All Things Open, profile picture
Uploaded byAll Things Open
37 views

Supply Chain Robots, Electric Sheep, and SLSA

Presented at All Things Open 2025 Presented by Brett Smith - SAS Institute, Inc. Title: Supply Chain Robots, Electric Sheep, and SLSA Abstract: A talk about creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and SLSA. In the talk I cover creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and how the SLSA spec helps implement solutions for each. The main take away is that security needs to be applied everywhere in the pipeline. The talk should lead to a greater discussion around the challenges of securing the supply chain, supporting EO 14028 and ISO27001, and improving the security posture of your pipelines. Attendee Takeaways Answers for the following questions: - Why do we need supply chain automation? - What are common attack vectors in a supply chain? - What techniques can we use to help secure the supply chain? - What are the security benefits of supply chain automation and shift left? - What specifications and tools can we use to help secure the supply chain? Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen Bluesky: https://bsky.app/profile/allthingsopen.bsky.social YouTube: https://www.youtube.com/@allthingsopen 2025 conference: https://2025.allthingsopen.org/

Embed presentation

Download to read offline
Platform Engineering: Herding the Electric Sheep Brett Smith <bc.smith@sas.com> 20250020
Platform Engineering
Internal Developer Platform
DevOps
Also DevOps
Platform Engineering
Internal Developer Platform
IDP How does it benefit the developers?
IDP How does it benefit the security team?
IDP How does it benefit the platform team?
IDP How does it benefit the enterprise?
Shift Left - Automate Right
SBOM Software Bill of Materials
SLSA Source Track Build Track Track/Level Requirements Focus Build L0 (none) (n/a) Build L1 Provenance showing how the package was built Mistakes, documentation Build L2 Signed provenance, generated by a hosted build platform Tampering after the build Build L3 Hardened build platform Tampering during the build Track/Level Requirements Focus Source L1 Use a version control system First steps towards operational maturity Source L2 History and controls for protected branches & tags Preserve history and ensure the process has been followed Source L3 Signed provenance Tampering by the source control system Source L4 Code review Tampering by project contributors
Policy as Code (PaC) Security is codified, automated, open, and accessible to all stakeholders Key Features: ● Codification ● Automation ● Integration ● Consistency Benefits: ● Improved Security ● Enhanced Compliance ● Increased Efficiency ● Reduced Errors ● Greater Agility ● Improved Collaboration
Shift-Down Security
Shift-Down Security
The Platform Services
The Platform
● Agentic AI ● MCP Servers ● RAGs What is next? Pipeline visibility: "What's the status of my deployment unit?" Policy compliance: "Has it run all required checks to ship?" Security validation: "Did security scans run and what were results?" Test verification: "Are all tests complete and passing?" Promotion readiness: "Can we move to the next stage?"
Where to start? ● Assess existing tools and services across teams ● Identify patterns and consolidation opportunities ● Visualize findings for a clear landscape overview ● Design platform around main use cases first ● Address uncommon scenarios later ● Use core solutions to drive broader adoption ● Collaborate on unique needs for potential platform improvements ● Prioritize the main 80% - 10% - 10%, and handle exceptions
Potential Pitfalls ● Outliers ● Exceptions ● Team Exceptions ● Vendor Lock in: Avoid dependency on a single vendor or specialized tech ● Cloud-agnostic strategies enable flexibility and easier upgrades ● One Offs: Emphasize industry standards over custom solutions
Ask yourself: ● How many electric sheep do you produce? ● How many developers do you have? ● How many teams? Do you have: ● A complex software development process? ● A lot of different tools and services to integrate? ● Extensive compliance and security requirements? Is Platform Engineering Right for You?
AMA
I am Smitty and I am afraid of robots Brett Smith GitHub <https://github.com/xbcsmith>
Supply Chain Robots, Electric Sheep, and SLSA

More Related Content

PDF
Whitepaper_ State of Platform Engineering Report.pdf
byjuancarlos747007
 
PDF
Six Signs You Need Platform Engineering
byWeaveworks
 
PDF
Migliorare la Developer Experience in un mondo Cloud Native
byCommit University
 
PDF
250109 Platform Engineering Overview.pdf
byThomas Perelle
 
PDF
Transforming Infrastructure Through Platform Engineering
bySeasiaInfotech2
 
PDF
Accelerating Innovation with Platform Engineering: The Mphasis Approach
bybasilmph
 
PDF
Crafting the Ultimate Toolkit for API Platform Teams: What You Are Missing
byNordic APIs
 
PPTX
Platform Engineering The Key to Scalable and Reliable Software Solutions (1)....
byAnilJanardhanan1
 
Whitepaper_ State of Platform Engineering Report.pdf
byjuancarlos747007
 
Six Signs You Need Platform Engineering
byWeaveworks
 
Migliorare la Developer Experience in un mondo Cloud Native
byCommit University
 
250109 Platform Engineering Overview.pdf
byThomas Perelle
 
Transforming Infrastructure Through Platform Engineering
bySeasiaInfotech2
 
Accelerating Innovation with Platform Engineering: The Mphasis Approach
bybasilmph
 
Crafting the Ultimate Toolkit for API Platform Teams: What You Are Missing
byNordic APIs
 
Platform Engineering The Key to Scalable and Reliable Software Solutions (1)....
byAnilJanardhanan1
 

Similar to Supply Chain Robots, Electric Sheep, and SLSA

PDF
2024-05-30_meetup_devops_aix-marseille.pdf
byFrederic Leger
 
PPTX
Platform Engineering The Key to Scalable and Reliable Software Solutions.pptx
byAnilJanardhanan1
 
PDF
Sprinkle your Devops platform with product thinking
byJavier Turégano Molina
 
PPTX
How to Build a Platform Team
byVMware Tanzu
 
PDF
Improving Developer Experience using Advanced Platform Engineering Techniques...
bycfaa0001
 
PDF
Beyond Engineering: The Future of Platforms @ CraftConf, May 2023
byManuel Pais
 
PDF
What Is Platform as a Product - Clues from Team Topologies @ AXA, Sep 2021
byManuel Pais
 
PDF
Platform Engineering is Hard, and We are Doing it Wrong
byDan Grøndahl Glavind
 
PDF
"Platform Engineering in practice — Why and How to start", Serg Hospodarets
byFwdays
 
PDF
Platform Engineering is not replacing DevOps.pdf
byindustrytechoutlook9
 
PPTX
Platform Engineering is not replacing DevOps.pptx
byindustrytechoutlook9
 
PPTX
Platform Engineering is not replacing DevOps.pptx
byindustrytechoutlook9
 
PDF
Platform Engineering
byOpsta
 
PDF
Connected Devices, Connected Code, and Connected Teams: The Challenges of IoT...
byTechWell
 
PPTX
Paving the path towards platform engineering using a comprehensive reference...
byKees C. Bakker
 
PDF
How Far Can You Go with Agile for Embedded Software?
byTechWell
 
PDF
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 
PDF
What is platform as a product? Clues from Team Topologies - Puppetize 2020 - ...
byMatthew Skelton
 
PDF
From monolith to multi-services, how a platform engineering approach transfor...
byArnaud Héritier
 
PDF
Forging a New Path to Equitable Justice – Platform Engineering for State Gove...
byChris Wahl
 
2024-05-30_meetup_devops_aix-marseille.pdf
byFrederic Leger
 
Platform Engineering The Key to Scalable and Reliable Software Solutions.pptx
byAnilJanardhanan1
 
Sprinkle your Devops platform with product thinking
byJavier Turégano Molina
 
How to Build a Platform Team
byVMware Tanzu
 
Improving Developer Experience using Advanced Platform Engineering Techniques...
bycfaa0001
 
Beyond Engineering: The Future of Platforms @ CraftConf, May 2023
byManuel Pais
 
What Is Platform as a Product - Clues from Team Topologies @ AXA, Sep 2021
byManuel Pais
 
Platform Engineering is Hard, and We are Doing it Wrong
byDan Grøndahl Glavind
 
"Platform Engineering in practice — Why and How to start", Serg Hospodarets
byFwdays
 
Platform Engineering is not replacing DevOps.pdf
byindustrytechoutlook9
 
Platform Engineering is not replacing DevOps.pptx
byindustrytechoutlook9
 
Platform Engineering is not replacing DevOps.pptx
byindustrytechoutlook9
 
Platform Engineering
byOpsta
 
Connected Devices, Connected Code, and Connected Teams: The Challenges of IoT...
byTechWell
 
Paving the path towards platform engineering using a comprehensive reference...
byKees C. Bakker
 
How Far Can You Go with Agile for Embedded Software?
byTechWell
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 
What is platform as a product? Clues from Team Topologies - Puppetize 2020 - ...
byMatthew Skelton
 
From monolith to multi-services, how a platform engineering approach transfor...
byArnaud Héritier
 
Forging a New Path to Equitable Justice – Platform Engineering for State Gove...
byChris Wahl
 

More from All Things Open

PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
Rolling out Enterprise AI: Tools, Insights, and Team Empowerment
byAll Things Open
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
PDF
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
PDF
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
PDF
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
PDF
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
PDF
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
PDF
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
PPTX
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
PDF
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
PDF
The Missing Link to Inclusion and Performance
byAll Things Open
 
PDF
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
PDF
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
PDF
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
PDF
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
PDF
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
Rolling out Enterprise AI: Tools, Insights, and Team Empowerment
byAll Things Open
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
The Missing Link to Inclusion and Performance
byAll Things Open
 
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 

Recently uploaded

PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Workflow and decision Automation with Flowable
bychakib ch
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 

Supply Chain Robots, Electric Sheep, and SLSA

  • 1.
    Platform Engineering: Herding theElectric Sheep Brett Smith <bc.smith@sas.com> 20250020
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
    IDP How does itbenefit the developers?
  • 9.
    IDP How does itbenefit the security team?
  • 10.
    IDP How does itbenefit the platform team?
  • 11.
    IDP How does itbenefit the enterprise?
  • 12.
    Shift Left -Automate Right
  • 13.
  • 14.
    SLSA Source Track BuildTrack Track/Level Requirements Focus Build L0 (none) (n/a) Build L1 Provenance showing how the package was built Mistakes, documentation Build L2 Signed provenance, generated by a hosted build platform Tampering after the build Build L3 Hardened build platform Tampering during the build Track/Level Requirements Focus Source L1 Use a version control system First steps towards operational maturity Source L2 History and controls for protected branches & tags Preserve history and ensure the process has been followed Source L3 Signed provenance Tampering by the source control system Source L4 Code review Tampering by project contributors
  • 15.
    Policy as Code(PaC) Security is codified, automated, open, and accessible to all stakeholders Key Features: ● Codification ● Automation ● Integration ● Consistency Benefits: ● Improved Security ● Enhanced Compliance ● Increased Efficiency ● Reduced Errors ● Greater Agility ● Improved Collaboration
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
    ● Agentic AI ●MCP Servers ● RAGs What is next? Pipeline visibility: "What's the status of my deployment unit?" Policy compliance: "Has it run all required checks to ship?" Security validation: "Did security scans run and what were results?" Test verification: "Are all tests complete and passing?" Promotion readiness: "Can we move to the next stage?"
  • 21.
    Where to start? ●Assess existing tools and services across teams ● Identify patterns and consolidation opportunities ● Visualize findings for a clear landscape overview ● Design platform around main use cases first ● Address uncommon scenarios later ● Use core solutions to drive broader adoption ● Collaborate on unique needs for potential platform improvements ● Prioritize the main 80% - 10% - 10%, and handle exceptions
  • 22.
    Potential Pitfalls ● Outliers ●Exceptions ● Team Exceptions ● Vendor Lock in: Avoid dependency on a single vendor or specialized tech ● Cloud-agnostic strategies enable flexibility and easier upgrades ● One Offs: Emphasize industry standards over custom solutions
  • 23.
    Ask yourself: ● Howmany electric sheep do you produce? ● How many developers do you have? ● How many teams? Do you have: ● A complex software development process? ● A lot of different tools and services to integrate? ● Extensive compliance and security requirements? Is Platform Engineering Right for You?
  • 24.
  • 25.
    I am Smittyand I am afraid of robots Brett Smith GitHub <https://github.com/xbcsmith>