UK, U.S., Docker discussed on Code Story

Code Story

Automatic TRANSCRIPT

was when we were required. So everything is growing: more good people in the team, and we are, by the way, an all-remote company. So we have engineers in Germany, developer advocates and a team in the UK, solutions architects in the UK and the U.S., and engineers in the U.S. and Israel. And product managers in both the U.S. and the East. So we're all abroad, all across. And our next steps in the product are, one, to always be the leader in infrastructure-as-code security, and two, to start handling every other piece of the supply chain of your software. So from scanning only infrastructure code, we have evolved to also scan open-source vulnerabilities and also CI/CD configuration, and essentially our goal is to map, secure and fix every part of your supply chain: knowing what's the best place to fix and what's the best fix out there for your code at any step of your pipeline, from IDE to CI/CD, version control systems, admission controllers, and runtime.

Barak, I'm curious, how does Bridgecrew contribute to improving security around the supply chain? It's obviously an important topic nowadays, with a lot of the supply chain issues going on and things out there that you read in the news. How does Bridgecrew really contribute to positively affecting supply chain security?

I think that first it is important to mention how we define the supply chain of software. The software supply chain is the set of different building blocks that lead you, as a developer or team leader, to bring a product from inception, from the dev phase, to a production environment. And that supply chain includes the building blocks of open-source packages, infrastructure as code, the DevOps pipeline, version control system configuration, Docker images, and the list goes on. Our software today is built from so many pieces of a puzzle that we really need to invest in every piece of that platform to have a complete picture of a product. And attackers today can utilize different parts of our supply chain to create a malfunction in our product. So if our product was a car, some of our suppliers were suppliers of wheels, of engines, of electronics. And each one of those suppliers could have created a very bad driving experience for me and the user. It could have also been a bad security experience as a driver or a passenger. And in software, it's kind of similar. I can have a misconfigured pipeline that does not have secret storage, for example, so my secrets to the production environment, which gave the pipeline admin access, can actually leak into unwanted places, to bad actors. And also, my pipelines can have bad defaults in the infrastructure as code or bad packages being used in the pipeline. And we actually have seen attacks like that in the past year. For example, Codecov was a famous breach of 2020, where every code repository out there that used Codecov, which is a popular tool for code coverage, and did not have a signed artifact of Codecov, possibly had a malicious library injected into their pipeline, leaking some of the code or secrets that exist in that pipeline. Codecov reacted fast and resolved and patched this issue. But it made all of us, security practitioners and DevOps practitioners, ask if our pipeline architecture is defined correctly, if the networking is defined correctly, if the packages are defined correctly in the pipeline configurations. And what Bridgecrew is introducing these days is a new way to explore every asset of your supply chain in a visualization that allows you to research what the security risks and misconfigurations are in every step of the way.

Let's switch to you, Barak. Who influences the way that you work? Name a CEO, a CTO, an architect, really any person that you look up to, and why.

There are people I have worked with. The first one was the first architect of Fortscale, the previous startup that I used to work with. His name is Gosh Hasan. And he really taught me how to learn better. So I thought that I knew a lot about software engineering, and he really taught me: if there is something that I don't know, or Google doesn't know, what's the best way to approach the research of a new capability that is not documented yet? How to test my code better, and how to gradually deploy software in small chunks that can be easily consumed by other team members. And I think that the second architect that most influenced my thought process is Martin Fowler. I have never met him in life, but he has an amazing blog and an amazing, amazing set of webinars. I really recommend this as a place to start reading about software architecture and the advantages of different types of architectures.

Well, we talked about a mistake, but with a little bit different spin. If you could go back to the beginning, what would you do differently, or where would you consider taking a different approach?

I think that what we didn't know at the beginning was how aggressive the open-source adoption of the tool that we've developed would be. And it grew really, really fast. And we hadn't anticipated it, and we could have done better work in leading those initial community users to contribute more code. We.
