WEBVTT

00:00.000 --> 00:09.200
Developing in order to build smooth operating machines between the space, and so we're still

00:09.200 --> 00:16.280
learning, and our journey with the Airflow Committee community has been really interesting.

00:16.280 --> 00:18.440
So this is just a refresher of the threat model.

00:18.440 --> 00:22.520
I'm not going to spend too much time on this today, it was been a days like that.

00:22.520 --> 00:27.880
If you are, have been living under a rock, this is a quick refresher that basically every

00:27.880 --> 00:34.760
18 months, there is an absolutely spectacular, major supply chain attack, and every

00:34.760 --> 00:39.760
day there are all kinds of other attacks happening.

00:39.760 --> 00:41.240
So it's just hard, right?

00:41.240 --> 00:44.520
We're still figuring it out.

00:44.520 --> 00:49.480
From the work that we did, one of the things that came out of this is that as a consumer

00:49.480 --> 00:52.640
of open source, which means everybody who is building something in open source unless

00:52.640 --> 00:55.960
it's the bottom of the stack library, right?

00:55.960 --> 01:04.440
You have a responsibility and a need to look upstream and to make one of these choices.

01:04.440 --> 01:09.040
There's a different version of the last F. You have a choice.

01:09.040 --> 01:13.640
Either you're going to get involved and engage in fixing the things, the problems upstream,

01:13.640 --> 01:16.960
you're going to fork it and copy the bits that you need and reduce the surface area of your

01:16.960 --> 01:21.520
risk, or you're going to stop using something.

01:21.520 --> 01:26.600
There is a fourth F, and that's about funding, that's what my project does.

01:26.600 --> 01:31.440
I can tell you from three years of experience and spending close to $10 million, this

01:31.440 --> 01:34.040
is much harder than it looks.
01:34.040 --> 01:38.680
In particular, in those smaller projects, it is all but impossible to just turn money into

01:38.680 --> 01:39.680
security.

01:39.680 --> 01:41.640
They're already working nights and weekends.

01:41.640 --> 01:44.880
You can't buy more nights and weekends of their time.

01:44.880 --> 01:46.400
You can't turn them into security experts.

01:46.400 --> 01:48.120
You can't hire another person in that org.

01:48.120 --> 01:49.400
It doesn't work that way.

01:49.480 --> 01:52.480
So there are real challenges to doing so.

01:52.480 --> 01:54.840
Alpha-Omega has a mission.

01:54.840 --> 01:59.320
Our goal is to go off and protect society by fixing this problem.

01:59.320 --> 02:01.920
We see it as a very long-standing mission.

02:01.920 --> 02:05.440
We are not funded to do all the security work or to fund all security work.

02:05.440 --> 02:11.280
The word catalyze is critical to how we do things.

02:11.280 --> 02:16.680
We do so by investing across four separate types of investment categories.

02:16.680 --> 02:23.680
The first: it turns out if you make it someone's job to worry about security, things get

02:23.680 --> 02:25.560
done.

02:25.560 --> 02:31.080
In particular, in the Python Software Foundation, in Rust, in Eclipse, Ruby, I'm forgetting

02:31.080 --> 02:32.400
many.

02:32.400 --> 02:36.440
We've been able to hire the first security engineer in residence in those organizations.

02:36.440 --> 02:37.840
We pay for those roles.

02:37.840 --> 02:38.840
They hire them.

02:38.840 --> 02:39.840
They manage them.

02:39.840 --> 02:40.840
They set their goals and targets.

02:40.840 --> 02:45.360
We just say, have somebody whose job is to care about this, and the impact has been astounding.

02:45.360 --> 02:49.000
The surprise impact is when we bring them into a room and have them talk to each other,

02:49.000 --> 02:51.600
even more great things happen.

02:51.600 --> 02:54.280
The second category is around package repositories.
02:54.280 --> 02:58.040
These are among the most leveraged points of influence over the SDLC, software development

02:58.040 --> 03:00.480
lifecycle, everywhere.

03:00.480 --> 03:05.560
Every developer, when faced with the problem of getting tab A into slot B and Googles

03:05.560 --> 03:09.800
the problem, finds an out-of-date Stack Overflow article that says, do not use this, and the

03:09.800 --> 03:13.400
fourth comment at the bottom says, npm install foo worked for me, and they're going to do

03:13.400 --> 03:14.400
it.

03:14.400 --> 03:19.240
And unless you have checks, policies and gates in place, you're going to end up with foo

03:19.240 --> 03:24.960
and its entire transitive dependency graph till the end of time in your project.

03:24.960 --> 03:32.000
Category C is about audits, and I can't say this often enough: when we invest by putting an audit

03:32.000 --> 03:36.800
into a project and helping them audit their processes, their culture, their tooling, their

03:36.800 --> 03:41.880
code, we learn an awful lot about that organization's readiness to actually become focused

03:41.880 --> 03:42.880
on security.

03:42.960 --> 03:45.920
And so we tend to start with that because how they respond tells us a lot about whether

03:45.920 --> 03:47.960
they're ready to do more or not.

03:47.960 --> 03:51.640
And then finally, deeply acknowledging this is a new space and none of us know what the

03:51.640 --> 03:52.800
hell we're doing.

03:52.800 --> 03:57.040
We keep trying things and see how we can screw things up probably and where it goes.

03:57.040 --> 04:01.760
Making mistakes, trying new things is a key part of what we do.

04:01.760 --> 04:02.760
This is just some numbers.

04:02.760 --> 04:03.760
I'll skip over it.

04:03.760 --> 04:07.280
We spend a lot of money.

04:07.280 --> 04:11.880
This particular journey, I think, is worth wasting a little bit of time on because of how

04:11.880 --> 04:12.880
awesome it is.
04:12.880 --> 04:15.880
Is this supposed to move in some way, as we click it first?

04:15.880 --> 04:16.880
Right.

04:16.880 --> 04:20.640
So that engineer in Python I talked about, Seth Larson, was hired by the Python Software

04:20.640 --> 04:21.640
Foundation.

04:21.640 --> 04:25.520
He was a longstanding member of the community, had an interest in security, we were able

04:25.520 --> 04:31.720
to fund his role, and he did amazing work and continues to do amazing work and is really

04:31.720 --> 04:35.240
a leader across all of these organizations.

04:35.240 --> 04:38.400
I think that's not because I know him and I talk about him, but he and I did a talk

04:38.400 --> 04:43.560
at Python, and because of that talk, Jarek came up after the talk: this was a great talk.

04:43.560 --> 04:48.120
I want you to do the same talk at the Apache Airflow Summit, and I'm like,

04:48.120 --> 04:50.280
I'm not doing the same talk again, and we got to do something new.

04:50.280 --> 04:51.280
What are we going to do?

04:51.280 --> 04:55.240
He's like, have I got an idea for you?

04:55.240 --> 05:00.640
We had been doing things with Muno already around a scaled approach towards vulnerability

05:00.640 --> 05:05.680
discovery, and we did it by scanning things, and then the team came back and said, look,

05:05.680 --> 05:06.680
we scanned.

05:06.760 --> 05:10.120
Things we found, this many percentage of vulnerabilities, we fixed this many, that many

05:10.120 --> 05:15.000
were accepted, and it was like rowing a boat out to the Pacific garbage patch, coming

05:15.000 --> 05:16.920
back with a pile of plastic.

05:16.920 --> 05:20.040
Yes, the garbage patch is smaller.

05:20.040 --> 05:23.040
I can't do anything useful with that information.

05:23.040 --> 05:27.360
And so we've been switching to this mindset of like, can we find a section of the beach that

05:27.360 --> 05:31.960
is well defined, and I ask, you know, Jarek, do you have a section of the beaches?
05:31.960 --> 05:33.200
Well, I have the exact list.

05:33.200 --> 05:37.480
I have 719, that number has been asked in my brain these days, dependencies, and I know

05:37.480 --> 05:39.000
the exact list and I have these tools.

05:39.000 --> 05:43.160
I'm like, we're going to do something together.

05:43.160 --> 05:46.160
And so that is what happened, and so Jarek is now going to do all the interesting stuff.

05:46.160 --> 05:49.720
I just talked about the setup, but it is very interesting about how we got here.

05:49.720 --> 05:50.720
It's about people.

05:50.720 --> 05:55.400
It is always about people, and change happens when you find the right people and do things

05:55.400 --> 05:56.400
together.

05:56.400 --> 05:57.400
Now you get the microphone.

05:57.400 --> 05:58.400
Can you get this?

05:58.400 --> 06:00.400
That's under the picture.

06:00.400 --> 06:05.400
Yeah, so that's the beach that we are going to clean together, and we are already doing

06:05.400 --> 06:06.400
that.

06:06.400 --> 06:08.400
Okay.

06:08.400 --> 06:12.400
So yes, let's talk about Airflow security.

06:12.400 --> 06:15.040
That's where it all started.

06:15.040 --> 06:18.480
So Airflow is already very, very active in its security.

06:18.480 --> 06:22.400
And there are some people here who can confirm that, because for example, I work with

06:22.400 --> 06:27.920
Arno, who is our Apache Software Foundation security response engineer, and we've built the

06:27.920 --> 06:33.600
security team together, and we work on it, and it's actually super active and works very well.

06:33.600 --> 06:36.080
But Airflow itself is a very active and big project.

06:36.080 --> 06:42.160
So we have like 150 active pull requests in a week which were touched, or 76 active

06:42.160 --> 06:44.480
issues which were opened.

06:44.480 --> 06:50.720
We have 102 commits merged every week, or 124 commits merged on all branches within

06:50.720 --> 06:52.720
like just around the week.
06:52.720 --> 06:54.720
We have a lot of people working on it.

06:54.720 --> 07:00.160
We have a very big number of users; for this, 14,000 is just the GitHub.

07:00.160 --> 07:05.600
But we have a lot; pretty much everyone who is processing data uses Airflow. Airflow

07:05.600 --> 07:09.000
is a data orchestrator, in case you didn't know.

07:09.000 --> 07:13.480
We have 3,200 almost contributors, that's the stat from today.

07:13.480 --> 07:20.640
I always update this slide before talking because it keeps on going and very, very, very fast.

07:20.640 --> 07:23.440
Something happened, and this is the active Airflow in security.

07:23.440 --> 07:27.040
If you look at the history of Airflow, here is like a timeline, and you can see like those

07:27.040 --> 07:29.040
are commits and versions of Airflow.

07:29.040 --> 07:34.320
But at the top, these are the vulnerabilities that were discovered in Airflow, and you would

07:34.320 --> 07:39.680
see that at some point of time they start, of course the vulnerabilities were going down,

07:39.680 --> 07:44.400
because this is like how many open vulnerabilities in the history there were.

07:44.400 --> 07:50.080
But at some point of time they started to go down faster because we had invested in our

07:50.080 --> 07:53.760
security ourselves, in the security of Airflow as a project.

07:53.760 --> 07:56.080
So what we've done, we have a dedicated security team.

07:56.080 --> 07:58.800
I go very quickly because this was just a base.

07:58.800 --> 08:04.080
We have created and documented the whole detailed process of how we are dealing with the security.

08:04.080 --> 08:09.440
We introduced the security model describing to our researchers and users how the security works in

08:09.440 --> 08:10.880
Airflow.
08:10.880 --> 08:16.400
We prepared canned responses to issues, because of course we are flooded with a number of issues,

08:16.400 --> 08:22.400
but that's another story that we've heard recently, generated by different kinds of people,

08:22.400 --> 08:25.920
and we are responding to them in the same way, and we know how to.

08:25.920 --> 08:28.720
We've disabled some inherently insecure features.

08:28.720 --> 08:31.200
We hardened our CI workflows quite recently.

08:31.200 --> 08:33.280
I removed pull_request_target, by the way.

08:33.280 --> 08:37.360
If you're using pull_request_target in your GitHub workflows, stop doing that immediately.

08:37.360 --> 08:40.400
It's super insecure with it.

08:40.400 --> 08:46.160
And we introduced reproducible builds, which shows us that actually even

08:46.160 --> 08:51.120
the release manager didn't tamper with the Airflow builds when they were prepared.

08:51.120 --> 08:56.000
Sometimes something like that happened with xz, that depends.

08:57.760 --> 08:59.040
So we've done all of that.

08:59.040 --> 09:03.200
We have like 15 people in our security team, more or less five are productive.

09:04.240 --> 09:07.360
62 committers, 32 PMC members, we're a huge project.

09:07.360 --> 09:09.360
More than 2,000 contributors.

09:09.360 --> 09:13.440
And the important thing is like we are big enough to attract funding.

09:13.520 --> 09:16.000
The fourth F that Michael mentioned.

09:17.280 --> 09:18.240
Yes, yes.

09:20.240 --> 09:20.800
Yes.

09:20.800 --> 09:22.400
It's hard to make it turn into people.

09:22.400 --> 09:24.240
People working on projects?

09:24.240 --> 09:24.800
Yes.

09:24.800 --> 09:25.760
It's what matters.

09:25.760 --> 09:29.600
Yes, and we have stakeholders who are supporting our work.

09:29.600 --> 09:32.160
Like I'm an individual contributor.

09:32.160 --> 09:38.560
I'm full-time, or I tend to say 150% time, open source contributor.
09:39.200 --> 09:43.040
And I'm fully paid by Google, by Astronomer,

09:43.040 --> 09:47.600
and a few other customers, or users of Airflow, who just chose to pay me.

09:47.600 --> 09:53.440
Because they think it's great if I'm a contributor or a committer there, or PMC member.

09:55.040 --> 10:02.880
So we have a lot of sources of this money, people, energy, and focus.

10:02.880 --> 10:05.120
We also have like Sovereign Tech Fund interested in us.

10:05.120 --> 10:08.080
So the part of the security improvements in the last year we've done,

10:08.080 --> 10:13.680
or the 2023, even, were financed by the Sovereign Tech Fund investments.

10:13.680 --> 10:17.040
And they paid for these reproducible builds, for example.

10:17.040 --> 10:22.320
And now we have Alpha-Omega fund, but are we secure?

10:22.320 --> 10:24.240
Can we trade that we are secure?

10:24.240 --> 10:27.440
If you look at our dependency tree, the number is much smaller,

10:27.440 --> 10:29.600
because we've already removed some of those.

10:29.600 --> 10:33.360
And this is not the full number, not 719.

10:33.360 --> 10:36.400
But right now, if you look at the dependency tree of Airflow,

10:36.400 --> 10:41.360
if you look down, it's 579, that's the number of lines?

10:41.360 --> 10:44.240
That's the number of lines you cannot see, actually?

10:44.240 --> 10:46.160
Well, we have a lot of them.

10:46.160 --> 10:48.080
And we have, of course, security regulations.

10:48.080 --> 10:49.600
We have more or less two years.

10:49.600 --> 10:50.640
Everyone is impacted.

10:50.640 --> 10:51.760
Everyone needs to be involved.

10:51.760 --> 10:52.560
We know all of that.

10:52.560 --> 10:54.880
I don't want to be repeating that.

10:54.880 --> 10:57.200
So this is an SBOM room.

10:57.200 --> 11:00.000
And I was thinking, why the hell did I submit?

11:00.000 --> 11:04.160
Well, why the hell did I submit a talk to the SBOM room?
11:04.160 --> 11:06.640
Because it's, I see, at the SBOM room,

11:06.640 --> 11:10.080
most of the people are talking about creating SBOMs,

11:10.080 --> 11:13.360
about attributes, about a number of things.

11:13.360 --> 11:14.800
Nobody talks about how to use them.

11:14.800 --> 11:18.480
Like, nobody actually says, like, how to make them useful,

11:18.480 --> 11:20.480
not only for regulators who required them,

11:20.480 --> 11:22.240
but how to use them, and we did.

11:22.240 --> 11:25.440
So experiments start, because we are in the fourth part

11:25.440 --> 11:26.720
of what Michael mentioned.

11:26.720 --> 11:28.640
Yeah, we have an experiment.

11:28.640 --> 11:32.160
So we are the experimental effort, which might not fail.

11:32.160 --> 11:35.040
Apache Software Foundation, PMC members of Airflow,

11:35.040 --> 11:36.640
Python Software Foundation is involved.

11:36.640 --> 11:38.480
Alpha-Omega fund is involved.

11:38.480 --> 11:41.920
Some users are indirectly involved, because like Amazon, Google,

11:41.920 --> 11:44.400
they have thrown in their day of helping with that.

11:45.680 --> 11:47.760
We also have OpenRefactory.

11:47.760 --> 11:50.480
And we are using cdxgen for generating our SBOMs,

11:50.480 --> 11:52.640
which is great help, because from those SBOMs,

11:52.640 --> 11:56.880
we were actually able to draw very, very interesting conclusions.

11:56.880 --> 11:59.360
We use the, we have some security audits from S,

11:59.440 --> 12:01.920
as well, that we looked at.

12:01.920 --> 12:03.600
We have some external researchers.

12:04.560 --> 12:07.760
The idea that we have, we want to know our dependencies.

12:07.760 --> 12:11.680
We want to review and talk to all 700 of our dependencies.

12:11.680 --> 12:13.600
We will do that, I'm pretty sure of that.

12:14.640 --> 12:16.480
We are learning how to do that.
12:16.480 --> 12:19.680
We learn how to automate that work of communicating

12:19.680 --> 12:21.760
or initializing the communication,

12:21.760 --> 12:24.560
because we believe that we should talk to the humans,

12:24.560 --> 12:25.520
to the maintainers there.

12:26.480 --> 12:30.640
And we think that it's like how we as a product look at them

12:30.640 --> 12:32.960
is important, as we as a user.

12:32.960 --> 12:34.640
And we always remember the people.

12:34.640 --> 12:38.720
So the biggest part of it is not to automate, not to show numbers,

12:38.720 --> 12:40.800
not to show spreadsheets.

12:40.800 --> 12:44.400
This is very useful, and we do that as a starting point,

12:44.400 --> 12:47.760
then we talk to people, because this is where security starts.

12:47.760 --> 12:53.440
So we did some kind of our analysis on those 700 dependencies.

12:53.440 --> 12:55.680
And we came up with like 16 of them.

12:55.680 --> 12:56.880
And that was all automated.

12:56.880 --> 12:59.680
The whole thing that I show you, this is an automated step.

12:59.680 --> 13:04.240
So we have some OpenSSF scorecards and results.

13:04.240 --> 13:07.360
We had some like description of those results.

13:07.360 --> 13:10.720
And finally, from that, we did design our automation,

13:10.720 --> 13:13.760
how to use the SBOM to generate actions that we can make

13:13.760 --> 13:15.440
based on that information.

13:15.440 --> 13:17.120
So we are not looking at numbers.

13:17.120 --> 13:20.480
We are looking at what we can do to help those dependencies.

13:21.040 --> 13:25.200
Then I'll pass to you, and you can continue.

13:25.200 --> 13:26.560
Yeah, I'll just thank you.

13:26.560 --> 13:29.200
Sure. So when you think of the Three Tenors,

13:29.200 --> 13:30.880
you remember Pavarotti.

13:30.880 --> 13:33.600
You remember Plácido Domingo, and then there's a third guy.

13:33.600 --> 13:34.880
So I'll be the third guy.
13:34.880 --> 13:37.600
I'll just make two quick points.

13:38.640 --> 13:39.920
So I'll make two quick points.

13:39.920 --> 13:43.760
Number one is, when you look at 719 dependencies,

13:43.760 --> 13:47.520
what we are doing is we are looking at creating a capability

13:47.520 --> 13:52.880
to proactively go and scan into all of those 719 dependencies

13:52.880 --> 13:55.440
or a few hundred in your projects,

13:55.440 --> 13:59.040
find previously undetected security bugs in them,

13:59.040 --> 14:02.640
and then work with the maintainers as well as you

14:02.640 --> 14:05.440
in order to manage those dependencies.

14:05.440 --> 14:06.880
So think of that.

14:06.880 --> 14:09.840
This is beyond the signal that is provided

14:09.840 --> 14:12.000
by software composition analysis tools,

14:12.000 --> 14:15.040
which is only giving you known vulnerabilities.

14:15.120 --> 14:18.160
We are talking about previously undetected security bugs.

14:18.160 --> 14:21.520
So in this case, out of the 719 packages,

14:21.520 --> 14:23.920
we looked at that in about six weeks,

14:23.920 --> 14:28.000
and identified 14 new bugs, three of them high severity,

14:28.000 --> 14:34.000
and they have been right now mitigated by Airflow and by others.

14:34.000 --> 14:37.360
Point number two is, we all know that there's no love lost

14:37.360 --> 14:42.000
between the security researchers and the open source maintainers.

14:42.000 --> 14:46.960
And there's the drive-by PRs, there's AI slop,

14:46.960 --> 14:49.680
these are like, have become very familiar.

14:49.680 --> 14:52.080
So this is an actual story that I want to tell.

14:52.080 --> 14:54.800
So this is a vulnerability that we identified

14:54.800 --> 14:56.960
and we reported to the maintainers,

14:56.960 --> 14:58.560
and then nothing was happening.
14:58.560 --> 15:00.720
Then after a few days, Jarek,

15:00.720 --> 15:04.400
he posted that he is involved in the Airflow project,

15:04.400 --> 15:10.560
and he was like, he's consuming that particular,

15:10.560 --> 15:14.400
and Airflow is consuming that particular package,

15:14.400 --> 15:17.760
and it would be interesting for them if they have an eye on that.

15:17.760 --> 15:20.800
And then the response was, oh, I thought that this was AI slop,

15:20.800 --> 15:22.880
and it was just generated by an AI.

15:22.880 --> 15:24.480
We don't generate anything by AI.

15:24.480 --> 15:26.000
They're generated by computers,

15:26.000 --> 15:28.160
because we can't type everything,

15:28.160 --> 15:29.440
but they're not AI generated,

15:29.440 --> 15:31.840
but then people have a perception of that.

15:31.840 --> 15:33.680
And then the story was very sweet,

15:33.680 --> 15:36.400
like then once it was explained to them,

15:36.400 --> 15:39.760
soon the vulnerability was fixed.

15:39.760 --> 15:42.720
The point of the story is when you involve,

15:42.720 --> 15:44.160
security is a human problem.

15:44.160 --> 15:47.440
When you involve the downstream consumers

15:47.440 --> 15:52.320
into this conversation between the security researchers

15:52.320 --> 15:55.040
and the open source maintainers,

15:55.040 --> 15:57.920
then we'll have a much more amicable conversation,

15:57.920 --> 16:01.600
and oftentimes many of these vulnerabilities would be fixed.

16:01.600 --> 16:02.400
Thank you.

16:02.400 --> 16:03.600
Okay.

16:03.600 --> 16:06.320
So let me quickly continue what the experiment has done.
16:06.880 --> 16:09.840
We identified 16 projects to start with,

16:09.840 --> 16:12.320
and we proposed them to add security policies,

16:12.320 --> 16:14.720
follow up on secure workflows,

16:14.720 --> 16:16.640
proposed to enable trusted publishing,

16:16.640 --> 16:20.240
following up on unpubsed vulnerabilities they had,

16:20.240 --> 16:23.120
and we proposed them to introduce mandatory code review.

16:23.120 --> 16:27.280
So those are the actions that we wanted to talk to them about,

16:27.280 --> 16:29.440
but really, it was about the conversation.

16:29.440 --> 16:30.880
We really are about talking to them,

16:30.880 --> 16:33.680
security is important to us as your users,

16:33.680 --> 16:34.800
and they are responding.

16:35.760 --> 16:39.200
The responses were very, very different,

16:39.200 --> 16:41.680
so we had a vast majority,

16:41.680 --> 16:44.160
if like, happy to get help.

16:44.160 --> 16:46.080
Actually, you know, I didn't put numbers here,

16:46.080 --> 16:50.560
but I have now more than half of the maintainers I talked to.

16:50.560 --> 16:53.760
They are either eager to get help,

16:53.760 --> 16:55.440
and they are looking forward to it,

16:55.440 --> 16:59.040
or they are almost as big security fixes me,

16:59.040 --> 17:02.320
which is pretty impossible or very difficult, actually.

17:02.640 --> 17:04.880
But they are very, very, very, very security fixed,

17:04.880 --> 17:06.000
few of them didn't respond,

17:06.000 --> 17:07.200
but I didn't follow up yet.

17:07.200 --> 17:09.680
I didn't have bandwidth so far for that.
17:11.520 --> 17:15.920
Some of those developers could go away, CRA is bad for me,

17:15.920 --> 17:17.200
and there was one coordinator,

17:17.200 --> 17:18.400
I don't know if you've heard about that,

17:18.400 --> 17:19.280
this is the story,

17:19.280 --> 17:21.200
so the guy which I contacted,

17:21.200 --> 17:24.400
who was following an earlier communication of mine on the CRA,

17:24.400 --> 17:26.320
he said, I'm removing all my repositories,

17:26.320 --> 17:28.080
and I will remove it from PyPI.

17:28.080 --> 17:31.120
There is a very, very interesting case that you should look at,

17:31.440 --> 17:34.640
we are still discussing with him what's going to happen in March,

17:34.640 --> 17:36.640
because he still wants to remove,

17:36.640 --> 17:39.760
because he's scared about CRA, that's another story.

17:39.760 --> 17:41.200
You want to say about availability?

17:41.200 --> 17:42.800
Yeah, exactly.

17:42.800 --> 17:46.080
So, we hope it's not going to happen,

17:46.080 --> 17:49.280
but the fact that we started this conversation

17:49.280 --> 17:50.640
triggered the whole thing,

17:50.640 --> 17:54.160
and if you haven't heard of that, you should look at that.

17:54.160 --> 17:55.840
So, longer-term targets,

17:55.840 --> 17:57.600
we want to do full automation and coverage

17:57.600 --> 18:00.640
of all our dependencies.

18:00.640 --> 18:04.240
We want to run some targeted audits in projects,

18:04.240 --> 18:07.200
in the projects that will be willing to do so after talking to them.

18:08.240 --> 18:10.240
All projects, regular incremental process,

18:10.240 --> 18:14.000
so we want to have it in the way that if we add new projects,

18:14.000 --> 18:15.360
we don't have to review all of them,

18:15.360 --> 18:17.680
we just get the new ones and then talk to them.

18:18.560 --> 18:21.440
And we want to spread the methodology and findings to others,

18:21.440 --> 18:23.200
so that others could do a very similar thing.
18:24.400 --> 18:25.760
I don't want to contribute to PSF,

18:25.760 --> 18:28.800
maybe hopefully this will become a pipeline,

18:28.800 --> 18:32.160
kind of tool or feature or whatever comes out of that.

18:32.160 --> 18:35.280
Conversation with another project is Python based.

18:35.280 --> 18:37.040
You might try to review this, right?

18:37.040 --> 18:38.880
So, exactly.

18:38.880 --> 18:40.480
So, we are repeating that.

18:40.480 --> 18:43.120
So, what you can do, things that security is,

18:43.120 --> 18:45.600
if you are an open source maintainer,

18:45.600 --> 18:48.080
start similar efforts and do similar things,

18:48.080 --> 18:50.000
know your dependencies, talk to your guys,

18:50.880 --> 18:52.400
talk to people that you work with,

18:52.400 --> 18:55.440
you use, so, know your dependencies.

18:55.920 --> 18:59.760
You might want to support similar security initiatives,

18:59.760 --> 19:02.000
like if people ask for help,

19:02.000 --> 19:03.760
like I'm helping security of others,

19:03.760 --> 19:04.960
don't hesitate, just help.

19:06.240 --> 19:08.720
You can contribute security reports to us,

19:08.720 --> 19:11.360
any other maintainers, they will also welcome that.

19:12.400 --> 19:15.360
And learnings, go, thank you.

19:18.400 --> 19:19.520
I haven't seen this slide in a long time,

19:19.520 --> 19:20.480
so I'm going to make up words.

19:22.480 --> 19:24.560
I think I've already said this a few times though, right?

19:24.560 --> 19:27.600
You as a consumer of projects,

19:27.600 --> 19:30.000
and as someone who's being consumed, right,

19:30.000 --> 19:35.120
are part of a human graph, a web of significant stickiness.

19:35.120 --> 19:36.800
It is hard to make you go away.

19:36.800 --> 19:38.080
It is hard to fix your problems.

19:38.080 --> 19:40.160
It's hard for you to fix other people's problems.
19:40.960 --> 19:43.120
If you don't have a relationship with the people

19:43.120 --> 19:45.600
consuming your software and the people you are consuming,

19:46.720 --> 19:49.760
you are a victim of whatever happens to you in that process.

19:49.760 --> 19:50.880
And it will happen, right?

19:50.880 --> 19:52.080
We see it every day.

19:52.080 --> 19:55.200
And so your project security matters to people

19:55.200 --> 19:56.480
downstream of you.

19:56.480 --> 19:59.360
If you're working on this because you're paid to,

19:59.360 --> 20:00.160
then you should care.

20:00.160 --> 20:02.000
If you're working on it because you do it for the passion

20:02.000 --> 20:04.240
and the love of the software, then you should care, right?

20:04.240 --> 20:07.920
We are no longer in a world where people can write software

20:07.920 --> 20:09.360
without worrying about these things.

20:10.080 --> 20:12.240
We don't expect everybody to be a security expert.

20:12.240 --> 20:13.840
That's not the goal, right?

20:13.840 --> 20:16.240
And I would be the first to acknowledge that there's a lot of work

20:16.240 --> 20:18.400
to be done to make this secure by default,

20:18.400 --> 20:19.760
easier and so forth.

20:19.840 --> 20:22.160
But it really does start with actually knowing

20:22.640 --> 20:24.640
that you are in this graph and paying attention to it.

20:27.120 --> 20:28.400
We have a few other small takeaways.

20:31.120 --> 20:33.040
I don't think I'm even going to speak to this slide, right?

20:34.240 --> 20:34.960
Human problem.

20:35.600 --> 20:37.280
The risk is growing exponentially.

20:38.960 --> 20:40.720
We have sustainability as part of this,

20:40.720 --> 20:42.960
and everybody has to have this be a priority.

20:42.960 --> 20:44.960
Okay, we'll take questions.

20:44.960 --> 20:46.160
Do we have time for questions?

20:46.160 --> 20:47.120
We actually allow it.

20:47.120 --> 20:48.400
Thank you for the awesome.

20:49.760 --> 20:50.720
Okay, let's start.
20:50.720 --> 20:52.000
I'm just going to arbitrarily go over here.

20:52.000 --> 20:52.320
Yeah.

20:52.320 --> 20:53.760
How do we get those projects?

20:53.760 --> 20:55.680
Can white be security?

20:56.240 --> 20:58.000
So the question was, how do we get our project scanned

20:58.000 --> 21:00.480
by the security sort of scanning processes that we have?

21:01.440 --> 21:02.480
It's a great question.

21:02.480 --> 21:06.560
And the answer is, look downstream into your dependents

21:07.440 --> 21:10.640
and find one of them that has engineering resources and money,

21:12.160 --> 21:13.760
unless you already have the resources and money

21:13.760 --> 21:15.120
to get that work done.

21:15.120 --> 21:17.920
Also, the rate of change in this space.

21:17.920 --> 21:19.680
I mean, their team has been doing amazing work.

21:19.680 --> 21:22.960
There's so much velocity happening in this space now, right?

21:24.240 --> 21:26.240
Go look at the things that are out there and figure it out.

21:26.240 --> 21:27.680
You know, and it doesn't have to be perfect.

21:27.680 --> 21:29.920
It just has to be more than you're doing right now,

21:29.920 --> 21:31.520
which tends to be very close to zero.

21:31.520 --> 21:32.400
Again, I don't know your project.

21:32.400 --> 21:33.120
I'm sure it's been great.

21:33.840 --> 21:34.880
There was a gentleman here, yeah.

21:34.880 --> 21:36.640
I'm just going to question, how do you expect

21:36.640 --> 21:39.600
of the tooling as well, especially the dependencies?

21:40.800 --> 21:42.560
So for now, we are just,

21:43.840 --> 21:45.680
are we using specific tooling for it up?

21:45.680 --> 21:47.520
There is a spreadsheet there.

21:47.600 --> 21:51.200
So we are for now developing it as a part of our project,

21:51.200 --> 21:53.200
as a flow that's part of Breeze,

21:53.200 --> 21:55.040
which is a development, release management,

21:55.040 --> 21:57.440
and SBOM management tooling that I have.
21:57.440 --> 22:01.920
But the end goal is to be able to produce similar tooling

22:01.920 --> 22:02.800
for others to use.

22:02.800 --> 22:04.240
That's what we want to do.

22:04.240 --> 22:06.640
We want to improve that, iterate on that,

22:06.640 --> 22:07.840
and then when it's going to be ready,

22:07.840 --> 22:09.840
that's when we are going to release it,

22:09.840 --> 22:12.880
but basically it takes a number of signals from other,

22:12.880 --> 22:15.120
from different places, like starting from SBOM,

22:15.200 --> 22:18.560
going through the OpenSSF scorecards, and so on,

22:18.560 --> 22:20.160
and so on, just putting it together,

22:20.160 --> 22:22.960
it's a glorified Python script at this moment.

22:22.960 --> 22:27.200
But yes, we plan to make it kind of publicly available

22:27.200 --> 22:30.080
and reusable, but it's three times more expensive

22:30.080 --> 22:33.280
to make something reusable after you make it usable first for you.

22:33.280 --> 22:35.120
So it will take a little bit of time.

22:35.120 --> 22:36.000
I think we can.

22:36.000 --> 22:38.080
I also hope to have some case studies written,

22:38.080 --> 22:40.800
or work together to sort of talk about the methodologies as well.

22:40.800 --> 22:42.400
So a lot of this is not rocket science.

22:42.400 --> 22:43.440
You just have to do it.

22:43.760 --> 22:46.640
I'm getting the sense that we have room for maybe one more question.

22:46.640 --> 22:49.120
Are there any more questions lurking in the back of the room?

22:49.120 --> 22:50.800
Going once, going twice.

22:50.800 --> 22:51.680
Thank you very much.

22:51.680 --> 22:53.280
It was a real pleasure to be with you guys today.

22:53.280 --> 22:54.480
Thank you very much.

22:54.480 --> 23:04.480
Thank you very much.