Track: Software Supply Chain

Location: Ballroom BC

Day of week: Monday

CI/CD tools allow for the automation of build, test, and deploy processes. However, much of the information about the provenance of the code and third-party dependencies is lost as software artifacts flow through the pipeline. Learn about approaches and tools for tracking provenance, securing, and maintaining observability of the entire software supply chain.

Track Host: Aysylu Greenberg

Senior Software Engineer @Google

Aysylu Greenberg is a Sr Software Engineer at Google working on infrastructure and the Eng Lead of the Grafeas and Kritis open source projects. In her spare time, she ponders the design of systems that deal with inaccuracies, enthusiastically reads CS research papers, and dances.

10:35am - 11:25am

The Common Pitfalls of Cloud Native Software Supply Chains

Today modern cloud native infrastructure is composed of various CNCF projects to build, manage, and deploy containerised applications in an automated manner. These tools provide great flexibility, ease of use, and speed up development, but the ecosystem is developing at a blazing fast pace, which in turn causes various little mistakes in the products that could leave the supply chain up for grabs for a motivated adversary.

Daniel Shapira, Senior Security Researcher @PaloAltoNtwks

11:50am - 12:40pm

Securing Software From the Supply Side

In 2019, almost all software is built on open source. From beginners’ hack projects to mission-critical software built by huge enterprises, we’re all standing on the shoulders of giants. But this also means that we’re all inviting a huge crowd of people we’ll never even meet to contribute code into our codebases, and we’re only beginning to grapple with the implications of that and how to do it safely.

At GitHub, we’re building towards a future where it’s easy for Open Source maintainers to keep their users safe and easy for Open Source consumers to understand and use third party code with confidence. In this talk, we’ll follow a vulnerable package from initial report of a vulnerability, through the process of resolution and publishing a new package, and finishing with updating your codebase to use the fixed version, with demos along the way. You’ll learn about the tools GitHub provides Open Source maintainers to improve the safety and security of the software supply chain at the source and how you can leverage their work to make your own codebase more secure.

Nickolas Means, Senior Engineering Manager @GitHub

1:40pm - 2:30pm

Shifting Left with Cloud Native CI/CD

Cloud native can be overwhelming: sometimes it feels like there are new tools, frameworks, operators and patterns announced every day! How do we keep up? And what happens when we get it wrong?  

Shifting left (testing as early as possible) with great CI/CD lets us experiment and catch mistakes early, so we can learn from them and become better engineers. It’s time for our CI/CD tools to get a cloud native upgrade and make all this extra complexity work for us!  

Tekton gives us the building blocks we need to add container-based cloud native CI/CD to your software supply chain. In this talk you’ll learn what we should expect from our CI/CD in 2019, and how Tekton is helping bring that to as many tools as possible, such as Jenkins X and Prow. You’ll learn about Tekton itself and see a live demo that shows how cloud native CI/CD can help debug, surface and fix mistakes faster.

Christie Wilson, Software Engineer @Google

2:55pm - 3:45pm

Observability in the SSC: Seeing Into Your Build System

Waiting for a slow build can really kick you out of the groove. Finding flaky tests using data instead of instinct increases trust. You and your team have a collection of sophisticated tools available to understand the complex applications you have running in production. Using these same tools to gain insight into your CI/CD pipeline enables your team to improve processes with the same rigor as performance analysis in production.  

Honeycomb hit a time when our builds slowly got longer and longer until, without noticing it, everybody was super frustrated. We used the tools we had available to explore instrumentation in the CI environment and visualized the data we found as traces and queries over time. With that insight we dropped build times by 40% and gave ourselves the ability to track build times and asset sizes over time. This talk walks through that transformation and covers the techniques you can use to accomplish the same goals in your environments.

Ben Hartshorne, Engineer @honeycombio

4:10pm - 5:00pm

Software Supply Chain Open Space

Session details to follow.

5:25pm - 6:15pm

License Compliance for Your Container Supply Chain

Modern container images are an Open Source Software (OSS) legal compliance nightmare. In the simplest case of building a container using a Debian base OS, installing dependencies using the package manager, and adding a home-grown app at the end, meeting legal compliance obligations is as simple as using Debian's own machinery to pull the corresponding sources. However, container images are built and used in so many different ways that it becomes impossible to track the provenance of such images, let alone try to figure out what is in them.

In this session, Nisha Kumar will talk about Tern, an open source tool for inspecting container images for OSS compliance. Nisha will provide examples of how enterprises can evaluate container images, Dockerfiles, and container supply chains using Tern, even for the impossible situations. Along the way, you will learn about the pitfalls of long-advocated best practices for building and reusing container images for the software supply chain, and what you can do to correct these practices.

Nisha Kumar, Open Source Engineer @VMware
