WEBVTT

00:00.000 --> 00:10.400
Take your seats and we are moving to the next speaker.

00:10.400 --> 00:11.600
He goes for another stress.

00:11.600 --> 00:16.400
He's going to talk about Erlang/OTP's journey towards CRA compliance.

00:16.400 --> 00:27.680
Take your voice, sir.

00:27.680 --> 00:30.640
So let me tell you the story about the Erlang

00:30.640 --> 00:35.000
OTP journey towards CRA compliance.

00:35.000 --> 00:38.640
Chapter 1, the Kingdom of Code.

00:38.640 --> 00:43.800
In the Kingdom of Code, there is the mighty Tower of Erlang.

00:43.800 --> 00:47.360
The Tower of Erlang, informally known as the Erlang programming

00:47.360 --> 00:53.560
language, has been open sourced for more than 30 years.

00:53.560 --> 01:00.560
And as such, it has received thousands and thousands of contributions.

01:00.560 --> 01:06.600
The Tower of Erlang was forged in the workshops of Ericsson

01:06.600 --> 01:12.520
and has a reputation for never falling, not even in the hardest storms.

01:12.520 --> 01:16.520
But in the shadows, dark forces are gathering.

01:16.520 --> 01:27.200
And it's really unknown whether these new beasts can create vulnerabilities for the tower.

01:27.200 --> 01:33.200
Across the realm, hundreds of different towers were built.

01:33.200 --> 01:37.640
And in recent years, new architects came.

01:37.640 --> 01:41.760
These architects modified a bit of the Erlang tower

01:41.760 --> 01:46.280
and created new towers, such as the Elixir Tower and the Gleam Tower.

01:46.280 --> 01:49.240
And those are now informally known as the Elixir programming language

01:49.240 --> 01:51.720
and the Gleam programming language.

01:51.720 --> 01:55.640
The best thing about these towers, Erlang, Elixir and Gleam,

01:55.640 --> 01:59.000
is that they enable really complex communication patterns,

01:59.000 --> 02:05.160
which use thousands of pigeons from tower to tower.

02:05.160 --> 02:08.920
The pigeons carry scrolls, which are messages,

02:08.920 --> 02:12.320
and based on that, new businesses can be built.

02:12.360 --> 02:15.720
Which ones? Well, we have some known companies.

02:15.720 --> 02:19.400
WhatsApp uses the pigeons to send messages.

02:19.400 --> 02:23.000
Klarna uses the pigeons to send money.

02:23.000 --> 02:25.600
Kivra uses them to send important letters,

02:25.600 --> 02:32.240
and Ericsson and Cisco use them for more of our global communication.

02:32.240 --> 02:36.640
But outside the realm, there were other towers.

02:36.640 --> 02:41.520
And these towers were facing new challenges.

02:41.600 --> 02:46.880
New beasts came to those towers and started to attack them.

02:46.880 --> 02:50.960
And it is unknown whether these new beasts

02:50.960 --> 02:52.880
can attack our towers.

02:56.560 --> 03:00.320
As such, the Council of Towers, informally known

03:00.320 --> 03:03.320
as the Erlang Ecosystem Foundation, met

03:03.320 --> 03:07.800
in the great halls of the Elixir Tower.

03:07.800 --> 03:12.200
In there, they also had scouts that had spotted red dragons

03:12.200 --> 03:16.760
and worms, spotted at the gates outside the realm.

03:16.760 --> 03:18.600
And then, again, it was unknown:

03:18.600 --> 03:22.200
is that something that can happen in our towers?

03:22.200 --> 03:24.960
It remains to be seen.

03:24.960 --> 03:29.480
There was one thing that was known 100% for sure.

03:29.480 --> 03:33.040
Instead of relying on whatever someone says

03:33.040 --> 03:36.680
is a vulnerability, we need to be a united front.

03:36.680 --> 03:39.240
How do you do that?

03:39.240 --> 03:42.200
You create the bestiary book.

03:42.200 --> 03:45.040
The bestiary book basically is the one

03:45.040 --> 03:48.520
that is going to tell the realm: we're going to identify the dragons

03:48.520 --> 03:51.800
and we're going to say whether something is a vulnerability.

03:51.800 --> 03:53.800
We're going to name those dragons.

03:53.800 --> 03:56.360
Because, again, we know about our realm.

03:56.360 --> 04:00.120
So this is going to apply to all of the towers.

04:00.120 --> 04:06.200
And as such, we're going to publish and update the bestiary book,

04:06.200 --> 04:09.480
so that everyone that is in the realm can follow up on

04:09.480 --> 04:12.760
whether you have a vulnerability or not.

04:12.760 --> 04:17.320
Informally, this is when we say that the Elixir Foundation,

04:17.320 --> 04:19.560
the Erlang Ecosystem Foundation, became a CNA.

04:24.440 --> 04:29.880
Now, not long after that, came a royal decree by the king.

04:29.880 --> 04:33.160
And it was mandating the following items.

04:33.160 --> 04:37.880
It was saying, from now on, you need to keep a ledger of materials

04:37.880 --> 04:39.720
for every wall.

04:39.720 --> 04:42.360
This is really tricky.

04:42.360 --> 04:45.560
Because the walls have thousands of stones.

04:45.560 --> 04:49.000
And it was said that if you take an Apache stone

04:49.000 --> 04:53.560
and you put on top a GPL stone, the Apache stone is going to melt

04:53.560 --> 04:55.320
and silently convert to the GPL.

04:55.320 --> 04:56.920
Is that something that you want?

04:56.920 --> 04:58.840
I don't know, you need to know, right?

04:58.840 --> 05:01.400
So you need to do your ledger of materials.

05:01.400 --> 05:03.240
Understand what it is that you can combine.

05:06.920 --> 05:09.240
You need to post scouts to watch over the realm.

05:09.240 --> 05:12.360
Sure, you need to know if you're going to be attacked.

05:13.240 --> 05:16.840
You need to declare your threats and patch them out immediately,

05:16.840 --> 05:19.800
which also makes sense.

05:19.800 --> 05:23.960
And finally, you need to prove the defenses through regular audits.

05:23.960 --> 05:27.560
Fail to comply with this royal decree,

05:27.560 --> 05:31.160
informally known as the CRA, and your tower

05:31.160 --> 05:33.480
may be closed for business.

05:33.480 --> 05:34.680
So it has a huge impact.

05:40.360 --> 05:44.760
To fortify defenses, the Council of Towers met

05:44.760 --> 05:47.720
and gathered feedback through its security working group.

05:47.720 --> 05:51.080
And there was one thing that was clear.

05:51.080 --> 05:53.960
Given that all the other towers in the whole realm

05:53.960 --> 05:58.360
are built on top of the Erlang tower,

05:58.360 --> 06:02.040
because the other ones are modifications of it,

06:02.040 --> 06:05.080
it makes sense that the maintainers of the tower

06:05.080 --> 06:08.760
are going to implement the following protocols that I'm going to discuss,

06:08.760 --> 06:12.600
so that we can comply with the royal decree.

06:16.600 --> 06:21.560
The maintainers of the tower are going to post gatekeepers.

06:21.560 --> 06:24.680
The gatekeepers are the ones that are going to check

06:24.680 --> 06:27.480
for risky practices and are going to check how you're doing that patch

06:27.480 --> 06:29.080
on the Erlang tower.

06:29.080 --> 06:31.480
You need to have maybe a reviewer that is checking that as well.

06:31.480 --> 06:34.680
That's all.

06:34.680 --> 06:39.320
Then we are going to create, of course, a ledger of materials.

06:39.320 --> 06:45.560
We're going to post scouts, so that we can watch for dragons,

06:45.560 --> 06:49.960
and publish official notices together with the Council

06:49.960 --> 06:53.080
of Towers, the Erlang Ecosystem Foundation.

06:53.080 --> 06:55.560
Let's see how we do this, because we cannot just

06:55.560 --> 06:58.520
do it all ourselves, the maintainers of the Erlang tower.

06:58.520 --> 07:03.080
We need allies that are helpful.

07:03.080 --> 07:06.520
For the gatekeepers, the gatekeepers are the ones that are going

07:06.520 --> 07:08.760
to check for risky practices.

07:08.760 --> 07:12.120
As I said before, if you are patching a wall, you need to know

07:12.120 --> 07:13.400
whether you are doing it correctly.

07:13.400 --> 07:15.240
And someone is reviewing it.

07:15.240 --> 07:18.280
You need to have maybe a test, so that you know that if there is a

07:18.280 --> 07:22.920
crack, don't just leave it, go and fix it, and so forth.

07:22.920 --> 07:26.040
How do you get to a good baseline?

07:26.040 --> 07:30.920
I would say it's pretty tricky to know if you're doing things correctly or not.

07:30.920 --> 07:32.920
So what can we do then?

07:32.920 --> 07:37.800
Well, the Council of Towers, together with the maintainers of the tower,

07:37.800 --> 07:40.680
went to visit the OpenSSF kingdom.

07:40.680 --> 07:45.160
And they tried to understand this new technology called Scorecard.

07:45.160 --> 07:49.560
Scorecard is a technology that is going to find risky practices.

07:49.560 --> 07:53.240
And now we have quite a few risky practices that we didn't know about.

07:53.240 --> 07:55.240
And now we have a baseline.

07:55.240 --> 07:58.200
Based on that, the maintainers of the tower

07:58.200 --> 08:02.920
fixed the most high-priority issues, and they continue to work on it.

08:02.920 --> 08:06.120
But now at least the most risky issues have been fixed.

08:06.120 --> 08:09.080
Now there's also one thing.

08:09.080 --> 08:13.400
There were some practices that were good in the Erlang tower,

08:13.400 --> 08:16.760
but they were not recognized by the Scorecard technology.

08:16.760 --> 08:20.760
So we did what, well, anyone, I guess, could do.

08:20.760 --> 08:22.520
We contributed back.

08:22.520 --> 08:26.680
We added those practices, so that now, for everyone that is using

08:26.680 --> 08:30.120
the Erlang, Elixir, or Gleam towers,

08:30.120 --> 08:35.000
those practices are going to be recognized by Scorecard.

08:35.000 --> 08:39.000
Given this, we can close off the regular audits,

08:39.000 --> 08:43.240
because this is the technology that's going to do those regular audits.

08:43.640 --> 08:48.280
Ledger of materials, this is really tricky.

08:48.280 --> 08:53.480
You need to list every stone that is part of the tower.

08:53.480 --> 08:58.520
We have thousands of stones, and even more, you cannot stack

08:58.520 --> 09:01.720
sometimes one stone on top of the other one,

09:01.720 --> 09:04.200
because one is Apache, maybe the other one is a GPL,

09:04.200 --> 09:06.360
sometimes that doesn't go together.

09:06.360 --> 09:08.840
So it's not stable.

09:08.840 --> 09:10.680
What do we do in this case?

09:10.680 --> 09:15.240
We decided to go and visit the OSS Review Toolkit

09:15.240 --> 09:16.840
kingdom and REUSE.

09:16.840 --> 09:18.760
These are two different kingdoms,

09:18.760 --> 09:23.480
but they have somewhat similar technology that overlap.

09:23.480 --> 09:26.760
For REUSE, it's really interesting,

09:26.760 --> 09:31.000
because if you give them a stone,

09:31.000 --> 09:33.640
if it has runes, which are

09:33.640 --> 09:36.600
informally known as SPDX license identifiers,

09:36.600 --> 09:39.160
they know what it is, and they're going to tell you, yeah,

09:39.160 --> 09:42.040
we know what this one is, that's perfect.

09:42.040 --> 09:47.880
For the stones where those runes are a bit more tricky to spot,

09:47.880 --> 09:51.400
the OSS Review Toolkit, which implicitly scans the code,

09:51.400 --> 09:58.360
is able to tell you the category in which these stones go, I think.

09:58.360 --> 10:02.440
Based on that, we combine both technologies using custom machinery,

10:02.440 --> 10:05.160
so that now, for the things that have runes,

10:05.160 --> 10:07.640
we know what they are, and the ones that are not,

10:07.640 --> 10:09.640
because again, we have thousands of stones,

10:09.640 --> 10:12.920
not all of them follow the rune principle,

10:12.920 --> 10:17.080
then those will be covered by the OSS Review Toolkit.

10:18.360 --> 10:22.840
Even more, the OSS Review Toolkit was really good at categorizing,

10:22.840 --> 10:27.960
but there was one thing missing: the printing of this in a scroll

10:27.960 --> 10:31.080
was not really working, so we contributed back to that project,

10:31.080 --> 10:33.800
so now that is printed, and this is what now

10:33.800 --> 10:37.000
the Erlang tower and the Elixir tower are using.

10:38.280 --> 10:44.360
What does it look like now? Well, I think you can more or less read it.

10:44.360 --> 10:48.200
We have what is informally known as an SPDX package.

10:48.200 --> 10:50.600
A package can be thought as a bunch of stones put together

10:50.600 --> 10:53.640
so that it serves a purpose, that's all.

10:54.600 --> 10:58.280
There's someone that built the wall,

10:58.280 --> 11:00.840
we have some references with a comment that says, well,

11:01.000 --> 11:06.280
in this case, this is the OTP SSH package, or part of the wall,

11:06.280 --> 11:13.320
which version, where you found it, and if there's any kind of known vulnerability in it,

11:13.320 --> 11:17.320
so we have this as well. All the stones have been analyzed,

11:19.080 --> 11:22.360
and then we have the names of all the stones and how they are categorized.

11:23.560 --> 11:27.000
But this is not enough, right? We need to know as well if there were some tests,

11:27.880 --> 11:31.560
so we have that as well in our SPDX. You take it and you see it quite clearly.

11:32.840 --> 11:38.600
In this case, we say that the SSH test package is the one that contains the tests for the OTP SSH

11:40.120 --> 11:44.200
part of the wall. But the documentation is also important.

11:44.200 --> 11:48.920
We have that categorized as well, because the wall that is on the outer side

11:49.480 --> 11:54.440
of the tower, which maybe needs to be robust and sturdy, is not the same as that part of the inner wall,

11:54.520 --> 12:01.080
which is maybe more for the king to go and type. All of it is part of the package

12:01.880 --> 12:07.720
around the tower, project OTP, and also important if there are dependencies,

12:07.720 --> 12:12.760
and you cannot build the package OTP SSH because you need a solid base first;

12:13.800 --> 12:17.400
that is also explicitly stated in this scroll.

12:17.640 --> 12:26.920
A bit more. What happens when you need to take prefabricated walls? What are prefabricated walls?

12:26.920 --> 12:33.080
The vendored packages. You need to deal with those as well. Those are the ones that

12:33.720 --> 12:38.600
the maintainers cannot build themselves, so they take the sections from somewhere else and they put them

12:38.600 --> 12:45.400
into the project, integrated. As such, you need to identify the version that is associated, or

12:45.480 --> 12:51.880
the design that you took with it, so that you know what kind of tower you're building, so to speak.

12:55.240 --> 13:01.160
By doing some of this work, we also got the stamp of OpenChain license compliance.

13:04.760 --> 13:11.960
Given this, we have the ledger of materials. Now we're going to talk about the scouts.

13:12.200 --> 13:19.240
The scouts are the ones that are going to monitor dragons. The monitoring of

13:19.240 --> 13:23.240
the dragons, in this case, especially refers to the prefabricated walls, because those

13:23.240 --> 13:29.720
are the ones where we don't know if we could be affected. We didn't know initially exactly

13:29.720 --> 13:33.800
how to do it, but then we figured out that we can talk to the people from the OSV kingdom.

13:34.040 --> 13:42.040
They have some really nice bestiary books, and we just created custom machinery because

13:42.040 --> 13:48.040
the prefabricated solutions from OSV were not integrating well enough. The thing in that case

13:48.040 --> 13:54.600
is that the OSV kingdom, at the time that we did the integration to monitor dragons, was not able

13:54.600 --> 13:59.720
to recognize something called OpenVEX, so they could not remove false positives. So we handled that ourselves.

14:00.680 --> 14:07.960
And then these scouts, what they're supposed to do is, if they find a dragon exploiting

14:07.960 --> 14:14.600
a vulnerability in some of the prefabricated walls from some other project, then they're supposed

14:14.600 --> 14:25.000
to send a message immediately to their own tower. Finally, the publishing of the official notices.

14:25.560 --> 14:34.040
Any kind of vulnerability that is reported in the realm is going to be published by the

14:34.040 --> 14:41.880
Council of Towers, the CNA. Of course, there needs to be an immediate patching of walls by the

14:41.880 --> 14:46.600
maintainers, and the maintainers are also going to print something called OpenVEX.

14:47.640 --> 14:52.680
What is it that they're going to do? Well, they're going to replicate the vulnerabilities in the

14:52.760 --> 14:58.040
OpenVEX format, and they're also going to say, if there's a prefabricated wall that is

14:59.240 --> 15:04.760
vulnerable, is it really applying to the Erlang tower or not? That is also going to be

15:04.840 --> 15:18.680
contained in there. The attack. One misty morning, a scout sounded the alarm.

15:21.640 --> 15:31.480
The dependency dragon was spotted. This was a dragon that was known to exploit

15:32.120 --> 15:41.560
subtle prefabricated walls. We know from our ledger of materials that that kind of prefabricated

15:41.560 --> 15:49.800
wall has been integrated into the tower. As such, the scout follows protocol and informs the tower.

15:49.800 --> 16:01.560
How? Well, sending a message, that's what you do. The message arrives at the tower.

16:05.160 --> 16:09.960
This is what it looks like. It has been spotted by the scout, the Erlang scout bot,

16:11.240 --> 16:18.920
a really important scout. It affects version 28, and there's possibly a vulnerability;

16:19.000 --> 16:26.360
you need to check it out in your OpenVEX statement. It identifies the prefabricated wall

16:27.240 --> 16:37.800
and the dragon that is causing that. So, CVE 226, 22184. Given that we have the

16:37.800 --> 16:43.800
ledger of materials, now it's really easy to check if this is something that could be affecting us.

16:44.360 --> 16:52.200
We will also check the OSV bestiary book to see what they say it is about.

16:53.560 --> 16:59.960
In this case, during the integration process of that prefabricated wall into the Erlang tower,

17:01.400 --> 17:06.600
we were not affected, because the stones that were vulnerable were not part of what we moved

17:06.600 --> 17:11.800
over during the integration. Now, this is not OpenVEX. This is our own format that we created

17:12.440 --> 17:18.360
because the Erlang tower has many different parts of the wall, like the runtime system and many

17:18.360 --> 17:24.840
different applications. And as such, what we do in this case is identify the prefabricated wall,

17:24.840 --> 17:30.120
we put the dragon that is assigned, and the applications that have been affected.

17:31.320 --> 17:38.760
Based on this, we can generate OpenVEX statements. The OpenVEX statements go to the

17:38.840 --> 17:44.360
print machine and now we have the name of the dragon. We have the packages affected. In

17:44.360 --> 17:49.640
this case, if you are based on the OTP tower version 26, you are not going to be affected.

17:50.520 --> 17:54.680
If you are using the ERTS part of the wall, version 14, you are not affected.

17:55.880 --> 18:01.480
If you decide to go to the next iteration of the design, which is cooler, then you are not going to be

18:01.480 --> 18:05.720
affected. But let's say that you were on version 26 and you updated

18:06.360 --> 18:12.520
a minor part of the wall, in this case ERTS 14.0.1, then you are not affected either.

18:12.520 --> 18:18.520
And as such, this is like 20 statements, because it gets complex. But then you know for sure you are

18:18.520 --> 18:23.640
not affected. It would be good if the OpenVEX format had ranges, that would make things easier,

18:23.640 --> 18:29.240
but I couldn't find it, so this is what we do. Not affected, at least the vulnerable code was not present.

18:30.120 --> 18:34.680
Even more, we have the ledger of materials, right? But in the ledger of materials, maybe you don't

18:34.760 --> 18:41.320
want to see ERTS and whatnot. We are also going to put that this prefabricated wall that we took,

18:41.320 --> 18:48.040
from this version, is not affected. Then now you can have a merge between the SBOM

18:48.040 --> 18:50.760
and the OpenVEX and you can remove the false positives.

18:55.960 --> 19:02.600
Resolution: the attack passed, the defenses held, and the tower remains compliant and

19:03.480 --> 19:10.120
resilient against the danger. Now, call to arms. This is what we have done for the basic

19:10.120 --> 19:15.800
building block. If you are building on top of it, you still need to do your work. And the same

19:15.800 --> 19:20.600
thing goes for any kind of technology that you have. You need to keep your ledger honest,

19:21.560 --> 19:30.520
your scouts sharp, and your notices swift. If you haven't done so yet, join the watch.

19:31.480 --> 19:35.960
This is only going to work if you join, because there are way too many towers,

19:36.600 --> 19:41.640
and the Council of Towers, or the foundation, is not big enough to be able to deal with all the

19:41.640 --> 19:47.640
issues. So you need to join the watch. If you join, all the towers can stand for generations.

19:48.360 --> 19:52.520
And please, remember, the dragons never sleep.

19:54.360 --> 19:56.360
Thank you.

19:56.360 --> 20:03.640
Well, that was fantastic. Thank you. Do we have a question? We have time for questions.

