
Oregon Trail Lessons for a Secure Software Supply Chain - Kadi McKean & Andy Lewis - BSides312 2025

BSides 312 · 2025 · 46:11 · 34 views · Published 2025-08
About this talk
In the classic game Oregon Trail, players faced constant threats—disease, broken wagons, scarce resources, and bad decisions could derail their journey westward. Today, software developers and security teams face a similarly treacherous path as they navigate the modern secure software supply chain. Just as pioneers had to carefully plan their provisions, routes, and risks, organizations must now make strategic decisions about open-source components, third-party integrations, CI/CD pipelines, and software provenance.

ABOUT KADI: Kadi is a Community Manager whose passion for this dynamic field ignited during her early experiences with COBOL development and Mainframe solutions. Currently thriving at ReversingLabs, Kadi collaborates alongside developers and security researchers, helping others prioritize OSS risk and safeguard applications from potential threats.
Transcript [en]

So, our next presenters are Kadi McKean and Andy Lewis. They're gonna be... Yeah. And I have a little bit of bio on Kadi. So, Kadi started off with her first passion in COBOL and mainframes. Yeah. Give it up. OG there. And I don't have a bio on you, Andy, but I'm sure you guys will do intros. So, yep, they're going to be talking to you about trailblazing lessons learned from the Oregon Trail, a secure software supply chain. And with that, take it away, folks.
>> All right. Thank you.
>> So, this is actually my first BSides I've ever attended. So, thank you for having me here. This is a really awesome opportunity. So, my name is Kadi McKean. I'm the community manager at ReversingLabs. And along for the ride for my craziness today is Andy Lewis. So, this is a little bit about us. Fun fact, I'm a Penn Stater, so I bleed blue and white. I'm also a co-organizer for DevOpsDays DC, so if you're interested in that or speaking, our CFP is open. We also have openings for sponsorships. And I'm also a podcaster. So, I host a little show called 10X Insights. So, if there's a topic you're passionate about, I'm going to make a bet someone else is probably interested in learning more about it, too. So, please come talk to me. And then, Andy, I won't steal your thunder. I'll let you introduce yourself.
>> Here's my thunder. That last talk was freaking awesome. Enough about me.
>> There's Dan. Dan.
>> Yeah.
>> If you don't know Dan, Dan's local. He's the guy that made this happen so we could get here. So, thanks, Dan. I do.
>> Yeah. So, just real quick, who do we work for? We work for this little company called ReversingLabs. And if someone had to ask me what we do, my first answer is we're kickass at malware binary-based analysis. We're the only ones who can say we actually have a 24 petabyte data lake. So, just think about that for a second. That's massive, right? We also are one of the only people who could figure out things like, hey, SolarWinds happened and here's why. So, that's actually how we kind of transitioned into software supply chain security.
>> I think you have the clicker.
>> Yeah, you want me to click that?
>> Yeah.
>> Okay, just kidding.
>> There we go.
>> So, what are we going to talk about today? You're probably like, how is this equating to Oregon Trail? So, here's our agenda for the day. We're going to go through what the Oregon Trail is, what the new trail is that we're talking about, gating process, and then we're going to talk about cutting some corners, common deaths on the trail. So, dysentery will be brought up today. I know you're all waiting for it. Come on. Then sudden disasters, and then we'll wrap things up, and I promise we're going to have Andy do some talking in there as well. So, next slide, Andy.
>> All right.
>> All right. So, who's familiar? Like, raise of hands. Who's familiar with Oregon Trail? Please don't leave me alone. Yes. Thank God. Okay. You are all my people. Thank you. So, this map should look familiar to you. It's that 2,000-mile journey that we all know and love. Obviously, I couldn't get it on the green screen that we're all used to seeing it on, but this really gives you the idea of what this journey looks like, right? There's places where you have to check in at certain locations. There's also places where maybe you can raft down a river, take your chances. But things like this in this game, you know, dysentery, snake bites, drowning, that's just another day on the trail, right? And for people who actually lived it, that was their reality. So today, what I want to talk about is zero-day breaches, malware, typosquatting. So our trail is a little bit more like this that we're going to be talking about today. And here, everybody raise their hands. Are we familiar with the software development life cycle? Right. Yeah.

Okay. No-brainer here. So this is what we'll be talking about. And Andy, next one.
>> We're getting there.
>> Oh, there's lots coming.
>> Trust me, that's coming.
>> Yeah.
>> So, first, before we get to dysentery, right?
>> Everybody should know this screen. You have to choose your role wisely. And you get to choose that right up front in the game. So you can be a carpenter, farmer, what's the other one? Banker. Yeah, money. And you get to choose what you want to be. But today we're talking about these three different roles.
>> Andy, click, please.
>> All right. Hey, if you step to your left, you'll be in the camera.

>> Huh?
>> That black line there. If you are on the right side, you're not on camera.
>> Yeah, there you go.
>> My bad. I'm a ROR. Sorry.
>> I got your six. Yes, we're taking that very seriously today. That was a great talk, by the way. So, the players we're talking about today are these three different tribes. So, we're talking about developer, security, and we're talking about ops. And just like in the game, these three different roles have very different things that they are worried about in their day-to-day lives. So, they're going to approach the game differently based off their unique expertise and experience. Hey, so just out of curiosity, how many of y'all are developers in here?
>> Party.
>> How about security, especially AppSec?
>> Okay. And then operations folks, people that are doing... Yeah. Okay.
>> Yeah, we got a good mix.
>> How many in here do all three?
>> Bless you people.
>> There we go. Okay. All right. Well, then you're in the right place. I think you'll be glad you saw this.
>> Okay. So, going back to the trail, I think there is something that we do want to make note of, which is these gating processes, right? So, those are the forts, river crossings. Those are the gating points that I'm going to be talking about. But in reality, for the game we're talking about, next slide, our trail looks a little bit more like this, right? We'd love to think that it was that clear SDLC, maybe the infinity one, right? But more often than not, it looks more like this, where you go through cycles, but you also have that gating process. So if it doesn't quite meet that criteria, or you fail a build, or it doesn't meet, like, pentesting requirements, whatever, it goes back, right? So maybe you're dying or maybe you're starving to death, different little things here. So, who would say, raise of hands, that your software development life cycle looks probably closer to this? Oh boy. Okay, you're hanging in with me.

Okay.
>> Thousands of hands.
>> I'm sorry I'm not dressed as a hacking hyena. You know, I'm learning for next year. Okay. So this is really, you know, I just like this slide because it just goes to show you that there are different places where you can put those checkpoints in place to really make sure you're releasing secure code. And at the end of the day, that's what a successful game looks like.
>> Is there anybody in here who's never heard of the SLSA framework? So, by the way, gang, I am a former Marine. So, if I ask a question, the people that are honest raise their hands telling me they don't know. If you didn't raise your hand, I assume you know. So, now I'm going to ask, who is it that wants to explain what SLSA is to the people who didn't raise their hands? Anyone? Yeah. Okay.
>> Yeah. Easy. Yeah. So, if you see, I guess it's kind of hard to see it there, but slsa.dev. So one of the things that is coming, the reason we're having this talk is what? Because supply chain attacks work. That's why we're having this talk. Why do supply chain attacks work? Why? Anybody? Yeah. Because...
>> Dependency hell. And look, we asked for a show of hands. Who's in security? If we ask for a show of hands, who's a blue teamer? Who's a blue teamer?
>> Yeah. Of those blue teamers, what do you think? How many of you are sleeping regularly? Yeah. One. Okay. So, why do supply chain attacks work? The reason they work is we've got blue teamers. We've got, you know, you guys see all these vendors, all these sponsors. They're here because people buy their stuff and build that fort. That's a really tough nut to crack, right? But what happens if you invite me in? If you download my backdoor library and you put it out in your release, I own your ass and all these guys be damned. So SLSA is a framework that helps you understand the control points to not get burned that way. Did I lose anybody? Y'all with me? Please nod your heads.
>> Okay, we good? We good, Kadi?
>> Yeah.
>> Okay, ready for the next one?
>> Yep.
>> Okay,
>> so what happens, though, if things don't quite make the cut, right? Like if it doesn't quite pass the sniff test, or maybe some corners are cut just because you're trying to release as fast as possible. In the game, you can raft down the Columbia River. A little risky, but without enough prep, it's probably not going to go well, and you're going to have this kind of a day and you're going to be dead, right? So for companies, when we're thinking about this in terms of real life, OSS compliance and hygiene are two things that you really need to be thinking about on a daily basis, because those are things that you can't cut corners on, because what we have found is that those will make or break you. And by that I mean it makes you more vulnerable to malware injections, misconfigured pipelines, or incomplete vulnerability tracking.
>> So you're rocking, just so you know. So, let's talk about an example where maybe there's a shortcut or, you know, a problem here. What's wrong with this picture?
>> It's kind of blurry from here. So, I'm going to tell you all what's wrong.
>> Yeah, I was going to say, Andy, please.

Sorry.
>> So, we've got a site. We'll share it with you in a minute. It's free. It's our intelligence, but we looked up on PyPI. Is there anybody, raise your hand, if you don't have any freaking idea what PyPI is? It's cool. All right. So, if you don't know what PyPI is, it's a public repo of Python libraries, so that if I'm writing code and I need a function, I can look up on PyPI and go, "Oh, yeah, this thing does cryptography." I'll just plug into that. So, that's what PyPI is. Those of you that know that better than I do, did I get it right?
>> Okay, good. All right. So, what are we looking at here? So, we were up on secure.software. We are in the PyPI repo, which you can't really tell. We typed in cryptography. And if you look down, you can't really see it, but some son of a gun published a library called cryptography with a spare Y. Why would somebody do that?
>> Typosquatting.
>> What is typosquatting? Typosquatting is you inviting me in to backdoor your release, right? So this is... and show of hands if you've got a really good resource that will help you understand when something's been typosquatted.
>> What resource do you use?

Yeah, we have a few different resources that we... Oh, sorry. We have a few different resources that we use for our malware providers, and they track our domain, and then we routinely block, like a couple times a week, on our firewalls.
>> Okay. Kind of try to stay out of it.
>> Right on.
>> Okay. So, one guy, and nobody else is nodding along as though they were doing that too.

Is that a manual process?
>> How long does it take?

>> Yeah, it doesn't take any extra time, particularly because we already have to review the code for every change, for every configuration management, for everything. So it's not any extra time, but we don't have automation and dashboards and fancy tools. It's just built into our culture.
>> Okay. Would automation help you or make your life easier
>> in general?
>> Right. Okay. Just asking.
>> Cool.
>> All right. So, pop quiz. We're going to get into another one. Raise of hands. Who had plans for chaos in December 2022 to January 2023? Anybody? Maybe had family plans. I don't know, a New Year's party. No.
>> Does this ring a bell with anybody?

>> Don't raise your hand, but if you still haven't cleaned up Log4j, right? Jim and I were actually on a call very recently
>> where the team we were talking to, like, "Yeah, we're still cleaning that up."
>> And Kadi, you've got an interesting stat.
>> Yeah, I was just about to say, so we have a whole research team, and this has been verified by multiple different reports, but there's still roughly 20% of that package being used and people are downloading it, like, daily. So there's no tool, no checks and balances. They're just willy-nilly going, "Hey, that looks great."
>> So, what he said was, "We keep cleaning it up and they keep downloading it."

>> Yeah.
>> There's your automation in your culture. That's the inverse of your culture, right? Okay. Cool. All right, guys. So, what was the big deal with Log4j? Vulnerability, right? It's a zero-day vulnerability. It's remote command execution. It's as bad as it gets for vulnerabilities. What's worse than that?
>> Say it again louder, please.
>> Malware in the package. So, this ua-parser-js gets 13 million downloads a week. There are over 2,000 dependent downstream packages. You're going to use one of them today. Back in October a couple years ago, they got hacked. They released a backdoor. What's the over/under on how many people pulled it down? How many people think, I don't know, 10,000 or less? How many people think 100,000 or less? Yeah, about 100K. How many people think a million people pulled down that backdoor package? Okay. Well, the great news is you guys are all entirely too pessimistic. There are about 2,000 people that downloaded it before it got popped, and there's actually a really good talk up on YouTube about that whole kind of circus. But that is worse. Log4j, if you think about it: you had SolarWinds Christmas, right, where, like Kadi says, hey, we got our plans, we're going to go see family, we're going up to the peninsula, this is going to be freaking awesome, or we're going to deal with SolarWinds. Hey, you know, something that's cool. All right, that was last year. This year, hey, we got plans. We're going to see family. We're going up on the peninsula, or we're going to deal with Log4j. Okay, I was giving a talk about Log4j one time, and a guy came up to me afterwards, and frankly it could have been anybody in this crowd, came up to me and he's like, "Hey Andy, they did it wrong." I said, "What are you talking about? They did it wrong." He said, "Look, the smart way to have done Log4j would be to identify the zero-day, write the patch, get on that team,
>> and then when somebody else found the zero-day, commit your patch with the extra code, with the special code, but it solves the vulnerability, right?" Did I lose anybody? You guys still with me?
>> Yeah. Okay. Is this still a problem? Nah, this is imaginary. We're just talking about it. So, when we start to talk about where does all that fit, automation is key. The attacks that you've seen are throughout the release cycle. The place everybody and their cousin wants to shift left or right. Who says left? Shift left.
>> Yeah. Shift left. Shift left. Shift left. Why do you do that? Why do you do that? Cuz it's expensive to fix it out here, right? It's cheaper if you fix it there.

So, who else knows that?
>> Yeah. Including people who might have gone ahead and compromised the pipeline. Okay. If I say fish don't know fish swim, did I lose anybody? Fish don't know fish swim. If your controls are in the pipeline, it's just like a fish in the water. What does a fish breathe? It breathes water. Hey, you're in the water. No freaking idea. It's in the water. It's been in the water its whole life. If you put in security controls in your pipeline, if they don't have the ability to get outside of what is also living in your pipeline, you're blind. Everybody with me? Okay. So, when we start to talk about where does this belong, if you're starting out, it belongs at the end. Like crash testing a car. That's where it belongs, right? Because if you pulled something down, boy, I wish we had found it further to the left. If somebody's in your pipeline, boy, I wish we had found it before we went into test. But for God's sakes, do not release it. And that means you got to have something way out to the right to test everything that could have happened. Y'all with me? I lose anybody? Okay, good. Hey. So, in the game, this is where dysentery comes in. Who's a dysentery fan? There's a big dysentery fan in here. So, yes, you get covered with it if there's malware in your release. No doubt about it. The vulnerabilities, though, not as big a deal, right? So, remember, think about this. Log4j was all hands on deck for quite a while for a vulnerability. If you thought you had a bad day with Log4j, imagine when it's actually something like the ua-parser-js that was backdoored. How about that? That's a fun party. Dependency confusion. We already talked a little bit about typosquatting. Is there anybody who needs more about dependency confusion? Okay, good. Misconfiguration of the pipeline itself. Hey, what if everybody could go ahead and edit the automation in Jenkins? Wouldn't that be cool? Okay, bad idea. And then the typosquatting, and we talked a little bit about that too. So, Kadi,
>> what about AI? And
>> there you go. So, about the last six months since we've been talking, everybody wants to know about AI. It is literally the elephant in the room. It's cute. Look, there are problems with AI. And if I missed one, hold up your hand. But one of the biggest problems is every customer that I've spoken with lately in the AppSec space is concerned that their developers are using AI to write code. What's the problem with that?
>> They don't read it. Yeah. So, here's the problem, guys. Up to 20% of what AI has, quote unquote, learned is insecure by default.

So, don't let the brown hairs fool you. I've been doing this for a while. There's a DEF CON talk that I took in, I think it was 2006. Guy standing up there, here's my zero-day. Here's my zero-day. Here's my zero-day. And people started leaving, and he started to hold up textbooks and said zero-day one came from this textbook. It's on page 34, right? Held up another textbook. Hey, this zero-day number two came from Teach Yourself C++ in 21 Days. So, is it a mystery that developers don't know how to code securely? No, there's no mystery. Do you think AI is getting taught any better? We'll talk about that in a second. All right. Malware in the large language model. Is there anybody in here who's not seen that movie The Matrix? Hold up your hand if you've not seen The Matrix. Okay, that's cool. All right, so there's a part in the movie where Keanu Reeves gets an upload and learns what? Kung fu. I know kung fu. How are we teaching our large language models? Are we investing all of the cycles for everything we wanted to know? So, for example, if I need my LLM to understand how to read QR codes, what's cheaper? Teaching it using all my own resources, or doing an upload that teaches it QR codes? Stupid question, right? Okay. So, what does that mean, though? If I'm teaching, is it data, or should it be dynamic, that upload? Come on, think about it. Some of y'all have been doing this long enough to remember things like the ILOVEYOU virus, where we learned the hard way that you don't mix freaking code with data. What are we doing today? I'll show you. We're mixing code with data, right? There's malware in the code. We've got bad AI that isn't just stupid, but is malicious, right? And then what's a learning bias? Is there anybody who wants to explain that?
>> Pepper Katie
>> on your left. Andy.
>> Yes, sir. Kind of the idea that if it's sucked in, like, a hundred papers on using HTTP only and that's the best thing, then it's going to lean towards just doing HTTP when it gets asked to make.
>> That is an awesome example. Did y'all hear that? So learning bias is basically, hey, because of the prevalence of what I've been taught, China is always good. Everything from China is always good. Everything Chinese is always good. The Chinese Communist Party is the best form of government. If I assimilate all of that, then what happens? I've got a learning bias. Does everybody understand that? Okay. And then of course, you know, hey, whatever. At some point, we all die. It's Skynet time, and

you know, it's been great giving you guys this talk. I hope it's recorded and the machines are enjoying it later. But I don't want to just give you a problem. I founded the Denver OWASP chapter in 2006. Jim Manico was my sixth or seventh speaker. He's been teaching AppSec for a living very well around the world since then, and Jim at manicode.com put out some prompt engineering so that your code can write code securely. I'm going to leave that up there for a second. Is there anybody who needs another second with that? How many people are just... this isn't affecting you? Is there anybody whose developers are never using AI to write code?
>> Okay,
>> got one giggle. Yeah, I'm sorry. I didn't mean to make you... Yeah. Okay, that was rude. I won't do that again.
>> So let's talk about mixing dynamic data with what ought to be learning data. Hey, it can create new processes. So what we're looking at right here, you guys, I've got a different talk where we go through the headlines. This ain't it, but this is happening. And we think this was a dry run, right? Because it was kind of small. It was kind of lightweight. It wasn't very subtle. We think this was actually a test of controls on libraries, like Hugging Face, on repos. And in this we saw, hey, if you slurp in my library, that'll teach your library how to read QR codes. While you're doing that, you're going to go ahead and open up a reverse shell. Are we mixing data and function? Yes, we are. Hey, look at that. Serialized data formats that can execute code. Is there anybody... you guys good on this? You understand the risk? How many of you got tools right now that'll tell you that you've got a package like that? Okay. Well, look, we work for these guys. We can help you with that. All right. The other thing that comes into play, we talked about bias and about nation states. Is there anybody that doesn't recognize a Heartbleed logo? Is there anybody that's unaware that the NSA volunteered, that's your government, volunteered to help fix OpenSSL after Heartbleed? Did y'all know that?
>> You got

so they also try to fix it. I think it was AES, when they put out the contest for AES, I think, and then they worked... then saying they took the winner's, like, work and then they added, supposedly some people think, like, backdoors in.
>> Is that AES or is that DES?
>> So I don't know, for either one of them.
>> Nothing he's talking...
>> One more time.
>> Elliptic key. So yeah, so then AES, elliptic key cryptography. In this case, though, the assertion was, look, the entire internet depends on SSL for secure communication. Your government, the American government, says we're going to help you make it secure. And the theory is that now it's... yeah, it's secure for everybody, as long as you feel like the NSA is your friend. So, not a problem, right? Piece of cake. So let's wrap it up, right? So, what is going on? You've got state-sponsored attacks, perhaps including your own government. You've got the supply chain poisoning. SolarWinds is probably the best example. Is there anybody who's never heard of the SolarWinds breach? Oh, thank God. All right. 3CX. A lot of people haven't heard about that. 3CX is what? Voice over IP software, call centers in 24 time zones. Fortunately, no confidential data ever goes across VoIP networks, fortunately. So, again, not as big a deal as it probably could have been. And then we've seen this where the tooling itself gets compromised, right? And Kadi, do you want to talk about the Disney one real quick? If you don't want to, that's fine.
>> Say the question.
>> Yeah. Disney. Hey, come on now.
>> No. So, I do want to talk about this. So,
>> did anyone hear about what happened at Disney a couple months back?
>> Pull out a quick Google, guys. Oh, you know. All right, Andy. Up here. Up front.
>> Oh, yeah. Here we go.
>> Let's hear about it. We're putting you on the spot
>> again.
>> Again? Yeah. Sorry. Yeah,
>> I think it was a dev ran an LLM, I think personally, and this was infected with malware that looked on his computer, found his credentials to his Slack, and they basically exfiltrated all of the Slack information off of his computer based on, you know, a malicious LLM.
>> Is that it? So
>> yeah, high five to that job.
>> So here's the problem, though, with that: you think you're downloading something where it's going to be useful, right? It's going to help you in your job. Then it turns out to be malicious. The problem is that exposed a lot of, like, secrets, to your point, but it came in through, like, a tool that you can use. So the problem here is, while the guy thought he was being helpful in his

personal life, it actually, like, harmed his day job and then affected Disney as a business. So unfortunately for that guy, he lost his job. But what we can learn from it is how not to behave with this type of technology moving forward and how we need to be cautious in using this tooling moving forward.
>> Cool. Thank you. And then XZ Utils. Is there anybody who didn't hear about that?
>> Okay. Once again, XZ Utils is what? A security library. You did not hear. Yeah. So, XZ Utils is a security library that underpins basically all of the security, all of the secure comms on the internet, right? XZ Utils, again, great talk on YouTube about this. What happened with XZ Utils? What's one of the problems with open source, guys? Is there a room full of maintainers? Are there conference rooms all over the planet of maintainers? No. So XZ Utils, the whole freaking internet is built on XZ Utils, and there's one guy, one guy maintains that library
>> and guess what he was posting?
>> Yeah, he... "I'm dealing with some mental health issues."
>> Yeah.
>> Oh yeah. Yeah. What could go wrong? So, what went wrong was he eventually brought a new guy on the team who was taking advantage of the situation. What did the new guy do? The new guy backdoored the release.
>> Yep.
>> How far did it get? How many people think it got... ah, didn't get very far. How many people think it got all the way into... Hey, what's that hacking Linux build? You remember the name? What's it called?
>> Kali. What's Kali? Kali does beta testing and stuff, right? And they're super secure, and they would never let, like, a backdoored utility into their beta build, would they?
>> Yeah. Okay. Well, only once. So, XZ Utils again, it made it all the way to beta, gang. Your internet runs on what? Windows? I don't think so. So every Linux distro last year was one step away, one commit away from being backdoored by who knows who. So that's XZ Utils. So what's the worst thing that could happen? And guys, I had a lot of fun with this. This is what happens if you ask, I think it was Google Gemini, hey, give me a 1980s game-flavored stampede. So that's what it is, right? When you have all the above. Hey, it's state-sponsored, it's a supply chain, and by the way, we've gone ahead and got your tools, too. Nightmare scenario, right? Okay. So, is there anybody that didn't realize there was a cheat for...
>> I was going to say, because this is actually something, like, live, I had to, like, Google a few days ago when I was trying to think of different cheat codes, because I was like, I don't think there was a way. Maybe I wasn't smart enough to know how to, but was anyone aware there were cheat codes for the game?
>> Okay, good. I'm not the only one in that.
>> Okay, cool. All right, so what about cheating for what we care about today? So again, I need you guys to pull out your phones real quick and bring up a browser, please, because we're going to see ua-parser-js in action. So what does UA Parser do? ua-parser-js is a library used by npm developers to determine the operating system and browser of their visitors. So when you think about the sites that you visit that render one way on Safari on your Mac and render a different way on your phone, there's a pretty good chance ua-parser-js or something like it is what causes that to be actually legible on your phone. Right? So let's get that in action. Right? So go to secure.software.

And anybody need more time? Bring up secure.software. And actually, I tell you what, let me see if I can bring this up.
>> Real time.
>> Yeah. Hey guys, what's the riskiest thing in the world to do during a talk?
>> Live demo.
>> Live demo. Yes.
>> We're doing it. We're going there.
>> All right.
>> Yeah. So, who's got it up? Who's got secure.software up?
>> Okay. How we doing? Were you able to select PyPI? Don't read my stuff.
>> Okay, that's good. You really can't. Okay.
>> Yeah. All right. Get out of pres. Yeah. Trust me like that. All right. It's coming.
>> It's coming.
>> Coming to a theater near you.

>> It's coming.
>> Yeah.
>> There's a tab hoarder. That's the term for it.
>> All right. Okay. Let's see if we can. So,
>> make that any smaller.
>> I don't think I can make it smaller. Y'all see that? Okay.
>> Okay. Well, that's the important part. So, let's see if we can get there. All right, that's not it. You see the... Oops. That's cool.
>> This is really a live demo.
>> This really is.
>> All right, so that's not it. That's not it.
>> That was it.
>> Was it?
>> Yeah.
>> You sure? All right, guys. I'm going to improvise a little bit here. Go figure.
>> I'm terrified.
>> It's okay.

Yeah.
>> You got one better?
>> No. Good.
>> Okay.

>> Not very good at this.
>> All right. Who's got security? Hit the dropdown.
>> There should be a community where you can pick which community it is.
>> Yeah. So
>> drop down and pick PyPI.
>> You got it. Okay. Type in cryptography.

>> I think I can. I think I can.
>> What comes up when you see cryptography?
>> Thanks. So, what you just did, that I made look very painful, is hit the dropdown, right, and grab PyPI and type in, probably, cryptography. That's probably what that is, right?
>> Ah, that's not what it is. All right.

Okay. How many of you didn't bookmark secure software yet? >> Okay. Trick question. How much does this cost? >> Z99. >> It you know for you guys free today because you're at our talk. Okay. Look. Here's what you're looking at. So the number one library is what? Cryptography, right? It's a top 100. It's great. So if you're working with your developers and they're pulling in this library called cryptography to do pi python cryptographic functions, thumbs up or thumbs down? Probably thumbs up. It ain't perfect, right? It's got what? It's got bones. But again, like you can't see here, you're you're one spare Y away from pulling down something that is back door. Is there anybody who can't see

that on their phone? All right, good. Cool. All right, then we're good. My job here is done. I'm going to get out of the scary live part of the demo. >> We survived. You guys should all clap for yourselves for surviving that. Okay. So, so then if you've done that, look, these are the things that you need to remember from this talk. And by the way, y'all, I appreciate the interactivity and I appreciate the people that participated. It's been good that the choices you make every day. So, we heard from one guy who's got a culture that is Log4j-averse. We heard from a different guy who's got a culture that

is let's call it Log4j-philic. How's that? They love their Log4j. Right. So everything you do every day matters. How many people were in the keynote this morning? >> Okay. >> You remember this community thing and I got your six and like Yeah, man. Look, it's out there. It's free. Not because we think we're going to make money on it, but because collaboration is key. This is a good resource. Please use it. Um, yeah. Okay. Have you guys ever seen the hand and arm signal for death grasp on the obvious? Yeah. This is Hey, I want to tell you I've got a death grasp on the obvious. Do you? Okay. Death grasp. And I think

>> so. These are just some of the resources that we talked about today. Some of them you probably already know of. I know we talked about the SLSA framework by OpenSSF. Uh OWASP Top 10 is also another pretty solid staple, but you know those are more broad um in scope. So SLSA, secure.software are more tactical and things you can actually get your hands on right now today. Um but other than that, we're going to open it up to questions. >> Anyone? Oh, thanks. Anyone questions? Guys, this has been great. Thank you very much. And please >> Thank you. >> Hang on. >> We got one. >> One. We got one. What are >> Okay.

How you doing? >> I'm doing great. >> He's on the spot now. Um you were saying that AI adds vulnerabilities I believe to application development >> when uh developers use AI. I was at a conference uh last week where they said it was executives saying that they get disappointed when developers don't use AI in their application development process. How do you feel about that? Oh, >> well that's an easy one. How do I feel about that? I think again this is a cultural thing. >> Yeah. >> If you've ingested this and your AI is tight, >> I feel really good about that, right? Because look, man, face it. If the

machine is trained to do something right, it will do it right every time. Tragically, most AI is trained wrong to at least a little extent. And so, so I have mixed feelings. I'd want to test it or I'd want to hear what's that what's that jim atmanode.com. I'd want to hear that they were Mano customers. >> I think it also comes down to your personal like risk tolerance, right? So it depends on how much risk you're allowing in there and then what uh checks and balances you're putting in place uh to make sure that you're actually pushing secure code. So, I mean, I think it's a great tool, but you do have to have some of that human

element where you are verifying that like this is okay to use or oh, Danger, Will Robinson, like absolutely not. Um, again, to Andy's point is that it depends on how the AI is trained. So, I don't think it's ever going to be the be-all, end-all solution. I don't think anyone thinks that in here. Um, but I do think it's a helpful tool, an aid, if it's just used appropriately. Oh, >> question was, hey, you ought to be testing it anyway, right? But again, if you're and and you're right, you ought to be testing it whether it's AI driven or not. Again, what's the problem? If it's bad AI and you're using AI to test

and if it's biased AI, how are we doing? We're not doing great. But you're right. You got to test. That's and and so I guess implied in your question is and of course it's Nirvana because we're using AI, >> right? Okay. >> I guess there's disappointments by humans. >> There's disappointments. So we have humans coding. >> That's true. I saw a meme last week honestly and it made me laugh so hard but it was like I saw a guy coding not using any like AI, not using any like chatbot, but he was sitting there straight up coding all on his own. He's a sociopath, like and and honestly that's how most people do think now, but you know it

happens and there are still people out there, but it is a tool that's meant to be used, but again it has to be checked. >> So I think um >> I think that's it. Andy's got something. >> Any other questions? This is me telling me to shut up. Any other questions? Going once. Going twice. >> Hey gang, if you could, Alex has helped us with audio, and John, so please give a hand to those guys. And thanks. [Applause]