SBOMs Impact on Enterprise DevOps? @ DevOps and Drinks Meetup

November 12, 2021


SBOMs Impact on Enterprise DevOps?
When the White House's cybersecurity executive order from May 2021 was issued, the Software Bill of Materials (SBOM) graduated from a "nice to have" to a "must-have" when developing and deploying secure software from the cloud. In a nutshell, an SBOM provides visibility into which components make up a piece of software and details how it was put together, so it is easy to determine whether it contains security and compliance issues.
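The "determine whether it contains security and compliance issues" part above, as an added worked example (not code from the talk or from JFrog): three constructed CycloneDX documents for successive builds of one product are checked against a hypothetical advisory list and a license denylist, and the same documents answer the "which builds ever shipped this component version" question. The package names are real npm packages apart from the invented `hypothetical-pdf-lib`; the versions, the `EXAMPLE-ADV-*` identifiers and their fixed versions are assumptions made for the example.

```python
"""Analysing a set of SBOMs: known-vulnerable components, license policy,
and blast radius across builds.

Added example, not code from the talk or from JFrog. The three CycloneDX
documents, the advisory list and the license denylist are constructed for
this example; the advisory identifiers and fixed versions are hypothetical.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON documents, trimmed to the fields used here,
# for three successive builds of one product. "hypothetical-pdf-lib" is an
# invented package; the other names are real npm packages, but the versions
# are chosen for illustration only.
SBOM_TEXTS = {
    "ui-build-41": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "babel-core", "version": "6.23.0",
         "purl": "pkg:npm/babel-core@6.23.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15",
         "licenses": [{"license": {"id": "MIT"}}]}
      ]}""",
    "ui-build-42": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "babel-core", "version": "6.23.0",
         "purl": "pkg:npm/babel-core@6.23.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "hypothetical-pdf-lib", "version": "1.0.0",
         "purl": "pkg:npm/hypothetical-pdf-lib@1.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
      ]}""",
    "ui-build-43": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "@babel/core", "version": "7.15.0",
         "purl": "pkg:npm/%40babel/core@7.15.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]}
      ]}""",
}

# Hypothetical advisories, keyed by the purl *without* its version so that an
# advisory for the npm "lodash" cannot match a PyPI package of the same name.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "purl_base": "pkg:npm/lodash", "fixed_in": "4.17.21"},
    {"id": "EXAMPLE-ADV-002", "purl_base": "pkg:npm/babel-core", "fixed_in": "6.26.3"},
]

# Licenses the (hypothetical) organisation does not allow in shipped products.
LICENSE_DENYLIST = {"AGPL-3.0-only", "AGPL-3.0-or-later"}


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "components" not in doc:
        raise ValueError("not a CycloneDX document")
    return doc


def parse_version(v):
    """Numeric-tuple ordering: good enough for semver-style 'x.y.z' strings."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def components_of(sbom):
    """Yield (purl_base, version, license ids) for every component."""
    for c in sbom["components"]:
        # rsplit on the last '@' keeps scoped npm names ('%40babel/core') intact.
        purl_base = c["purl"].rsplit("@", 1)[0]
        licenses = [l["license"].get("id") or l["license"].get("name")
                    for l in c.get("licenses", [])]
        yield purl_base, c["version"], [x for x in licenses if x]


def vulnerable_components(sbom, advisories=ADVISORIES):
    """Components whose version is below an advisory's fixed_in version."""
    hits = []
    for purl_base, version, _ in components_of(sbom):
        for adv in advisories:
            if (adv["purl_base"] == purl_base
                    and parse_version(version) < parse_version(adv["fixed_in"])):
                hits.append((purl_base, version, adv["id"]))
    return hits


def license_violations(sbom, denylist=LICENSE_DENYLIST):
    """Components carrying a license the policy does not allow."""
    return [(purl_base, version, lic)
            for purl_base, version, lics in components_of(sbom)
            for lic in lics if lic in denylist]


def blast_radius(sboms_by_build, purl_base, version):
    """Builds that shipped this exact component version ('how far back does this go?')."""
    return sorted(build for build, sbom in sboms_by_build.items()
                  if any(p == purl_base and v == version
                         for p, v, _ in components_of(sbom)))


SBOMS_BY_BUILD = {build: load_sbom(text) for build, text in SBOM_TEXTS.items()}

if __name__ == "__main__":
    for build, sbom in SBOMS_BY_BUILD.items():
        print(build, "vulnerable:", vulnerable_components(sbom),
              "license:", license_violations(sbom))
    print("builds shipping babel-core 6.23.0:",
          blast_radius(SBOMS_BY_BUILD, "pkg:npm/babel-core", "6.23.0"))
```

Matching on the purl rather than the bare component name is the detail worth keeping: the same name can exist in several ecosystems, and a naive name match would raise false alarms or, worse, miss the real one. A real advisory feed carries version ranges rather than a single `fixed_in`, so the comparison would need a proper semver library rather than the numeric-tuple shortcut used here.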

View Slides Here

Speakers

Bill Manning

Bill is a Solutions Engineering Manager with JFrog. He is also a mentor with TechStars (Nike Incubator), Matter, and NestGSV. He has successfully exited three companies and took one public in Australia. He is also currently helping various startups as an advisor. In his spare time, he likes to travel with his wife and two boys. He also plays guitar, lives for the beach and rides skateboards.

Video Transcript

All right, hey everybody, welcome to DevOps and Drinks. I am super, super, super psyched to welcome JFrog and Bill Manning, talking about some very, very interesting and important topics in the world of DevOps. Just so you guys know, this is powered by Averity, the recruiting company to go to, especially for DevOps. On that note, no more shameless plugs. Bill, the floor is yours, sir.
Excellent, thank you so much, everybody. Let me share my screen. Come on, share. There we go. So what are we going to talk about today? Basically, what it comes down to is we've all heard this term, software bill of materials, SBOM, and what does that mean for a lot of corporate environments? I've been talking about this as an active subject for a while now, and it wasn't until about May that it became a thing that everybody suddenly became aware of, and we'll talk a little bit about that too.

I will definitely be taking some questions as we go. I'm Bill, one of the solution architects here at JFrog. I've been with the company for way too long now, but my job is to work with their customer base and also to push forward things like best practices and other things that we do. And just to let you know, we're governance board members of the Cloud Native Computing Foundation and a lot of other things, so I have my hands in a lot of different aspects. Ari, who's on the call here too, is one of my co-workers that I work with, and he can attest that my hands are all over the place in the company.

But today what we're going to do is talk about things such as the "one binary's attack". I make the joke about that, but we're going to talk about it because that was actually one of the catalysts for the software bill of materials becoming more of a government-regulated and mandated thing. We're going to talk about what the SBOM is, and we're going to talk about what you can do to do it. I'm going to try to avoid plugging JFrog as much as possible, but at the same time, of course I work for JFrog and we have solutions around this. We're also going to talk a little bit about shift left and some other things that you can do to help ensure software supply chain security. At the same time, just remember, whenever I talk to communities I'm like, yes, we have a solution at JFrog, but these attacks and the reason for the SBOM are really a community thing, right? We're all in this together. Software vulnerabilities and things like that really affect us all, generally.
But let's kick off with things, right? We read the headlines all the time. This is one from November 2nd: there was a third-party transitive dependency, and if you're not an engineer, we should probably talk about that in a few minutes. But the idea is that we see these headlines all the time, and a lot of organizations are hearing every day that things they're utilizing every day are causing problems. As developers, and I come from a developer background, and even in DevOps and DevSecOps and things like that, the thing is, we've had a level of trust for so long. We just use things, right? You have a project, you're given projects to work on, you dissect the project, you start to build it, you use libraries to do your job, and there's always been this kind of level of trust that we've had.

And the thing is, as we find out, our supply chain, which powers every piece of software out there: 650 percent increase in software supply chain attacks. And this is terrible, this is a terrible statistic to know. That means that we went from being happy developers with some sort of level of trust issues to massive trust issues going forward. Are the things that I'm utilizing really going to protect me? Yes, they get my job done, they allow me to do the work that I do, but the thing is that now I have to sit there and go, am I compromising my company? There's a level of risk that comes in now, and that risk is increasing all the time, and this is problematic.

And the thing is that this has actually been a huge thing going on for a long time. This is actually nothing new. It started way back in the days with basically the first kind of attacks that happened in the early 80s with hacking, and now it's just gotten more inherently significant to a lot of other ways and means that companies are doing this. And the level of complexity: in some cases I look at some of these things that are going on right now, and I look at the level of attacks that are going on, and the elegance with which they're doing it is incredible. But the big thing is that there was one event in all these kinds of software supply chain attacks that really kicked off the need for the software bill of materials, and SolarWinds was the fire that lit everybody's ass on fire, right? This is the thing that happened. And the best part about this, though, is that it was actually a good and a bad thing. Bad in the fact that this can cause billions of dollars for companies to remediate over time. Good in the fact that it actually caused awareness of a subject that people have been screaming about forever, that finally got to raise attention, right?

18,000 customers were affected by it through the Orion product, and really what happened with it, just so you know, it was a really sophisticated attack. All software has dependencies, right? 85 to 95 percent of your software is dependencies, and this came in as a third-party indirect resource. It means there was a library that was called by a library that was used by another library. It was buried deep inside; it was in this massive kind of construct. And then the best part about it was, and I will say the best part, like I said, I kind of respect the way in which they did this attack, was they put in a timer. So it wasn't immediate. It wasn't like you took it, you deployed it, and then suddenly something happened. They actually took the time and effort to say, when the software got pushed out to 18,000 customers, by the way including, and this is the reason why the fire went under everybody's butt, the Department of Justice, the DoD, the Federal Reserve Bank, I mean these are all companies that use SolarWinds, suddenly 14 days after the update was installed it just said, hey, I'm going to open everything to everyone. Like I said, it was a very highly coordinated, sophisticated attack that was done, and it really drove the awareness.
And to understand some of these pieces, I'm going to go through some rudimentary basics, because this leads up to the reason why the software supply chain is so important, and when you talk to your customers, or internally, externally, whatever, understanding why software supply chain attacks are the way they are. So on the right-hand side we have [unclear], right, this is the normal stuff that you see, like DDoS attacks and things like that you would normally see. And why are software supply chain attacks different? It's low effort. It doesn't take a lot of technical skill, really. It's really easy to spread, because of the way it's done. And then the problem is that there's suddenly this abuse of a trust relationship, right? The one thing a lot of these supply chain attacks do is they break the ability for developers to develop, by having more constraints put upon them, simply because this is an awareness. A lot of companies are like, throw the baby out with the bath water, right? They don't take the time and effort to sit back and say, all right, these are sophisticated attacks, but there have to be ways to defend ourselves, and there has to be a way to have accountability.

But the crazy thing is that attackers simply blend, right? These attackers simply, inherently bring themselves into the communities around the technologies they're looking to attack, and nobody even knows they're there. They create back doors, they create malicious code, they inject it in. They say, hey, I'm going to improve the function of a library, and they do that, and suddenly there's an extra transitive dependency brought in, and that one could be the attack. But it's amazing because they simply blend; you don't even know they're there. A lot of them, like some of the people who did some of the bigger attacks, are actually heavily contributing members of certain development societies, and behind the scenes they go, "It couldn't be me, I've been teaching you guys all along," these kinds of things.
But the way the attacks occur is that if I'm a developer and I'm writing my code, I inherently have these transitive dependencies that I need to build. I pick the dependencies that I use, those forms and functions and things that make my job easier to do, to produce the software I produce. And the thing is, if I have something that is potentially nefarious inside, suddenly it's part of the program that I'm offering, and when I give it to my customer I'm actually, unbeknownst to them, giving it to them, right? It's basically part of the software delivery. Now this doesn't just make it bad for the customer; this makes it bad for your organization. Suddenly there's a trust relationship issue. Trust is a big thing. In some cases this might be a direct dependency attack, like you don't even know it's there but it's the direct dependency you use, but the more dangerous aspect is those indirect dependencies, the dependencies that your dependencies depend on, because that actually continues that same model, that same effect, because 85 to 90 percent of your code is someone else's. When somebody builds software, they depend on that. 99 percent of that is actually open source, and then 75 percent of that always has at least one vulnerable component that's part of this, and it might not be a direct call that you do. And then 49 percent of the code has at least one high vulnerability in the code that they're building, and the fact is that 90 percent of those are also out of date. There are products out there, components that you use, that are abandoned; they haven't been updated in years, and people still rely on them, and it's dangerous.

And SolarWinds really exemplifies these kinds of things, because actually 74 percent of those binaries, out of all that huge mess, can simply be alleviated and fixed with simple remediation, like simply updating a version. Understanding that the version you're using, you've been using for a while, or you bring in a library, you might have some sort of issue when it comes to security vulnerabilities or things like that, and just by having a simple fix you can actually start increasing your security output, making sure that when you're building stuff, you know. And this goes for DevSecOps in general, right? Understanding how the software is composed and all that is really the reason why the SBOM came about.

Because software attacks come in many different forms, whether it's things like typosquatting. This is a big one we see all the time. We actually helped find a Python library that was there, and really what it came down to was just a typo dependency attack. Somebody fat-fingered something and suddenly they brought in a malicious version over another dependency.

Dependency confusion, this is a huge one. We have a large customer base, maybe over 7,000 customers. We have 70 of the Fortune 100 companies that are out there. We're used by a lot of government organizations. We're actually part of Platform One, which is the US government's regulated, basically approved, software tools. We're at Iron Bank, which is the regimented version of Docker Hub that's used for all government agencies. But we also have all these customers that we work with, and we're helping them constantly, all the time, to try to alleviate the number of breaches that they have, and dependency confusion is a huge one. This is one we see a lot with a lot of the customers we work with. And the idea here is that it just tricks the coder into doing what they're doing. I mean, if you look here, you can see PayPal, right? All these PayPal ones are fake, by the way. But somebody did a search and said, how does PayPal handle this? I did a quick search and these are the ones that came back, and these are not true; these are actually fake ones that actually contain malicious code inside. But if I didn't know any better, I'd see, oh look, this is actually a PayPal analytics portion, well that's great, I'll go use it. Well, I'd be deadly wrong.
So understanding this is just understanding what you need to do, and understanding how your software is made up is the reason why accountability is paramount now in DevSecOps. And really what it came down to was, back in May the Biden administration sat down and actually said, we need to improve our cybersecurity footprint, and they put together this mandate that went out, and one of the biggest pieces was enhancing software supply chain security. The major portion here is being able to provide a software bill of materials to anybody who either directly or indirectly uses your software, and also to have the ability for them to download basically a list of how your software was actually built, what it contains. And luckily, about a week ago, this actually passed in the House, so it's making its way to becoming an actual thing.

Now the reason why I'm bringing this up is because when you are working with the government, this is also going to bleed into everything around the private sector. We already see this with the aeronautics industry customers we have; we see this with the med-tech and fintech companies we have, because they actually are saying, you know what, this is a good thing. Us having a record of all this is really something that we need to do, and in the future, if I wanted to do any work with, say, the government or other agencies that say, hey, we've adopted this thing that if we purchase software from you, we really need to make sure we have that software bill of materials, so this way we know what's in there. And I'll demystify some of the things that a lot of people ask all the time around this.

But the idea of it actually was spurred from work with, of all people, the FDA. So this actually started a couple of years ago, and then when this all happened, the administration latched onto it and said, this is a good idea. And why did the FDA do that? Because the FDA did the same thing with ingredients. When you have any sort of food, what is in it? You need to know the ingredients that are in there. You need to know, does it contain things that could potentially hurt me? And the thing is, the National Telecommunications and Information Administration and the FDA got together on this for certain medical devices. It's funny, about a year and a half ago I gave a talk on this called Code Could Kill, and it was a really grim presentation, but I showed all the ways in which software bugs and potentially malicious code cause people to die. I was like, here's a plane crash, and here's some people whose ventilators got shut off. These are things that are happening. So the FDA stepped in in 2018 and said, hey, we need to know what goes into medical devices. We need to know every aspect of this, and they started building out the regulation behind it, and that regulation got adopted into what we call now the software bill of materials around improving the nation's cybersecurity. It was really amazing; it was something that was actually needed, and I'm really surprised that it took until 2018 for people to realize that this was a thing. It was a way for the med companies to inform the purchasers of what was going into the software that was operating the stuff that they were utilizing to basically keep people alive.
And so when you look at the software bill of materials and this aspect behind it, it's a list of ingredients of the software. This includes the libraries, it includes all the open source properties, free and paid, anything like that. And this is where, for JFrog, we actually have the ability, just so you know, the adopted format right now in the US government is SPDX, but there's also the other format called CycloneDX, and you can export this information with us as a format starting probably next month. We've actually had the software bill of materials, including things like environment variables and tooling and settings and things like that, what makes up that software, in our product for, I think, almost eight years now. But being able to have all that information is really what the software bill of materials is.

It's for the people who produce software; it's a good catalog that you can have internally, and I'll talk about that in a few minutes. It's also for the people that you deal with as an organization. They can ask you now; they can say, hey, this is great software, but for our legal purposes, for liability reasons and things like that, we need to know how your software is made as we purchase it, because we need to have this on record. And then the other part of it is for people who operate software. I download software as an organization and I use it. What if a new zero-day vulnerability comes about? I want to know about it, and we'll talk about that too. So this way, as an implementer of software, an operator of software, if I read the news on Hacker News that suddenly XYZ company had a compromised system, and somebody goes, hey, we're using that, it would be nice to have the ability to say, read the report, what is in it, and then say, do we have that in ours? It cuts things like root cause analysis problems, and being able to decipher whether or not you've infected your customer or your internal customers and potentially exposed them. This is just a way for you to have accountability.

So the benefits of the SBOM are identifying the pieces and also knowing the known vulnerabilities, understanding licensing. How much licensing do I have? That's part of the bill of materials too. Did I purchase four of these, did I purchase five? Does this actually constitute the service that I'm doing? It satisfies both security and licensing requirements for most organizations, and as I stated, the adoption of this methodology is going up constantly. So this is just being preemptive: government first, and then of course the private sector comes later, because it's actually a good idea. And then also it's a way for companies, even before they purchase their software, to look at it and look for any potential inherent risks. Does it use something that we've actually blacklisted as a technology? Does this potentially give us exposure? Understanding all that. And then in the long term it actually also lowers operational costs, because you're not digging. You don't have to go and start digging. If you purchase from a vendor, you should have it already, or if you don't have it, you can request it. So it cuts down on the amount of time that you might have internally, maybe doing a postmortem, or even before you put it in place, understanding, like I said, am I potentially risking my organization, which could also hurt my reputation, both externally but also financially. Because let's face it, nobody wants to be a headline. No company wants to be like, hey, look, we got a headline, there's no such thing as bad press, but all that customer leaked information, that's okay, we'll recover from it. Right. So this is just ways to start combating that.
So once again, going back to our scenario I showed before, when we were discussing understanding, are there potential threats, and when I do, this is a big thing, understanding these third-party transitive dependencies, and I don't want to do that. Well, let's look at this again. So when I look at this now, when I pull those libraries in and I have the software bill of materials, I can take all that information and put it in my software bill of materials and give it to the customer. Now I also know that if something changed between versions, I can give them a new software bill of materials and they can say, oh, this component changed from this version to the next. But also they can look ahead and say, oh, by the way, there was something nefarious that happened; we read the news and now we went in and we checked the software bill of materials and there's something wrong there. But that's only for a single instance, right? That's just understanding how the software is made. But what if I look at the software bill of materials and I go, well, these are all the versions that we ran, and actually that version of that component has been in the last three releases, and the latest version doesn't have that. So it's also understanding blast radius. I always talk about blast radius when you discover something in the way you do your software and suddenly you go, oh my god, how far did this go back?

And I'll just show you a real-world example quickly. With our product, one of the things that we do when we show this, this is the product portion where I can show you a real-world example, but at the same time, let me go in and say I suddenly find a package like Babel, right? So this is a standard npm library that I'm utilizing, and I go in and I look and I say, oh my god, 6.23, we've used this in every version of our user interface since we started the product. Well, let me see, how far back does this go? Well, oh my, here are all the builds that have ever referenced this library. And the software bill of materials allows you to have this level of depth, where you can go ahead, like when we produce it, we provide information that they requested, you can request that information and say, here's every version of something that was there. This has actually been deployed everywhere. This is bad, right? How do we remediate this?

So understanding that, and this also carries over into more complex things, like even Docker runtimes. Virtualization is a thing, and you can even produce software bills of materials around things like containers. It doesn't have to be an executable. Some companies just produce libraries that are used in other people's products, or maybe you have a web service. Understanding not only the application that's running but understanding the runtime that powers it, understanding the OS below that, these are things that companies are going to come to expect. This even comes down to things like web services, where you might have a Helm chart, and with a Helm chart like this you can actually go ahead and isolate out of this Helm chart; I can even have a bill of materials there to say, hey, this pod running this image inside of this web service contains the actual vulnerability that is actively running in our environment right now. Everybody scream, run and panic, because we have to go take care of this. But at least you have isolated information; you know where to start. You have the basic X on the map where you need to start, to get to the end point where you need to actually finish, instead of saying, everybody panic, let's go look, it's going to take us two or three days to find this. This helps reduce that.

So the thing is that the faster you can respond is one thing, but the faster you can respond with more intelligent information is better. You're not going to go into a battle without knowing the field. There's a reason why an army sends scouts first to get the lay of the land. In this case you have a map, you have a place to start, and you go in and start creating your root cause analysis while still having accountability. And the byproduct of this is that when you do fix these issues, you can assure your customers, both internally and externally by the way, that you've addressed this issue by producing a new software bill of materials. You can say, look, we addressed the issue, and just to show you, here's the proof. In this case you have a digital asset that can represent the value that you provide by saying we addressed this issue, and going forward, hopefully this won't be a thing. So most of us, when we're working on these kinds of things, understand that this is normal life. Cutting down on the actual amount of legwork you have to do, by having the proper set of information to do the job that you do, is essential.
And when we start talking about the life of a binary, it's funny, I always feel like I have to have a David Attenborough voice whenever I talk about this kind of stuff, because it's about understanding the journey of the way software is built. It's a living, breathing entity. No matter what people think, it's not just some stagnant set of things you do; it's a constantly evolving and changing thing, from the moment that the developer brings in something to the time it gets compiled and deployed, whether it's to a customer or to a service or whatever. It's alive. And so when you look at this, we do things with partners, like some of the companies we work with, like 23andMe; we helped them find an injection problem. We actually just became a CVE authority, and I'm super excited about this, the fact that we have a research team that can actually now produce CVEs to let other companies know and developers know, hey, you're doing something bad with something, or something good with something bad, basically; it's more along the lines of that. But it's about empowering people like the developers.

We all hear the term shift left. The idea is, if you want the maximum ROI on all this stuff, which directly affects the software bill of materials, you need to start at the developer. This is the front-line defense against everything that you're doing: giving your developers the ability to go in and look at the libraries in a way that is more of a diagnostic and something actionable. So not just telling them they're doing something bad, but also telling them that, by the way, if you go from this and you upgrade to another version, you'll be able to fix this potential threat. Being able to go ahead and diagnose all the things that are going on directly influences the way the software bill of materials is done, because, like I said, trust is something that in some cases is hard to gain but easy to lose, and regaining trust is doubly hard. But if you can have the awareness, if you can have cleaner builds, if you can have more effective ways to have accountability in the way you do software, produce the software bill of materials to assure your customers that you know what's in your software, you know how it was built, here's all the information, and then be able to say to them, as issues come about, you're addressing them. How deep does the rabbit hole go? Understanding, yes, we know that things have been affected over time, and what's the blast radius of it. Being able to trace and act more effectively, and be able to address those issues as they come in, in real time or as close to real time as possible. And we have ways for our stuff to do this; this is kind of [unclear], our kind of stuff.

But the thing is, it's continuous. This is not something that you implement and it just happens once. This is a continuous thing that should be part of every part of your development cycle, because by having this accountability it reduces liability, it increases trust, because suddenly you're providing information to your customers, you're opening up, you're exposing: here's the information, just so you're aware, we're not afraid to tell you what stuff we used. Now this is the thing, you'll see in a minute: make sure you have approval processes, make sure you have some sort of accountability as part of this. These are the things that we offer.
because i’m running out of time and i’m
sorry um but um i want to show is i want
to talk about misconceptions and we get
the subjections all the time and i i so
you know won’t this give a road map to
attackers i got asked this question
actually
and i said no
No, because it's just like the cake box ingredients, right? I might show you what I use to make it, right? I might show you the ingredients. You have no idea what I used, you have no idea how I mixed it together, you have no idea what I had the oven set for, right? There's no source code involved in this, right? It doesn't expose source code at all. All it's saying is that we built something, we utilized these pieces to do it, we actually used this sort of level of environment, and we also have some relative information to provide you to say it was built on this day, this time, and this is what it has, and it may contain nuts, right? I mean, it might have come with some food allergy substances, whatever. And this is just the thing: it doesn't expose your intellectual property. Again, just because you have a chocolate cake... I actually gave a whole webinar on this, and I got bored, so I decided the entire webinar was based on cake instead. I'm like, I can give you a chocolate cake and you can eat it and say that's delicious, and I can say here's my ingredients, and you're like, well, I need your recipe, and I'll be like, I'm gonna give you my recipe? You just eat the cake, right? But these are the stuff I use, you figure it out yourself. I'm not exposing any intellectual property, because to be honest anybody can download your software and technically reverse engineer what you do and do something, which they do all the time. But without your secret sauce, without knowing that part of it... you have a bottle of grandma's essential oils that you put in, you're not even sure what that is, into your cake, and it makes this taste wonderful. You might just say grandma's stuff, and that's all you have to say. You're not exposing how you did it. The thing is, a software bill of materials is just a liability, accountability kind of thing that you need to do. It gives companies assurance that they can say, hey, by the way, we know what's in there. If we read an article that something is bad, we actually can go review it, say that we know it's in there, that you can contact them and say we're addressing it, send them a new version and say, look guys, we fixed it, right? You don't have to actually go in and try to explain how you fixed it. You just say, look, that vulnerability that was stated on there that you read about, because some CIO was sitting in the bathroom on his iPhone reading, gets a notification that says everything Python is bad, and then suddenly he goes, oh my god, we have to go do something about this thing. You go, look, we're not using that anymore, this has been addressed. But you know what, hey guys, just so you understand, go check your environment, because the past four versions of it did contain this and we recommend you upgrade. Now you have some validity behind it. You have the chance to actually stand your ground and say, look, you know what, you can trust us again, we went and fixed it. It's a way to also reduce some of the trust that you lose once something like this happens. It's inevitable: the headline comes out, and immediately, if somebody suspects that your software is part of this, they are going to lose trust in you immediately, because you used something bad, without understanding that maybe it happened that day, right? You might have been using it for four years, but suddenly it's a new zero-day, and to someone else who reads that, they go, well, you know what, this software is terrible, it actually has stuff in it that is broken, what are we doing?
And so when you look at this, this is going to be needed to work with the US government, right? It provides a FOSS list, right? Free and open source software. I always love the analogy, I'm like, free as in speech, not as in beer. And then it's the whole idea of how, what, when it was made, auditability, traceability, understanding your components, software compliance and security. It makes lawyers happy. You know what, you have to make sure it makes accountants happy, because they make sure that their bottom line isn't affected. It's a nice warm fuzzy SBOM blanket that you can wrap around your customers to say it's going to be okay. And then at the same time, the idea is that it's easy to implement in some respects, but there is some work people need to do. Like, I mean, here's my JFrog pitch: we handle this thing called build info. I can show you just really quick. For me, whenever I do a build, and if you're using our product to produce this, how do I know what's in my software? I'll just show you. Here's an example of a software build I do for npm, and it's a tar.gz, right? But here's all 611 transitive dependencies that made it up, right? Here's the environmental information on how I built it. Here's the Xray data on, do I have any level of security threats with the software I'm doing, right? These are the kind of things. So here's the license files that I've had as part of this, right? These are all the things that make up a software bill of materials.

So from the product pitch side, this is what we do. JFrog itself, just so you guys know, we call ourselves the universal binary repository manager. Yes, it's a mouthful. What do we do? We manage those transitive dependencies. We have our Xray product to say, hey, by the way, things that you're doing are nefarious. If I bring up my IDE, here it is right here, right? I can go ahead, but I have remediation that I can do. If I go ahead and I'm working in a command line, I have the ability to go in and directly access any of the... I don't think I have it open right now, but, oh, I do. The thing is, here's an example of a project I'm working on. I can go scan those dependencies I have to make sure I'm not injecting something potentially threatening, right? And the thing is, we're trying to combat this, we're trying to lead the charge on this, and like I said, we have a majority, a huge amount of customers that utilize us for this. And now the bonus by using us is the fact that they can go in and they'll be able to export software bills of materials. And in addition to this, oops, in addition, I'm just going to show you quickly, is the fact that you guys can just go use our free tier and play around with this all you want. I'll put it in the chat for you guys. But in the meantime, while I'm doing that, any questions? I did throw a lot at you, but that's because I was trying to be conscious of how much time I actually had. And guys, by the way, thank you so much for having me, I really appreciate it. It's definitely a good thing, and I hope I taught you something today.
Wow, this is great. This is a lot of information that you banged out. Thank you very, very much.

No worries at all. Here, I'll just do this, ready, and then thank you.

Does anybody have any questions for Bill? There's a lot of information here, so if I fire away at him... this is great.

I thought I only had 30 minutes, like I was like, crush it down as much as I can.

Any questions at all, or do we have a shy group today? Don't be shy.

Shy group.

All right, all right. Oh, and I hear my name. How are you? That's how it goes. Ari works with JFrog as well. You had some swag to give out?

I do, I do. So we have, so the good news is it looks like, because of the numbers today, everyone's going to be eligible for this. Let me just share my screen. Everyone gets a thing, everyone gets a thing, yeah. You get a thing, you get a thing, you get a thing. Let's see, let me just share my screen really quick. So basically here's a QR code, and I'll drop a link in as well if you can see it. But basically we're gonna give out our annual t-shirt, which is gonna be discontinued very shortly because we're gonna get a new annual t-shirt, and a copy of our Liquid Software book. So it's a combo we'll send out. The bitly we have is jfront slash devops drinks, and yeah, it's yours to have. We'll mail it out to you free of charge, and hope you enjoy both. I actually joined JFrog because of their t-shirts. I'm surprised they offered... when I found out they were gonna pay me money too, that was a bonus. But yeah, okay, this year, our annual t-shirt is gonna be discontinued, so we have a lot of fun with those. So yeah, for everybody here, this is for you, and I'll drop the link here.

Somebody actually asked a question. Hey Lance, just so you know, we cover over 30 package types natively, out of the box. I put the link in for the free tier, and play around with it all you want. I'm on Twitter too, reach out if you want. And I'm looking for my invite, Alec, in January, so I can make it back home, come see you guys, maybe come to the World Trade.

Yep, the next one's in person. We're actually meeting as real humans to drink together. It will be fun, so if you're in New York, come on down. Bill, get down here, we got a lot to talk about.

Yeah, by the way, you have my, I think I'm part of the email thread, maybe Ari has sent you, get my information, ping me, let's chitchat, dude, seriously. That's pretty rough.

Guys, everyone, thank you so much for joining us. Thanks for spending your lunch with us, and we're not doing one in December, so enjoy the rest of your year, and we're coming back strong in January. Hopefully we'll do some more with the good folks at JFrog. Bill, that was awesome, thank you so much for putting that together. Ari, thanks for watching. Yes.

Great.

Be safe, be wonderful. We will. Everyone, cheers, have a great day everybody, take care.

Rock on.

Bye.