Software Supply Chains for DevOps
Aysylu Greenberg
July 20, 2021
Speaker introduction: Aysylu Greenberg
● Sr Software Engineer @ Google
● Tech Lead of GCP Container Analysis and Container Scanning team
● Maintainer of Grafeas and Kritis OSS projects
● Track Host of the inaugural Software Supply Chain track @ QCon SF 2019
● @aysylu22
What do these 3 have in common?
EventStream
Proprietary + Confidential
Modern Challenges in Software Supply Chains
https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
Software Supply Chains = SSC
Today
● Q & A
● Software Supply Chains
● Open problems
● Existing Solutions
● SSC for DevOps
Software Supply Chains
Boxes in the diagram: Source code; Test; OSS & proprietary libs; Build; Deploy to Production; Deploy to Staging; Incident; Monitor workloads; Patch Management.
The same diagram is then shown three more times with an overlay marking which of these stages are covered by the CI pipeline, by the CD pipeline, and by observability tools.
Source to Prod
CI/CD pipelines: Build & Deploy (Build process; Automated test, scan, analysis; Deploy checks) → Production → Incident

Incident: O11y to the Rescue
Same pipeline; once an incident hits, observability is what tells you what is happening in Production.

Incident: from Prod to Source
Walking back from the incident in Production through Build & Deploy, Deploy checks, Automated test/scan/analysis and the Build process, every step is marked "?": the link from the running workload back to its source is not recorded anywhere. The slides then label the missing layer, under the whole pipeline, "Universal Artifact Metadata".
What level of detail should we collect?
Collect everything! You never know when you'll need that info, and fine granularity helps to avoid o11y gaps.

Am I going to get overwhelmed with information?
The right signal to noise ratio is important.
Example: report all vulnerabilities on an image. False positives?
Compliance (e.g. FedRAMP) requires detailed information about the software supply chain.

How to efficiently query for these details?
Need vertical and horizontal querying.
Horizontal query? Across all artifacts with a specific property.
"Find all images that are built from a particular GitHub commit that is known to have introduced a security problem."
Vertical query? Metadata across the SDLC for a specific artifact.
"Find all source, build, test, vulnerabilities, and deployments metadata for a container image."
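Added example (not from the slides and not Grafeas code): an in-memory artifact-metadata store in Go that indexes occurrences both by artifact and by source commit, so the horizontal query ("all images built from this commit") and the vertical query ("everything recorded about this image") are each a single lookup. It also chains the two into the incident-response question from the previous slides: of the images built from a known-bad commit, which are still running? The kind names, the Occurrence shape, the image URIs, commit ids and the CVE id are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Kind mirrors the "kind" attribute that the slides' Grafeas filters match on
// (a constructed subset; the real API defines more kinds).
type Kind string

const (
	KindBuild         Kind = "BUILD"
	KindVulnerability Kind = "VULNERABILITY"
	KindDeployment    Kind = "DEPLOYMENT"
)

// Occurrence is one piece of metadata about one artifact: the SDLC stage that
// produced it, the artifact it describes, and kind-specific details.
type Occurrence struct {
	Kind        Kind
	ResourceURI string            // container image URI, ideally digest-pinned
	Details     map[string]string // e.g. "commit" for BUILD, "cve" for VULNERABILITY
	CreateTime  time.Time
	Undeployed  bool // DEPLOYMENT only: true once the workload has stopped
}

// Store indexes occurrences in both directions so that vertical queries
// (everything about one artifact) and horizontal queries (every artifact with
// one property) are lookups rather than full scans.
type Store struct {
	byArtifact map[string][]Occurrence
	byCommit   map[string]map[string]bool // source commit -> image URIs built from it
}

func NewStore() *Store {
	return &Store{byArtifact: map[string][]Occurrence{}, byCommit: map[string]map[string]bool{}}
}

// Add records an occurrence and maintains the commit index for BUILD records.
func (s *Store) Add(o Occurrence) {
	s.byArtifact[o.ResourceURI] = append(s.byArtifact[o.ResourceURI], o)
	if c, ok := o.Details["commit"]; ok && o.Kind == KindBuild {
		if s.byCommit[c] == nil {
			s.byCommit[c] = map[string]bool{}
		}
		s.byCommit[c][o.ResourceURI] = true
	}
}

// ImagesBuiltFromCommit is the horizontal query from the slides.
func (s *Store) ImagesBuiltFromCommit(commit string) []string {
	uris := make([]string, 0, len(s.byCommit[commit]))
	for uri := range s.byCommit[commit] {
		uris = append(uris, uri)
	}
	sort.Strings(uris)
	return uris
}

// History is the vertical query: all metadata for one artifact, oldest first.
func (s *Store) History(uri string) []Occurrence {
	h := append([]Occurrence(nil), s.byArtifact[uri]...)
	sort.Slice(h, func(i, j int) bool { return h[i].CreateTime.Before(h[j].CreateTime) })
	return h
}

// RunningImagesFromCommit chains both directions: of the images built from a
// commit known to be bad, which still have a live deployment?
func (s *Store) RunningImagesFromCommit(commit string) []string {
	var running []string
	for _, uri := range s.ImagesBuiltFromCommit(commit) {
		for _, o := range s.byArtifact[uri] {
			if o.Kind == KindDeployment && !o.Undeployed {
				running = append(running, uri)
				break
			}
		}
	}
	return running
}

// sampleStore loads constructed metadata: two images built from the same
// commit, one rolled back and one still serving traffic.
func sampleStore() *Store {
	t0 := time.Date(2021, 7, 1, 0, 0, 0, 0, time.UTC)
	s := NewStore()
	s.Add(Occurrence{KindBuild, "gcr.io/demo/api@sha256:aaa", map[string]string{"commit": "deadbeef"}, t0, false})
	s.Add(Occurrence{KindBuild, "gcr.io/demo/web@sha256:bbb", map[string]string{"commit": "deadbeef"}, t0.Add(time.Hour), false})
	s.Add(Occurrence{KindBuild, "gcr.io/demo/web@sha256:ccc", map[string]string{"commit": "cafef00d"}, t0.Add(2 * time.Hour), false})
	s.Add(Occurrence{KindVulnerability, "gcr.io/demo/api@sha256:aaa", map[string]string{"cve": "CVE-EXAMPLE-0001"}, t0.Add(3 * time.Hour), false})
	s.Add(Occurrence{KindDeployment, "gcr.io/demo/api@sha256:aaa", nil, t0.Add(4 * time.Hour), false})
	s.Add(Occurrence{KindDeployment, "gcr.io/demo/web@sha256:bbb", nil, t0.Add(4 * time.Hour), true})
	return s
}

func main() {
	s := sampleStore()
	fmt.Println("built from deadbeef:", s.ImagesBuiltFromCommit("deadbeef"))
	fmt.Println("still running:", s.RunningImagesFromCommit("deadbeef"))
	for _, o := range s.History("gcr.io/demo/api@sha256:aaa") {
		fmt.Printf("%s %s %v\n", o.CreateTime.Format(time.RFC3339), o.Kind, o.Details)
	}
}
```

The point of keeping two indexes is the one the slide makes about efficiency: a metadata service that only stores per-artifact records forces a full scan for every "which images are affected?" question during an incident, which is exactly when you cannot afford it.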
Software Supply Chains Solutions
The solutions map onto the same pipeline (Build process; Automated test, scan, analysis; Deploy checks; Build & Deploy; Production), with Universal Artifact Metadata as the layer underneath all of them.

Artifact metadata API: Grafeas
github.com/grafeas/grafeas
grafeas.io
API to audit and govern your software supply chain
Container Analysis API on GCP
Find all workloads that exceed build horizon

// Assumed surroundings, not shown on the slide: this runs inside a function with
// ctx (context.Context), client (a Grafeas client), flags *projectID (string) and
// *buildHorizon (time.Duration), the Grafeas Go proto package imported as gpb,
// and a glog-style logger imported as log.
runningImgs := map[string]bool{}

occResp, err := client.ListOccurrences(ctx, &gpb.ListOccurrencesRequest{
	Parent: fmt.Sprintf("projects/%s", *projectID),
	Filter: `kind = "DEPLOYABLE"`,
})
if err != nil {
	log.Fatalf("listing deployment occurrences: %v", err)
}
// A real run should also follow NextPageToken; a single page is enough for the slide.
for _, occ := range occResp.GetOccurrences() {
	if occ.GetDeployment().GetUndeployTime() == nil {
		// The workload is still running.
		runningImgs[occ.GetResourceUri()] = true
	}
}
for img := range runningImgs { // range over the map keys (image URIs), not the bool values
	buildResp, err := client.ListOccurrences(ctx, &gpb.ListOccurrencesRequest{
		Parent: fmt.Sprintf("projects/%s", *projectID),
		Filter: fmt.Sprintf(`kind="BUILD_DETAILS" AND resourceUrl=%q`, img),
	})
	if err != nil {
		log.Errorf("listing build occurrences for %s: %v", img, err)
		continue
	}
	// Assume each build generates a unique container image URI, so at most
	// one build occurrence matches. Guard against none: an image with no build
	// metadata cannot be checked against the policy and is itself a finding.
	builds := buildResp.GetOccurrences()
	if len(builds) == 0 {
		log.Warningf("No build metadata for running image %s.", img)
		continue
	}
	build := builds[0]
	if time.Since(build.GetCreateTime().AsTime()) > *buildHorizon {
		log.Infof("Workload running image %s is exceeding build horizon policy of %q.", img, *buildHorizon)
	}
}
Software Supply Chains Solutions (continued)

Deploy Policy Checks: Kritis & Voucher
github.com/grafeas/kritis
Kritis: deploy-time policy enforcer for Kubernetes applications
github.com/grafeas/voucher
Voucher creates attestations for Binary Authorization

Deploy Policy Checks: Binary Authorization on GCP
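Added example, not code from Kritis, Voucher or Binary Authorization: a minimal deploy-time admission check in Go built on the model those tools share, where an attestation is a signature by a trusted attestor over a digest-pinned image reference, and a policy names the attestors that must all have signed before the image is admitted. The payload format, attestor names, image references and keys are constructed for this example; the scenarios cover the cases an admission controller has to get right (a missing attestor, an attestation for a different image, a signature under the right name but an untrusted key, and a tag-only reference).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Attestation is a constructed, simplified version of what an attesting step
// produces after its check passes: one attestor's signature over an image reference.
type Attestation struct {
	Attestor  string
	ImageRef  string
	Signature []byte
}

// Attestor is a check the policy trusts, identified by the public key that
// signs its attestations.
type Attestor struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// Policy is the deploy-time rule: every listed attestor must have signed.
type Policy struct {
	Required []Attestor
}

// payload fixes the exact bytes that are signed (constructed format), so an
// attestation for one image cannot be replayed for another.
func payload(imageRef string) []byte { return []byte("attestation/v1:" + imageRef) }

// Sign is the pipeline side: called by the step that ran the check.
func Sign(name string, priv ed25519.PrivateKey, imageRef string) Attestation {
	return Attestation{Attestor: name, ImageRef: imageRef, Signature: ed25519.Sign(priv, payload(imageRef))}
}

// Admit is the admission side. It refuses tag-only references (a tag can be
// re-pointed after the attestation was made) and then requires a valid
// signature from every attestor in the policy. The second value lists the
// reasons for a denial.
func (p Policy) Admit(imageRef string, atts []Attestation) (bool, []string) {
	if !strings.Contains(imageRef, "@sha256:") {
		return false, []string{"image reference is not digest-pinned"}
	}
	var reasons []string
	for _, req := range p.Required {
		satisfied := false
		for _, a := range atts {
			if a.Attestor != req.Name || a.ImageRef != imageRef {
				continue
			}
			if ed25519.Verify(req.PublicKey, payload(imageRef), a.Signature) {
				satisfied = true
				break
			}
		}
		if !satisfied {
			reasons = append(reasons, "missing or invalid attestation from "+req.Name)
		}
	}
	return len(reasons) == 0, reasons
}

// Decisions collects the outcomes of the constructed scenarios in demo().
type Decisions struct {
	FullyAttested, MissingOne, OtherImage, UntrustedKey, TagOnly bool
}

// demo wires up a two-attestor policy and runs the admission scenarios.
// Keys are generated on the fly; digests are constructed placeholders.
func demo() Decisions {
	scanPub, scanPriv, _ := ed25519.GenerateKey(rand.Reader)
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // a key the policy does not trust

	policy := Policy{Required: []Attestor{
		{Name: "vuln-scan-passed", PublicKey: scanPub},
		{Name: "built-by-trusted-ci", PublicKey: ciPub},
	}}
	img := "gcr.io/demo/api@sha256:aaa"
	good := []Attestation{
		Sign("vuln-scan-passed", scanPriv, img),
		Sign("built-by-trusted-ci", ciPriv, img),
	}
	untrusted := []Attestation{
		Sign("vuln-scan-passed", roguePriv, img), // right name, wrong key
		Sign("built-by-trusted-ci", ciPriv, img),
	}
	var d Decisions
	d.FullyAttested, _ = policy.Admit(img, good)
	d.MissingOne, _ = policy.Admit(img, good[:1])
	d.OtherImage, _ = policy.Admit("gcr.io/demo/api@sha256:bbb", good)
	d.UntrustedKey, _ = policy.Admit(img, untrusted)
	d.TagOnly, _ = policy.Admit("gcr.io/demo/api:latest", nil)
	return d
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

Only the first scenario should be admitted. The digest-pinning check comes before any signature check because a valid attestation over a mutable tag proves nothing about the bytes that will actually run.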
Software Bill of Materials
spdx.dev
Open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references

Integrity of Supply Chain
in-toto.io
A framework to secure the integrity of software supply chains
Some Open Problems (not a complete list)
● Secure builds and supply chain
● Compliance
● Supply chain integrity
● Data quality in vulnerability scanning
● Security and integrity in OSS
Takeaways
01 Software supply chains = SDLC in Cloud
02 SSC metadata needed to help DevOps
03 Existing solutions (Grafeas, SBOM, Kritis, in-toto), challenges & open problems
Q & A
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 

Software Supply Chains for DevOps @ InfoQ Live 2021

  • 1. Software Supply Chains for DevOps Aysylu Greenberg July 20, 2021
  • 2. Speaker introduction ● Sr Software Engineer @ Google ● Tech Lead of GCP Container Analysis and Container Scanning team ● Maintainer of Grafeas and Kritis OSS projects ● Track Host of the inaugural Software Supply Chain track @ QCon SF 2019 ● @aysylu22 Aysylu Greenberg
  • 3. What do these 3 have in common? EventStream
  • 5. Modern Challenges in Software Supply Chains
  • 6. Modern Challenges in Software Supply Chains https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
  • 8. Proprietary + Confidential Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps
  • 10. Software Supply Chains Source code Test OSS & proprietary libs Build Deploy to Production Deploy to Staging Incident Monitor workloads Patch Management
  • 11. Software Supply Chains Source code Test OSS & proprietary libs Build Deploy to Production Deploy to Staging Monitor workloads CI pipeline Incident Patch Management
  • 12. Software Supply Chains Source code Test OSS & proprietary libs Build Deploy to Production Deploy to Staging Monitor workloads CD pipeline Incident Patch Management
  • 13. Software Supply Chains Source code Test OSS & proprietary libs Build Deploy to Production Deploy to Staging Monitor workloads Observability tools Incident Patch Management
  • 14. Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps
  • 16. Source to Prod CI/CD pipelines Build & Deploy Build process Automated test, scan, analysis Deploy checks Production
  • 17. Incident CI/CD pipelines Automated test, scan, analysis Deploy checks Production Build & Deploy Build process
  • 18. Incident: O11y to the Rescue CI/CD pipelines Automated test, scan, analysis Deploy checks Production Build & Deploy Build process
  • 19. Incident: from Prod to Source CI/CD pipelines Automated test, scan, analysis Deploy checks Production Build & Deploy ? ? ? ? Build process
  • 20. Incident: from Prod to Source CI/CD pipelines Automated test, scan, analysis Deploy checks Production Build & Deploy ? ? ? ? ? Build process
  • 21. Incident: from Prod to Source Universal Artifact Metadata Automated test, scan, analysis Deploy checks Production Build & Deploy ? ? ? ? ? Build process
  • 23. What level of detail should we collect?
  • 24. What level of detail should we collect? Collect everything! You never know when you'll need that info, and fine granularity helps to avoid o11y gaps.
  • 25. Am I going to get overwhelmed with information?
  • 28. Am I going to get overwhelmed with information? The right signal to noise ratio is important. Example: report all vulnerabilities on an image. False positives? Compliance (e.g. FedRAMP) requires detailed information about the software supply chain.
  • 29. How to efficiently query for these details?
  • 30. How to efficiently query for these details? Need vertical and horizontal querying.
  • 31. Horizontal query? Across all artifacts with a specific property. "Find all images that are built from a particular Github commit that is known to have introduced a security problem."
  • 32. Vertical query? Metadata across SDLC for a specific artifact. "Find all source, build, test, vulnerabilities, and deployments metadata for a container image."
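The two query shapes above, as an added example (not code from the deck or from Grafeas): a small in-memory metadata store in Go that indexes constructed occurrences both ways, so the horizontal question (every image built from one commit) and the vertical one (everything known about one image) are each a lookup, and the incident workflow from the earlier slides, from a bad commit to the images still running it, chains the two. The Occurrence shape, the attribute names, the image names and the placeholder CVE are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Occurrence is a deliberately simplified artifact-metadata record in the shape
// Grafeas uses, one fact of one kind about one resource. The shape and the
// attribute names are assumptions of this example, not the Grafeas API types.
type Occurrence struct {
	ResourceURI string            // the artifact, e.g. an image pinned by digest
	Kind        string            // BUILD, VULNERABILITY, DEPLOYMENT, ...
	Attrs       map[string]string // kind-specific details: commit, cve, env, ...
}

// MetadataStore indexes every occurrence on both axes, by artifact (vertical)
// and by kind+property (horizontal), so either question is a lookup, not a scan.
type MetadataStore struct {
	byResource map[string][]Occurrence
	byProperty map[string][]string // "KIND:attr=value" -> resource URIs
}

func NewMetadataStore() *MetadataStore {
	return &MetadataStore{
		byResource: map[string][]Occurrence{},
		byProperty: map[string][]string{},
	}
}

func propertyKey(kind, attr, value string) string {
	return kind + ":" + attr + "=" + value
}

// Add records one occurrence in both indexes.
func (s *MetadataStore) Add(o Occurrence) {
	s.byResource[o.ResourceURI] = append(s.byResource[o.ResourceURI], o)
	for attr, value := range o.Attrs {
		key := propertyKey(o.Kind, attr, value)
		s.byProperty[key] = append(s.byProperty[key], o.ResourceURI)
	}
}

// Horizontal answers "which artifacts have this property?", for example every
// image whose BUILD metadata names a given source commit.
func (s *MetadataStore) Horizontal(kind, attr, value string) []string {
	seen := map[string]bool{}
	uris := []string{}
	for _, uri := range s.byProperty[propertyKey(kind, attr, value)] {
		if !seen[uri] {
			seen[uri] = true
			uris = append(uris, uri)
		}
	}
	sort.Strings(uris)
	return uris
}

// Vertical answers "what do we know about this artifact?", grouped by kind.
func (s *MetadataStore) Vertical(uri string) map[string][]Occurrence {
	out := map[string][]Occurrence{}
	for _, o := range s.byResource[uri] {
		out[o.Kind] = append(out[o.Kind], o)
	}
	return out
}

// RunningImagesFromCommit is the incident workflow: horizontally find every
// image built from the bad commit, then vertically check which is still deployed.
func RunningImagesFromCommit(s *MetadataStore, commit string) []string {
	running := []string{}
	for _, uri := range s.Horizontal("BUILD", "commit", commit) {
		for _, d := range s.Vertical(uri)["DEPLOYMENT"] {
			if d.Attrs["undeployTime"] == "" { // no undeploy recorded: still running
				running = append(running, uri)
				break
			}
		}
	}
	return running
}

// SampleStore holds constructed metadata: two images from one commit, one of
// them already undeployed. Names and the placeholder CVE are made up.
func SampleStore() *MetadataStore {
	api := "registry.example/shop/api@sha256:1111"
	web := "registry.example/shop/web@sha256:2222"
	s := NewMetadataStore()
	s.Add(Occurrence{ResourceURI: api, Kind: "BUILD", Attrs: map[string]string{"commit": "deadbeef", "builder": "ci"}})
	s.Add(Occurrence{ResourceURI: web, Kind: "BUILD", Attrs: map[string]string{"commit": "deadbeef", "builder": "ci"}})
	s.Add(Occurrence{ResourceURI: api, Kind: "VULNERABILITY", Attrs: map[string]string{"cve": "CVE-XXXX-0001", "severity": "HIGH"}})
	s.Add(Occurrence{ResourceURI: api, Kind: "DEPLOYMENT", Attrs: map[string]string{"env": "prod", "undeployTime": ""}})
	s.Add(Occurrence{ResourceURI: web, Kind: "DEPLOYMENT", Attrs: map[string]string{"env": "prod", "undeployTime": "2021-07-01T00:00:00Z"}})
	return s
}

func main() {
	s := SampleStore()
	fmt.Println("built from deadbeef:", s.Horizontal("BUILD", "commit", "deadbeef"))
	fmt.Println("kinds recorded for api:", len(s.Vertical("registry.example/shop/api@sha256:1111")))
	fmt.Println("still running:", RunningImagesFromCommit(s, "deadbeef"))
}
```

The point of the double index is the one the slides make: at incident time you rarely start from the artifact you care about. You start from a property (a commit, a CVE, a builder) and need the set of artifacts carrying it, and only then drill into each artifact's full history.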
  • 33. Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps
  • 35. Software Supply Chains Solutions Universal Artifact Metadata Automated test, scan, analysis Deploy checks Production Build & Deploy Build process
  • 36. Software Supply Chains Solutions Automated test, scan, analysis Deploy checks Production Build & Deploy Build process Universal Artifact Metadata
  • 37. Artifact metadata API: Grafeas github.com/grafeas/grafeas grafeas.io API to audit and govern your software supply chain
  • 39. Find all workloads that exceed build horizon

```go
// Slide code, reformatted from one line. Assumed in scope from the surrounding
// program: ctx, a Grafeas API client (gpb is the Grafeas proto package), a
// glog-style logger, and the *projectID and *buildHorizon flags. Unlike the
// slide, errors are checked, the map is ranged over its keys rather than its
// values, and an image with no build occurrence is reported instead of
// indexing an empty result list.
runningImgs := map[string]bool{}

// First query: every deployment occurrence in the project; keep the images
// whose deployment has no undeploy time, i.e. the workloads still running.
occResp, err := client.ListOccurrences(ctx, &gpb.ListOccurrencesRequest{
	Parent: fmt.Sprintf("projects/%s", *projectID),
	Filter: `kind = "DEPLOYABLE"`,
})
if err != nil {
	log.Fatalf("listing deployment occurrences: %v", err)
}
for _, occ := range occResp.GetOccurrences() {
	if occ.GetDeployment().GetUndeployTime() == nil {
		// The workload is still running.
		runningImgs[occ.GetResourceUri()] = true
	}
}

// Second query, per running image: its build occurrence, whose creation time
// is compared against the build horizon policy.
for img := range runningImgs {
	buildResp, err := client.ListOccurrences(ctx, &gpb.ListOccurrencesRequest{
		Parent: fmt.Sprintf("projects/%s", *projectID),
		Filter: fmt.Sprintf(`kind="BUILD_DETAILS" AND resourceUrl=%q`, img),
	})
	if err != nil {
		log.Errorf("listing build occurrences for %s: %v", img, err)
		continue
	}
	builds := buildResp.GetOccurrences()
	if len(builds) == 0 {
		// No build provenance at all is a metadata gap worth reporting on its own.
		log.Warningf("Workload running image %s has no build occurrence.", img)
		continue
	}
	// assume each build generates a unique container image URI
	build := builds[0]
	if time.Since(build.GetCreateTime().AsTime()) > *buildHorizon {
		log.Infof("Workload running image %s is exceeding build horizon policy of %q.", img, *buildHorizon)
	}
}
```
  • 53. Deploy Policy Checks: Kritis github.com/grafeas/kritis Deploy-time Policy Enforcer for Kubernetes applications
  • 54. Deploy Policy Checks: Kritis & Voucher github.com/grafeas/kritis github.com/grafeas/voucher Voucher creates attestations for Binary Authorization
  • 55. Deploy Policy Checks: Binary Authorization on GCP
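A deploy-time policy check in the style of Kritis and Binary Authorization, as an added example (not code from Kritis, Voucher or Binary Authorization): the policy requires a digest-pinned image reference, caps vulnerability severity with an explicit CVE allowlist, and requires a valid attestation from each named attestor, where an attestation is an Ed25519 signature over the image digest reference. The policy fields, type names, placeholder CVE IDs and image names are assumptions made for the example; real Binary Authorization attestations are PGP or PKIX signatures over a payload that names the image digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// severityRank orders scanner severities so a policy can say "nothing above MEDIUM".
var severityRank = map[string]int{"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

type Vulnerability struct {
	CVE      string
	Severity string
}

// Attestation is an attestor's signature over the image digest reference: the
// attestor vouches that this exact image passed its checks.
type Attestation struct {
	Attestor  string
	Signature []byte
}

// Policy fields are assumptions for this example, not the Kritis ISP schema.
type Policy struct {
	MaxSeverity       string
	AllowlistCVEs     map[string]bool
	RequiredAttestors map[string]ed25519.PublicKey // attestor name -> verification key
}

type Decision struct {
	Allowed bool
	Reasons []string
}

// Evaluate decides whether image may be admitted, given the vulnerability
// occurrences and attestations recorded for it. Every failed rule is reported,
// not just the first, so the deployer sees the full list of what to fix.
func Evaluate(p Policy, image string, vulns []Vulnerability, atts []Attestation) Decision {
	var reasons []string

	// Rule 1: the reference must be pinned by digest. A mutable tag can be
	// repointed after scanning, so metadata looked up by tag proves nothing.
	if !strings.Contains(image, "@sha256:") {
		reasons = append(reasons, "image is not pinned by digest: "+image)
	}

	// Rule 2: no vulnerability above the policy ceiling unless explicitly allowlisted.
	ceiling := severityRank[p.MaxSeverity]
	for _, v := range vulns {
		if p.AllowlistCVEs[v.CVE] {
			continue
		}
		if severityRank[v.Severity] > ceiling {
			reasons = append(reasons, fmt.Sprintf("%s (%s) exceeds max severity %s", v.CVE, v.Severity, p.MaxSeverity))
		}
	}

	// Rule 3: every required attestor must have signed this exact image reference.
	for name, key := range p.RequiredAttestors {
		if !hasValidAttestation(name, key, image, atts) {
			reasons = append(reasons, "missing or invalid attestation from "+name)
		}
	}
	return Decision{Allowed: len(reasons) == 0, Reasons: reasons}
}

func hasValidAttestation(name string, key ed25519.PublicKey, image string, atts []Attestation) bool {
	for _, a := range atts {
		if a.Attestor == name && ed25519.Verify(key, []byte(image), a.Signature) {
			return true
		}
	}
	return false
}

// Attest is the attestor side, run after its own checks pass.
func Attest(name string, priv ed25519.PrivateKey, image string) Attestation {
	return Attestation{Attestor: name, Signature: ed25519.Sign(priv, []byte(image))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{
		MaxSeverity:       "MEDIUM",
		AllowlistCVEs:     map[string]bool{"CVE-XXXX-0002": true},
		RequiredAttestors: map[string]ed25519.PublicKey{"qa-attestor": pub},
	}
	good := "registry.example/shop/api@sha256:1111"
	// Constructed scanner output; the IDs are placeholders, not real CVEs.
	vulns := []Vulnerability{{"CVE-XXXX-0001", "LOW"}, {"CVE-XXXX-0002", "HIGH"}}
	fmt.Println(Evaluate(policy, good, vulns, []Attestation{Attest("qa-attestor", priv, good)}))
	// The same attestation replayed for another digest no longer verifies.
	other := "registry.example/shop/api@sha256:2222"
	fmt.Println(Evaluate(policy, other, vulns, []Attestation{Attest("qa-attestor", priv, good)}))
	fmt.Println(Evaluate(policy, "registry.example/shop/api:latest", vulns, nil))
}
```

Two design points carry over to the real tools: the signature binds the attestation to a digest, so an attestation cannot be reused for a different build of the same tag, and the allowlist is by CVE ID with no wildcard, so each accepted risk is a deliberate, reviewable entry rather than a blanket severity exception.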
  • 57. Software Bill of Materials spdx.dev Open standard for communicating software bill of material information, including components, licenses, copyrights, and security references
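What an SBOM buys you at incident time, as an added example (not an SPDX project tool): a Go reader for an SPDX 2.2 JSON document that pulls each package's package URL (purl) external reference and cross-references it with advisory data. The SBOM document and the advisory list are constructed for the example, the advisory IDs are placeholders rather than real CVEs, and the advisory format (a versionless purl plus exact affected versions) is a simplification of real feeds, which express version ranges. Packages with no purl are reported as unmatched rather than silently treated as clean, which is one of the data-quality problems in vulnerability scanning.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The SPDX 2.2 JSON field names below are the standard's; only the subset this
// example reads is modelled.
type spdxDocument struct {
	SPDXVersion string        `json:"spdxVersion"`
	Name        string        `json:"name"`
	Packages    []spdxPackage `json:"packages"`
}

type spdxPackage struct {
	Name             string        `json:"name"`
	VersionInfo      string        `json:"versionInfo"`
	LicenseConcluded string        `json:"licenseConcluded"`
	ExternalRefs     []externalRef `json:"externalRefs"`
}

type externalRef struct {
	Category string `json:"referenceCategory"`
	Type     string `json:"referenceType"`
	Locator  string `json:"referenceLocator"`
}

// Advisory is a constructed shape: a versionless purl plus the exact affected
// versions. Real feeds use version ranges; exact match avoids a version parser.
type Advisory struct {
	ID       string
	PURL     string
	Affected []string
}

type Finding struct {
	Package  string
	Version  string
	Advisory string
}

// ParseSBOM decodes the document and rejects anything that is not SPDX 2.x.
func ParseSBOM(data []byte) (*spdxDocument, error) {
	var doc spdxDocument
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-2.") {
		return nil, fmt.Errorf("unsupported spdxVersion %q", doc.SPDXVersion)
	}
	return &doc, nil
}

// purl returns the package's purl external reference without its version, or
// "" when the SBOM recorded none; such a package cannot be matched at all.
func purl(p spdxPackage) string {
	for _, r := range p.ExternalRefs {
		if r.Type == "purl" {
			if i := strings.LastIndex(r.Locator, "@"); i >= 0 {
				return r.Locator[:i]
			}
			return r.Locator
		}
	}
	return ""
}

// Match returns one Finding per (package, advisory) hit plus the packages that
// could not be matched for lack of a purl: blind spots, not clean packages.
func Match(doc *spdxDocument, advisories []Advisory) (findings []Finding, unmatched []string) {
	byPURL := map[string][]Advisory{}
	for _, a := range advisories {
		byPURL[a.PURL] = append(byPURL[a.PURL], a)
	}
	for _, p := range doc.Packages {
		key := purl(p)
		if key == "" {
			unmatched = append(unmatched, p.Name)
			continue
		}
		for _, a := range byPURL[key] {
			for _, v := range a.Affected {
				if v == p.VersionInfo {
					findings = append(findings, Finding{p.Name, p.VersionInfo, a.ID})
				}
			}
		}
	}
	return findings, unmatched
}

// SampleSBOM is a constructed SPDX 2.2 JSON document, not a real SBOM.
const SampleSBOM = `{
  "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "shop-api-image",
  "packages": [
    {"name": "lodash", "SPDXID": "SPDXRef-lodash", "versionInfo": "4.17.20", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    {"name": "openssl", "SPDXID": "SPDXRef-openssl", "versionInfo": "1.1.1k-1", "licenseConcluded": "OpenSSL",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:deb/debian/openssl@1.1.1k-1"}]},
    {"name": "vendored-parser", "SPDXID": "SPDXRef-parser", "versionInfo": "0.3", "licenseConcluded": "NOASSERTION"}
  ]
}`

// SampleAdvisories are constructed; the IDs are placeholders, not real CVEs.
var SampleAdvisories = []Advisory{
	{ID: "ADV-0001", PURL: "pkg:npm/lodash", Affected: []string{"4.17.19", "4.17.20"}},
	{ID: "ADV-0002", PURL: "pkg:deb/debian/openssl", Affected: []string{"1.1.1j-1"}},
}

func main() {
	doc, err := ParseSBOM([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	findings, unmatched := Match(doc, SampleAdvisories)
	fmt.Println("findings:", findings, "unmatched:", unmatched)
}
```

The purl is the join key that makes an SBOM useful across ecosystems: the same matching loop covers an npm package and a Debian package, and the SBOM records the exact version that shipped, which is what a horizontal query over "every image containing this package version" needs as input.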
  • 59. Integrity of Supply Chain in-toto.io A framework to secure the integrity of software supply chains
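The in-toto idea in working form, as an added example (not the in-toto reference implementation): a layout names the steps, which key may sign each step's link metadata, and which materials of a step must match the products of the step before it; verification checks both, so a binary swapped between build and package, or a link signed by an unauthorised key, is rejected. The Link, Step and Layout structures, the canonical serialisation, and the two-step sample chain are simplifications constructed for this example; real in-toto layouts are themselves signed and express artifact rules with patterns such as MATCH, CREATE and DELETE.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Link is the evidence one step records: the artifacts it consumed and produced
// (path -> sha256 hex), signed by the functionary who ran the step.
type Link struct {
	Step      string
	Materials map[string]string
	Products  map[string]string
	Signature []byte
}

// Step in the layout: who may sign it and which of its materials must match
// the products of an earlier step ("" for the first step).
type Step struct {
	Name       string
	Key        ed25519.PublicKey
	MatchFrom  string
	MatchPaths []string
}

type Layout struct{ Steps []Step }

// canonical renders a link deterministically so signatures cover stable bytes.
func canonical(l Link) []byte {
	var b strings.Builder
	b.WriteString(l.Step)
	for _, set := range []map[string]string{l.Materials, l.Products} {
		b.WriteString("|")
		keys := make([]string, 0, len(set))
		for k := range set {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			b.WriteString(k + "=" + set[k] + ";")
		}
	}
	return []byte(b.String())
}

func SignLink(l Link, priv ed25519.PrivateKey) Link {
	l.Signature = ed25519.Sign(priv, canonical(l))
	return l
}

func Digest(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// Verify checks every layout step: a link exists, it is signed by the step's
// authorised key, and its matched materials equal the previous step's products.
func Verify(layout Layout, links map[string]Link) error {
	for _, step := range layout.Steps {
		link, ok := links[step.Name]
		if !ok {
			return fmt.Errorf("step %s: no link metadata", step.Name)
		}
		if !ed25519.Verify(step.Key, canonical(link), link.Signature) {
			return fmt.Errorf("step %s: link not signed by the authorised functionary", step.Name)
		}
		if step.MatchFrom == "" {
			continue
		}
		prev := links[step.MatchFrom]
		for _, path := range step.MatchPaths {
			want, ok := prev.Products[path]
			if !ok {
				return fmt.Errorf("step %s: %s was not a product of %s", step.Name, path, step.MatchFrom)
			}
			if link.Materials[path] != want {
				return fmt.Errorf("step %s: %s changed between %s and %s", step.Name, path, step.MatchFrom, step.Name)
			}
		}
	}
	return nil
}

// SampleChain builds a constructed build -> package chain with fresh keys;
// tamper swaps the binary between the two steps, as an attacker on the build
// host or registry would.
func SampleChain(tamper bool) (Layout, map[string]Link) {
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	binary := Digest("compiled from deadbeef")
	build := SignLink(Link{Step: "build",
		Materials: map[string]string{"src/main.go": Digest("package main")},
		Products:  map[string]string{"bin/app": binary}}, buildPriv)
	if tamper {
		binary = Digest("compiled from somewhere else")
	}
	pkg := SignLink(Link{Step: "package",
		Materials: map[string]string{"bin/app": binary},
		Products:  map[string]string{"app.tar": Digest("tar of " + binary)}}, pkgPriv)
	layout := Layout{Steps: []Step{
		{Name: "build", Key: buildPub},
		{Name: "package", Key: pkgPub, MatchFrom: "build", MatchPaths: []string{"bin/app"}},
	}}
	return layout, map[string]Link{"build": build, "package": pkg}
}

func main() {
	layout, links := SampleChain(false)
	fmt.Println("intact chain:", Verify(layout, links))
	layout, links = SampleChain(true)
	fmt.Println("tampered chain:", Verify(layout, links))
}
```

Each check answers a different question: the signature says who ran the step, the hash match says the artifact that left one step is the one that entered the next. Neither alone is enough; a correctly signed package link over a swapped binary is exactly the case the MATCH rule exists for.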
  • 60. Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps
  • 62. Some Open Problems (not a complete list): secure builds and supply chain; compliance; supply chain integrity; data quality in vulnerability scanning; security and integrity in OSS
  • 63. Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps
  • 64. Takeaways: 01 Software supply chains = SDLC in Cloud; 02 SSC metadata needed to help DevOps; 03 Existing solutions (Grafeas, SBOM, Kritis, in-toto), challenges & open problems
  • 67. Today Q & A Software Supply Chains Open problems Existing Solutions SSC for DevOps