Secure Your Software Supply Chain Using Observability Webinar [On-demand Session]

Aug 10 2022/Events/18 min read
We’ve assembled a panel of experts from software, security, and data to talk about observability and what it means to your software supply chain security. Watch the 30-minute webinar on-demand.

Can't see the embedded YouTube video above? Click here.

Frequent software supply chain attacks are becoming the new normal for developers and security professionals everywhere. Even though it’s still relatively new, observability has continued to gain momentum as a way to identify software supply chain issues before they become a major disruption. Having access to the right data at the right time is necessary to make decisions about priorities.

We’ve assembled a panel of experts from software, security, and data to talk about observability and what it means to your software supply chain security. Watch this 30-minute webinar on-demand to explore:

  • An introduction to concept and 3 pillars of observability
  • Could observability prevent a supply chain attack? How?
  • How to generate audit data using Cloud SaaS tools
  • How to understand and use the data that is being generated
  • And more!

Claire Burn, Security Data Engineer, Elastic
Josh Bressers, VP of Security, Anchore
Tom Gibson, Senior Staff Engineer, Cloudsmith
Moderated by Ciara Carey, Developer Relations, Cloudsmith

(00:00) Yoday on our webinar we're going to be talking about securing your software supply chain using observability hot new topic so we've assembled our panel of experts from software security and data to talk about observability and what it means to your software supply chain so when we talk about your software supply chain we're talking about all the steps to go that go into building your software all your third-party dependencies your open source data and we and there's a huge amount of risk involved in your software supply chain

(00:31) even a small application can have thousands of dependencies securing your software supply chain means having visibility into your supply chain and how that software is built and this is where observability can come into play observability tools I sort of the next generation of monitoring tip tools driven by Automation and Remediation they can ask hidden questions about the unknown unknowns hidden in your data and what we want to know what can this do for your software supply chain hopefully it can help us secure it so

(01:09) today we want to hear from you we want to hear who you are where you're coming from what kind of work do you do do you work in SRE and devops and software development to let us know and if you have any questions that's pure gold so we want to hear all that if you're on our streaming platform it's really obvious what you do but if you're on Twitter tweet us if you're on Facebook YouTube LinkedIn comment in our stream so we're going to be conducting posts a few posts write this and so again for

(01:40) for Twitter tweets for the other platforms just comment in the Stream so our moderate today Hillary is going to be giving those questions back to me so we really want to hear it from you we're also going to be randomly drawing a few prizes there's two prize packs and two free lunches at the end of this webinar so stay till the end if you can and if you want to watch this on demand you can go to casewoods.

(02:05) com forward slash blog after this now so let's bring up our our three guests this is who we this is what it's all about so if you can come on stage that's fine don't be shy hey hey this is our crack team we have Claire Burn from the data World she's our data magic practitioner she's a software security she's a security data engineer from elastic working in Belfast which is also a community organizer and collaborator in the tech industry she's the founder of women Tech women Tech Bakers Belfast and the co-organizer

(02:51) of security besides Belfast then we have Tom Gibson our senior staff engineer from Cloudsmith if you hear his dog snoring in the background don't worry it's actually I think he's wearing his airpods today so I'm sad to see you and then last but not least we have Josh Bressers he's the VP of security from anchor he's also a blogger and a podcaster from open source security podcast and he's someone who's been talking about um your software supply chain before it was cool so

(03:26) thanks everybody for joining us we're really happy to have you guys today to tell us about what you think of observability and your software Supply I I actually can here [Laughter] so if anybody's wondering yes yes that is something snoring hopefully it's not like a gas story so it's so you know it's a circle so before we let's start with um getting some feedback from um our people listening we want to if you can participate in the poll and again if you're on Twitter you tweet if you're on LinkedIn if you're on

(04:07) YouTube or Facebook you just comment in the Stream so our first polling question is are you currently using observability or monitorial and if so how many because we did hear that people are using like a good few monitoring tools so um yes we'll we'll get that from you and we'll talk about that later so let's let's crack on with our with our first question so um I thought I'd put the first question to Claire so I want to know like what is observability and how is it like different to those traditional data

(04:42) monitoring tools yeah so um observability is more or less defined as being able to judge the state of the system based on its outputs um and again our actionable insights into the state of your tools like root cause analysis of issues and context into why your software is behaving like it is so for most observability use cases three types of data matter the most logs metrics and traces because these can provide a sort of holistic picture of your your organization's resources um so yeah as most of you already know

(05:18) like logs or files that record events um contextual information um and such as the time and event occurred and everything so they're an excellent source of visibility and metrics are like quantifiable measurements that reflect the health and performance of your applications and infrastructure and so for example CPU or members resources um and traces are like is is data that tracks an application request as it flows through the various parts of an application so like for example uh recording how long it takes each application component

(05:52) to process or request and pass the result to next next component yeah and Tom like software Developers traditionally use these kind of two like they're already using observability tools I'm sure we are in Cloud Smith and they're kind of more used for like checking if you're available and sort of performance issues is that is that right it's like that's what's the the main yeah I think it's certainly an element of it like certainly our own internal use case as is the case with

(06:21) many many other organizations we we rely heavily on observability platforms to help indicate to us the health of the service um and use it almost as a pointer as a point of reference when it comes to diagnosing issues trying to understand the performance of the applications and you know some of the points that Claire touched on and mentioned about the pillars and triuses being one of them that's probably our bread and butter aside from the log side of things and and all that you know they they the influence our our approach to trying to

(06:50) understand how things are going heavily um and we heavily try and instrument all parts of the service and leverage distributaries and across the board where we can um it makes makes a big difference yeah like and if you're currently like tailing logs to get this information very sad um like is it hard to get started like you have to change your data to when you're when it's being consumed by these tools or do you have to tag everything what you have to do um so I'll take that one um so in general you'll want to you'll

(07:33) want to send your logs to your observability tool but um in general it will perform the heavy lifting for you it can like Aggregate and filter and organize your gloves or whatever um based on a schema that you define so for example in elastic there's elastic common schema um which you can you can like orchestrate yourself oh cool so you can set up your own schema like if you don't need to change how you're currently logging stuff like yeah cool okay uh so now um what about in oh we have some results back so about

(08:07) how many tools are you actually using for observability so most people are using an observability on one or two so that's that's pretty good but some people are using over five observability shows that seems like a lot that's a lot of stuff too many toots we can't look down at anybody but yeah so um so moving on so what what problems are security teams using observability tools for like even like the wider security problem maybe Josh you can kind of help us out there sorry Josh I'm just wondering no worries

(08:53) I mean so that's that's a great question I think this is where you can kind of look at some of the work elastic has done so kind of full disclosure I I was previously at elastic before coming to Anchor so I've got to see it yeah for everything they're doing it's it's a fantastic company and product but when we think about observability there's often this kind of focus on logs and logs are super important I'm not going to say they're not and obviously if you look at the history of nearly every

(09:23) modern observability tool it has its roots in logging but we also realized some time ago that we can start ingesting all this extra data you can bring in observability data you can bring in things like data from your sim your security security incident event monitor I forget what some stands for it's been it's been a long day but there's things like your firewall details you've got bits and pieces from network monitoring tools from from your antivirus from like a million places anywhere you can get the data from you

(09:54) can now start bringing this in and adjusting it and I think this is where this particular webinar really piqued my interest because Cloud Smith brings up the the supply chain and observability and I'm like this is a perfect fit because when we think about our software and our supply chain it's just part of the data that because the data it all comes together and tells a story right and your software supply chain is part of that story that to date I would say has not been getting the attention in this way that I think it should be and

(10:24) so I'm very excited to see where this can go and like what when we talk about the software supply chain what are the elements in it and why is it why is it so risky why why is it difficult to find out what components there in your software it seems like we should know that well I mean okay it is easy to say that but I don't think that is necessarily how this has worked out over time if we look at I'll pick on log for J right because that's all we all remember log for J like it was yesterday and we have

(10:54) this incident and then everyone says how can we how do we know we're logged for James why didn't we know this before and that's very easy to kind of pick on and say we should have known this but the reality is I mean it's just part of maturing every organization I mean there was a time we didn't have logs from all of our computers right all of the servers in the server room no one knows whatever does sshn and log file it's fine I was just configured I you know like it's like you have an instant then

(11:21) you look back you're like oh we didn't have that turned on exactly exactly that and that doesn't cut it anymore right and that's fine that is just how all of this works together and so I think from the supply chain perspective it is relatively new and we have a lot of learning to do and I just think putting all these pieces together is is the next step where don't say why weren't we doing this because what well we just weren't so who cares like how do we start I think is the better question to start asking

(11:52) yeah and so uh Tom what kind of data should we start federating in order to answer some of these questions yeah that's a good question there's there's a lot there's a lot of work in this space right I think um what Joshua said is very much the case it's a it's a novel area you know um prompted heavily by you know incidents of such as log for J such as as well the numerable things right but we're starting to to try and take a an understanding of what goes into a piece of software and and what that actually

(12:29) means for us um so today you know there's there's a variety of ways we can do that that some of our audience will have heard that's our Mass bomb I'm sure Josh knows it inside and out but that's um you know s bomb is a is a really you know it's a good starting point for some of this stuff because it like like to to take it back a little bit we're talking about a bill of materials for software so essentially you know the manufacturing industry and I've used this on several webinars and I saw

(12:56) apologies for anyone else that's seen this but you know the manufacturing industry has has used uh bills of materials for a very long time you know yet there has to be an awareness and an understanding um of what goes in to build a product um uh manufacture of a mobile device for example they they understand it's made up of a of a display of some sort components that make up the main board a speaker that kind of thing and they'll Source those components from external and some of them still build in-house

(13:23) software is no different in that respect um we're looking at pieces of software that can be sourced from the public domain by great contributors out there as well as other organized positions and the wise that's amazing it also brings an element of I wouldn't necessarily say distrust but certainly deserving of a bit more scrutiny um and log4J is a very good example of that you know it's heavily used across the board in a variety of different projects and I think to get that sort of information

(13:52) into your observability pipeline bombs are a really good place to start you've got information in there containing things like the third party dependencies um you know those those are usually referred using identifiers such as Pearl or swedes or something along those lines um but you know there's a variety of other other approaches as well and generally kind of starting at the source is probably like they talk about Chef left security right you've heard it many many times many of us have but it's true

(14:21) in the sense that you know the the the later something is done about things that the more damage that it tends to to the the bigger whack that it tends to create so given given more observability into this stuff from the outset is no bad thing and you know we can such information vulnerabilities for example about about third party dependencies the number of third-party dependencies this is all information that tends to be produced by these future reports and they make great candidates for injecting into observability and you're treating

(14:51) like anything else that goes into those platforms we can model slo's or sorry slis about those we can track things on alerts and alarms we can do license compliance checking all this kind of useful stuff that's very useful for security teams but I think in general we're starting to see an approach that security doesn't just rest with security teams we're starting to see it that it's becoming a practice across both security data and Engineering teams as well and disciplines and I think that's important

(15:17) to continue practice yeah actually Josh coming from the security space do you find that like your security teams are working closer with your developers or is it like oh we set the policies we just handed to the developers is there more um is there more communication there now I think there is I think we've seen a definite shift over the last probably 10 to 20 years of it used to be very much the security team was over here the developers over here Dolan likes each other and so we're going to avoid one

(15:50) another as much as possible and and that's definitely not what I see anymore but I think more importantly even is when you look at some of the kind of smaller and and new startup-y type organizations that might have only a dozen people you're seeing the developers kind of doing a lot of this leg work where they're they're you know running the vulnerability scans themselves or using github's dependabot for example they're they're the ones doing the work and I think what I what the vision I have is that we make a lot

(16:21) of this tooling so easy and so good that you don't need a security team like doing all the work the security team is there to Define policy and help with problems but fundamentally you're going to see the developers actually kind of picking this up and I mean I'd even kick this over to elastic is this is exactly what you're seeing with with just the amazing product that'll last you search is morphed into is it used to be very much like you had one group doing all the Care and Feeding but now all the I

(16:45) mean Claire can certainly comment on this now you're seeing the individual business units and groups actually doing the data analysis and adjusting the data which is amazing it's so and actually Claire's title is like data security Engineers so you're sort of a hybrid role yourself yeah it's funny because um you you said that we have guests here from the data the security and the engineering world I'm all free um yeah I'm dealing with security data and dealing with the architecture of that

(17:21) data I'm dealing with like software engineering problems on a daily basis um and that kind of reflects that's what an individual basis it reflects where the organization of elastic is going because we have both security and observability tools in the one product line and it's really cool because security like monitoring security means monitoring your data nowadays because there's just so much data everywhere absolutely and actually let's start our next poll as soon as we're we've kind of

(17:52) touched on vulnerabilities I don't know my trusty sidekick there Hillary in the background ah there you see that's it's magic so our next poll is on are you happy with your workflow for finding vulnerabilities in your software supply chain so it's a touchy topic um so if you're on Twitter tweet us what you think if you're on LinkedIn YouTube Facebook comment in the Stream or if you're on our platform you just you just click our poll so um yeah we'll talk about that later so um um have for for the software supply

(18:33) chain what kind of questions do you think that we'll be able to ask and observe I'm like I see an observability deal I kind of think it's like Alexa be like am I vulnerable Alex I don't know if that that's my dream so uh but Clara can you imagine like say you get all this data in this new vulnerability pops up are these kind of these questions that you can ask your vulnerability tool that were not necessarily thought of as you're generating the data um so yes absolutely um so I can only talk about what I know

(19:14) which is elastic so I promise I'm not like just just advertising things is open Telemetry anyway so you kind of it's it's more generic anyway yeah yeah exactly but um one cool thing is that um you can ingest security data but then like have have that all correlated um within the observability product so like it can tell you like it can pinpoint Glenn exactly a vulnerability like was introduced into your into your security into your supply chain um it can tell you like if that vulnerability was exploited and it can

(19:50) tell you like who exploited it um if you have your your logging and observability set up right um but it's just it's really cool and I really love the book I really love where observability Tools in general are going on this front because I think it's presenting a unified way of like just collating all your data to provide a defense basically yeah and do you find in elastic that you're moving away from the sort of what is it the visualize not not moving away from visualization but uh these dashboards is it more about

(20:28) like remediation and automation I suppose something actionable rather than displaying on a dashboard and have someone monitor that how like is is that where you see the future to be or uh yes absolutely um so for example in elastic security you can open cases um and like Chris where vulnerability is happening like I said when you know like uh Vlog like data as you find it so you can basically set up a security remediation case like as you as you find it you know um and it means that analysts don't have to you know stare at dashboards all day and

(21:12) you know get alerts and everything um so that kind of automation is really really useful um just and helps to provide a layered a layer defense model I guess yes yeah so and uh Josh do you think like in the future using these options observability tools that would actually be able to like prevent a supply chain attack so supply chain attack is something that um uh it's an attack on your supply chain so maybe it's malware in your dependency or it's a vulnerability that's exploitable uh so um do you think that

(21:47) using these tools having this visibility having these sort of like uh machine learning tools could they prevent an attack or is it all about detection and uh fixing it as quickly as possible so I would answer your question with uh it depends which is of course the favorite answer to all questions so I don't see a lot of observability tools directly stopping an attack in the regards you might think of where an attacker is actually like coming in and doing a thing and then you have a tool paying attention because prevention in

(22:22) that regard is actually very very difficult to do I'm not going to say it's impossible but it is incredibly hard but I would say from the concept of preventing a bad thing I would think of it more as when you have tools that are paying attention to what's going on you can for example say okay I see this vulnerability just appeared in my product before I shipped it now I can use that knowledge to prevent a vulnerability from entering my supply chain essentially and then I mean you could is that stopping it I mean we

(22:53) could argue that probably for hours but there's I think that aspect of it and then there's also the angle of for example you might have a developer who includes a dependency that then pulls in hundreds of other dependencies beneath it and so you can look at your tools and say whoa why did did we just pick up 700 dependencies yesterday something weird is going on and that's another example where obviously as you add more dependencies in your supply chain you're increasing your risk and so it's not

(23:21) about necessarily like prevention as much as understanding risk and once you understand your risk now you can start to control your risk and so I think that's probably a better way to think of it do you think people are going to start making decisions like I'm going to try to cut down the number of dependencies I have in my product is that like something people are gonna do definitely I I think everyone I know as soon as they start generating s-bombs and they look at the data the first thing they say is where did all this stuff come

(23:53) from every single person and then obviously but again once you have data you can start asking intelligent questions and solving problems which is why data is Magic and it's amazing so oh we have some of the results of the poll so the question was are you happy with your workflow for finding vulnerabilities in your software supply chain and most people said yes so bully to you yeah we must have a security focused audience or proud of you yeah so that's great and um so it's like it's like five minutes to go I thought that

(24:26) time absolutely flew by. Thank you to our guests today we I like loved chatting to you I could talk to you all day long um really appreciate you to come in for all your insights and everything and I'd just like to say thanks to everybody for for listening about observability I hope you had an idea about how you can use

(25:46) observability to secure your supply chain and um learn new things about your supply chain that maybe you didn't know that you had to ask when you collected all this data so thanks so much and thanks for everybody for for coming in listen to us so next month we're talking about um oh we're if we're talking to new clients from Red Hat so uh stay tuned but um thanks again so this is a proper goodbye now so bye everybody talk to you later!
Get our next blog straight to your inbox