Dasith Wijesiriwardena

Software Engineer | Solutions Architect | Tech Speaker | Geek with an unhealthy fascination for distributed systems and a #microsoftie. Not in that order. I’m currently based in Melbourne and work for Microsoft.

I’ve been developing software for close to 2 decades now. Since my early days of playing with C++, VB, ASP and PHP, software development has gone through a paradigm shift. These days I mostly work on things that run natively on the cloud and edge. Join me on my journey through the world of .NET and all things distributed.

Consider any opinions expressed here as my own.

3 minute read

I presented some my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November.

I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus.

With the renewed focus supply chains attacks and with the supply chain security endorsement by the White House, every government industry and adjacent vendors are looking at making their own software supply chain more secure. Australia being a close ally of the US and with more recently with AUKUS, the industry here is looking to the US for patterns and practices.

It’s in this landscape that my team was trying to bring the modern approaches and practices to customers here in Australia. We saw the open source community and the k8s ecosystem move in the direction of artefact signing and attestations and wanted to talk more about how everyone can benefit from the industry push for software supply chain security.

In this talk we try to introduce teams to the concept of supply chain security and what you can start doing today to make your supply chain secure and how you can make the distribution and consumption of your software more secure for your consumers as well.

The talk abstract is as follows.

In the rapidly evolving landscape of software development, open source dependencies have become the building blocks of modern applications, enabling rapid innovation and collaboration. However, this newfound efficiency comes with inherent risks, as the supply chain for software becomes increasingly complex and vulnerable to various threat vectors.

In “Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools,” we embark on a captivating journey through the critical importance of secure supply chains in the software development lifecycle. Join us as we delve into the challenges posed by open source dependencies and the innovative tools that have emerged to address them.

We live in a Kubernetes world. As more and more workloads are run on Kubernetes, it becomes essential that every dependency that contributes to compiling, building, and running workloads need to come under the scanner. We will explore tools that allow you to build a chain of trust from source code to running container instances During this talk, we will explore how the convergence of software development and secure supply chains has become paramount in instilling confidence and mitigating risks. We will examine the threat vectors that jeopardize the integrity of the software supply chain and highlight the need for comprehensive security measures.

About API Days

This is the sixth time I’ve presented at API Days in the “platform” stream and I’m really grateful from the opportunity to share my learning with the community for such and extended period of time. I’ve been covering many facets of distributed systems and things like the container ecosystem for a while now.

This year the API days conference was held in the Pullman Melbourne hotel and had 5 parallel tracks and workshops. I believe it was the most attended API days Australia event in its short history.

About K8SUG - Australia

The k8s user group meets roughly once a month to discuss the latest and greatest topics around the k8s landscape. This was my first time presenting at the meetup and I got the chance to network with many k8s enthusiasts.

Meetup

From their meetup page:

This is a group for anyone interested in Kubernetes from anywhere to join online or in-person in Melbourne, Australia. We meet to talk about anything Kubernetes / OpenShift related including but not limited to how to Build, Secure, Operate, Manager Kubernetes Clusters, how to Secure and Backup containers, Migrate containers between On-Premises and across Multi-Cloud, how the DR works for the containers etc. Any one is using or planning to adopt Kubernetes should join us to either learn or share the experiences on Kubernetes. It can be vanilla Kubernetes or any managed Kubernetes or OpenShift either OnPrem or in the Public or Private Cloud.

Recording & Slide deck

Short Version from API Days

Extended Version from K8SUG



If you have any thoughts or comments please leave them here. Thanks for taking the time to read this post.

Leave a comment

You may also enjoy

LLM Prompt Injection Considerations With Tool Use

8 minute read

My team at Microsoft Industry Solutions Engineering have recently been building heaps of LLM based solutions for customers of varying sizes across industries. There are some patterns that are emerging from these solutions and today I wanted to write about a pattern we used at a customer to prevent a class of prompt injection attacks with regards to tool use. Some of it may seem trivial or just common sense from purely a security sense but remember that most teams building these solutions are cross functi...

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...

Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022

1 minute read

I recently spoke at API Days Australia about my experiences building distributed systems and some challenges my team faced deploying and running them on the edge. It is not an exaggeration to say that most modern systems that teams build are running on the cloud in a distributed architecture. There are some well-known successful practices around DevOps for these cloud native solutions as well. But what happens when you want to use the same workflows to deploy and run on the edge where connectivity might...