EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security

Guests:

• John Speed Meyers, Security Data Scientist, Chainguard
• Todd Kulesza, User Experience Researcher, Google

Topics:

• How did you get involved with this year's Accelerate State of DevOps Report (DORA report)?
• So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
• What are the big learnings from this year's report?
• What's the difference between SLSA and SSDF? Is one spicy and the other savory? How're companies adopting these and how is adoption going?
• Are there other areas that DevOps can be a contributor in the overall security landscape?
• How can CISOs rope DevOps fully into their security gang?
• Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
• How should security and developers and DevOps come together to respond quickly to vulnerabilities when they're discovered?
• How do security and developers and DevOps come together to prove to their auditors and customers that they're doing a good job of the above?

Resources:

• 2022 Accelerate State of DevOps Report
• "New insights for defending the software supply chain" blog (and new report)
• SLSA.dev site
• Secure Software Development Framework at NIST
• "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24)
• "Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security" (ep92)
• Go vulncheck tool
• "Reflections on Trusting Trust" paper (1984)