
DevOxx France 2024: Exploring AI and technical challenges in DevSecOps


May 16, 2024

Feedback from DevOxx France 2024 by Lionel Gairoard: AI is revolutionizing DevSecOps with innovations in security, automation, and predictive analytics.

The welcome speeches by the three co-organizers kicked things off by highlighting the new features of the 2024 edition of DevOxx France, including the addition of a second level and adjustments to the organization. This edition promises to explore in depth the advances and challenges of integrating artificial intelligence (AI) in various fields, particularly medicine.

The transformative power of AI in medicine

Jean-Emmanuel, an oncologist and researcher in medical AI, captivated the audience with a presentation on the golden age of AI applied to medicine. He explained how machine learning techniques are driving a multitude of models to improve diagnosis, prediction, and even robotic surgery. Concrete examples included predicting disease risks several years in advance, automated interpretation of medical images, and using AI to screen for depression via platforms such as Instagram.

Despite these advances, Jean-Emmanuel highlighted significant challenges, including training data management, inherent model biases, and the risk of adversarial attacks. These factors could compromise the reliability of AI diagnoses and the integrity of proposed treatments. In addition, the presentation explored the prospects for development over the next 10 to 15 years, questioning how AI could revolutionize healthcare in an inclusive and secure manner.

An introduction to the distinction between symbolic and statistical AI was provided, specifically in the medical context. Symbolic AI, which focuses on logic and rules, contrasts with statistical AI, which learns patterns from large amounts of data. This duality is essential to understanding the different approaches to medical diagnosis and prediction.

Deep learning and LLM in diagnostics

Deep learning applications in medical imaging, such as CheXNet for chest X-rays or Google's initiatives for fundus analysis, demonstrate AI's ability to perform complex diagnoses. However, detecting depression from Instagram photos and predicting cancer from satellite images raise ethical questions about surveillance and privacy.

Large Language Models (LLMs) such as GPT-4 and Med-PaLM 2 demonstrate impressive effectiveness, sometimes surpassing that of physicians in diagnostic tasks. Nevertheless, their ability to show empathy and engage in meaningful interactions with patients warrants further analysis, as does their use in screening for rare diseases.

The integration of AI into medicine offers unprecedented opportunities but comes with considerable challenges. The potential of AI to transform medicine is undeniable, but its implementation must be carefully managed to avoid compromising medical ethics, patient confidentiality, and treatment accuracy.

Human in the loop: a concept in danger?

The decline in critical thinking skills among new interns, as illustrated by the example of tumor segmentation, reveals a risk of excessive dependence on AI. This highlights the importance of maintaining a strong human component in the use of AI in medicine, to ensure that technology assists practitioners without replacing them.

This conference raised crucial questions about the future of AI in medicine, highlighting the need to navigate between innovation and ethics, technological advancement and human sensitivity. The tech community is called upon to develop solutions that not only solve technical problems but also respect and enrich the doctor-patient relationship.

Our dependence on open source is frightening: SLSA, SBOM, and Sigstore to the rescue

Abdellfetah Sghiouar, Cloud Evangelist at Google Cloud, presented the security challenges associated with our growing dependence on open source software. His discussion highlighted the need to adopt more robust frameworks and tools to secure software supply chains.

The ubiquity and risks of open source software

Abdellfetah began by emphasizing how much developers today rely on open source libraries for almost every aspect of software development. This widespread dependency increases the risk of exposure to undetected vulnerabilities and maliciously inserted backdoors. He cited alarming statistics from Sonatype's SSCC, noting that 96% of code contains known and patchable vulnerabilities, and that attacks on the software supply chain have increased by 500% each year.

SLSA (Supply chain levels for software artifacts)

SLSA is a security framework designed to standardize and improve security across the software supply chain. It offers four levels of security, each increasing assurance and resilience against malicious modifications:

Level 0

No guarantee. SLSA 0 represents the absence of any SLSA level.

Level 1

The build process must be fully scripted/automated and generate provenance. Provenance is metadata describing how an artifact was built, including the build process, the higher-level source, and dependencies. Knowing the provenance allows software consumers to make risk-based security decisions. Provenance at SLSA 1 does not protect against tampering, but it provides a basic level of source code identification and can assist in vulnerability management.

Level 2

Requires the use of version control and a hosted build service that generates authenticated provenance. These additional requirements give software consumers greater confidence in the origin of the software. At this level, provenance prevents tampering to the extent that the build service is trusted. SLSA 2 also provides an easy path to SLSA 3.

Level 3 

Source and build platforms meet specific standards to ensure source auditability and provenance integrity, respectively. We envision an accreditation process whereby auditors certify that platforms meet requirements, which consumers can then rely on. SLSA 3 offers much stronger protections against tampering than previous levels by preventing certain classes of threats, such as cross-build contamination.

Level 4

Requires two-person review of all changes and a hermetic, reproducible build process. Two-person review is an industry best practice for detecting errors and deterring bad behavior. Hermetic builds ensure that the list of dependencies in the provenance is complete. Reproducible builds, while not strictly required, offer many benefits in terms of auditability and reliability. Overall, SLSA 4 gives the consumer a high degree of confidence that the software has not been tampered with.
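What a consumer can check from provenance, as described for Levels 1 and 2 above. This is an added example, not code from the talk; it assumes the in-toto Statement v1 and SLSA provenance v1 JSON layout, and the builder URL, repository and artifact are constructed placeholders.

```python
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def verify_provenance(artifact, statement, trusted_builders):
    """Return a list of policy failures; an empty list means every check passed.

    Only the content of the statement is checked. Authenticating it (the
    signature that Level 2 adds) has to happen before this function is called.
    """
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append("unexpected predicate type")

    # The artifact must be one of the subjects the provenance vouches for.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        failures.append("artifact digest is not a subject of the provenance")

    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"builder not trusted: {builder}")

    # A dependency recorded without a digest cannot be audited later.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    for dep in deps:
        if not dep.get("digest"):
            failures.append(f"dependency without digest: {dep.get('uri')}")
    return failures


# Constructed sample data (hypothetical builder URL, repository and artifact).
ARTIFACT = b"constructed release archive bytes"
TRUSTED_BUILDERS = {"https://ci.example.test/hosted-builder"}
STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.test/build-types/script/v1",
            "externalParameters": {"ref": "refs/tags/v1.0.0"},
            "resolvedDependencies": [
                {"uri": "git+https://git.example.test/app",
                 "digest": {"gitCommit": "0" * 40}},
            ],
        },
        "runDetails": {"builder": {"id": "https://ci.example.test/hosted-builder"}},
    },
}

if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, STATEMENT, TRUSTED_BUILDERS))
    print(verify_provenance(ARTIFACT + b"!", STATEMENT, TRUSTED_BUILDERS))
```

These checks only mean something once the statement itself has been authenticated, which is the step Level 2 adds through the hosted build service.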

SBOM (Software Bill of Materials)

The SBOM is a crucial document that comprehensively lists all the components of a software product. Abdellfetah explained how a well-documented SBOM can help trace and audit every element used in software development, thereby increasing transparency and security.

A complete and accurate inventory of all internal and third-party components is essential for identifying risks. BOMs should ideally contain all direct and transitive components as well as the dependency relationships between them.

CycloneDX far exceeds the minimum requirements for a software bill of materials as defined by the National Telecommunications and Information Administration (NTIA) in response to U.S. Executive Order 14028.

Adopting CycloneDX enables organizations to quickly meet these minimum requirements and mature toward more sophisticated use cases over time. The SBOM requirements defined in the OWASP Software Component Verification Standard (SCVS) are also covered.
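A completeness check for the inventory described above: it walks the dependency graph of a CycloneDX JSON BOM, separates direct from transitive components, and reports where the component list and the graph disagree. This is an added example, not code from the talk or from the CycloneDX project; the BOM and its package names are constructed.

```python
from collections import deque

# Constructed CycloneDX-style BOM (hypothetical package names, not from the talk).
ROOT = "pkg:npm/example-shop-api@1.0.0"
WEB = "pkg:npm/example-web@4.2.0"
LOGGER = "pkg:npm/example-logger@1.3.1"
PARSER = "pkg:npm/example-parser@0.9.0"
ESCAPE = "pkg:npm/example-escape@0.1.4"   # referenced in the graph, never declared
UNUSED = "pkg:npm/example-unused@2.0.0"   # declared, never referenced in the graph


def component(ref):
    """Build a library component entry from a purl used as its bom-ref."""
    name, version = ref.split("/", 1)[1].rsplit("@", 1)
    return {"type": "library", "bom-ref": ref, "name": name, "version": version, "purl": ref}


SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": ROOT,
                               "name": "example-shop-api", "version": "1.0.0"}},
    "components": [component(r) for r in (WEB, LOGGER, PARSER, UNUSED)],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [WEB, LOGGER]},
        {"ref": WEB, "dependsOn": [PARSER, ESCAPE]},
        {"ref": LOGGER, "dependsOn": []},
        {"ref": PARSER, "dependsOn": []},
    ],
}


def audit_bom(bom):
    """Split the dependency graph into direct and transitive components and
    report where the component list and the graph disagree."""
    root = bom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}

    direct = set(graph.get(root, []))
    reachable, queue = set(), deque(direct)
    while queue:                      # breadth-first walk from the root
        ref = queue.popleft()
        if ref in reachable:
            continue
        reachable.add(ref)
        queue.extend(graph.get(ref, []))
    reachable.discard(root)           # a cycle back to the root is not a dependency

    orphans = declared - reachable    # listed, but nothing says why it is there
    dangling = reachable - declared   # depended on, but no name/version/purl entry
    return {
        "direct": sorted(direct),
        "transitive": sorted(reachable - direct),
        "orphans": sorted(orphans),
        "dangling": sorted(dangling),
        "complete": not orphans and not dangling,
    }


if __name__ == "__main__":
    for key, value in audit_bom(SAMPLE_BOM).items():
        print(key, value)
```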

Sigstore

Sigstore is a project designed to facilitate the signing, verification, and monitoring of software. By using Sigstore, developers can ensure the integrity and provenance of source code and software artifacts, helping to secure software repositories against unauthorized modifications.

Abdellfetah illustrated the potential impact of vulnerabilities in open source software with real-world examples. He discussed a case where a vulnerability in Node.js allowed a backdoor to be installed in a large supermarket's system, leading to the exfiltration of sensitive customer data.

To demonstrate the effectiveness of the tools mentioned, a live demonstration of artifact signing with cosign was performed, highlighting how contributions can be reliably verified throughout the software supply chain.

Conclusion: A call to action!

Abdellfetah concluded by emphasizing the importance of adopting a "Zero Trust" and "Shift-Left" security approach, integrating security from the earliest stages of software development to better counter threats. He encouraged developers and organizations to adopt SLSA, SBOM, and Sigstore to strengthen the security of their software projects.

This session at DEVOXX France 2024 not only raised awareness about the importance of security when using open source software, but also provided concrete tools to improve this security, thereby encouraging safer and more responsible adoption of open source technologies.

Security of generative AI and LLMs: a new era of ethical hacking

At DEVOXX France 2024, a session dedicated to the security of generative AI and large language models (LLMs) was led by experts from Thales. Here are the highlights from my notes:

Strategies and challenges for deploying generative AI at Thales

The session explored the complexities of deploying generative artificial intelligence, particularly the challenges of integration and security in critical sectors such as defense and aeronautics. Katarzyna Kapusta introduced Thales' "AI Friendly Hackers" initiative, which aims to test the robustness of AI systems against vulnerabilities through ethical hacking. Nicolas Bouillet discussed the importance of security standards for generative AI tools, while Romain Ferrari spoke about the vital role of large language models (LLMs) in improving cybersecurity at Thales.

Renan Berthier, as Product Owner in Generative AI, emphasized the importance of maximizing product value while enriching the user experience. The types of attacks discussed included:

  • data poisoning
  • the insertion of backdoors
  • data exfiltration
  • malware injection
  • the theft of models and data

The defensive measures discussed included:

  • data sanitation
  • backdoor detection
  • adversarial training
  • code audits
  • input processing
  • watermarking of models and data
  • cryptography
  • federated learning

Friendly Hackers Battle Box Toolkit

During this session, a specific toolkit was presented, the "Friendly Hackers Battle Box," designed to simulate and counter attacks on models such as GPT-4. This toolkit demonstrates prompt injection techniques, allowing participants to familiarize themselves with practical defense strategies against cyberattacks targeting generative AI.

Approach to improving detection rules

The integration of Thales-specific business knowledge enriches LLMs, improving the analysis of detection rules and reducing false positives. This shows how prompt engineering can be strategically used to customize AI models.

The session concluded that AI should not be viewed solely as a potential threat, but rather as a partner in the field of IT security. With the right tools and strategies, it is possible to leverage the benefits offered by generative AI while mitigating the associated risks. Speakers emphasized the importance of responsible innovation, implementing best practices, and developing advanced cybersecurity tools to stay at the forefront of technology while protecting systems from increasingly sophisticated threats.

The collaboration between AI experts and cybersecurity specialists at Thales illustrates a proactive and multidisciplinary approach that is essential for securing generative AI technologies. The use of practices such as "ethical hacking" to test and improve AI systems demonstrates a commitment to building systems that are both robust and reliable.

Lunch talk: what mushrooms teach us about AI

Marine Sobas, Tech Lead Engineering at Dataiku, took the stage for a fascinating presentation linking the seemingly distant world of mushrooms to artificial intelligence.

Marine began by exploring the use of fungi in our daily lives, from antibiotics to yeast, while highlighting their lesser-known abilities in solving complex problems. She discussed how fungi develop optimal networks and how they can solve problems such as finding the shortest path, tasks that are often found in computer algorithms.

Mushrooms and AI: a revealing analogy

The analogy between fungal mycelial networks and neural networks in AI has opened up new avenues for thought. Marine explained how the propagation mechanisms of fungi resemble those of neural networks, suggesting that we could learn important lessons for the development of AI.

Marine shared Dataiku's mission: to make AI more accessible in the professional world. She highlighted the need for a deeper understanding of the underlying principles of AI for its successful integration into business processes.

Exploration of mycelial networks has revealed that they function similarly to an AI neural network, raising the fascinating question of whether fungi could inspire a new form of mycelium-based AI "hardware," albeit slower than silicon.

Human-AI interactions: a dynamic to be redefined

To conclude, Marine offered some thoughts on how we might interact with AI in the future. She asked whether our interactions with AI will be symbiotic or parasitic, inviting reflection on the very nature of intelligence and our shared future with machines.

This presentation not only served as a plea for close collaboration between disciplines, but also encouraged participants to view AI not merely as a tool or a threat, but as a potential partner in the search for solutions to complex challenges.

Quality & security gate in our CI/CD pipelines

This informative session by Steve Rigano and his team at Crédit Agricole Technologies & Services focuses on the integration of a blocking "Quality & Security Gate" into CI/CD pipelines.

Context and challenges at Crédit Agricole TS

The team discussed the strategy for implementing "shift-left" in development cycles to address security challenges without compromising the developer experience or time-to-market.

They shared their experience of implementing a "Quality & Security Gate" in the CI/CD chains of their cloud-native sector and addressed the following topics:

  • Presentation of the Cloud Native sector and the CI/CD chain.
  • The three levels of CI/CD maturity identified: Scratch, Staging, and Stable, and how they are implemented via gitlab-ci pipelines.
  • Focus on security with reminders about tools and methods such as SCA (Software Composition Analysis) via JFrog Xray and SAST (Static Application Security Testing) via SonarQube.
  • The need to empower development teams to take responsibility for security, problem remediation, and reducing technical/security debt.
  • The challenges associated with the short deadlines for implementing this topic.

Choice, security approach, and projections

The decision was made to implement a single blocking "Quality & Security Gate" at the CD (Continuous Deployment) level rather than multiple gates or at the CI (Continuous Integration) level.

They also discussed the importance of communication, training, guidance, and support for development teams.

Looking ahead, they plan to strengthen security levels in SonarQube and adopt a "shift-left" approach, integrating security directly into IDEs. They also plan to address the RUN phase by using Renovate Bot for automated dependency updates.

This session highlighted the importance of quality and security in the software development process and how companies can empower their teams while improving the security and quality of their product. Crédit Agricole TS's approach serves as an example for other companies seeking to implement similar measures.

Advanced software teaming

Woody Zuill, an Agile and Lean software development guide with over 40 years of experience, gave a presentation on the "Mob Programming" (Software Teaming) approach as a method of teamwork in software development. Here is a summary of his presentation translated into French.

The "mob programming" approach

"Mob Programming" is a collaborative, economical, and fun way to get stuff done as a team. It's a development approach that gets the whole team involved in programming, designing, testing, and working with the "customer" (partner, Product Owner, User, etc.) together.

Key points of the session

  • Facilitating excellence for all: Creating an environment where everyone can excel is crucial.
  • Amplify what works: It is important to reinforce the positive aspects that stand out in the team.
  • Communication failure: Woody addressed the challenges of communication within teams and suggested ways to improve this aspect.
  • Leading from within and without: The importance of each team member being able to lead and follow dynamically was emphasized.

Retrospective and personal observations

Woody shared his personal experiences and observations, emphasizing the need for constant improvement, even minor improvements, as these can have significant long-term results. He highlighted the difficulty of achieving these minor improvements and questioned common obstacles such as fatigue, context interruption, and task dependency.

One critical point raised was the tendency to treat symptoms rather than address the root causes of problems. Management and biases in beliefs often affect our ability to solve problems effectively.

Luck or talent?

Woody presented a perspective on success and failure, suggesting that success is a mixture of talent and luck, and that great successes often involve a little more talent and a lot more luck.

He introduced Wiio's law, which states that communication fails except by accident, and explained that attention is often based on limited experience. He also discussed systems within systems and levels of complex systems.

Calls to action

Woody concluded by encouraging the adoption of a habit of minor improvements and emphasized the importance of differentiating between problems and symptoms. He called for reflection on the role of management, beliefs, biases, and communication in problem solving.

Finally, he encouraged experimentation as the best way to succeed by working as a united team and amplifying good collaboration. He suggested avoiding a silo culture to prevent the isolation of systems and domains, and promoted the idea that together we can better focus our attention, receive feedback, and experiment to improve things.

DevOps Mercenaries: Review and Outlook

DEVOXX France 2024 ended with an event bringing together prominent figures from the DevOps scene, entitled "All DevOps Mercenaries." This group of experts shared their thoughts and experiences on the evolution of DevOps, its current practices, and future implications.

Participatory workshop and retrospective

The event included a participatory workshop on DevOps implementation, led by leading figures such as Arnaud Héritier from Doctolib, who shared his expertise in optimizing development methods and tools. Henri Gomez enriched the debate with his extensive experience in open source and his unique approach to software engineering, while Pierre-Antoine Grégoire brought his broad perspective on software architecture and his leadership within the Luxembourg tech community.

Dimitri BAELI and Gildas Cuisinier rounded out the panel by sharing their passion for organizing tech teams and the crucial importance of automation in DevOps culture. Gildas, in particular, illustrated how stress-free deployments can become a reality thanks to well-established DevOps practices.

Participants were able to share their experiences and take part in a retrospective of the last 10 years of DevOps. Katia from cockpit.io introduced the term DevOps from a new angle, inviting the audience to reflect on the effective integration of DevOps within their organizations.

The DevOps Mercenaries group led a lively debate on topics such as platform engineering, Site Reliability Engineering (SRE), observability, and modern infrastructures. This closing session allowed participants to reflect not only on the successes and challenges of the past decade, but also to look ahead and imagine together how collaboration between business, development, and operations could continue to evolve.

This constructive dialogue reaffirmed the importance of DevOps as a collaborative movement and highlighted the need to adopt an integrated and holistic approach to remain agile in an ever-changing technological world.

DEVOXX France 2024: DevOps and AI, pillars of innovation

This twelfth edition of DEVOXX France 2024 offered a fascinating insight into the evolution of DevOps technologies and artificial intelligence, demonstrating their central role in the digital transformation of businesses. Through various sessions, experts such as Woody Zuill with "Mob Programming" and teams from Crédit Agricole discussing "Quality & Security Gates" in CI/CD pipelines, the event highlighted an approach based on collaboration and continuous innovation.

From comparing fungal mycelial processes with neural networks in AI to reflecting on security and quality practices in DevOps, the deep connections between agile development, proactive security, and the ethical use of AI have been highlighted.

This convergence of themes not only reaffirmed the importance of fully integrating technologies, but also paved the way for future collaboration where technology, processes, and human perspective come together to push the boundaries of technical and organizational innovation.

 

Lionel GAIROARD

DevSecOps Practice Leader
