking to submit a talk, I will drop the CFP in the chat for you and you can check it out. Always nice to see some of these day zero events as well and see some familiar faces, so worth checking out. Any last updates, Kim, before we bring Kirsten on for our discussion?

Thank you. I'm getting corrected, actually: Kirsten, the date expert and supply chain security expert: KubeCon, October 24th to 28th in Detroit. So I look forward to seeing some familiar faces there. Without further ado, let's bring on the Red Hat supply chain security expert, Kirsten.
A
Sure. So, Red Hat for about six years now, six and a half. My role at the moment is: I lead the product security product management team for all things security across OpenShift and OpenStack. That includes Red Hat Advanced Cluster Security, and ACS, like ACM, supports not just OpenShift but EKS, GKE, and AKS as well, so multi-cluster security, a pane of glass across all those solutions. So I've been working with Kubernetes and security for a while now. Prior to coming to Red Hat, I was at Black Duck Software before they were acquired by Synopsys, and I've been doing product management for more years than I usually care to admit at this point.
B
Awesome. I'm just gonna kick off the first question, because, you know, I joined StackRox in 2019, 2020, and I remember getting on these Kube security calls for the CNCF and seeing Luke Hinds drop in and start talking about Sigstore, and I remember he gave this first demo. It was 45 minutes and people were kind of scratching their heads, like, what's the vision here? What's going on in the last two years that the supply chain conversation has really just blown up? Partially, maybe, government; partially environment related. But, you know, with all those ripples, we were just hoping you could give us your thoughts on: you know, what does supply chain security encompass? Are there any frameworks? I know it's a big open-ended question, but just wanted to get your thoughts. Definitely.
A
But you're absolutely right: there is a ton going on around supply chain security these days, both from the frameworks angle and from the tooling angle. As you say, you know, Luke and Red Hat have been thinking about how we can make it easier for our customers to do certain elements of supply chain security for a while. That's why we invested in Sigstore; we'll maybe talk a little bit more as we go about Sigstore's role in that. But really, things were really hot after the SolarWinds attack, which would have been, gosh, in 2019, I think. And so it kind of used to be that when we talked about supply chain security, people were thinking about: how do I analyze the security of the artifacts that I'm producing through my supply chain, right? When do I do vulnerability analysis? How early? What kind of static security code analysis do I want to be doing, and how frequently? And now, once the SolarWinds hack happened, that really shifted. It's not that we stopped caring about those things, but the security of the supply chain itself has become a key focus, right.

The SolarWinds hack involved somebody actually being able to hack delivery of a patch from SolarWinds, and one of the things that I saw, maybe in 2021, was a really great talk by the folks from SolarWinds on what they have done to improve the security of their supply chain, and they are leveraging tools like Sigstore, like Tekton Chains, which we'll maybe talk about a little bit more. In terms of frameworks, lots of things happening in that space as well. So, you know, there's been an executive order in the States. That's Executive Order 14028, that follows a previous executive order, you know, on supply chains. There's been a new slsa.dev project that's driving standardization of: what are the key things you need to do to secure that supply chain itself? There are things coming from NIST: NIST 800-218, NIST also 800-161, and the CNCF released a white paper on software supply chain best practices. So again, lots and lots happening, and we can dive into the details a little bit more as we go. Or, I know you're also planning to have Emmy join in a future session. Emmy is one of Red Hat's representatives to the OpenSSF, which is helping to drive SLSA. This also stands for, you know... I'm sorry, I'm gonna have to go.
B
Yeah, in terms of frameworks, because we kind of got there: SLSA was originally brought up by Google. Am I correct in that?
A
I honestly don't know who started that, yeah.
B
But it seems to be adopted, because supply chain just encompasses so much that SLSA really broke it down into: it doesn't really matter what level you want, you're going to have these specific components at every stage, right? You're going to have your dependencies, your code that you're adding; you're going to have to build it at a specific time. This also really adds that framework, correct?
A
Yeah, I think what's really nice about what SLSA has done is that they've really, you know, kind of... the elements of software supply chains are multiple and they're varied, depending on the kind of code that you're building, but there is some commonality across those, right. You generally need a source code control system. You need a build tool. You need something that is going to store your build artifacts; that might be a binary repository, that might be a container registry. These days, more and more organizations are using automation to do their deployment as well. So you need your security testing. You need tools that do your integration testing. There's just this whole universe of things to think about, and what's nice about SLSA is that they really have broken down all of... they've kind of listed all those elements and added categories of security for each of them, and they've gotten pretty granular, right.

So there are four categories for source code; there's, gosh, one, two, three, four, five, six, seven, eight categories for builds. Provenance has become a big thing. Provenance is something that, honestly, when I worked at Black Duck, provenance was a big deal for open source license compliance, but it's a subset of our industry that focuses on open source license compliance, and so kind of... The thing is, you can start with SLSA level four, although it's not the only thing to think about, right. There are security principles that I know are applied in SLSA that also, you know, we kind of take for granted in our production environments, that you can apply to your supply chain security.

So one of the first things you might want to do is start auditing the activity in your supply chain. Most of the tools that we're using, maybe not all of them, but many of them, produce log files, and collecting those log files for forensics is a place to start, right. So, auditing that activity. One of the things that SLSA does emphasize in the build space is ensuring that you have a scripted build, and that's kind of the next place I was going to go, right. I think provenance is another interesting area to talk about, but let me see where else you two wanted to go before we do that.
C
I think what I was curious about is: we talk a lot about, you know, implementing these best practices, and a lot of times they're evolving with our industry because it moves so quickly. But when you have a large organization, what do you think are some, I guess, ways to have the least amount of disruption to the business when you're trying to implement a good supply chain security policy?
A
Yeah, so, I mean, I think that's why, when you look at SLSA level one, or some of the things I just talked about, auditing, collecting log files, right, that minimizes the impact. However, getting to something like SLSA level four... and by the way, provenance is in SLSA level one, and that's something that not everyone is used to doing. Think of provenance as being tied to the concept of software bill of materials, right. Where did my code come from?

Thinking about SBOMs has been going on for, you know, many years, and standards in that space such as SPDX started being developed as early as 2010, if not earlier, so there's a lot available. But the reality is that, kind of, as this evolves and as you start to increase your maturity level for supply chain security, you probably need to also start looking at your tool chain, at your tools, right. Do you want to evaluate: are those tools that you've been using, Lord knows sometimes for 10, 20 years, are those the right tools to meet these new sets of requirements? And most of us in this industry are going to have to address the requirements that are in the executive order and things that are feeding some of these new standards. If you sell to the government, work with the US government, you have to address these. Software bill of materials is part of that. So you may need to add some new tools.

So I think organizations are used to expecting from companies like Red Hat that the code we produce and ship for consumption by our end users is signed, right. So I can attest to the validity of what I pull down from Red Hat by verifying the signature that Red Hat provides for the content we ship. But adding signatures for custom code that organizations are producing through their own supply chain is not so simple, right. It's been easy to kind of add that signature at the end, when you've got that final set of code that you're shipping out the door. But this is, you know, the goal of Sigstore has been: make it easier to add signatures, and more than one signature, to content as it moves through the supply chain. And traditional signing tools just, you know, weren't that well developed for, or designed for, working and being integrated into a CI/CD pipeline.
B
And I think the integration and the automation is the key point there, right, because you don't want the developer, you don't want the operator going and signing all these things. You want it so that whenever something gets accepted into the main branch, it goes through that attestation process, and that, if we're ever expanding or making any changes, we can verify that the original build is correct. Right?
A
Absolutely, and one of the additional things with Sigstore, right, and there are elements of Sigstore that you can adopt independently of each other, but Rekor, the signature transparency log, is key for what you just described, Mike, right, so that I can have a series of signatures and I can trace those signatures. You know, even if it's for the same artifact: say somebody downloads something from Red Hat. They verify the Red Hat signature, but now they want to add their signature to say this is approved for use, for production use, in my organization, and something like Rekor gives you a transparency log where you can track that chain of signatures. You know, this is one of the reasons we saw the Kubernetes community adopt Sigstore for signing the artifacts coming out of the different CNCF Kubernetes projects, so really great to see that kind of adoption, and I think that will help other organizations look at: how could we do that, right? If there's a model in the open source community that they can follow.
C
Things like that, like with Sigstore, I'm curious, is sort of that being that best practice? You know, I think we talk a lot about DevOps and sort of this movement to DevSecOps, right, and involving that idea of, you know, signing things and verifying things and zero trust networking and all these different things you want to be able to apply, and I'm curious: how do you see supply chain security as it moves towards that maturity model you were discussing, of DevSecOps?
A
Well, I think one of the challenges with the DevSecOps phrase, honestly, is that we don't have a common understanding in our industry of what is meant by DevSecOps, right. If you talk to the folks who really initiated the DevOps movement in particular, they'll say security checks were always intended to be part of the DevOps process. But I also think that at that point in time, and even, you know, right now, I think people think of DevSecOps as looking at the security of the code that is moving through the pipeline. How do you feed security information discovered in the dev process into ops, to inform your security policies at deploy time and at runtime? And that closed loop is a big challenge, but that's only one piece of supply chain security, and that's the piece that has been less... that's kind of, well, the closed loop piece. I would say that we're still, as an industry, working on closing that loop. Solutions like StackRox help with that, but again, kind of the newer emphasis is on securing the tool chain itself. And so in that case, actually, let me separate those two things. So Sigstore helps with that first DevSecOps flavor, right: I can sign content as it moves through the pipeline. Now I want to look at attestation of the steps in my tool chain, and this is where a combination, if you're doing Kubernetes-native tool chains, or, you know, pipelines, using something like Tekton with Tekton Chains, which has an integration with Sigstore for signing my pipeline tasks. That's kind of the next step up, right. So talking about attestation, not just of my content, but of the tasks themselves, and in fact this is something that the SolarWinds organization has done.
B
Awesome, yeah. They... sorry. We got a lot. I was actually hoping that you could break down sort of the Sigstore project, its different components, hopefully, because I know there's a couple of moving parts. I sometimes get confused with all of the different projects, so do you mind sort of just outlining the use case and how each tool is used?
A
Yep, sure. So again, this is all about making it easy to sign artifacts, different types of artifacts, in a CI/CD pipeline, in particular focused on cloud native containerized solutions. So some of the elements: again, signing and verification and provenance checks are important. So the three main parts are cosign, where the "co" stands for container signing, right, making it easier to do signing of containers, OCI-compliant containers, right, and making those signatures sort of invisible infrastructure. A key part, right: those signatures need to travel with that image itself. Rekor, which I already mentioned, right: a transparency and timestamping service. It stores signed metadata in a ledger that can be searched but can't be tampered with. And then Fulcio, which is one of my favorite parts of it, but I think it's going to take longer for this to be adopted, right. It's a free root certification authority, so cosign can be backed by a corporate CA. It can be backed by Fulcio if you want to use this free cert authority, sort of like, you know, Let's Encrypt, if you're familiar with Let's Encrypt. And then also, you know, with cosign you can do OIDC-based keyless signing, which is another cool thing. And I guess that's a part that I think is going to take probably more time as well. But imagine you're working in a pipeline. You've got to log into GitHub to authenticate yourself to work with your source code. Maybe that's an OIDC-based login, right. You've got that on top of OAuth. So now I can use that data to do my auth, to sign the content that I'm generating while I'm working in that environment. Yeah, that really simplifies the process, right. I don't have to reach out to an external corporate CA, so.
A
Yeah, I think you meant Rekor, but yep. So Rekor, in fact, like the Kubernetes community is, you know, will have, and the Linux Foundation is sponsoring an open, a public Rekor signature transparency log.
B
The enforcement of some of this. What do you sort of see happening?
A
Not, you know, big companies like Red Hat; they're signing what they ship, but a lot of organizations aren't using internal sigs or ver... for, and, you know, when they're deploying their custom content into their environment. Some are, but a lot, they want to, but they haven't gotten there yet, and again, I think solutions like Sigstore are gonna help with that. But then the next step is making sure that that Helm chart hasn't been tampered with, making sure that your deployment YAML hasn't been tampered with, right, and so adding signatures to those and being able to verify those signatures on admission. Also, managing everything as code is a key principle in this world, right. So a solution like Tekton helps me now manage my pipeline as code. I can sign my pipeline tasks, but then also I can do configuration as code for my cluster.
A
B
B
A
I
could
certainly
imagine
that
that
folks
would
like
it
would
like
to
get
to
a
place
where
it's
all
one
and
it's
and
it's
simpler
to
manage.
I
I
don't
know,
I'm
not
sure
what
my
prediction
is.
A
May
see
anything
in
there
and,
though
again
I
think,
as
you
say
right,
one
of
the
things
that
that
I
do
think
we're
hearing
in
the
kubernetes
world
right
is:
is
that
kubernetes?
It's
a
wonderful
application,
orchestration
platform
and
it's
challenging
right.
What
are
the
tools
that
can
help
developers
focus
on
writing
the
code
that
drives
business
value
and
you
know
not
have
to
spend
quite
so
much
time
on
all
the
piece
parts
that
enable
the
kubernetes
orchestration
right.
So
can
we
provide
more
automation
as
a
community
in
that
space,
to
simplify
that?
A
I
think
you
know.
We've
been
seeing
emphasis
on
on
the
build
environment
as
well.
So
it's
going
to
be
interesting
to
to
sort
of
see
how
that
all
evolves
right,
we've
already
gone
through
the
helm
versus
operators
thing
and
and
landed
on.
It's
not
versus
there
are
cases
where
helm
charts
are
your
best
thing
and
other
scenarios
where
operators
are
are
the
best
thing
for
the
situation
for
the
application.
B
It sort of bleeds into the next question. I think I might be stealing this one from Kim, but, you know, with there sort of being some variability in how this is going to be applied: things like SLSA, which are frameworks; then you have technologies like Sigstore; you're probably going to see other technologies that pull from that open source and create something that's maybe like a startup that they're going to sell to larger customers. So with all of those moving parts...
A
Yeah, so, today, security and regulatory compliance is very focused on platforms and then the applications themselves, and so we're seeing more automation for compliance happening. Kind of, we talk about that at Red Hat as compliance as code. We actually have a GitHub repo that is not used just by Red Hat but by other large organizations as well, where you can write code that helps to audit for compliance of a platform. You can use something like the OpenSCAP scanner on a container image itself to see if it is hardened appropriately for PCI DSS or other things. And so, you know, I think, as organizations just, you know, kind of move ahead in this supply chain maturity model, they're probably going to be looking for proof points, auditability. SBOMs, probably also a major thing. The cool thing about SBOMs, though, software bill of materials, right, is they've been around; tools to do that have been around for a while. It's just they were used by a subset of the industry, and now I think the use cases for those who have brought it... but yeah, it, you know, and the more you're automated, the easier it is to audit.
B
Well, for Kim and I, I think we're pretty much almost out of questions, but I did have sort of a too-long-didn't-watch question I want to throw at you. For, let's say, security 101 people: you're looking to get started in supply chain security. Do you have any specific resources or documentation or call-outs where, hey, I want to get started, where should I go? Anything that comes to your mind.
A
I... so I think that, again, if you're in... I would say that the slsa.dev webpage has a great overview, and plus it breaks it into levels, which makes it easier for you to kind of move up in terms of increasing the level of security or maturity that you're adding. You know, lots of additional information and content, and that might be a place where, kind of, maybe you start by reading the white paper, and then you go check out SLSA for a more concrete set of things that you might apply, right. That general guidance, that context provided by the white paper, and then, man, how do I go about doing those things? Check out SLSA for kind of the step-by-step approach.
B
Awesome. Well, it looks like the thunderstorm might have gotten Kim, but before we go, before I let you go, is there any place that any of your followers can contact you? Any talks that you're giving? Because I know...
A
Yeah, certainly, there are videos on YouTube. I am not going to be at KubeCon North America this year, but I was at KubeCon EU talking about cloud native security, not supply chain security specifically, but there are a range of recordings with me on YouTube. Y'all are welcome to go there. Being in the security space, sorry, I don't do Twitter, you know, so actually that's really more a personal preference. But yeah, so great to talk with you all today.
B
Awesome, yeah. So the next show, it's going to be September 20th, so the third Tuesday of every month at this time, 2 p.m. Eastern; that's when we're going to be doing the show. If you're looking for a security topic, you can find me in the CNCF Slack, or email me at mfoster at Red Hat, but we're always looking for security topics other than that monthly show, and we look to see you back here next month. Kim, anything that you want to say before we go?
B
Thank you so much, Kirsten. Thanks for watching, and hope everybody has a great rest of their day. Take.