Brett Smith
I'm Smitty and I am afraid of robots
Raleigh, North Carolina, United States
Software Architect/Engineer/Developer with 25+ years of experience.
Specialties: Event Driven Automation, Continuous Integration/Delivery/Testing/Deployment, Supply Chain Security
Expertise: Linux, packaging, and tool design.
Currently engineering and securing the supply chain with event-driven CI/CD GitOps pipeline architectures that leverage Kafka, Go, and Python running in containers on Kubernetes, together with SBOMs.
Topics
Continuous Talent Development
A presentation on building and growing talent – whether it is interns, recent graduates or new hires – to feel engaged, productive and ultimately make a difference. A how-to for fighting "The Great Resignation" and "Quiet Quitting". I cover how my team made a change in how we handled new additions to the team and created an environment that retains talent. The presentation is based on an article I wrote that is published on LinkedIn titled "Continuous talent development: How to create connected, empowered and inspired employees" https://www.linkedin.com/pulse/continuous-talent-developmenthow-create-connected-empowered-smith. Attendees will learn methods they can employ on their team to help get new hires up to speed, be more productive, get more satisfaction from their contributions, and most importantly help retain the talent.
Lightning Talk: Event Driven CI/CT/CD Framework with an Audit Trail
A lightning talk I did at one of our internal unconferences to kick off the new event driven CI/CT/CD framework I was designing to bolt onto and expand our current pipeline. As part of the design there is an audit trail of receipts that are used to track what was done and trigger events. The talk should lead to a greater discussion around the how and why to go event driven. Listeners should come away thinking about ways to gate releases by readiness, drive automated testing, make their pipelines asynchronous, and use machine learning to make the pipeline leaner and more reliable.
Supply Chain Robots, Electric Sheep, and SLSA
In this session, I'll cover creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and how the SLSA spec helps implement solutions for each.
The main takeaway is that security needs to be applied everywhere in the pipeline. The talk will lead to a greater discussion around the challenges of securing the supply chain, supporting EO 14028 and ISO27001, and improving the security posture of your pipelines.
https://jfrog.com/blog/swampup-session-highlights/#brett-smith
Reproducible Builds: Robots recreate Electric Sheep
A talk about the security benefits and challenges of reproducible builds. It includes a real-world comparison of the Debian and Fedora build systems and a discussion of the value relative to the effort. Listeners should come away with knowledge of what reproducible builds are and opinions on whether they are worth the effort.
30 minutes plus Q&A discussion. First presented at the NCSU Secure Software Supply Chain Community Day
Event Provenance Registry: Continuous Delivery Events for the Electric Sheep
What if you got a second chance to build an Event Driven Provenance service? In this talk I will cover the decision to start over, rewrite, and open source the event driven system we built in house. In the process of covering the things we changed and the things we kept, I tell a few war stories, and add in what needed to be improved and what we left behind. I will talk about our involvement in the CD Foundation and how the new system can leverage CDEvents and help with SBOM storage and retrieval. Demo and discussion included, depending on time allotment.
30 minutes
The project https://github.com/sassoftware/event-provenance-registry
Workshop: Building an Event-Driven CI/CD Provenance System
In this hands-on workshop participants will journey through the architecture of an Event-Driven CI/CD Provenance System. We will not only cover microservice architectures, but also asynchronous communication, data interoperability, message specifications, and schema validation.
We will learn how to leverage Golang for service and CLI development, Docker for seamless deployment, Redpanda as a Kafka-compatible message bus, and PostgreSQL for efficient backend storage. The workshop uses the open-source project Event Provenance Registry (EPR) as the central service to leverage these technologies.
Over the course of the session we will delve into the EPR codebase, work through coding and building Golang services, discuss the theories of event driven systems, cover some pitfalls, and examine the integration with Redpanda for effective event propagation.
The workshop provides a valuable blend of theoretical understanding and hands-on experience in the dynamic landscape of Event-Driven CI/CD architectures.
Four 90-minute sessions for the full workshop. The workshop can be modified to fit a smaller time slot.
First public delivery at DevOpsCon San Diego 2024
Secure the AI: Protect the Electric Sheep
In this session I go over how AI presents security risks to the Software Supply Chain, SDLC, developers, and architects. I cover attack vectors in the supply chain and how they relate to the OWASP Top 10 for LLMs, as well as how they tie into scenarios in your CI/CD pipelines. We wrap up the session covering techniques to close the attack vectors and protect your pipelines, software, and customers.
Session is 45 minutes.
The workshop is how long? Using AI to create an all day workshop
In this session I tell the story of how AI saved me from a disaster. I agreed to do a workshop I was working on for a conference. I only had about 45 minutes' worth of content but planned to have 90 minutes. I then found out, after agreeing to do the workshop, that the format was four 90-minute sessions (all day). I will talk about how I used AI to fill in content and the tech tricks I used to pull it off, from writing workshop content and generating slides to writing software to use in the workshop (Go and Python).
Wrangling Third Party Dependencies: Are the Electric Sheep Healthy?
A talk about how we are working on curating our third-party dependencies using automation and online resources like Ecosyste.ms, deps.dev, and OpenSSF Scorecard, as well as Snyk, Sonatype, and others. What libraries are we using? What libraries are unsupported, abandoned, outdated, etc.? What open source tools can we leverage to help answer these questions and more?
40 minutes