Episode 20: Taking Open Source Supply Chain Security Seriously with Dan Lorenc

Update: 2021-08-09

Description



Sponsored by Reblaze, creators of Curiefense



Panelists



Justin Dorfman | Richard Littauer



Guest



Dan Lorenc

Software Engineering Lead, Google



Show Notes



Hello and welcome to Committing to Cloud Native Podcast! It’s the podcast by Reblaze where we talk about the confluence of Cloud Native and Open Source. Today, we are very excited to have as our guest Dan Lorenc, who is a Staff Software Engineer and the lead for Google’s Open Source Security Team. He also founded projects like Minikube, Skaffold, TektonCD, and Sigstore. Dan takes us back to how he got into open source, Google, and Cloud, and how he ended up leading Google’s Open Source Security Team. We learn more about one of the bigger attacks of the year, the compromise of the Codecov Bash Uploader; what SGET is; what Google is doing to stop dependency nightmares, zombie dependencies, and the attack vectors that target them; and why Dan says people should not sign Git commits. Dan has written several blog posts and talks more about some of them, and he shares tips on the easiest way to raise your security if you are using cloud providers to work on open source projects. Download this episode now to find out much more from Dan!



[00:01:53 ] Dan tells us how he got into open source, Google, Cloud, and how he ended up being a lead for the Open Source Security Team. He tells us about his first open source project called Minikube.



[00:05:07 ] Justin brings up the "safer curl | bash" discussion that has been a topic on Hacker News. We learn more about the attack earlier this year in which the Codecov Bash Uploader script was compromised, and Dan explains what happened. Dan then goes in depth on what SGET is.
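As an added example (not code from the podcast, from Codecov, or from SGET), the following script shows the pattern that `curl URL | bash` skips: fetch the script to disk, check it against a digest obtained out of band, and only then execute it. A constructed local file stands in for the network download so the script runs offline, a pinned SHA-256 stands in for the signature check a tool like SGET performs, and the file names and the `attacker.invalid` host are made up for illustration.

```shell
#!/bin/sh
# Added example: "download, pin, verify, then run" instead of curl | bash.
# Constructed local files replace the network; nothing here is real vendor code.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_run FILE EXPECTED_SHA256
# Execute FILE only if its digest equals EXPECTED_SHA256; otherwise print a
# warning, do not execute it, and return 1. The file is never piped to sh.
verify_and_run() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run %s: digest %s, expected %s\n' \
      "$file" "$actual" "$expected" >&2
    return 1
  fi
  sh "$file"
}

# Constructed stand-in for the installer script a vendor would serve.
INSTALLER="$WORKDIR/install.sh"
printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$INSTALLER"

# The digest a consumer pins after reviewing the script once. In practice it
# comes from a channel other than the download URL (release notes, a signed
# manifest, or a signature checked by a tool such as SGET); here it is simply
# computed from the reviewed copy.
PINNED="$(sha256_of "$INSTALLER")"

# Constructed simulation of the served script being modified afterwards, the
# shape of the Codecov incident: one extra line appended to the same URL.
# The appended line is a harmless echo standing in for an exfiltration command.
TAMPERED="$WORKDIR/install_tampered.sh"
cp "$INSTALLER" "$TAMPERED"
printf '%s\n' 'echo "would post env vars to http://attacker.invalid/"' >> "$TAMPERED"

verify_and_run "$INSTALLER" "$PINNED"          # digest matches: runs
if verify_and_run "$TAMPERED" "$PINNED"; then   # digest differs: refused
  echo "BUG: tampered script was executed" >&2
  exit 1
fi
```

The point of the pattern is that the check and the execution are separated: a script modified on the server between review and install fails the digest comparison and is never handed to `sh`. With `curl | bash` there is no such gap, so the modified script runs with whatever environment variables and credentials the shell has.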



[00:11:04 ] Richard asks Dan if he thinks it’s important that people sign their Git commits and he talks about a blog post he wrote a couple of weeks ago about this.



[00:12:40 ] Dan explains how we can deal with security with stuff in the cloud and he tells us one of the biggest concerns he has right now.



[00:15:12 ] Find out more about the security leads across Google, and he tells us about an amazing paper that he recommends reading called “Reflections on Trusting Trust” by Ken Thompson.



[00:17:23 ] Some people at the PSF got a $300,000 grant for supply chain security and Justin asks Dan if he had a role in that. Also, Justin mentions the reports going to Congress and the powerful XKCD graphic.



[00:19:57 ] Learn what Google is doing to stop dependency nightmares, zombie dependencies, and the attack vectors targeting that area. Also, Richard wonders whether, as a cloud user, you can even know which of your dependencies you could be exploited through.



[00:26:54 ] Richard wonders how Dan stays sane, and how does he decide what to work on next. Also, Dan wrote a blog post called, “Procrastination Driven Development” and he describes how this all works in his brain.



[00:31:07 ] One thing Justin wants to know is what repository or what package manager keeps Dan up at night. He wonders if there are any out there that need attention, or are they getting the attention that they need.



[00:33:30 ] Find out where you can follow Dan on the internet and also some great tips to get your security up if you are using cloud providers at the moment for working on open source projects.



Links



Curiefense



Curiefense Twitter



Curiefense Blog



Cloud Native Community Groups-Curiefense



community@curiefense.io



Reblaze



Justin Dorfman Twitter



jdorfman@curiefense.io



podcast@curiefense.io



Richard Littauer Twitter



Tzury Bar Yochay Twitter



Dan Lorenc Twitter



Dan Lorenc Website



“Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack” By Ryan Naraine (Security Week)



SGET



“Should You Sign Git Commits?” By Dan Lorenc



“Reflections on Trusting Trust” By Ken Thompson



“Securing Open Source Software at the Source” By Ashwin Ramaswami



“Zombie Dependencies” By Dan Lorenc



“The Dependency Jungle” By Dan Lorenc



“Procrastination Driven Development” By Dan Lorenc



“Open Source is Under Attack” - Dan Lorenc (YouTube)



Dependency - XKCD #2347



Transcript



[00:01 ] Dan Lorenc: Open source is starting to become a worry because the tigers are starting to attack it. These attacks, and supply chain attacks in general, have been known about for decades, right? They go back to at least 1984, I think, when Ken Thompson published this amazing paper called “Reflections on Trusting Trust.” He pranked a bunch of his coworkers at Bell Labs by putting a backdoor into a compiler. That backdoor was so smart that it would insert backdoors into everything it compiled. His coworkers were very smart though, so they knew how to disassemble these binaries and [00:27  inaudible], but his backdoor was so good that it also inserted a backdoor into all the disassembling tools, so it would hide the backdoors when his coworkers looked at it. So he really baffled everybody and kind of showed that unless you know the tools that built all of the tools that built the tools you built, all the way down, it's hard to build up trust in software at all.



[00:44 ] Richard: Hello and welcome to Committing to Cloud Native, the podcast where we talk about the confluence of cloud native and open source. Very excited to introduce our guest today. Before I introduce him, I want to make sure we get to the other panelists on this episode. I am, of course, Richard Littauer, the man without the plan. And then we have Justin Dorfman, the man with the Dorf. Justin, how you doing?



[01:08 ] Justin: I'm doing great. I'm really excited to talk to Dan.



[01:12 ] Richard: Me too, Dan, as Justin just said, is our guest. This is Dan Lorenc. He is calling today from Austin, Texas. Dan is a staff software engineer and the lead for Google's open source security team. He looks very secure where he is. I can see lots of, no he's just a normal guy in a t-shirt. So don't be overwhelmed by how awesome his title is. Dan, how are you doing today?



[01:36 ] Dan Lorenc: I'm having a great day. Thanks for having me on.



[01:38 ] Richard: Is it really hot in Austin right now? It's really hot everywhere else.



[01:41 ] Dan Lorenc: Yeah, it's pretty warm. It's not as hot as it can get here in the summer, so don't want to brag too much, but yeah, we're warm.



[01:48 ] Richard: Pretty good. Now you live in Austin, but you've been in the cloud space for eight years. Tell us how you got where you are. How did you get into open source and Google and cloud?


Reblaze Technologies Ltd.