
What’s in the SOSS? Podcast #47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

By December 16, 2025 | Podcast

Summary

On this episode of “What’s in the SOSS,” Yesenia Yser sits down with Justin Cappos, NYU professor and self-described “OG software supply chain guy” who’s been working in this space since 2002. Justin reveals why most universities fail to teach fundamental security practices—from MFA to code signing—and how his groundbreaking software supply chain security course is creating some of the top 500 most qualified professionals in the world. We discuss the challenges of keeping curriculum current in a rapidly evolving field, the “throw them in the deep end” approach to teaching open source collaboration, and Justin’s vision for transforming security education across institutions nationwide through the Linux Foundation’s Academic Computing Acceleration Program.

Conversation Highlights

00:24 – Introduction & Guest Welcome
01:49 – The SolarWinds Effect
02:01 – Aligning with Linux Foundation’s Academic Program
04:06 – Critical Gaps in Traditional CS Education
06:35 – Teaching Open Source Culture
10:45 – Career Impact & Student Success
13:52 – Adapting to AI & Rapid Industry Change
16:30 – Vision for the Next 5-10 Years
19:52 – Rapid Fire Round
20:52 – Final Advice & Closing

Transcript

Intro music & intro clip (00:00)

Yesenia (00:24)
Hello and welcome to What’s in the SOSS, the OpenSSF podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. I’m Yesenia, one of your hosts, and today we have a very exciting member joining us, Justin Cappos. Justin, please introduce yourself to the audience.

Justin Cappos (00:47)
Hello, hello. My name is Justin Cappos. I’m a professor at New York University. But really, I don’t work like most professors do. I’m very, very focused on doing things in practice. I’m also kind of like the OG software supply chain guy. I started working in this space like 2002.

So more than 20 years now, and I basically came early to the party and never left. So I’ve just quietly been making a bunch of things used across the software supply chain, like TUF and in-toto and gittuf and SBOMit and other things like that, along with all my wonderful students and collaborators that I’ve worked with over the years.

Yesenia (01:40)
Awesome. Yeah, it’s definitely a party you don’t want to leave. Like once you’re in here, you’re in the supply chain party for life. But thank you for your contributions.

Justin Cappos (01:49)
Yeah, our party got a lot more active and a lot more hip once the SolarWinds incident happened. Before that, it was kind of a lonely party at times, but yeah.

Yesenia (01:)
Yeah.

Yesenia (02:01)
Yes. Yeah, I do have my story on SolarWinds. It hits a drum on my heart and drama. All right, cool. So we’re going to go with the first question. And I’m curious, as a professor, what has motivated you to align your curriculum with the Linux Foundation’s Academic Computing Acceleration Program, particularly the secure open source and the cloud native tracks?

Justin Cappos (02:30)
Yeah, so really it’s always very difficult as a professor to know that what you’re teaching is moderately current. And as a professor who’s teaching like a traditional computer science curriculum, as most people do, rather than sort of an IT curriculum, you’re constantly trying to teach the fundamentals under all the technology you’re doing. And…

When it comes to things like software supply chain, things move so, so quickly. Like a lot of the technologies and things that are just fundamental to what we’re doing in software supply chain didn’t exist like five years ago, right? And there are things that were very popular that became unpopular, things that, you know, really just rapidly grew. And so you’re constantly playing this game of trying to make sure you’re talking about things that are fundamental technology advances. They’re not just kind of a flash in the pan, the latest release of some vendor that isn’t really that technically interesting or different than their last 10 releases and won’t be interesting compared to their next 10 releases.

You wanna really hit the thing that is a fundamental sea change in the field, while also keeping everything very current so that students are getting experiences with things that are very practical. And it’s really, really difficult to do. Extremely hard.

Yesenia (04:06)
Yeah, I believe that. I know once I left university and I got into the real world, I was like, yeah, they didn’t prepare me for nothing. That’s how I felt. Like we’re talking about two different universes. I graduated eons ago. So what gaps did you see in these traditional university programs that you think this could help accelerate? I know you touched on a few, but maybe some of those that are more dear to your heart that help.

You kind of drive towards more of this usage of the acceleration program.

Justin Cappos (04:41)
Well, I think for me, software supply chain is obviously a big thing I care about and think needs to be taught better and stuff like this. I’m frankly surprised like how few universities cover really any of this at any level in any part of the curriculum.

And I mean, even just very fundamental things about like MFA or like having, you know, different review policies for, like, you know, before things get merged into your main branch on GitHub, like, there has to be review by multiple developers and stuff like this. I think just even those very, very, very basic fundamentals are under covered and under emphasized.

And then, you know, once you get one level deeper to understand things like what mechanism should you be using to sign your code? When and where should you be generating software supply chain attestations? What is an SBOM? When should you be using SBOMs? What do they do? Things like that. I think those are almost entirely missing from the vast majority of curriculums out there. And so this effort by the Linux Foundation is really an effort to try to say, these are core fundamental things that are super important in industry and also super important foundational things. And these are the things that universities we wish would teach more. And also here’s some materials and things like this that you might be able to use if you want to incorporate them, is I think the plan to try to get everybody out there so that we get more more people coming out into industry that have a different experience than the one you had, one where they do feel very prepared and do feel like they at least have some idea of what’s going on when they take that next step out into practice.

Yesenia (06:35)
Yeah, it would definitely be a good shift in the educational – I know with the folks that I talk to that leave the academic – a good question they get too, which is at least from my understanding and my experiences, what is open source? Like that’s not something that’s really discussed on these university levels. Like they’ll tell you, go use these products, but they don’t tell you this whole ecosystem behind these free tools that you’re able to find online.

It’s pretty interesting. And I know with open source education, it does require more teaching these tools, these processes, this community like culture. It is teaching the open source culture. So how do you help students understand this collaborative community driven mindset that is central to what open source ecosystem is?

Justin Cappos (07:28)
Well, personally, I think one of the best ways is to sort of throw people in the deep end, give them a little bit of guidance, but then you just kind of throw them in the deep end of the swimming pool and see what happens. And then as people thrash around, you help them a bit. I think my experience has been that working in open source is something that…

requires a lot of initiative and requires a lot of kind of awareness about how to work in a community and requires a lot of non-technical skills that fundamentally just a lot of students lack and struggle with. So I think it’s a really difficult challenge. If you want to get a lot of good contributions from people, you can take this philosophy of just trying to put them in positions where they can succeed and give them a little bit of guidance and see how they go from there. But I think it’s really hard to get to a point where everybody coming out of a university program is going to have strong open source skills because I think that just the way we admit students, that’s not really the background we look for at times.

And I’ve also even seen where there’s professors that teach classes that do a lot with open source and the professors themselves don’t work in open source. They don’t use it themselves. And they have like real fundamental misunderstandings or misconceptions about what it means to work in open source. So, I definitely think that if you’re going to teach a class, you should really be a practitioner in it too. You should really be in your spare time, in your free time, or even as your day job if you’re teaching just a class in the evening or something, you should really be doing those types of things. Because I think otherwise it’s really hard to stay current and stay effective and teach.

Yesenia (09:25)
Yeah, that due diligence of understanding the ecosystem that you’re directing them to, because it’s just going to lead them to fail. Like they’re just like, just submit a pull request. And you know, they’ll go through the common ways, like, you know, pull down the repo and try to commit. And then they’re like, I don’t have permissions to, but they might have it where you got to fork it. Right. So I think it’s really important that there might be just an extra class in universities that is focused on the open source ecosystem, the open source community.

And unfortunately, like in the computer science space, there’s just so many different umbrellas to start tapping into within that umbrella of computer science. It is definitely a challenge. With the industry, like you said, the last five years and SolarWinds, it’s just had this high demand for secure software skills that continues to grow. It’s something, when I do talk to my mentees, I direct them to open source and I’m like, it is one of those like jump in the deep end, ask for help and someone’s going to send you out the lifeboat.

But in your professional experience and thoughts, what changes have you seen in students’ interests, their enrollment, or even their career path since emphasizing secure open source development in your courses?

Justin Cappos (10:45)
Well, certainly it’s something where I think the students are a lot more sought after when they come out because I think this is a fairly rare skill set for people to have. I think, you know, I kind of made a half serious, half joking comment after I taught my first class of software supply chain security, which I think it’s probably the first…

like regular university class that is entirely software supply chain security. I said, you know, all of you who just took this class, you’re now in the top, like 500 people in the world for understanding software supply chain security. Because I really think that the talent pool, like at least the breadth that they get across that, there’s people that do deep work in one or two areas, but it’s really rare to get an entire full semester, full length university course where they’re implementing parts of Sigstore and they’re Git commit signing and they’re setting up attestations throughout a supply chain and they’re really integrating and using all these tools together end to end in a pipeline and making SBOMs and doing all of this together.

I think that that skill set is fairly rare. And from what I know from hearing back from those students later is that they were very successful at getting jobs. That this was something where people said, wow, I’m impressed that you understand deeply like a bunch of different technologies, where usually I think it’s more common that people haven’t heard of them or don’t have any experience at all.

Yesenia (12:34)
That’s great. Yeah, you gave me goosebumps on that one. And I’ve seen a few years ago, we did a mentorship with the Alpha-Omega group. And even that group, they are fresh out of university. And that group has gone to major organizations and made changes in their career. And we just finished this summer with a mentorship with, I think it was gittuf, if I’m not mistaken,

where I’m excited to see that mentees group’s growth, but as somebody who’s like hired and interviewed folks, it is a difference in skill set from somebody that has been involved in open source. Even if it’s from a smaller level or just a level of like, hey, I’m going to sit here and listen, right? I’m going sit here and listen and I’ll take notes and I’ll help the group grow in that aspect. There’s so much growth and information that they can absorb.

So keeping curriculum current is definitely a major challenge. Like I can’t even keep up with the latest, greatest. They change weekly. And then with these rapid shifts in AI, these cloud native systems, and open source supply chain threats, what practices have you implemented to ensure your course content evolves with the needs of the industry?

Justin Cappos (13:52)
Yeah, I mean, AI is a big thing that everybody is trying to figure out how best to deal with it. And it’s really something where I would say that if you’re looking for like, what is the best approach, I’d say stay tuned because really we’re at the early stages

Yesenia (14:08)
Good response.

Justin Cappos (14:09)
And educationally people are throwing things at this and seeing what works. So we’ll figure this out. But in terms of like how I’ve tried to stay current: I think that actually things like the Linux Foundation programs are great because this is really a bunch of the experts in the field coming together to say these are the things that need to be taught. And for instance, when I went through this program for NYU to get the certification, I went and said, you know, I’m teaching a lot of these things, but there are a couple things where, you know, I didn’t emphasize this as much, or I could have said this in a different way.

Or I could, you know, I see that other people might spend five slides on this and I’m only spending two slides. And the fact that I have an entire course on that is like, you know, I really should probably have 10 slides on this then. And so it also kind of helped me to change my emphasis on different topics and push things forward in a way that I think better reflects the reality of where we are today as an industry and not just taking my personal perspective as somebody who, yes, I do work very, very closely with all sorts of projects and industry, but of course we all have our own biases and our own blind spots. So it’s just helpful to see more reinforcement that I probably need 20 slides on vulnerability reporting instead of like 10, things like that.

Yesenia (15:45)
Yeah, it’s good. I mean, it’s going to be definitely a challenge, and it might be one of those that the coursework just evolves into individual courseworks where maybe one focuses on open source in AI, you know, and cloud native systems or supply chain. Who knows? Like you said, I love that answer. Stay tuned. It definitely is one of those to say like, you’re on that roller coaster right now. We’re just driving up very slowly to the peak for that initial drop.

So let’s take a look ahead, let’s say five, 10 years from now, how do you believe programs like yours, the Linux Foundation, this accredited initiative will help shape the next generation of developers, these researchers and security professionals?

Justin Cappos (16:30)
Well, what I really hope happens is I hope that this becomes something that’s moderately widespread at universities, where there’s quite a few schools that are going and doing this, and this leads to just an overall improvement of curriculum in general.

I don’t think it’s going to be like 100% of schools teach all of this stuff, but I think it could very easily be the case that we see very substantial adoption and really up and down the kind of chain of schools. So everything from community colleges all the way up to like, you know, tier one research institutions and stuff like this.

The other thing that I hope happens is that the Linux Foundation has other really great, you know, aspects to it that deal with things like, we have Automotive Grade Linux, and there’s a bunch of things related to blockchain with Hyperledger, and there’s other areas like this that I think could roll out their own, you know, accelerating academic accreditation initiative there, where they have their own things that, hey, if you want to get our badge of approval for your program, these are the types of things you need to be covering in your curriculum. So I’d love to see more parts of the Linux Foundation go and add an effort like this to their portfolio.

Yesenia (17:54)
Those are definitely interesting, and I’m sure they’ll take a note and add it to the backlog of lists. I know the Linux Foundation has a good source of courses, from the AI/ML development one when that was just released and a few others. But yeah, that’s.

Justin Cappos (18:09)
Yeah, and those courses are really great. Like the training courses are absolutely excellent. They tend to be more like teaching a specific skill in many cases than a more holistic thing to use in a university, where we try to teach more fundamentals and principles. And so they’re like an excellent supplement. I really encourage anybody who’s been through university and wants kind of a refresher on the latest and greatest. I think the Linux Foundation materials are terrific.

And one of the things that we’ll also see is, I’m not sure over time whether these academic accreditation materials that are being created at universities that are more suitable for those classes, if they’ll also start kind of blending together with some of these training courses that the Linux Foundation provides, or if they’ll always be separate kinds of things. It’ll be interesting to see how that all pans out.

Yesenia (19:12)
Yeah, definitely. And I personally like it as a supplement. As an industry professional, it’s like, they don’t take long, you know, an hour, an hour and a half of your time, and you get a refresh or just a deeper understanding of these spaces. You know, who knows what the next five, 10 years is, but I think from a cultural kind of perspective, I think we’re in a good space and leaning towards a very promising future.

So with that, we’re at the end of our interview and we’re gonna move over to our rapid fire. And here I’ll just ask a question and it should just be a quick response.

Justin Cappos (19:53)
Sounds good.

Yesenia (19:54)
So first question, first question: Vim or Emacs?

Justin Cappos (19:57)
Vim

Yesenia (19:57)
Books or podcasts.

Justin Cappos (19:59)
Books.

Yesenia (20:00)
Dungeons and Dragons or Magic?

Justin Cappos (20:02)
What is magic? Magic the Gathering? What is that? Dungeons and Dragons, I would say.

Yesenia: Magic the Gathering. Yeah, it’s a card game.

Yesenia (20:09)
Favorite retro video game?

Justin Cappos (20:12)
The original Legend of Zelda.

Yesenia (20:14)
Love it. Star Wars or Star Trek?

Justin Cappos (20:18)
Gosh, that has to be Star Trek, right?

Yesenia (20:21)
Everybody got their choice. Everybody got their choice. And then this one, I always like this one for chaos. Jif or gif?

Justin Cappos (20:30)
Is there a third option?

Yesenia (20:33)
You can add a third option.

Justin Cappos (20:35)
All right. Yeah, I don’t know that I can pronounce anything. Right, I’ll try a jiff.

Yesenia (20:44)
There we go, there you have it folks, another rapid fire. Just any last advice or thoughts for the audience?

Justin Cappos (20:52)
I would just say stay safe, use the latest and greatest software supply chain security tools. And if you’re interested in learning more about how to do them and how to work with them, there’s a couple of great places to go. Of course, the OpenSSF is just absolutely chock full of wonderful places, and also TAG Security and Compliance inside the CNCF, if you’re looking for more cloud native related security information, is a great resource and a great place to go.

Yesenia (21:23)
Thank you for that. I want to thank you for your impact and contribution to the open source ecosystem all these years. Many thanks to our communities of contributors, always driving these projects forwards. Justin, thank you so much for your time today. It was such a pleasure having this conversation.

Justin Cappos (21:40)
Thank you so much for having me. Yeah, this has been so terrific. Thank you so much.

Yesenia (21:44)
Thank you. We’ll catch you on the next episode.