Session Name: Mining for Microservices – Managing the Supply Chain in a Microservice Architecture
Finding, sharing, and tracking the microservices that make up our ‘logical’ applications is often the reason cloud-native architecture is considered ‘complex.’ Supply chain management in a shared microservice architecture has its own challenges compared to monolithic development. Supply chain management speaks to improving the security of the software systems we create, and at the core of these discussions is the generation of SBOMs and CVE reports. In a monolithic architecture, the creation of application SBOMs and CVE reports is done at the CI build step. But how do we mine the SBOM data at the application level in a microservice environment without a monolithic build? This presentation will review the supply chain complexities of a microservice architecture with hundreds of run-time dependencies, each having its own SBOM and CVE reports. It will introduce Ortelius, an open-source unified supply chain catalog incubating at the Continuous Delivery Foundation, that aggregates SBOM and CVE microservice-level data up to the consuming ‘logical’ applications. Attendees will learn how they can easily produce application-level supply chain reports that meet new federal security requirements, even in complex cloud-native environments.
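The roll-up the abstract describes, as an added example that is not code from the talk or from the Ortelius project: each microservice carries its own SBOM and findings, a ‘logical’ application is just the list of services it consumes at run time, and the application-level report is the aggregation of those per-service records. All package URLs, service names and CVE ids below are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data (not real packages or CVEs). Each microservice ships
# its own SBOM, reduced here to a list of package URLs, and its own scanner
# findings against those package URLs.
SERVICE_SBOMS = {
    "payments-svc": {
        "components": ["pkg:pypi/libjson@1.2.0", "pkg:pypi/libtls@3.0.1"],
        "findings": [{"id": "CVE-0000-0001", "purl": "pkg:pypi/libtls@3.0.1", "severity": "HIGH"}],
    },
    "orders-svc": {
        "components": ["pkg:pypi/libjson@1.2.0", "pkg:pypi/libxml@2.9.0"],
        "findings": [{"id": "CVE-0000-0002", "purl": "pkg:pypi/libxml@2.9.0", "severity": "CRITICAL"}],
    },
    "search-svc": {"components": ["pkg:pypi/libxml@2.8.0"], "findings": []},
}

# Which microservices each "logical" application consumes at run time.
APPLICATIONS = {
    "storefront": ["payments-svc", "orders-svc"],
    "catalog-admin": ["search-svc", "orders-svc"],
}


def aggregate(app, applications=APPLICATIONS, service_sboms=SERVICE_SBOMS):
    """Roll microservice-level SBOM and CVE data up to one application.
    A library shared by several services appears once in the component set and
    each finding once per (CVE, package); both keep the services that introduced
    them so the fix can be routed to the right team."""
    components = defaultdict(set)   # purl -> services that ship it
    findings = {}                   # (cve id, purl) -> finding + attribution
    for svc in applications[app]:
        sbom = service_sboms[svc]
        for purl in sbom["components"]:
            components[purl].add(svc)
        for f in sbom["findings"]:
            rec = findings.setdefault((f["id"], f["purl"]), {**f, "services": set()})
            rec["services"].add(svc)
    return {
        "application": app,
        "components": {p: sorted(s) for p, s in sorted(components.items())},
        "findings": [{**r, "services": sorted(r["services"])}
                     for _, r in sorted(findings.items())],
    }

def applications_exposed_to(cve_id, applications=APPLICATIONS, service_sboms=SERVICE_SBOMS):
    """Reverse query: which applications consume a service carrying this CVE."""
    return sorted(app for app in applications
                  if any(f["id"] == cve_id for f in aggregate(app, applications, service_sboms)["findings"]))
```

The reverse query is what a catalog buys you: when a new CVE lands against one library, you can answer which applications are exposed without rebuilding anything.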
Tracy is CEO and Co-Founder of DeployHub, a unified catalog for governing the supply chain to deliver secure, high-quality microservices at scale. Tracy is an expert in supply chain management and pipeline life cycle practices with a hyper-focus on microservices and cloud-native architecture. She currently serves as a board member of the Linux Foundation's OpenSSF. She previously served as a founding board member at both the Continuous Delivery Foundation (CDF) and the Eclipse Foundation. She is also the Community Manager of Ortelius, an open-source unified supply chain catalog.