Several posts on software supply chain security this week, from different points of view. Plus some interesting new API tooling, the upcoming KubeCon event and discussion of proactive monitoring of highly distributed systems.

StackHawk sponsors Devops Weekly

Adding security testing to the development lifecycle means deploying to production the right way the first time. Watch a StackHawk demo to see how you can use automated testing to avoid roadmap disruptions and slowdowns.
https://sthwk.com/watch-a-demo

News

A useful general audience summary of the software supply chain security challenge.
https://www.scmagazine.com/feature/devops/even-with-all-eyes-on-software-supply-chain-security-open-source-remains-a-neglected-target

A nice short case study of adopting more proactive monitoring approaches, in this case in a highly distributed system supporting many physical locations.
https://medium.com/mcdonalds-technical-blog/proactive-monitoring-the-why-what-and-how-c280b117a835

Conversations about operations, SRE or devops often come to discussions of centralised vs decentralised teams, of balancing experts vs generalists. This post has an excellent discussion on this topic with Don Reinertsen.
https://www.forrester.com/blogs/expertise-and-the-shared-services-problem-a-conversation-with-don-reinertsen/

A detailed paper on the tragedy of the digital commons; discussing the reliance on open source software, and the struggle to maintain hidden critical infrastructure.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4245266

A podcast episode that raises an interesting point about the threat landscape in software today vs 15 years ago and the nuance around the definition of a vulnerability.
https://opensourcesecurity.io/2022/10/09/episode-344-python-tarfile-2022-is-nothing-like-2007/

Devops means different things to different folks, but I think everyone wants to improve on the craft of operations. This post discusses the need to build a culture of candor. Getting a “true and honest signal when things are going wrong” applies to the software and people that make up complex systems.
https://www.jasonacox.com/wordpress/archives/1331

KubeCon is back, kicking off October 24th in Detroit. To whet your appetite, this dashboard highlights some of the most popular topics being discussed ahead of the event. Will be interesting to see this grow over the next few weeks.
https://exploratory.io/dashboard/PQd2wHB2BZ/KubeCon-2022-Dashboard-by-EMA-Research-Kry3NRI4nL

Tools

Kiota is a command line tool for generating an API client to call any OpenAPI described API you are interested in. The goal is to eliminate the need to take a dependency on a different API SDK for every API that you need to call
https://microsoft.github.io/kiota
https://github.com/microsoft/kiota

Metlo is an open source API security platform. Endpoint discovery, detecting common HTTP issues (HSTS headers, PII in urls, etc.) and set up to run in CI if needed.
https://github.com/metlo-labs/metlo