Track: Software Supply Chain

Location: Ballroom BC

CI/CD tools allow for the automation of build, test, and deploy processes. However, much of the information about the provenance of the code and third-party dependencies is lost as software artifacts flow through the pipeline. Learn about approaches and tools for tracking provenance, securing, and maintaining observability of the entire software supply chain.

Track Host: Aysylu Greenberg

Senior Software Engineer @Google

Aysylu Greenberg is a Sr Software Engineer at Google working on infrastructure and the Eng Lead of the Grafeas and Kritis open source projects. In her spare time, she ponders the design of systems that deal with inaccuracies, enthusiastically reads CS research papers, and dances.

10:35am - 11:25am

The Common Pitfalls of Cloud Native Software Supply Chains

Today modern cloud native infrastructure is composed of various CNCF projects to build, manage, and deploy containerised applications in an automated manner. These tools provide great flexibility, ease of use, and speed up development, but the ecosystem is developing at a blazing fast pace, which in turn causes various little mistakes in the products that could leave the supply chain up for grabs for a motivated adversary.

Daniel Shapira, Senior Security Researcher @PaloAltoNtwks

11:50am - 12:40pm

Securing Software From the Supply Side

In 2019, almost all software is built on open-source. From beginners’ hack projects, to mission-critical software built by huge enterprises, we’re all standing on the shoulders of giants. But this also means that we’re all inviting a huge crowd of people we’ll never even meet to contribute code into our codebases, and we’re only beginning to grapple with the implications of that and how to do it safely.  

At GitHub, we’re building towards a future where it’s easy for Open Source maintainers to keep their users safe and easy for Open Source consumers to understand and use third party code with confidence. In this talk, we’ll follow a vulnerable package from initial report of a vulnerability, through the process of resolution and publishing a new package, and finishing with updating your codebase to use the fixed version, with demos along the way. You’ll learn about the tools GitHub provides Open Source maintainers to improve the safety and security of the software supply chain at the source and how you can leverage their work to make your own codebase more secure.

Nickolas Means, Senior Engineering Manager @GitHub

1:40pm - 2:30pm

Shifting Left with Cloud Native CI/CD

Cloud native can be overwhelming: sometimes it feels like there are new tools, frameworks, operators and patterns announced every day! How do we keep up? And what happens when we get it wrong?  

Shifting left (testing as early as possible) with great CI/CD lets us experiment and catch mistakes early, so we can learn from them and become better engineers. It’s time for our CI/CD tools to get a cloud native upgrade and make all this extra complexity work for us!  

Tekton gives us the building blocks we need to add container-based cloud native CI/CD to our software supply chain. In this talk you’ll learn what we should expect from our CI/CD in 2019, and how Tekton is helping bring that to as many tools as possible, such as Jenkins X and Prow. You’ll learn about Tekton itself and see a live demo that shows how cloud native CI/CD can help debug, surface and fix mistakes faster.

Christie Wilson, Software Engineer @Google

2:55pm - 3:45pm

Observability in the SSC: Seeing Into Your Build System

Waiting for a slow build can really kick you out of the groove. Finding flaky tests using data instead of instinct increases trust. You and your team have a collection of sophisticated tools available to understand the complex applications you have running in production. Using these same tools to gain insight into your CI/CD pipeline enables your team to improve processes with the same rigor as performance analysis in production.  

Honeycomb hit a time when our builds slowly got longer and longer until, without noticing it, everybody was super frustrated. We used the tools we had available to explore instrumentation in the CI environment and visualized the data we found as traces and queries over time. With that insight we dropped build times by 40% and gave ourselves the ability to track build times and asset sizes over time. This talk walks through that transformation and covers the techniques you can use to accomplish the same goals in your environments.

Ben Hartshorne, Engineer @honeycombio

4:10pm - 5:00pm

Software Supply Chain Open Space

Session details to follow.

5:25pm - 6:15pm

License Compliance for Your Container Supply Chain

Modern container images are an Open Source Software (OSS) legal compliance nightmare. In the simplest case of building a container using a Debian base OS, installing dependencies using the package manager, and adding a home-grown app at the end, meeting legal compliance obligations is as simple as using Debian's own machinery to pull the corresponding sources. However, container images are built and used in so many different ways that it becomes impossible to track the provenance of such images, let alone try to figure out what is in them.

In this session, Nisha Kumar will talk about Tern, an open source tool for inspecting container images for OSS compliance. Nisha will provide examples of how enterprises can evaluate container images, Dockerfiles, and container supply chains using Tern, even for the impossible situations. Along the way, you will learn about the pitfalls of long-advocated best practices for building and reusing container images for the software supply chain, and what you can do to correct these practices.

Nisha Kumar, Open Source Engineer @VMware
