How to prove the safety of your software conf42.com Python talk

How to prove the safety of your software<br/>conf42.com Python talk<br/>

```

These slides have been built from commit: 00d7d7f

[shared/title.md](https://git.verleun.org/training/containers.git/tree/main/slides/shared/title.md)]
---
---

## Introduction

- Hello! I am:

- 👴 Marco Verleun (marco.verleun@i-share.nl)

- 🏢 Employed by i-share (www.i-share.nl)

- 👷🏼‍♂️ Devops/GitOps/Cloud/Container/Cluster/Linux engineer (Pick one)

- 🎯 Passion: Secure K8S clusters (air-gapped) running secure containers

.debug[[sbom/intro-conf42-python.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/intro-conf42-python.md)]
---

## Short agenda

During this talk I want to share with you how to reveal the safety of your code without revealing the application logic.

And I hope to create a bit more awareness about the environment in which your application will be running.

Let's have a look at a different industry with similar challenges...

.debug[[sbom/intro-conf42-python.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/intro-conf42-python.md)]
---
class: pic

## For future use...

You can revisit this presentation here:

.debug[[sbom/intro-conf42-python.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/intro-conf42-python.md)]
---

.interstitial[![Image separating from the next part](https://gallant-turing-d0d520.netlify.com/containers/Container-Ship-Freighter-Navigation-Elbe-Romance-1782991.jpg)]

---

From code to production

.nav[
[Previous part](#toc-)
|
[Back to table of contents](#toc-part-1)
|
[Next part](#toc-food-safety)
]

---
# From code to production

It starts with the code...

Which gets deployed inside/on:

- An appliance
- A host
- A container

Or is reused as an module.

.debug[[sbom/python-application.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-application.md)]
---

## A (random) app step by step: worker.py

Let's explore what happens to an app (written by Jerome Petazzo) which will run inside a container.
The source code can be found here: [worker.py](https://github.com/jpetazzo/container.training/blob/main/dockercoins/worker/worker.py)

We'll see that the number of CVE's will increase as the code moves on during the build process from app to container image.

We will not focus on the application logic, only on the safety.

We want to assure our customers/users/ops collegues that the code does not contain any critical CVE's.

How can we do this?

.debug[[sbom/python-application.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-application.md)]
---

## How is this done in the food industry?

Let's first look at how the food industry is doing this.

.debug[[sbom/python-application.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-application.md)]
---

.interstitial[![Image separating from the next part](https://gallant-turing-d0d520.netlify.com/containers/ShippingContainerSFBay.jpg)]

---

Food safety

.nav[
[Previous part](#toc-from-code-to-production)
|
[Back to table of contents](#toc-part-2)
|
[Next part](#toc-why-use-sboms)
]

---
class: pic

# Food safety

## Would you consume this?

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---
class: pic

## Or this?

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---

## It probably depends...

- A blank container is for the adventurous amongst us and might be delicious.

- Other people might be more interested in nutritious facts.

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---

## It is nice to know what's inside

It is nice to know what the contents of a product are before you decide if you want to consume it.

Food labels are ment to do this without revealing a recipe.

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---
class: pic

## Have a look at this

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---

## Why not do the same with our

- Hardware

- Software

- Saas solutions

- etc.

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---

## ...BOMs are there to help

Have a look at <https://github.com/CycloneDX/bom-examples>

We focus on SBOM during this talk.

.debug[[sbom/food-safety.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/food-safety.md)]
---

.interstitial[![Image separating from the next part](https://gallant-turing-d0d520.netlify.com/containers/aerial-view-of-containers.jpg)]

---

Why use SBOMs?

.nav[
[Previous part](#toc-food-safety)
|
[Back to table of contents](#toc-part-3)
|
[Next part](#toc-back-to-our-app-workerpy)
]

---

# Why use SBOMs?

Do you want to be in control of your software?

Let's see some reasons why you want to use SBOM's.
.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---
class: pic

## Did you see this?

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---

## Was your app affected?

If so:

- How did you know?
- How long took it to figure it out?

SBOM's are extremly useful in these situations...

Look at this:

![sbom](images/sbom/CVE-2023-38545-found.png)

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---
class: pic

## Like food labels SBOMs tell you what's inside

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---

## Example SBOM snippet

```json
{
      "id": "e1597ba21775e886",
      "name": "certifi",
      "version": "2022.12.7",
      "type": "python",
      "foundBy": "python-package-cataloger",
      "locations": [
        {
          "path": "/usr/local/lib/python3.11/site-packages/certifi-2022.12.7.dist-info/METADATA",
          "layerID": "sha256:2ecbe4cb3d052a933e1cab8d573b14cfb4c50df323e4efde9cece026ce0fc73e",
          "annotations": {
            "evidence": "primary"
    ...
      "licenses": [
        {
          "value": "MPL-2.0",
          "spdxExpression": "MPL-2.0",
          "type": "declared",
```

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---
class: pic

## More and more you can download them upfront

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---
class: pic

## And analyze them before you install something

.debug[[sbom/python-lcm.md](https://git.verleun.org/training/containers.git/tree/main/slides/sbom/python-lcm.md)]
---

.interstitial[![Image separating from the next part](https://gallant-turing-d0d520.netlify.com/containers/blue-containers.jpg)]

---

Back to our app: worker.py

.nav[
[Previous part](#toc-why-use-sboms)
|
[Back to table of contents](#toc-part-4)
|
[Next part](#toc-interesting-links)
]

---

# Back to our app: worker.py

Let's follow our app from code to deployment in a container.

During each step we'll analyze the software and show some highlights.