WEBVTT

00:00.000 --> 00:20.960
You know, actually, hey, I'm Mike, I'm doing a lot of stuff with S-bombs over the past

00:20.960 --> 00:21.960
few years.

00:21.960 --> 00:26.760
I'm going to talk a little bit about what do we do with all these S-bombs?

00:26.760 --> 00:32.480
So, again, I have a couple of demos, but it appears that something has gone very wrong.

00:32.480 --> 00:38.680
So, if it comes back in a couple of seconds, I'll show some of that off real quickly,

00:38.680 --> 00:42.720
but if it isn't, then it is what it is.

00:42.720 --> 00:46.600
And if folks are interested, they can hit me up outside the room at some point and I'll show

00:46.600 --> 00:49.320
off some of the demos there.

00:49.320 --> 01:03.520
All right, take away is here, one S-bombs is good, more S-bombs are better, why is this?

01:03.520 --> 01:09.120
Well, hold on one second, let's see, is it coming up?

01:09.120 --> 01:10.120
No.

01:10.120 --> 01:12.120
All right, it doesn't seem to want to.

01:12.120 --> 01:13.120
Yeah.

01:13.120 --> 01:28.120
All right, I will just talk to Mike Slides here in a second.

01:28.120 --> 01:36.120
Well, it's actually interactive, which is up the challenge, but I will deal with it.

01:36.120 --> 02:04.560
So, once I can hear, I'll go quickly.

02:04.560 --> 02:11.560
Yeah.

02:11.560 --> 02:12.560
All right.

02:12.560 --> 02:17.560
So, I'll just talk to Mike Slides and folks are interested in who are on the front row,

02:17.560 --> 02:18.560
they can see this.

02:18.560 --> 02:25.560
Otherwise, I apologize to you.

02:25.560 --> 02:28.560
So, with one S-bombs, what can I do?

02:29.560 --> 02:35.560
Identify vulnerabilities, I can identify license issues, I can do all sorts of things like that.

02:35.560 --> 02:40.560
If I have more S-bombs, I can do that across time and space.

02:40.560 --> 02:45.560
I can do that across time and space here.

02:45.560 --> 02:50.560
So, S-bombs are generally a snapshot in time.

02:50.560 --> 02:57.560
They're sort of a static thing, usually done at build time, usually done.

02:57.560 --> 03:03.560
So, like that, this makes them sort of perfect for changes between versions of software.

03:03.560 --> 03:07.560
We can look at what's actually happening as I release a new piece of software.

03:07.560 --> 03:12.560
What have licenses change, have dependencies change, have any of those things or things?

03:12.560 --> 03:14.560
Change.

03:14.560 --> 03:18.560
And they also make it good for understanding commonalities across my environments.

03:18.560 --> 03:25.560
So, if I have 100 pieces of software and is there like a log for shell in five of them,

03:25.560 --> 03:29.560
ten of them, all of them, if you're actually looking at all your S-bombs,

03:29.560 --> 03:33.560
you can actually start to tell, be able to start to answer those questions.

03:33.560 --> 03:35.560
And so, where to start?

03:35.560 --> 03:40.560
Start with simple existing tools, do not over-complicate it.

03:40.560 --> 03:45.560
One of the things that we found as being a huge issue for a really, really, really long time was

03:45.560 --> 03:50.560
people would over-complicate things, trying to use all sorts of custom tools on day one.

03:50.560 --> 03:52.560
They have a handful of S-bombs.

03:52.560 --> 03:55.560
They want to use a bunch of complicated tools.

03:55.560 --> 03:57.560
Don't over-complicate it.

03:57.560 --> 03:59.560
So, right, you have a handful of S-bombs.

03:59.560 --> 04:03.560
Use JQ, diff, shell scripting, whatever.

04:03.560 --> 04:07.560
You know, both the S-bombs nowadays are coming in JSON format.

04:07.560 --> 04:09.560
And that sort of thing.

04:09.560 --> 04:13.560
You know, if you have a few more S-bombs, let's say, 50, 100.

04:13.560 --> 04:15.560
Jump, DB, right.

04:15.560 --> 04:20.560
You don't need to spin up a whole database, sequel database and start to ingest them all that way.

04:20.560 --> 04:26.560
You can start right now, duct DB, and throw them in there.

04:26.560 --> 04:28.560
And then if you have lots of S-bombs, yes, okay.

04:28.560 --> 04:32.560
Start to look at tools like dependency track, tools like guac.

04:32.560 --> 04:34.560
But don't start that on day one.

04:34.560 --> 04:36.560
You're going to find yourself super frustrated.

04:36.560 --> 04:39.560
When you're like, hey, I need to spin up all this infrastructure.

04:39.560 --> 04:40.560
I have five S-bombs.

04:40.560 --> 04:45.560
I don't want to spin up a whole bunch of infrastructure to kind of figure all this stuff out.

04:45.560 --> 04:49.560
You could just start simple there.

04:49.560 --> 04:55.560
So the case study that I was a bit contrived is I have a little open source project called WTF,

04:55.560 --> 04:57.560
or the Whiskey Tasting Foundation.

04:57.560 --> 04:58.560
It's just an MPM project.

04:58.560 --> 05:04.560
It has a couple of different versions in there, but it's using MPM S-bombs.

05:04.560 --> 05:12.560
And I know for folks can't see this, but pretty much it is a, you know, you can essentially just

05:12.560 --> 05:22.560
jq.packages.external refs, two S-bombs, and you know, pipe them, you know, create files,

05:22.560 --> 05:24.560
and then just dip them.

05:24.560 --> 05:28.560
And, you know, that's really about it.

05:28.560 --> 05:30.560
And again, I apologize.

05:30.560 --> 05:41.560
I can't show that off to everybody.

05:41.560 --> 05:46.560
And you can also do the same thing with, you know, not just dipping S-bombs.

05:46.560 --> 05:52.560
But hey, if folks are familiar with OSV, the tools like that, right?

05:52.560 --> 05:59.560
I can run OSV scanner against those two tools.

05:59.560 --> 06:08.560
And just to, I know that this is most folks probably cannot see this, and I apologize.

06:08.560 --> 06:13.560
But as you can see here, there's differences between the two versions of software.

06:13.560 --> 06:16.560
We updated a bunch of pieces of those software, right?

06:16.560 --> 06:26.560
So you were using version in this case, let's see, as using ES build 0.20.2 in the first version,

06:26.560 --> 06:31.560
and then switch to ES build 0.21.5, for example.

06:31.560 --> 06:32.560
Right?

06:32.560 --> 06:36.560
And that's just, I have pretty much everybody has those tools today on their laptop.

06:36.560 --> 06:40.560
They don't need to go and download a bunch of stuff and whatever.

06:40.560 --> 06:48.560
Now, the same thing kind of goes with folks if you're familiar with OSV scanner, which is an open source of vulnerability scanner.

06:48.560 --> 06:51.560
You know, I can run OSV scanner on my laptop.

06:51.560 --> 06:53.560
I can go, oh, here's version one.

06:53.560 --> 06:55.560
I have all these vulnerabilities.

06:55.560 --> 07:02.560
I do the same thing on the version two.

07:02.560 --> 07:04.560
And, oh, no issues found.

07:04.560 --> 07:06.560
Hey, I actually went out.

07:06.560 --> 07:07.560
I updated the packages.

07:07.560 --> 07:09.560
I can see that those things are different.

07:09.560 --> 07:11.560
I can output that as JSON format.

07:11.560 --> 07:13.560
I can keep that, you know, and so on.

07:13.560 --> 07:19.560
But just to start off, I could just do that today without having to go and set up a whole bunch of stuff.

07:19.560 --> 07:20.560
And so what did we learn?

07:20.560 --> 07:21.560
Right?

07:21.560 --> 07:24.560
We learned, hey, I was able to version one had some volumes.

07:24.560 --> 07:26.560
Version two, fix those volumes.

07:26.560 --> 07:29.560
I can do that with the software today.

07:30.560 --> 07:32.560
Analysis doesn't have to be complicated.

07:32.560 --> 07:33.560
Right?

07:33.560 --> 07:35.560
Differences and esplons and scans can just be dipped.

07:35.560 --> 07:36.560
Right?

07:36.560 --> 07:39.560
Making it visually pleasing is just a pipe and are script away.

07:39.560 --> 07:43.560
Hey, pipe it into bat and whatever else other tools you want to use.

07:43.560 --> 07:46.560
Start with simple questions you need answers to.

07:46.560 --> 07:52.560
Don't start off with super complicated questions like, hey, do I have an

07:53.560 --> 07:57.560
AGPL license and what exactly transit dependency this might live on?

07:57.560 --> 07:58.560
Right?

07:58.560 --> 08:01.560
Start simple and then kind of move on.

08:01.560 --> 08:06.560
And then correlate this data with stuff like a vulnerability scans or inventory data.

08:06.560 --> 08:08.560
So where does where's the software living?

08:08.560 --> 08:10.560
You can actually correlate that.

08:10.560 --> 08:13.560
You know, when you have more response, right?

08:13.560 --> 08:14.560
What do we start to do?

08:14.560 --> 08:17.560
Hey, look at something like ductDB for folks who aren't familiar with ductDB.

08:17.560 --> 08:22.560
Like an OLAP style database, so an analytics sort of database.

08:22.560 --> 08:26.560
And what's great about it is, and I know again, you can't see this.

08:26.560 --> 08:31.560
But you can just throw JSON on it and it will just, you can use pretty much

08:31.560 --> 08:33.560
SQL against it, right?

08:33.560 --> 08:34.560
So I could just throw my JSON.

08:34.560 --> 08:35.560
Don't need to create a schema.

08:35.560 --> 08:36.560
Don't need to do anything.

08:36.560 --> 08:42.560
I just say, hey, here's a gigabyte of my S-bombs and start to do stuff with that.

08:42.560 --> 08:48.560
And yeah, so that's going to take too long from even to run.

08:48.560 --> 08:55.560
But pretty much the basic idea is I can run a query like select distinct package dot

08:55.560 --> 08:58.560
Unrest as package name for my S-bombs.

08:58.560 --> 09:03.560
And right there is a single query that will get me all distinct packages across all the S-bombs I sent it.

09:03.560 --> 09:08.560
Okay, what else have we learned so far?

09:08.560 --> 09:13.560
Well, we understand that software makes up our environments holistically.

09:13.560 --> 09:15.560
What common packages are used?

09:15.560 --> 09:17.560
Do I have stuff like version sprawl?

09:17.560 --> 09:20.560
Am I using 12 different versions of the same package?

09:20.560 --> 09:23.560
Where are my vulnerabilities and where are they actually living?

09:23.560 --> 09:27.560
Am I using software in a way that breaks the terms of its license?

09:27.560 --> 09:29.560
I can start to answer those questions.

09:29.560 --> 09:33.560
And I don't need to send up spend week setting up a complicated architecture for this.

09:33.560 --> 09:37.560
I could just start doing that right now.

09:37.560 --> 09:39.560
Okay, so where do we go from here?

09:39.560 --> 09:43.560
So there's a couple of issues with everything I've shown.

09:43.560 --> 09:45.560
One is, hey, it could be slow, right?

09:45.560 --> 09:50.560
DuckDB can take several seconds just to sort of parse some of those S-bombs.

09:50.560 --> 09:52.560
It could be hard to scale.

09:52.560 --> 09:56.560
Hey, this sort of thing is not something that is super easy to just,

09:56.560 --> 10:00.560
is not super easy to run at scale, right?

10:00.560 --> 10:04.560
Like you're, you know, it's a duckDB is something that you can throw into a file.

10:04.560 --> 10:08.560
But for the most part, it's just in memory, so once you shut it down, that's it.

10:08.560 --> 10:10.560
It's hard to keep track of results.

10:10.560 --> 10:15.560
Everything I showed off so far is, hey, you're just getting that output to your, your terminal.

10:15.560 --> 10:20.560
And a lot of shell scripts are, and commands can be hard to manage long term.

10:20.560 --> 10:22.560
So more holistic solutions.

10:22.560 --> 10:25.560
Well, one is stuff like dependency track.

10:25.560 --> 10:29.560
Another one is Glock, disclosure I'm a maintainer of Glock.

10:29.560 --> 10:32.560
And so Glock, I'll talk a little bit about that.

10:32.560 --> 10:36.560
Glock can go in and take in things like your S-bombs and, you know,

10:36.560 --> 10:42.560
PsychoDXSPDX formats, you know, various other open source supply chain metadata,

10:42.560 --> 10:46.560
like OpenSeptSportCard, like OSV information,

10:46.560 --> 10:51.560
depth.dev information, various intodo adaptations, and those sorts of things.

10:51.560 --> 10:53.560
And then help correlate all that data.

10:53.560 --> 10:57.560
So you're actually getting some of the deeper insights there.

10:57.560 --> 11:02.560
And so, and the goals of that right are to correlate the metadata,

11:02.560 --> 11:05.560
create a graph based software supply chain data model,

11:05.560 --> 11:11.560
and then help you sort of aggregate all that information to then answer questions.

11:11.560 --> 11:15.560
And so we can do things like, for example, more complicated queries like patch planning,

11:15.560 --> 11:20.560
like, hey, a log for J, a double log for J sort of situation came out.

11:20.560 --> 11:24.560
Where does it live and what packages do I actually need to update?

11:24.560 --> 11:26.560
Hey, there's a bunch of different pieces of software.

11:26.560 --> 11:28.560
Some of them might be a common library.

11:28.560 --> 11:32.560
Well, great. You need to now update it in the common library and then update everything else

11:32.560 --> 11:34.560
that uses that common library, right?

11:34.560 --> 11:38.560
And Glock can help answer those sorts of questions.

11:38.560 --> 11:42.560
And then, you know, so, yep.

11:42.560 --> 11:48.560
And then, I'll just kind of talk a bit more about some other tools real quick.

11:48.560 --> 11:49.560
I don't know too much time.

11:49.560 --> 11:53.560
So, so other tools that you can start to look at

11:53.560 --> 11:57.560
with sort of exploring with the S-bombs and using S-bombs,

11:57.560 --> 11:59.560
oh, it's pretty, right?

11:59.560 --> 12:03.560
You know, tools like OSP, where I can just get a dump of all the software that's on my machine.

12:03.560 --> 12:06.560
Cool, take that correlated with your S-bombs,

12:06.560 --> 12:10.560
understand where do I have actual the software that is potentially vulnerable

12:10.560 --> 12:12.560
or has a license issue where it's actually running.

12:12.560 --> 12:16.560
Cube CTL or K-9s if you're using Kubernetes, right?

12:16.560 --> 12:19.560
Just dump what is your running and then correlate it with your S-bombs.

12:20.560 --> 12:24.560
Using security tools, like there's the new Google open source security tool,

12:24.560 --> 12:28.560
a scaler for example, or something like CubeScape.

12:28.560 --> 12:31.560
You know, integrate this in your build system so that you get

12:31.560 --> 12:35.560
start to answer questions in the build systems at policy time, right?

12:35.560 --> 12:39.560
Where, hey, fail a build, if version two didn't fix the,

12:39.560 --> 12:42.560
you know, didn't fix the vulnerabilities from version one and

12:42.560 --> 12:45.560
check that with your vulnerability.

12:45.560 --> 12:47.560
You can do the same thing again with, like,

12:47.560 --> 12:49.560
a deployment system, like flux or R-go.

12:49.560 --> 12:52.560
And so a couple of learnings when that I learned is,

12:52.560 --> 12:55.560
so when desirializing S-bombs only include the field you need.

12:55.560 --> 12:59.560
Desirializing every field can be very slow,

12:59.560 --> 13:02.560
whereas you just have a handful of fields you want to desirialize.

13:02.560 --> 13:04.560
I could be very, very fast.

13:04.560 --> 13:08.560
S-bombs are in a much better state around consistency than they were a few years ago,

13:08.560 --> 13:11.560
but still optional fields can be quite complicated.

13:11.560 --> 13:14.560
And then check if the S-bombs is valid first.

13:14.560 --> 13:16.560
Don't go down a rabbit hole.

13:16.560 --> 13:19.560
It's spending hours and hours trying to debug while your results are weird.

13:19.560 --> 13:21.560
When it turned out you got something that looked like an S-bombs,

13:21.560 --> 13:25.560
but was missing some key field and is not actually an S-bombs.

13:25.560 --> 13:29.560
And yeah, that's it.