
Brett Smith
I'm Smitty and I am afraid of robots
Raleigh, North Carolina, United States
Distinguished Software Architect/Engineer/Developer with 25+ years of experience.
Specialties: Event Driven Automation, Continuous Integration/Delivery/Testing/Deployment, Supply Chain Security, AI Security
Expertise: Linux, packaging, and tool design.
Currently Engineering and Securing the Supply Chain with Event Driven CI/CD GitOps Pipeline Architectures that leverage Kafka, Go, Rust, and Python running in Containers on Kubernetes, together with SBOMs.
Continuous Talent Development
A presentation on building and growing talent – whether it is interns, recent graduates or new hires – to feel engaged, productive and ultimately make a difference. A how-to for fighting the "Great Resignation" and "Quiet Quitting". I cover how my team changed the way we handled new additions to the team and created an environment that retains talent. The presentation is based on an article I wrote that is published on LinkedIn titled "Continuous talent development: How to create connected, empowered and inspired employees" https://www.linkedin.com/pulse/continuous-talent-developmenthow-create-connected-empowered-smith. Attendees will learn methods they can employ on their team to help get new hires up to speed, be more productive, get more satisfaction from their contributions, and most importantly help retain the talent.
Lightning Talk: Event Driven CI/CT/CD Framework with an Audit Trail
A lightning talk I did at one of our internal unconferences to kick off the new event driven CI/CT/CD framework I was designing to bolt onto and expand our current pipeline. As part of the design there is an audit trail of receipts that are used to track what was done and to trigger events. The talk should lead to a greater discussion around the how and why of going event driven. Listeners should come away thinking about ways to gate releases by readiness, drive automated testing, make their pipelines asynchronous, and use machine learning to make the pipeline leaner and more reliable.
Supply Chain Robots, Electric Sheep, and SLSA
A talk about creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and SLSA.
In the talk I cover creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and how the SLSA spec helps implement solutions for each. The main takeaway is that security needs to be applied everywhere in the pipeline. The talk should lead to a greater discussion around the challenges of securing the supply chain, supporting EO 14028 and ISO 27001, and improving the security posture of your pipelines.
Attendee Takeaways
Answers for the following questions:
- Why do we need supply chain automation?
- What are common attack vectors in a supply chain?
- What techniques can we use to help secure the supply chain?
- What are the security benefits of supply chain automation and shift left?
- What specifications and tools can we use to help secure the supply chain?
https://jfrog.com/blog/swampup-session-highlights/#brett-smith
Reproducible Builds: Robots recreate Electric Sheep
A talk about the security benefits and challenges of reproducible builds. It includes a real world comparison of the Debian and Fedora build systems and a discussion of their value relative to the effort required, plus the work Fedora has been doing to increase rebuildability. Listeners should come away with knowledge of what reproducible builds are and an opinion on whether they are worth the effort.
Attendee Takeaways
Answers for the following questions:
- What is a reproducible build?
- Why do we need reproducible builds?
- What are the security benefits of reproducible builds?
- What are the security challenges of reproducible builds?
- What is the value of reproducible builds?
30 minutes plus Q&A discussion. First presented at the NCSU Secure Software Supply Chain Community Day; also presented at DevOpsCon 2024 San Diego.
Event Provenance Registry: Continuous Delivery Events for the Electric Sheep
What if you got a second chance to build an Event Driven Provenance service? In this talk I will cover the decision to start over, rewrite, and Open Source the Event Driven system we built in house. In the process of covering the things we changed and the things we kept I tell a few war stories, including what needed to be improved and what we left behind. I will talk about our involvement in the CD Foundation and how the new system can leverage CDEvents and help with SBOM storage and retrieval. Demo and Discussion included, dependent on time allotment.
Attendee Takeaways
Answers for the following questions:
- What does it take to open source in house tooling?
- What should I consider when open sourcing internal tooling?
- Why did we make the choices we made when open sourcing an internal project?
- What is an Event Driven Provenance Service?
- What is the CD Foundation?
- What is CDEvents?
30 minutes
The project https://github.com/sassoftware/event-provenance-registry
Workshop: Building an Event-Driven CI/CD Provenance System
In this hands-on workshop participants will journey through the architecture of an Event-Driven CI/CD Provenance System. We will not only cover microservice architectures, but also asynchronous communication, data interoperability, message specifications, and schema validation.
We will learn how to leverage Golang for service and CLI development, Docker for seamless deployment, Redpanda as a Kafka-compatible message bus, and PostgreSQL for efficient backend storage. The workshop uses the open-source project Event Provenance Registry (EPR) as the central service to leverage these technologies.
Over the course of the session we will delve into the EPR codebase, work through coding and building Golang services, discuss the theories of event driven systems, cover some pitfalls, and examine the integration with Redpanda for effective event propagation.
The workshop provides a valuable blend of theoretical understanding and hands-on experience in the dynamic landscape of Event-Driven CI/CD architectures.
Four 90-minute sessions for the full workshop. The workshop can be modified to fit a smaller time slot.
First public delivery at DevOpsCon San Diego 2024
Secure the AI: Protect the Electric Sheep
In this session I go over how AI presents security risks to the Software Supply Chain, SDLC, developers, and architects. I cover attack vectors in the supply chain and how they relate to the OWASP Top 10 for LLMs as well as how they tie into scenarios in your CI/CD pipelines. We wrap up the session covering techniques to close the attack vectors and protect your pipelines, software, and customers.
Attendee Takeaways
Answers for the following questions:
- Why do we need to secure the AI?
- How do we secure the AI?
- What is the OWASP Top 10 for LLMs?
- What are the AI attack vectors in the supply chain?
- How do we close the AI attack vectors?
Session is 45 minutes.
Wrangling Third Party Dependencies: Are the Electric Sheep Healthy?
A talk about how we are working on curating our Third Party Dependencies using automation and online resources like Ecosyste.ms, deps.dev, and OpenSSF Scorecard, as well as Snyk, Sonatype, and others. What libraries are we using? What libraries are unsupported, abandoned, outdated, etc.? What open source tools can we leverage to help answer these questions and more?
Attendee Takeaways
Answers for the following questions:
- Why do we need to curate Third Party Dependencies?
- How do we find which libraries we are using?
- What libraries are unsupported, abandoned, outdated, etc.?
- What open source tools can we leverage to help answer these questions and more?
30-45 minute session. First presented at The 4th Annual North Carolina Cybersecurity Symposium 2025.
Platform Engineering: Herding the Electric Sheep
A talk about platform engineering, DevOps, DevSecOps, sprawl, chaos, compliance, and security. Why engineer an Internal Developer Platform when I have DevOps? DevOps works fine when you are a 20 person start-up, but it often doesn't scale to Enterprise level development efforts. When you have 3000 developers with different needs and you are responsible for EO compliance and security, a modular self-service platform is a good choice to build. In this talk I cover the challenges we have faced in a 3000-developer enterprise and how we are working to address them. I also cover how we are working on automating, integrating, and scaling the creation of our internal developer platform. We talk about the tools we are using and the good and bad decisions I have made along the way. I also talk about how we are leveraging SBOMs, SLSA, and other tools to help build out a secure and compliant platform. Attendees will learn the benefits and challenges of Platform Engineering.
Attendee Takeaways
Answers for the following questions:
- Do we need a Platform Engineering Team?
- Is an IDP the right solution for my situation?
- What does a large scale IDP look like?
- What does it take to support a large scale IDP?
- What do security and compliance look like in an IDP?
30-45 minute session