DevOps security updates, GitHub's SBOMs, AI tools from Microsoft and GitLab, JetBrains Aqua, and recent cyber threats. It's all in this episode! Join in the conversation at The DEVOPS Conference in Copenhagen and Stockholm and experience a fantastic group of speakers.

Darren (0:00:06): But if it's seamless in the way that the current GitHub advanced security offering is, I can see this being the new industry standard for SBOM. 

Marc (0:00:21): Welcome to DevOps Sauna Season 4, the podcast where technology meets culture and security is the bridge that connects them. We are back in the sauna. Hello, Darren. 

Darren (0:00:44): Good afternoon, Marc. 

Marc (0:00:47): Good afternoon as well. Stormy days here in Helsinki as of our time of recording, and it's time for the news. And speaking of stormy things, as of the time of recording today, we have two big systems down. ChatGPT has been down today. And what do we do now, Darren? 

Darren (0:01:07): Yeah, I've forgotten how to do my job without ChatGPT to do all of the heavy lifting for me. So I guess I'm just slacking today. 

Marc (0:01:14): Absolutely. I mean, you know, summarizing and refactoring and reorganizing and writing code. And what about those Excel macros? Where are you going to get those now if ChatGPT doesn't come right back up? 

Darren (0:01:26): I've not even thought about using ChatGPT for Excel yet. So you're already expanding my horizons here. 

Marc (0:01:32): The pleasure is all mine. But in seriousness, it's interesting seeing the amount of... I'm curious if these are going to come out of cyber attacks later or rather something like that. But it feels like the amount of cyber attacks that we're getting lately, it's like everybody is getting hacked. You see half a billion records kind of coming out lately from various places. What's your take on that, Darren? Are things changing in terms of the attack spheres today? 

Darren (0:01:59): They're not changing in a way that is inconsistent with the last five years. One of the most interesting things that happen when you're in security is eventually you'll install a scanning tool. And this scanning tool will go through a process where it downloads definitions of attacks, of CVEs, the common vulnerabilities and exploits. And you will actually see the file size grow for each year that it downloads. And it got to a point where it was basically doubling every year. With one outlier, I think. I think 2019 to 2020 remained very similar, but yeah, we're going to continue to see a growth in attacks as people become more connected and they become more lucrative. 

Marc (0:02:43): Yeah, I guess this Ticketmaster one was really interesting for me that, you know, once again, half a billion users had their accounts basically exposed and for sale. And it's quite a bargain. I think they were only asking for $500,000 for that. So I think that's not bad.

Darren (0:03:02): Yeah, it's not too pricey given the volume of data. But it's Ticketmaster. So I'm guessing the people in question didn't pay the additional no hacking fee. 

Marc (0:03:12): Okay. Yeah. I thought that was explicit on each bill with a set of other fees that are. Okay. We digress. Let's get to the news that we've planned to look out. There's a really interesting thing going on right now with JFrog and GitHub offering an alliance. And I think that's really interesting. 

Darren (0:03:32): Yeah. They've just kind of formed this DevOps alliance, GitHub and JFrog, it's just going to bring the two tools a lot closer together, which is quite useful because, well, there's a lot of things that are very useful about JFrog, but in my opinion, it's always kind of sat quite alone and to see it being dragged closer to your code, it's just an interesting thing to me. I'm not sure how much has come out of this yet because it was announced a couple of days ago, but it will be interesting to see how this is going to shape DevOps in the upcoming months. 

Marc (0:04:06): Yeah, I really look forward to this because GitHub is becoming more and more popular all of the time. And the integration effort with JFrog products like Artifactory especially, it's never been that great, but it still does require some work and bringing those together to have a more native kind of interface and more investment and knowing that those companies are working together on this. I think that that's really cool and it's going to have implications all the way down into software bill of materials, SBOMs, the way that the workflows are managed. I think this is going to be a really good one. All right, speaking of Microsoft, and we started with a bit of AI, so Microsoft is putting more AI into DevOps workflows and Azure is one of the bigger cloud platforms as well as DevOps platforms at the moment still. And doing Copilot for Azure, I think is going to be really, really interesting to help basically reduce the barrier between developers that have a "you build it, you run it" type of mentality and being able to get their stuff out onto the cloud as easily as possible. 

Darren (0:05:18): Yeah, I don't disagree, but this Azure is actually kind of just the start of the story because the Copilot for Azure was actually released as part of these Copilot extensions, which we're now starting to see ways of integrating Copilot with various third-party partner tools, things like Docker and Sentry and obviously Azure. So what we're seeing is we're starting to see Copilot kind of, which has already established itself as an extremely useful tool, but it's now starting to expand its sphere of influence, which is exciting to see. 

Marc (0:05:52): Yes, and it just gets better and better all of the time. And the feature sets are just getting richer and the ability to leverage these things all the time, I think is really exciting. 

Darren (0:06:03): It is until ChatGPT goes down and then we're kind of even more stuck than we were. 

Marc (0:06:08): So this is true. This is true. All right, cool. So let's talk about GitLab. We've had some talk lately in our episodes about GitLab as well. And, you know, they're clearly a developer favorite in many places, but I kind of felt like Duo's been lagging behind just a bit compared to Copilot, but there's a new version of the AI tools coming now from GitLab. 

Darren (0:06:35): I don't think you're wrong about the lagging behind. I actually, I don't think before our discussion with Dan Plumbley on the previous episode, I'd really even heard the name of GitLab's AI offering, which is quite surprising. But yeah, Duo Enterprise, basically it's been released, I believe that's more tilted towards DevOps than it is pure coding. So again, it's probably quite similar to what we're seeing with GitHub Copilot extensions. So now GitLab Duo, it's adding these DevOps capabilities, things, and some of them are quite interesting from like a security standpoint, because they're looking at fixing security vulnerabilities proactively, which is always something that makes me happy to hear. But like just the ability to summarize issue discussions, these kinds of things in GitLab, and it's kind of, it seems like it will be a bit more flexible than the Copilot extensions maybe because GitLab has this one pane of glass and being able to use the AI more presently in different views in that pane is going to be a huge advantage. So if they can leverage this well, I think it's something that will give them an advantage over Copilot. 

Marc (0:07:49): Yeah, it's interesting that you put the single pane of glass perspective in there on this one. To me, it's neat how Microsoft is putting Copilot into its whole suite of products. However, most people that are using GitHub are not necessarily managing their issues in GitHub. They're using something else like Atlassian products, for example, but there are still a lot of developers that are managing, and there's a lot of integration inside of GitLab with the way that you handle issues. And there's some really nice things with the security aspects of this as well, and how you handle things that are coming back from your SAST and your DAST scanning. So having the Duo inside the single pane of glass with GitHub might leverage a lot more data and context than what you have with Copilot today. That's cool. 

Darren (0:08:37): Yep. Yeah, with the Copilot extensions, I think we're going to see a lot of integration, but that's the advantage I think GitLab will be able to maintain, just that kind of invisible integration where it's just there and functioning as you need it to, as has been kind of their goal to kind of bring all these open source tools together under one roof. And if they can keep the AI tools kind of hidden in the walls, then I think that's going to be a big advantage.

Marc (0:09:07): Really cool. Now, we've been talking, we talked a bit on the topics with open source, about the changes with HashiCorp and its open source licensing, and there's the fork into OpenTofu. And there is a new version 1.7 that has come out. And what's going on there, Darren? 

Darren (0:09:30): It's kind of interesting to hear that. So yeah, after OpenTofu forked, they've released 1.7.0, and it has kind of an interesting security feature in that it has end-to-end encryption. So the safe file is kind of protected in transit. And it is interesting because it begs the question, I don't understand why that wasn't there before. Like it's 2024, encryption is the standard way. So it's one of these kind of wins, but it also sounds like a bit late to the party. Like it's something that probably should have already been happening since 2015. So I'm curious why it doesn't, or why it hasn't before. 

Marc (0:10:14): It's a really good point. And let's follow this one a bit further. Good choice for Infrastructure as Code and DevSecOps. But let's see how this plays out. All right, GitLab 17 and AI for DevSecOps. So we talked about this a little bit already, but there's a major update that's bringing a CI/CD catalog of reusable pipeline components and a nice dashboard. So there's a launch coming on June 24th for GitLab Duo Enterprise. And the DevSecOps features are going to be really interesting in this one. 

Darren (0:10:50): Yeah, I think they are. There's kind of a nice list of them. So we're going to start seeing easier ways to integrate things like SAST. We're going to start seeing better analytics capabilities. And one of the things that's exciting me is the native secret manager, because there's always a situation where what will happen is we'll need to set up something like HashiCorp Vault or Keycloak or something where we can store secrets. And this is something that's kind of been a bit lagging in GitLab up until now, as far as I'm aware. But now this native secrets manager coming is going to be kind of cool. I'm curious what's running behind the hood regarding it though, because as said, we get this kind of open source tool chain. And that means we kind of have these opportunities to vet everything that's being called into GitLab, presumably. So let's see what happens with those. I'm kind of curious. 

Marc (0:11:51): There's one of those features about helping with analytics to understand user behavior and this kind of telemetry type of things. Did you have any view here? I think that this is something that we want to validate that our users are acting in the ways that we had hoped they were. Did this one pop up on your radar as well? I think this could be quite interesting. 

Darren (0:12:14): It could, because this is actually one of the things that's going to be coming up with this too on the horizon. And anyone trying to get any kind of certification, it's one of the functions of a SIEM, a security information and event management system, which is to understand user behavior. So from a security perspective, it's quite interesting to see whether this will replace, or not replace, but will augment the function of your SIEM to understand what your users are doing and maybe be able to flag deviations from the norm, which is an important proactive step when it comes to security. 

Marc (0:12:50): Good. On to JetBrains releasing its Aqua IDE for test automation. And this is really neat. It's a Java, Python, TypeScript, JavaScript, lots of different languages here. And this one I kind of missed a little bit, but what did you think about this? 

Darren (0:13:11): Yeah, as you say, it's just an IDE designed for test automation. And test automation is something we don't talk about quite a lot on this podcast, but it's maybe something we should change because test automation is such a critical thing that often gets overlooked. And I'd rather we weren't guilty of it as well, but maybe at the moment we are. It's, yeah, and it's put out by JetBrains. So the same people who put out the IntelliJ IDE and PyCharm. I know they're quite popular. Though I think VS Code has been stealing a lot of their market share in the last few years. But yeah, it covers quite a lot of aspects of test automation. So debugging HTTP requests appears to be built into the system. Database management, it even has Docker support for containers. So I think there's quite a robust toolkit here. It's probably going to at least replace one or two tools on your system if you can get this running nicely. So I think it's out for release. It was released in the middle of May. So I'm not sure if all the bugs have been worked out, but it has been as like a public preview for a couple of years, but we'll see. At least I always had a good time with PyCharm. So I think if you're using test automation, it's worth checking out. 

Marc (0:14:31): Now, being one of the stubborn old school guys that has very recently replaced Vim with VS Code, I don't completely understand why an IDE with the specialty in test automation would be a separate function or a separate IDE. 

Darren (0:14:50): I don't disagree with you, but I do think it comes from the kind of philosophical choice of JetBrains, because as you've seen with VS Code, you have like a kind of code agnostic IDE, but JetBrains very specifically have PyCharm. It's for Python and it does Python. You have IntelliJ. It's for Java and it does Java. So they kind of have a very opinionated tool set. And this to me seems like it's an extension of that. 

Marc (0:15:19): I'm glad you said opinionated because I tend to like opinionated tools in that somebody has made some decisions, but I generally trust developers and engineers that make decisions for reasons. And oftentimes it's those decisions and limitations that actually help one to learn what you're trying to achieve with a specific tool or a project that you have to use certain tools. So that's interesting. We'll have a shot at it. So lots of talk about supply chain security. We started this episode by talking about how we're getting breaches and there's something all the time about supply chain security. And GitHub has this artifact attestations based on Sigstore. And this one looks like this could be a game changer. 

Darren (0:16:06): Yep, this is very exciting because as of right now, building a software bill of materials is often a task that's left at the sidelines. So if GitHub can introduce the artifact, well, let's talk about what they are. So artifact attestations is just software signing. So it's basically a way of protecting the integrity by building this kind of paper trail of the artifacts pulled into your software in order to make it. So if you're coding in Python, you pull libraries in, this will keep track of those libraries. If you're importing DLLs for whatever reason, this software is, or this attestation system is designed to keep track of these. And when GitHub advanced security added the kind of Dependabot, the secret scanning, this sort of thing, I was incredibly impressed with how easy they were to activate. They were in most cases, one click activations. And I can't think of any SBOM system, which isn't an investment of time and an investment of money. So if GitHub is able to implement this in such a way that it becomes, I won't say as easy because with it having software signing, it's going to be more complicated. But if it's seamless in the way that the current GitHub advanced security offering is, I can see this being the new industry standard for SBOM. 

Marc (0:17:31): Absolutely. And when I think about attestations kind of at the theoretical level, I think of, okay, we have a separate system where we are putting and signing data about everything that is in our software so that we have an external audit trail that we can compare back to and make sure that the software that we're running is the software that we built and certified type of thing. So thinking of being able to do that all within one tool, just even at the theoretical level, removes a lot of complexity. And then thinking that it's now an integrated service. Yeah, this could be really neat. All right. So in a similar area, we had this recent Sonatype exposure. How do you pronounce this, Darren? 

Darren (0:18:14): I believe it's PyTailor.

Marc (0:18:16): PyTailor, yeah. So what's going on here? 

Darren (0:18:20): Well, as we've been seeing for a considerable amount of time, people have been trying to attempt these typosquatting or namespace squatting attacks where they create packages for programming languages, in this case, Python, and they add them to reputable repositories under names that are very similar to the names of actual systems or that look like they should be an actual system. So we end up thinking things like, if we have something that says GPT requests, which is one of them, that can look easily like this authentic package. And what these libraries do is they actually have malware embedded in them. So typically what they'll do is they'll have like an encoded string. They'll send a request to get a malicious file, usually a binary file. And that's what we're seeing here with this PyTailor, which was the setup.py file had a base64 encoded string, which was calling out to an external server and downloading a malicious runtime, which added all kinds of persistence, all kinds of command and control to Windows systems. This is actually just the latest in a long list of this kind of attack. They're often described as these tool package attacks where they disguise themselves as some kind of management tool, some kind of simplified version of a well-known utility to try to basically trick people into downloading and using them. And then when they do, you get malware. And yes, Sonatype has uncovered this in another example. The list of examples they have is 30 entries long at the moment. So it's not something that's going to be disappearing. And it's cool to see that these security tools are starting to flag these. 

Marc (0:20:15): And as you mentioned, the block lists just get longer and longer and longer over time. So that's one of the features of these tools. But by the time that the average IT person or average developer would find one of these through the news, it would already be popping up in your scanning tool as a no-no or as an error. 

Darren (0:20:37): That would be the ideal. And it's one of the things that I'm hopeful AI will help fix by increasing the scanning speed of such tools, of such libraries. 

Marc (0:20:47): All right. A few more things going on in the UK. And there have been identified more than 3,000 cyber breaches in 2023. And AI processes that use personal data need to follow current data protection and transparency standards. But there's also some interesting things about GDPR and data security. What do you find here? 

Darren (0:21:12): Yeah, I think this GDPR is, as you know, general data protection. The idea is to protect people's personal information. And now it's actually being wielded in the UK as this line of... It's like a line in the sand for security against AI development. So AI is developing so rapidly. And the reason I wanted to talk about this story in particular is irony. Because as we know, Britain voted to leave the EU. The EU just implemented the world's first AI Protection Act, which is actually exactly what the UK is now calling for. But it's just a bit of interest, kind of a tip of the hat to the EU for being ahead of the curve here. And yet we're going to see a lot of data privacy concerns outside of EU countries as they try and catch up with these regulations. And the UK is already struggling in that sense. So hopefully they'll implement something similar to the EU AI Act they did with GDPR. They basically said they build this GDPR compliance system where they basically took the GDPR Act into use without being a part of the EU. But it's just, I don't know, a warm feeling of the EU doing something right, which pleases me. 

Marc (0:22:33): Suffice it to say that I don't think post-Brexit that the UK is preferring domestic data breaches. 

Darren (0:22:42): No, I wouldn't say so. 

Marc (0:22:46): All right. Thank you very much, Darren, for this. It's always nice to review and see what's going on in the world of DevOps from many different angles. This has been the DevOps news live from the DevOps Sauna. We'll now tell you a little bit about who we are. Hi, I'm Marc Dillon, lead consultant at Eficode in the advisory and coaching team, and I specialize in enterprise transformations. 

Darren (0:23:16): Hey, I'm Darren Richardson, security architect at Eficode, and I work to ensure the security of our managed services offerings. 

Marc (0:23:23): If you like what you hear, please like, rate, and subscribe on your favorite podcast platform. It means the world to us.