Supply Chain Robots, Electric Sheep, and SLSA
AllThingsOpen
9 views
26 slides
Oct 20, 2025
Slide 1 of 26
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
About This Presentation
Presented at All Things Open 2025
Presented by Brett Smith - SAS Institute, Inc.
Title: Supply Chain Robots, Electric Sheep, and SLSA
Abstract: A talk about creating automation, shifting left, attack vectors, attestations, verification, zero-trust, and SLSA.
In the talk I cover creating automation...
Slide Content
Platform Engineering
Internal Developer
Platform
Platform
DevOps
Also DevOps
Platform Engineering
Internal Developer Platform
IDP
How does it benefit the developers?
How does it benefit the developers?
IDP
How does it benefit the security team?
How does it benefit the security team?
IDP
How does it benefit the platform team?
How does it benefit the platform team?
IDP
How does it benefit the enterprise?
How does it benefit the enterprise?
Shift Left - Automate Right
SBOM
Software Bill of Materials
Software Bill of Materials
SLSA
Source Track Build Track
Track/Level Requirements Focus
Build L0 (none) (n/a)
Build L1 Provenance
showing how
the package
was built
Mistakes,
documentation
Build L2 Signed
provenance,
generated by a
hosted build
platform
Tampering after
the build
Build L3 Hardened build
platform
Tampering during
the build
Track/Level Requirements Focus
Source L1 Use a version
control system
First steps towards
operational
maturity
Source L2 History and
controls for
protected
branches & tags
Preserve history
and ensure the
process has been
followed
Source L3 Signed
provenance
Tampering by the
source control
system
Source L4 Code review Tampering by
project
contributors
Source Track Build Track
Track/Level Requirements Focus
Build L0 (none) (n/a)
Build L1 Provenance
showing how
the package
was built
Mistakes,
documentation
Build L2 Signed
provenance,
generated by a
hosted build
platform
Tampering after
the build
Build L3 Hardened build
platform
Tampering during
the build
Track/Level Requirements Focus
Source L1 Use a version
control system
First steps towards
operational
maturity
Source L2 History and
controls for
protected
branches & tags
Preserve history
and ensure the
process has been
followed
Source L3 Signed
provenance
Tampering by the
source control
system
Source L4 Code review Tampering by
project
contributors
Policy as Code (PaC)
Security is codified, automated, open, and accessible to all stakeholders
Key Features:
●Codification
●Automation
●Integration
●Consistency
Benefits:
●Improved Security
●Enhanced Compliance
●Increased Efficiency
●Reduced Errors
●Greater Agility
●Improved Collaboration
Security is codified, automated, open, and accessible to all stakeholders
Key Features:
●Codification
●Automation
●Integration
●Consistency
Benefits:
●Improved Security
●Enhanced Compliance
●Increased Efficiency
●Reduced Errors
●Greater Agility
●Improved Collaboration
Shift-Down Security
Shift-Down Security
The Platform
Services
Services
The Platform
●Agentic AI
●MCP Servers
●RAGs
What is next?
Pipeline visibility: "What's the status of my
deployment unit?"
Policy compliance: "Has it run all required
checks to ship?"
Security validation: "Did security scans run and
what were results?"
Test verification: "Are all tests complete and
passing?"
Promotion readiness: "Can we move to the next
stage?"
●MCP Servers
●RAGs
What is next?
Pipeline visibility: "What's the status of my
deployment unit?"
Policy compliance: "Has it run all required
checks to ship?"
Security validation: "Did security scans run and
what were results?"
Test verification: "Are all tests complete and
passing?"
Promotion readiness: "Can we move to the next
stage?"
Where to start?
●Assess existing tools and services across teams
●Identify patterns and consolidation opportunities
●Visualize findings for a clear landscape overview
●Design platform around main use cases first
●Address uncommon scenarios later
●Use core solutions to drive broader adoption
●Collaborate on unique needs for potential platform improvements
●Prioritize the main 80% - 10% - 10%, and handle exceptions
●Assess existing tools and services across teams
●Identify patterns and consolidation opportunities
●Visualize findings for a clear landscape overview
●Design platform around main use cases first
●Address uncommon scenarios later
●Use core solutions to drive broader adoption
●Collaborate on unique needs for potential platform improvements
●Prioritize the main 80% - 10% - 10%, and handle exceptions
Potential Pitfalls
●Outliers
●Exceptions
●Team Exceptions
●Vendor Lock in: Avoid dependency on a single vendor or specialized tech
●Cloud-agnostic strategies enable flexibility and easier upgrades
●One Offs: Emphasize industry standards over custom solutions
●Outliers
●Exceptions
●Team Exceptions
●Vendor Lock in: Avoid dependency on a single vendor or specialized tech
●Cloud-agnostic strategies enable flexibility and easier upgrades
●One Offs: Emphasize industry standards over custom solutions
Ask yourself:
●How many electric sheep do you
produce?
●How many developers do you
have?
●How many teams?
Do you have:
●A complex software development
process?
●A lot of different tools and
services to integrate?
●Extensive compliance and
security requirements?
Is Platform Engineering Right for You?
●How many electric sheep do you
produce?
●How many developers do you
have?
●How many teams?
Do you have:
●A complex software development
process?
●A lot of different tools and
services to integrate?
●Extensive compliance and
security requirements?
Is Platform Engineering Right for You?
AMA
I am Smitty and I am afraid of robots
Brett Smith
GitHub <https://github.com/xbcsmith>
Brett Smith
GitHub <https://github.com/xbcsmith>
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 9
- Slides 26
- Age 41 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
44 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views