Episode 20: Taking Open Source Supply Chain Security Seriously with Dan Lorenc

About this audio

Sponsored by Reblaze, creators of Curiefense

Panelists: Justin Dorfman | Richard Littauer

Guest: Dan Lorenc, Software Engineering Lead, Google

Show Notes

Hello and welcome to the Committing to Cloud Native Podcast! It's the podcast by Reblaze where we talk about the confluence of Cloud Native and Open Source. Today we are very excited to have as our guest Dan Lorenc, who is a Staff Software Engineer and the lead for Google's Open Source Security Team. He also founded projects such as Minikube, Skaffold, TektonCD, and Sigstore. Dan takes us back to how he got into open source, Google, and Cloud, and how he ended up leading Google's Open Source Security Team. We learn about one of the bigger attacks of the year, the compromise of the Codecov Bash Uploader; what sget is; what Google is doing to stop dependency nightmares, zombie dependencies, and the attack vectors hitting that area; and why people should not sign Git commits. Dan has written several blog posts and talks through some of them, and he shares tips on the easiest way to raise your security if you use cloud providers while working on open source projects. Download this episode now to find out much more from Dan!

[00:01:53 (https://podcast.curiefense.io/20?t=113)] Dan tells us how he got into open source, Google, and Cloud, and how he ended up as lead for the Open Source Security Team. He tells us about his first open source project, Minikube.

[00:05:07 (https://podcast.curiefense.io/20?t=307)] Justin brings up the "safer curl URL pipe to bash" discussion that has been a topic on Hacker News. We learn about the attack earlier this year in which the Codecov Bash Uploader was compromised, and Dan explains what happened. Dan then goes in depth on what sget is.

[00:11:04 (https://podcast.curiefense.io/20?t=664)] Richard asks Dan whether he thinks it is important that people sign their Git commits, and Dan talks about a blog post he wrote a couple of weeks ago on exactly that.

[00:12:40 (https://podcast.curiefense.io/20?t=724)] Dan explains how to deal with security for things running in the cloud, and tells us one of the biggest concerns he has right now.

[00:15:12 (https://podcast.curiefense.io/20?t=912)] Find out more about the security leads across Google, and hear about a paper Dan recommends reading: "Reflections on Trusting Trust" by Ken Thompson.

[00:17:23 (https://podcast.curiefense.io/20?t=1043)] Some people at the PSF got a $300,000 grant for supply chain security, and Justin asks Dan whether he had a role in that. Justin also mentions the reports going to Congress and the powerful XKCD graphic.

[00:19:57 (https://podcast.curiefense.io/20?t=1197)] Learn what Google is doing to stop dependency nightmares, zombie dependencies, and the attack vectors hitting that area. Richard also wonders whether, as a cloud user, you can know which dependencies you are actually exposed to.

[00:26:54 (https://podcast.curiefense.io/20?t=1614)] Richard wonders how Dan stays sane and how he decides what to work on next. Dan wrote a blog post called "Procrastination Driven Development" and describes how this works in his head.

[00:31:07 (https://podcast.curiefense.io/20?t=1867)] One thing Justin wants to know is which repository or package manager keeps Dan up at night. He wonders whether any out there need attention, or whether they are getting the attention they need.

[00:33:30 (https://podcast.curiefense.io/20?t=2010)] Find out where you can follow Dan on the internet, plus some great tips to raise your security if you are using cloud providers at the moment for working on open source projects.

Links

Curiefense (https://www.curiefense.io/)
Curiefense Twitter (https://twitter.com/curiefense?lang=en)
Curiefense Blog (https://www.curiefense.io/blog)
Cloud Native Community Groups - Curiefense (https://community.cncf.io/curiefense/)
community@curiefense.io (mailto:community@curiefense.io)
Reblaze (https://www.reblaze.com/)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
jdorfman@curiefense.io (mailto:jdorfman@curiefense.io)
podcast@curiefense.io (mailto:podcast@curiefense.io)
Richard Littauer Twitter (https://twitter.com/richlitt?lang=en)
Tzury Bar Yochay Twitter (https://twitter.com/tzury?lang=en)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan)
Dan Lorenc Website (https://dlorenc.medium.com/)
"Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack" by Ryan Naraine (Security Week) (https://www.securityweek.com/codecov-bash-uploader-dev-tool-compromised-supply-chain-hack)
sget (https://sget.org/)
"Should You Sign Git Commits?" by Dan Lorenc (https://dlorenc.medium.com/should-you-sign-git-commits-f068b07e1b1f)
"Reflections on Trusting Trust" by Ken Thompson (https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)
"Securing Open Source Software at the Source" by Ashwin Ramaswami (https:/...
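The "safer curl | bash" point raised at [00:05:07] is the core of what the Codecov incident demonstrated: piping a download straight into a shell executes whatever bytes the server returns, so a modified script runs before anyone can look at it. The following is an added shell example, written for this page; it is not code from the episode, from sget, or from any project named above. It shows the minimal alternative: download to disk, check the file against a SHA-256 digest pinned somewhere other than the download URL (for example, committed in your own repository when you reviewed that version), and only then execute. sget's stated aim is to add signature verification on top of a check like this; the example covers only the digest step. The placeholder URL and the `safe_install` name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the episode or from sget). Replaces
#   curl -fsSL https://example.invalid/install.sh | sh
# with: download to disk, verify a pinned SHA-256 digest, then execute.
# A changed script fails closed before a single line of it runs.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE.
# Uses sha256sum (coreutils) or falls back to shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# Case-insensitive so a digest copied from a release page in upper case
# still matches; an empty EXPECTED never matches (no "pin nothing" bypass).
verify_digest() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# safe_install URL EXPECTED: fetch to a temp file, verify, then run it.
# On download failure or digest mismatch nothing is executed and the
# function returns non-zero. EXPECTED must come from a source you trust
# independently of the download URL (a pinned value in your repo, a
# release note you reviewed), otherwise the check proves nothing.
safe_install() {
  url=$1
  expected=$2
  tmp=$(mktemp)
  # HTTPS only, TLS 1.2+, fail on HTTP errors, follow redirects silently.
  if ! curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$tmp"; then
    rm -f "$tmp"
    echo "download failed: $url" >&2
    return 1
  fi
  if ! verify_digest "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "SHA-256 mismatch for $url; refusing to execute" >&2
    return 1
  fi
  if sh "$tmp"; then status=0; else status=$?; fi
  rm -f "$tmp"
  return "$status"
}

# Usage: ./safe_install.sh https://example.invalid/install.sh <sha256>
if [ "$#" -ge 2 ]; then
  safe_install "$1" "$2"
fi
```

Pinning a digest means every legitimate update to the installer also requires updating the pin, which is the point: the change becomes visible in your own history instead of silently taking effect the next time a build runs.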
