At KubeCon + CloudNativeCon EU, I sat down with Ayse Kaya, Senior Director of Strategic Insights & Analytics at Slim.AI, to talk about the three S’s of Software Supply Chain Security — SBOMs (Software Bill of Materials), Signing, and Slimming.
Open source lies at the core of the company, and Kaya talks about one of their open source projects, DockerSlim, which provides a set of commands to simplify and optimize your developer experience with containers.
She goes into detail about Slim.AI’s key missions: to help developers build secure containers faster and to help organizations secure their software supply chain automatically.
We then talked about one of the hottest topics at KubeCon EU this year — Security, especially Software Supply Chain Security. Kaya feels that there is increased awareness around the software supply chain.
Slim.AI recently released a Container report and Kaya shared some of the key findings of the report. “As a cybersecurity veteran, I was expecting to see 1-2% of vulnerabilities in the high-end critical category, but there were around 20% of vulnerabilities on average. It’s an enormous attack surface, especially in production,” she said.
Key highlights from this video interview are:
- Kaya says that the company’s core missions are helping developers build secure containers faster, and enabling organizations to secure their software supply chain automatically.
- Role of open source at the company.
- We discussed how much awareness is there now around the software supply chain security.
- Security in the cloud-native world continues to be a challenge for both people and machines.
- Kaya goes into the concept of the three S’s of security: SBOMs, signing, and slimming, and how they can help with securing containers.
- Key findings from the Slim.AI Container report.
Solutions: Get started with Slim.AI solutions
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi. This is your host, Swapnil Bhartiya, and welcome to another episode of TFiR Let’s Talk at KubeCon in Valencia. Today we have with us Ayse Kaya. You are head of analytics at Slim.AI. First of all, it’s good to have you on the show.
Ayse Kaya: It’s wonderful to be here! Thank you for having me.
Swapnil Bhartiya: Perfect. We have covered Slim so many times, so our audience knows about the company, but I would of course ask you to tell us more about the company. But before we talk about the company, I’d like to talk about you. Tell us about yourself. What do you do at the company?
Ayse Kaya: So before the company and me, I would like to take a moment to express gratitude for Swapnil. The fact that we are here at this conference in person that is focused on developers and Open Source at decor, and the fact that we can do this face-to-face is a source of pure joy.
I hope that, with my whole heart, we can keep it. It’s beautiful, especially at this excellent choice of space and time. Spring in Valencia, it doesn’t get any better than this. So Slim.AI, as you said, you’ve covered it a couple times, but I’ll talk about the core mission.
Our mission is twofold. For developers, we help developers build secure containers faster. For organizations, we help them secure their supply chain security, the software supply chain automatically. So the keywords there are secure, fast, and automatically. It’s in the same spirit with CubeCon and this very podcast, we have at our core, an Open Source DNA at Genesis.
We have this project that is very well-known, called DockerSlim. It was invented by one of our co-founders, our CTO, Kyle Quest, a technical genius. It is about to surpass half a million downloads right now across the globe. Developers have integrated it to their CI/CD systems.
It is about to get 14,000 stars on GitHub, which makes it among the 0.1% of all the GitHub projects out there, about 12 billion of them. It’s a very special place to start with, and that’s the core foundation that we build our technology upon. We extend that technology with Slim.AI. Extend its capacity, make it richer, layered, full, a lot more efficient, fast and secure. That’s what we do at Slim.AI right now.
Swapnil Bhartiya: Excellent. Now, I will talk about something which is more kind of technical or in the core of which is about software supply chain security as well. We have been hearing a lot about it last year, even they were executing orders by the president, Even FBI came up with the [inaudible 00:03:07]. And there are a lot of Open Source projects. SPDX, DataSax, Linux foundation. Then there a lot of complementing competing projects as well. So first of all, if I ask you from your perspective or for what you have seen, how much awareness is there in the space about understanding the software supply chain? Because it’s not like there is a big monolith where all the code base is coming from one source. It’s a bit different.
Ayse Kaya: It’s quite different, actually. Great question. So you were asking about my background myself a little bit. I’ll start there and then get to the supply chain story really quickly. I am an engineer by training. My grad in research work has been focused on operations research, applied mat and physical supply chain. I am very familiar with that side of the world.
And then I spent quite some substantial time in my career in cybersecurity. Right now, 2022 is being talked about as the year of software supply chain security. I would say that the physical supply chain practitioners get the third party vendor management processes a little better than their software peers. It’s something that’s being spoken right now. But in the physical side, the companies like Walmart’s and Apples of the world have been asking the critical questions.
They are doing their due diligence about their third party, the supplier onboarding very well right now. And there’s that transferable knowledge that we can utilize in the software side. You mentioned how things are changing. The entire focus at this conference is about Open Source, how digital economy is run on Open Source and feature is being built, written in code in Open Source.
There is a lot of reuse of the code as we know it, right? As an engineer, I have seen how much modules are being used to create. It’s almost like not starting with Lego pieces, but you are starting with these modules and configuring in a very different phase. And I’m not saying that we are lacking in originality. That’s the nature of human progress. It’s very cumulative. So you take what is out there, and you start adding your own custom code and needs into a whole different thing.
But at the end of the day, you come up with these architectures. The architectures of the feature metaverses and multiverses that we are building, that are basically… They are a huge code base of third party vendors, contributors. Some of them you are never aware of. You are not in constant conversation with. And vendors are vulnerable if something happens in the code base.
You go into your spam above materials, and then try to find which maintainer did what, when. This is a continuous process as well. The software is a living structure so it changes all the time. Different versions are being added. Different people are signing different things at different moments. It is almost like this snowball thing that moves all the time, and you are always behind.
Swapnil Bhartiya: Right. One more thing that is happening in this space, and it depends on how you look at it or what kind of commentary is that we look at… We talk about observability a lot these days. Sometimes when we do look at… I was talking about the old school monoliths. Back in those days, it’s just one code base.
You look at it, you know everything. A cloud native world is kind of… The whole DevOps movement was meant to break the old silos. But now we are kind of seeing the emergence of new silos. Some people call it federated, but it depends on how much federation is actually going on because silos are built and based on your expertise.
You are interested in data, so you will go into data. Somebody will go into networking. Some will go into security. So it’s not that utopia that we wanted to build, that one person is doing everything else. Which also means that when we talk about observability, you know what is happening, you can analyze what is happening, but what about doing something about it?
Which leads to the security, you know? So if you look at all the s-Bombs and everything else, you do know about the project. But who is going to do the work, where is the owners? I talk to a lot of folks, some responsibilities are the providers. Some is on the vendors. And in the end, everything is on the user because you have to… So where does the bucket stop?
Ayse Kaya: I mean, ignorance is bliss. So if you don’t know, you sleep well, I would say. But knowledge is not enough. It goes a long way, I would say. It’s not redundant or trivial or unimportant, I will say. But it is not everything, as you said.
So how you’re going to act upon these things, it matters a lot. That’s why we talk about the three S’s of security. For me, the three S’s are the SBOM, the signing, and the Sliming portions are mostly about this deepening of knowledge and action mindset. With SBOM, I’m thinking of a high resolution map of everything. It is a good way to start. It’s a bird eye view. It is not enough. It actually can be quite… I don’t know if you have looked into any substantial applications as well.
For a human being, it’s very hard to understand. Even for machines, it’s not trivial. But then that’s the start, right? That’s like knowing is a step in the right direction. Then the signing part comes in, where we can talk about truth and trust. So looking at those things on the map and saying, “Hey, these things are what they say they are.” They’re coming from the source of truth.
We can depend, we can trust them. In a dynamic system like today, tomorrow, two minutes later, it’s really important to get the trust, the truth into the system model. But again, that is not enough by any means. There’s complexity that you see. You can trust that you are seeing the truth, but now what? So Sliming is the part where I think the most intelligence needs to go into the system. AI recommender systems, and you know, all these understandings with optimization.
I see it as a reconfiguration of the landscape, like get rid of everything that you do not need in that landscape before you start that third party verification process at all. Why do you have to care about all the Open Source packages, licenses, special permutations, spatial permissions that you have in your court if they’re redundant? If they don’t have to be there at all, right? Sliming is mostly about this intelligent optimization layer.
Don’t get me wrong, I’m not saying that you need to Slim right away. You need to give the developers that playground. Give them the option to do all sorts of things, have fun. Don’t redefine in the process of trying to optimize. That premature optimization… Timing is everything.
Premature optimization definitely kills the fun. But at the end of the day, you’d want to ship optimized Slim containers that you have removed the fat from, literally and metaphorically. So you want to have the optimized containers in your production environment. That’s where the Sliming, the third S comes in. That’s where we are a player at.
Swapnil Bhartiya: One more thing is that your folks will work on the report. You work on the report. And then of course, onto the next project. Tell us a bit about the report, especially what are some of the key findings? I’m pretty sure that we’ve touched on some of those topics right now, but tell about the report.
Ayse Kaya: Container report is the beginning of something a lot more profound. We are investing in this research facility intelligence. And with the container report, we took the first step in the right direction. It is the first of its kind in the industry. It has not been done before. We looked into the top containers in Docker Hub, 140 of them.
And we did cluster them, create them into nine different categories so that we can do these in group art group dynamics analysis. What we have seen was like an… Although we have a lot of container enthusiastic experts in the team, had surprised us. So three findings that I would like to like very briefly talk about: the first one was about scan times and size correlation. So bloated containers are killing CI/CD pipelines, literally. They are a time sink, a waste of time for CI/CD pipelines.
The second finding was about the complexity, and complexity is hindering understanding for even the best in class experts. I was expecting some outlier numbers in the number of packages, patient permissions and libraries we see in containers. But even the average is so high, it’s impossible for DevOps people, developers to understand what’s going on inside these containers. And it is not just these spatial purpose… It’s not just the general purpose containers that are like by nature large, but also these smaller spatial containers, like build tools and infrastructure and DevOps containers.
It’s impossible almost for humans to really understand what’s going on under the hood. And the third finding is about attack surface. And it is not about just a vulnerability account. All these special permissions packages create these zero day attack surface potential issues for your containers.
The vulnerabilities are huge in terms of numbers, but what really struck me was the percentages. As a cybersecurity veteran, I was expecting to see 1-2% of vulnerabilities being in high end critical category. 20% of all these containers, and some of these containers have been pulled by a million times from Docker Hub. They contain… Like 20% on average, contains high and critical vulnerabilities. It’s an enormous attack surface, especially in production.
Swapnil Bhartiya: Yeah. The security landscape… As you were saying, ignorance is bliss, but sometimes when you start learning about it… But the thing is that we are seeing a lot of positive trends in the direction. Awareness is there.
So I should thank you so much for taking time out today to share these insights. And also most importantly, you talked about three S’s of sort of supply chain security, and also the whole focus on Sliming down as well. So I really appreciate those insights and as well, I would love to have you back on the show. Thank you.
Ayse Kaya: Thank you so much for having me. Huge fan.