Skip to main content

📩 Stay Updated! Follow us on LinkedIn and join our mailing list for the latest news!

All Posts By

craig

What’s in the SOSS? Podcast #16 – Dell’s Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level

By Podcast

Summary

In this episode, CRob sits down with Sarah Evans, security research technologist at Dell and Lisa Bradley, senior director of product and application security at Dell. They dig into the challenges of implementing secure open software at a complex enterprise.  

Sarah sits on the OpenSSF Technical Advisory Council and at Dell’s she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force.

Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell’s Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs.

Conversation Highlights

  • 02:38 How Dell is managing its ingestion and productization of open source software
  • 04:54 The complex task of managing open source software for a company the size of Dell
  • 06:34 The importance of executive support when implementing security initiatives
  • 10:40 Lisa and Sarah answer CRob’s rapid-fire questions
  • 12:40 Lisa and Sarah’s advice to aspiring developers and security professionals
  • 14:12 Lisa and Sarah’s call to action

Transcript

Sarah Evans soundbite (00:02)
That’s a game-changer when you can go into some of these technical engineering and security conversations and say well, it’s on Dell dot com, and we have a commitment to do this by a certain date and that partnership and that collaborative spirit really increases with that common goal.

CRob (00:20)
I’m CRob and I do security stuff on the internet. And I’m also a community leader within the OpenSSF. And one of the cool things I get to do with the OpenSSF is host What’s in the SOSS? And it’s a podcast where we talk about people within the open source ecosystem. And with us this week, I have two wonderful people that I’m so very pleased to call my friends. They both work at Dell. And so I want to introduce you all to Lisa Bradley and Sarah Evans. Ladies, welcome.

Lisa Bradley (00:49)
Thanks for having us.

CRob (00:50)
Maybe each of you just take a brief couple seconds to introduce like who you are and what you do.

Lisa Bradley (00:55)
Sure, I’ll take a stab first. Lisa Bradley, I’m in the product and application security team. I’m a senior director for Dell Technologies. My focus is vulnerability response or otherwise known as PSIRT in the industry. And I have the Bug Bounding program underneath me and some part of the Security Champion and our Dependency Management platform where we get to protect against open source and making sure that our customers are protected against the open source that we use in our product. And I also have a big part and role in the SBOM  initiative for Dell.

Sarah Evans (01:28)
I’m Sarah Evans. I am a security innovation researcher at Dell Technologies. I work in our global CTO research and development team. And I’ve had the opportunity in that role to get involved with OpenSSF, which is a foundation that is helping secure the open source software supply chain. Some of my efforts there are around the technical advisory council. And as a governing board observer and governance committee member, I also participate in the AI/ML working group. So this is a great topic because it brings something I’m passionate about, which is open source software security together with industry leadership that we’re doing within our company to improve our product security vulnerability response by improving our ingestion of open source software. So that’s really exciting.

CRob (02:20)
Dell is a very large OEM supplier of hardware and software solutions and you all use open source within your portfolio. Could maybe you talk a little bit about Dell’s open source journey and kind of maybe give us some insight into how you’re managing your ingestion and productization of open source software.

Sarah Evans (02:38)
I’ve been at Dell for four years. And when I joined the company and I got involved in OpenSSF and understanding our open source software supply chain, one of the things that really became obvious, especially through my work in partnership with Lisa and the security team, has been to kind of know your why, why are we doing this? And so our journey to secure our consumption of open source is really around protecting Dell customers and ensuring that they have a fortified supply chain. One of the quotes that I like is from Thomas Reed, where he says, the chain is only as strong as its weakest link, for if that fails, the chain fails. And so this is kind of the start of our journey and open source is doing the backwards math to understand how we need to secure our ingestion of open source software.

Lisa Bradley (03:26)
And that’s where I come in on the other side, is that when we’ve already released products that have open source in it, my job is to make sure that we are aware of the vulnerabilities in the open source that we’re using, that we inform those product teams and that those product teams go and get that update from that open source and repackage whatever their product is with it and ship that security update out to our customers to deploy those fixes for the open source vulnerabilities.

Sarah Evans  (03:55)
And just to add to what Lisa said, why this is so important for our company and our customers is that open source software has an outsized impact on our upstream link in our vulnerability. Open source has an outsized impact on the upstream link to vulnerability response because it’s everywhere. And Sonatype has done a really great research report where they showed that 98%  approximately of all code bases contain open source software and it’s vulnerable. 92% contain outdated or vulnerable code. And so if we are able to improve our processes around open source software ingestion and then the associated incident response it really has a big impact on the process as a whole.

CRob (04:34)
Dell is not a small provider. So this seems like this would be a really big task of trying to understand the scope of everything you’re using within open source and then like the vulnerability management piece. Could maybe the two of you shed a little insight into maybe some of the steps or how you started to implement some type of management of all this software?

Lisa Bradley (04:54)
A lot of it that we started with was SCA type of tools, doing scanning to make sure that we even knew about the inventory that existed because there were products written before the thought of having to do security or even the thought of having to know what your inventory is. So we spend a lot of time building up, making sure that we had the right tooling for our teams to understand that inventory.

Then we started focusing on shifting it left. So while we’re actually building to making sure that we’re scanning and knowing about our inventory throughout the whole process, not just after the fact when that product was available and that release was available. This has allowed us to have a strong inventory, not only of our open source, but our vendor components that we utilize and our internal components that we utilize.

So we’ve been focusing very heavily on making sure that our product teams have an inventory. It’s part of our SDL process. It’s one of the controls that they need to have an inventory. And then what we’ve been focusing on recently is making sure that we integrate that inventory into what I call DMP, which is our dependency management platform. And basically, we ingest the inventory. We could produce a customer-facing SBOM so that we have consistency of the SBOMs that we’re giving our customers and that we could understand the different parts of that inventory, especially in the open source side, so that we could be aware about the vulnerabilities. 

It has been a long journey. Tooling support has been key. Making sure that our product teams understand the importance of knowing what they put in their software and keeping up their software. It’s been quite a journey. We’re still on it, especially with some of the new things with SBOM and the new fun twists coming out with some of the regulatory asks. But I feel quite positive of where we’re at and where we’re continuing to go.

Sarah Evans (06:34)
And everything that Lisa just described is a huge effort on behalf of the company. And one of the things that we have found to be very helpful is the strong executive and operational support that security teams receive when they are on this technical journey to help work with engineers to accomplish and achieve all of these goals. The tone from the top has been really important and the executive support that we’ve had here at Dell has really been a very helpful driving force in accomplishing some of these challenging technical security goals in partnership with engineering. 

One of the things right now on Dell dot com are our ESG goals, our environmental, social and governance goals that talk about how we are building trust with our customers. And so there is a section that talks about some of those key drivers. One of those is the software bill of materials associated with some of that regulation that Lisa was just talking about. Now by 2025, 100% of all actively sold Dell designed and branded products and offerings will publish a software bill of materials, providing transparency on third party and open source components.

So that’s a game-changer when you can go into some of these technical, engineering and security conversations and say, well, it’s on Dell dot com and we have a commitment to do this by a certain date. And that partnership and that collaborative spirit really increases with that common goal.

CRob (07:58)
Very impressive to hear. Putting another hat on for the moment as security practitioner, I know it’s always a challenge as a internal security person to try to get that executive buy-in and that backing. Can you maybe share a little insight into how you all were able to get that? It sounds like it’s coming right from the very top of your organization. So that sounds amazing.

Lisa Bradley (08:20)
Our CISO is a big strong supporter of pushing the goals. And so a few of us worked together and provided him the suggested goals for the ESG. He took them further up to get them published. I think also one of the things that’s been helping us is we put together a PSoC and  within the PSoC, we’re really focused on the security practices and the product portfolio. It has executive leadershi extremely high up. And so bringing forward topics like the executive order and, you know, the EU CRA and other things like that.  And what do we see from the industry? What do we see from our customers and what are the right security practices we should be doing? 

And so the open source, the inventory, all of that have been brought into that. And then what we’ve done as a security team is we work through that and we worked with the different governance, security governance teams within the different, I’m gonna call them brands just to make it easier or business units, within the company to partner on joint goals together. It’s not that we’re working across just the security team into the team, but then there’s people that are right in the business that are pushing those goals also.

Sarah Evans (09:28)
Yes, and the Product Security Operations Committee gives senior leaders who are responsible for different parts of the company an opportunity to align on, yes, this is a hard problem. They align on timelines. They talk about, you know, this is the right thing to be doing. And then through that alignment, then they are able to go and execute with leadership to their teams. So it’s happening in the engineering teams, in the IT teams, and of course in our security teams. At a company the size of Dell, having that executive leadership alignment is also a really big driving force behind the success.

Lisa Bradley (10:06)
And there’s another layer and then there’s like layers underneath of like who’s gonna drive the different work streams to make it happen and then layers underneath of the people actually doing the work. It all sort of comes together. It is making our job on the security team significantly easier when we can say things like there’s an ESG goal, there’s a regulatory ask and there is a PSoC-approved goal that came up from above. In the past we were always struggling to get that attention in the security space. And now a lot of these things that we put in place are helping get that attention and drive that awareness. And we’re hearing significantly less no’s than we ever used to.

CRob (10:40)
It’s really amazing to hear about the progress that you’ve made with your security programs and just how you’ve embraced a lot of kind of open source ideals and your integration with open source within your organization. So let’s move on to the rapid-fire section of the talk here. First question to both of you: spicy or mild food?

Lisa Bradley (11:01)
Spicy, I’m from Buffalo.

Sarah Evans (11:04)
Mild. (Laughter)

CRob (11:06)
Next question. Open or closed source?

Lisa Bradley (11:09)
Open.

Sarah Evans (11:10)
open.

CRob (11:11)
Yeah, alright, right answer. Next question. This was predominantly focused at Lisa. Trigonometry or calculus?

Lisa Bradley (11:18)
Calculus. That was easy! I didn’t have to blink! (Laughter)

CRob (11:22)
Alright, next question to both of you, bourbon or Scotch?

Lisa Bradley (11:26)
Tequila. (Laughter)

Sarah Evans (11:27)
Bourbon.

CRob (11:28)
Fair, fair. And then because I know that Lisa was a developer back in her way past: tabs or spaces?

Lisa Bradley (11:34)
That’s a hard one. Tabs!.

CRob (11:37)
And, Sarah, did you ever get the opportunity to do development in your past?

Sarah Evans (11:40)
No, I haven’t.

CRob (11:42)
You’re exempt from the tabs versus spaces debate.

Sarah Evans (11:46)
Actually, because I didn’t do development in my past, I had some real imposter syndrome about getting involved in open source software and the security of it. But I leaned in and I have been able to overcome that. So especially with support from colleagues such as yourself, CRob.

CRob (12:04)
And that’s what I honestly love about the open source ecosystem is that allows people to contribute their best selves. How are they best see fit? Some people rate code. Some people help provide that translation from like regulatory speak or InfoSec speak to the development community. So yeah, I appreciate these different perspectives. So as we wind down here, a couple of questions for you. What advice might you two ladies be able to share with people that are new to the ecosystem? Someone that wants to get into open source development or cyber security.

Lisa Bradley (12:40)
One of the things that Sarah just sort of pointed out is that you don’t have to always be a technical person. There’s always passion and drive and there’s a lot of information out there that you could look at to learn. So don’t be afraid to learn and jump in. We all need all the help that we could get right now, I think. Making sure that we continue to fight the good fight is important. So don’t be afraid to jump in.

Sarah Evans (13:04)
And on the flip side of that, I had a dollar for every time that I worked with a software developer who prefaced any conversation with me by saying, well, I’m not a security person, I would probably be on an island in Fiji right now. Security is one of these topics that you have been exposed to without even realizing it. And so you can definitely always build from what you know and launch into how what you know ties into security. I did a recent talk at Open Source Summit with my colleague Jay White, and we posited that being in security is sometimes like a driver’s license. There’s people of all occupations and careers and lifestyles sitting behind the wheel on the highway when we’re sitting in rush hour traffic. But we all have these common driver’s license and rules of the road that we follow. And so understanding security principles is something that everyone and anyone can learn and that software developers, including open source software developers are in a perfect position to bring into their knowledge suite.

CRob (14:06)
And then finally, either of you have a call to action you want to share with our audience to help inspire them?

Lisa Bradley (14:12)
One of the things that is top of mind is AI and how do you utilize AI now to be better at the job that you do in security and be safer and the better protect your customers. And the other thing that comes to mind is you should always be thinking of your customers. They are always the most important things to protect. And so have that viewpoint when you’re coding, when you’re developing, how long you’re taking the fixed vulnerabilities knowing about vulnerabilities, knowing about what you’re consuming in the first place, trusting what you consume — all of that sort of all comes into play. And just think about the customer viewpoint when you’re doing all that job.

Sarah Evans (14:49)
And I would encourage and call any open source developer, every open source developer, that as you’re innovating with an emerging technology, to think about the lessons learned from the prior decades and bring those forward with you into the place where there’s a lot of unknowns. So as Lisa pointed out, AI is a space in which we’re really leaning in around the innovation. But those software development and security lessons and system security lessons that we’ve learned the past decade still very much apply going forward. Even though we still have a lot of unknowns that we haven’t figured out, I call to action all open source software innovation developers to continue leveraging security fundamentals. And if there is an opportunity to innovate to incorporate those more easily and smoothly, lets figure out how to do that.

CRob (15:42)
Ladies, I really appreciate you both showing up today on What’s in the SOSS? And I think keep up the amazing work of your program at Dell and please keep being amazing contributors to our open source ecosystem. And that’s a wrap. Thanks folks.

Announcer (15:57)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF dot org slash get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #15 – Bidding Adieu to Omkhar Arasaratnam

By Podcast

Summary

In this episode, CRob chats with Omkhar Arasaratnam, who has served as the general manager of the OpenSSF and was co-host of What’s in the SOSS? As Omkhar moves on to the next chapter of his occupational journey, he reflects on his tenure with the OpenSSF, shares his open source origin story and highlights the achievements of the OpenSSF and the tactics he used to engage different stakeholders.

Conversation Highlights

  • Omkhar shares his open source origin story
  • 02:14 – Things Omkhar is proud of during his tenure at the OpenSSF
  • 04:36 – The challenge of keeping myriad stakeholders engaged
  • 07:12 – Areas of open source supply chains that public policymakers and regulators should better understand
  • 09:44 – Some challenges ahead for the open source ecosystem
  • 14:58 – Omkhar answers CRob’s rapid-fire questions
  • 17:57 – Omkhar’s advice for people entering the open source community

Transcript

Omkhar Arasaratnam soundbite (00:01)
Finding a way to bring technical knowledge to somebody that may not be as technical or non-technical knowledge and options to those that are deeply technical is definitely an area where I chose to spend a lot of my time. And hopefully to some good effect.  

CRob (00:19)
Hello everybody, I’m CRob. I do security stuff on the internet and I’m also a community leader within the OpenSSF. And one of the cool things I get to do is I get to host “What’s in the SOSS?” the OpenSSF security podcast where we talk to amazing people within the open source ecosystem. And today we have a real treat. My dear friend and pal, Omkhar is here with us. For those of you that don’t know, Omkhar has been with us for the last year and half as the general manager of the Open Source Security Foundation. And today we’re going to talk a little bit about kind of reflecting upon his tenure here with the foundation. Maybe start us off, Omkhar. I don’t know if anyone has officially heard, but could you share with us kind of what your open source origin story was?

Omkhar Arasaratnam (01:04)
Absolutely. It’s a pleasure to be here on this side of the table. I began messing around in open source back in the late 90s. I actually began my career at IBM and very humble beginnings. I began doing tech support. So for all those that have seen the tropes about, you all the best folks start in tech support, I heartily endorse that. Going through the ranks of tech support, IBM was quite focused on ensuring that their PowerPC platform was well supported under Linux. And there was just this nexus of me having time on my hands, me being interested in the subject and dabbling around. So to answer your question, my earliest kind of foray into open source was back in the late 90s. So that’s like 25 years ago. Been a minute.

CRob (01:52)
We will not speak of dates, sir. That will not reflect well on either of us.

Omkhar Arasaratnam (01:56)
Indeed, indeed. I am noticing that in the camera that you guys can’t see, there may be a few grays in my hair that we’ll need to address. (laughter)

CRob (02:06)
Reflecting back on your tenure here within the OpenSSF, what are you most proud of that we’ve achieved over the last year?

Omkhar Arasaratnam (02:14)
That’s a really interesting question. I’ll bifurcate this into the behind the scenes versus what we’ve what we’ve been able to provide kind of outwardly facing. When I joined May 1st, 2023, my goal was to make board meetings boring. I guess the preconditions that we needed to satisfy in order for that to be true included building up trust, building up predictability, building up a cadence and a rigor where people felt like even when they weren’t actively involved in a meeting ,the right thing was being done so I was quite proud that I guess our last board meeting was in August and Seemed pretty boring to me. (laughter) That’s a good thing.

The thing I was most proud of from an outwardly-facing perspective was the work that we did around the technical initiative funding process. So for those that aren’t aware, we have a number of technical initiatives under the OpenSSF, both code hosting as well as specs and documentation and stuff like that. And in conjunction with the TAC and the board, we came up with a way of basically writing grants once a quarter for any of our technical initiatives. And I think that’s a great way of taking and taking the funds that the foundation has and really deploying them to good use. 

We have this really, really daunting task of securing all the open source. And any way that we can find to create these asymmetric opportunities where the amount of effort going in doesn’t necessarily scale linearly with the positive effect coming out, we need to take advantage of them. And, you know, there’s so much goodwill and elbow grease that engineers can put in and eventually we may need to solve funds. So I was really proud of the work that we did. And thank you for the collaboration on that as the lead of the TAC, around putting in the technical initiative funding to support our technical initiatives at the OpenSSF.

CRob (04:16)
I agree. I was very proud of us being able to implement that. Thinking of it, we live in a really complex space. We have a lot of different personas and stakeholders we get to engage with. Could you maybe share with us some of the tactics that you use to help keep these different stakeholders engaged throughout your tenure?

Omkhar Arasaratnam (04:36)
I’ll first self-reflect and say I’m not sure that I did a perfect job at it, but I certainly tried my best constrained by the amount of hours in a day, the amount of, you know, time zones that we have to cross and all that. What I try and anchor on is really trying to find a way to figure out what a win is for each person and, conversely, what they’re most concerned about. And in some cases, a win for one person may not be completely aligned with a win for others and we need to be able to construct our goals in such a way that we’re achieving maximum happiness, which at times may disenfranchise others. But I think with any of these spects of engagement, the best thing — the thing that always rings true — is to have a transparent and clear decision-making process.

And whether you agree with the outcome of the decision or not, nobody feels like they were they were done wrong. Like nobody feels like somebody achieved something through a sleight of hand. And I think by building that trust, that’s most important. I also think that, I mean it seems obvious, but everybody comes with a different background and a different perspective. So when we’re speaking to senior leaders within the government who are very adept at working through their legislative process in order to make stuff happen for citizens, that’s a very different set of skills than somebody that may be an expert in cryptography. 

And being able to find a way to align between the two is is an area I spent a lot of time. And I admit this as a software engineer, right, there are people that are genuinely smart in their own way. Just because you don’t understand data structures and algorithms doesn’t mean that, you know, you’re automatically demoted to the bottom of the stack. Quite the contrary, finding a way to be able to bring technical knowledge to somebody that may not be as technical or non-technical knowledge and options to those that are deeply technical is, is definitely an area where I chose to spend a lot of my time and hopefully to some good effect.

CRob (06:54)
One of the stakeholders we worked a lot with were broadly government bodies. So thinking about that, is there one thing that you wish these global public policymakers and regulators understood better about open source software and open source software supply chains?

Omkhar Arasaratnam (07:12)
Yes, and honestly, think this applies not just to governments, but all of the stakeholders, right, and those stakeholders could be members of the community, it could be government, it could be private corporations, it could be foundations. Everybody needs to figure out what that Rosetta stone is so that we can move forward.

One of the tripping hazards that we had early on — to quote a specific and well-known issue — was with the CRA, the Cyber Resilience Act in Europe. There were some provisions in early drafts which weren’t necessarily best aligned with the open source community. And specifically there were some concerns around how, at least in very early drafts, open source maintainers may have liabilities associated with software defects, or contributors could have liabilities associated with their contributions. And it just didn’t fit the culture of open source.  

And, you know, when push came to shove, there was a point at which when certain executives within the European Commission were asked, well, why didn’t you ask? They said, well, you know, we asked and nobody turned up. And the mediation that needs to occur in order to provide a good outcome is that neither party can kind of sit in their corner with their arms crossed and be like, hey, you meet me, you meet me here. There has to be a meeting in the middle. 

The good news story coming out of this is, I think, through a lot of hard work within the OpenSSF, as well as other foundations, there has been a much more constructive discussion around the CRA. The government, I believe, has understood the best way to engage the community, and the community has also coalesced around certain forums in which they can express their concerns as well as provide an opportunity to provide feedback on how the implementation will go. 

To get back to it, I think this anecdote really provides a clear view of why we need to be able to meet in the middle. And as I said, that extends not only between government and the community, but also foundations in the community, the community and commercial entities, things of that nature. If we can really figure out how to collaborate rather than attempting to conform one party to the other party’s thinking, that’s what really gets us to the best outcome.

CRob (09:36)
It’s a great perspective. Let’s get out our crystal ball. What challenges do you see ahead of the open source ecosystem?

Omkhar Arasaratnam (09:44)
I want to start by acknowledging and fact-dropping. So my good buddy, Frank Nagel over at Harvard Business School produced a study which determined that the supply side of open source, that’s the amount of money that goes into building, sustaining, contributing to open source,is about four, just over $4 billion. That’s a lot of, a lot of money. But the demand side, like the value provided through that investment is about $8.8 trillion with a T. That’s,  I mean, I don’t even know how many commas is in that. I think that’s —

CRob (10:22)
I ran out of fingers. (laughter)

Omkhar Arasaratnam (10:24)
Gonna have to start counting toes soon.  And of course there’s the oft-quoted, study from Sonatype that cites, and like my genuine opinion and I’m not questioning Sonatype’s calculation here, is that this is probably an undercount and that 90% of commercial software contains open source. So putting that together, the curation of open source and ensuring that it is secure isn’t just, an intense desire by a bunch of geeks. It is securing public good. It’s an incredibly important mission and something that we should take very seriously as we gaze into that crystal ball. 

Some of the hurdles that I worry about in the future are, an we used to, we used to talk about this when I worked in corporate, bad people don’t care about your risk acceptances, right? Like they’re not going to be like, oh your record of compliance excluded that system. Okay. I’m not going to append that. That’s just not how things work. 

And I think the analog in open source is less about like a particular control or a particular scope statement or a particular risk acceptance, but more around Balkanization. What I really worry about is that we’ll align into these little fiefdoms — be it in the community, be it in the commercial sector, be it in the public sector, like wherever, we’ll align to these little fiefdoms — and the bad person that’s trying to make a bad thing occur will be able to jump over these walls quite easily and trivially because that Balkanization results in a failure mode that they can exploit. 

I know there’s a lot of pride in open source that comes from meritocracy in that anybody can contribute. Anybody can, make a suggestion, and ultimately it’s up to the maintainers and community whether to accept that. But what i’ve noticed is there’s also the other side of it, which is if we drift too far We get into a scenario Where the project itself becomes Balkanized and is no longer accepting open ideas.

So there’s this balance between having this meritocracy and a healthy culture, and the culture devolving into something that’s unhealthy which causes concerns about safety in terms of people not wanting to contribute and various aspects of the community dwindling. The strength of the open source community is the community. And we produce some of our greatest code through community collaboration based on meritocracy.

I get really uncomfortable and concerned when discussions or debate drift outside of, you know, passionate debate on sides of which the better text editor is and into, you know, things drifting into thought police territory. I think that can be quite a negative. I think the other side of it is, back to the HBS study, order of magnitude difference between investment and the outcome. Y’all need to step up. And by y’all, I mean private sector and public sector. I think there are a lot of good actors within the ecosystem. I think, I’ve seen a lot of great contributions from larger organizations and smaller organizations alike. 

On the public sector side, we have organizations like the Sovereign Tech Fund in Germany. I’d love, as a taxpaying American citizen, to see our government put money behind open source. There has been great progress that has been made through various federal, state and local and tribal organizations within the US. But I would love to see something like the US equivalent of a Sovereign Tech Fund run within our government. I know this is a lofty goal as we record this two months before a presidential election, but I’d love to see that. 

I will state in closing that not all of our problems are financial. Through various OpenSSF programs including the Technical Initiative Funding and Alpha Omega, I can assure you all the problems aren’t technical. But if we can kind of get those out of the way, focusing on some of the gnarlier, non-technical problems start to become a bit easier.

CRob (14:58)
Very nice. Well said, sir. Thank you. Well, let’s move along to the rapid-fire part of the show. (sound effect: “Rapid fire!”) First question. Omkhar, what’s your go-to Linux distro?

Omkhar Arasaratnam (15:11)
I am currently a Debian guy. Although I have a clear Linux install from our good friends at Intel. 

Back in my day, I used to be a Gentoo developer. I used to be a maintainer for the PowerPC64 platform as part of my duties at IBM. So that’ll always hold a place in my heart, and I need the audience to know if you are running Google Chrome OS, that is literally built on Gentoo portage. So you’re using Gentoo in my opinion.

CRob (15:41)
Hahahaha! Very nice. Thinking back across your career, what’s your favorite programming language and why?

Omkhar Arasaratnam (15:48)
Oh, it’s C because that’s where I cut my teeth and I can make all kinds of heinous mistakes in it. Although in my recently-found free time, I, I — Rust community, don’t hate me — I tried picking up Rust, and it’s hard to bend my brain around it. It’s a me problem. It’s not a Rust problem. But I did find for whatever reason, Go to be very intuitive. And I don’t know whether part of it was knowing Pascal in my past, but I just found, like, I picked up Go in a weekend. Rust. we’re, we’re having counseling sessions.

CRob (16:25)
Hahaha! Very nice. Thinking across the amazing, the many things you’ve put in your mouth, what’s your favorite adult beverage?

Omkhar Arasaratnam (16:35)
Oof. I’m going to go with — my preferences around beer are in the extremes. So I like really dark, heavy porters and stouts. And I like right light crisp Pilsner’s and I’m not a big hops fan. The in-between isn’t an area I dwell much in. So looking at the darker side, there is, I think it’s a stout, maybe a porter, called Mexican Cake, which is super dark, super heavy, really sweet and has a habanero back to it. And as a —

CRob (17:10)
What?

Omkhar Arasaratnam (21:43.83)
Yeah, it is, it is great! So that, that is currently top of mind.

(Sound effect: “Oh, that’s spicy!”)

Haha! That’s right. That’s right, it is.

CRob (17:20)
And potentially the most controversial question of all, what’s your favorite open source mascot?

Omkhar Arasaratnam (17:27)
Honk. I mean, without question. Close second is Tux the Penguin.

CRob (17:32)
Nice. Well said, sir. Thank you very much for playing. (Sound effect: “That’s saucy!” )As we wrap up today, I want to thank you for your partnership . It’s been incredible to work alongside you, helping the community and helping our different stakeholders. What advice do you have? If there was an inspired listener out there, how could you encourage them or route them to be able to participate and join this amazing community?

Omkhar Arasaratnam (17:57)
I’ll do you one better. I’ll give you, I’ll give, I’ll give two bits of advice. The first to the community itself. Be welcoming and know your biases. We shouldn’t be increasing hurdles to entry for getting people to participate. Like, the intellectual hazing that sometimes occurs is unnecessary and it leads to really bad outcomes and discourages people. For those that do want to participate, roll up your sleeves and join. 

I mean, to take the OpenSSF community as an example, one of which I know quite well, join the Slack. Join the weekly meetings, show up on the mailing list, participate. There is no judgment. There is no downside. And by engaging in the community, you will get to contribute to making open source more secure for everyone. And we don’t just need software engineers. We need people that are community managers. We need people that are in marketing. We need people that are DevRel, we need everyone. So show up and find out the topic that’s most interesting. 

I’ll say the other thing to bear in mind for those that are looking to participate for the first time, this is largely a homogenous group of volunteers that are only driven by contributing. So if you want to volunteer, don’t show up and be like, hey, we’re can I help? Do a little bit of digging.

See which topic interests you the most. And hey, if you don’t see one, maybe that’s an opportunity to create a new work group or a SIG.

CRob (19:30)
Very nice, thank you. That was some excellent advice. And again, it has been a pleasure. I look forward to catching up with you in the future as you go off on your adventures and start your new journey. Thank you for everything you’ve done for us.

Omkhar Arasaratnam (19:434)
It’s been a pleasure. Thank you for giving me the opportunity to serve the community, and I stand by the sidelines cheering y’all on. I really believe in the mission. can’t wait to see all the great things that y’all are going to accomplish moving forward. (Sound effect: “The SOSS is the boss!”

CRob (19:59)
Thank you, sir. And with that, well, this is a wrap. Have a great day, everybody.

Omkhar Arasaratnam (20:02)
Thanks, you too, CRob.

Announcer (20:04)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #14 – CoSAI, OpenSSF and the Interesting Intersection of Secure AI and Open Source

By Podcast

Summary

Omkhar is joined by Dave LaBianca, security engineering director at Google, Mihai Maruseac, member of the Google Open Source Security Team, and Jay White, security principal program manager at Microsoft. David and Jay are on the Project Governing Board for the Coalition for Secure AI (CoSAI), an alliance of industry leaders, researchers and developers dedicated to enhancing the security of AI implementations. Additionally, Jay — along with Mihai — are leads on the OpenSSF AI/ML Security Working Group. In this conversation, they dig into CoSAI’s goals and the potential partnership with the OpenSSF.

Conversation Highlights

  • 00:57 – Guest introductions
  • 01:56 – Dave and Jay offer insight into why CoSAI was necessary
  • 05:16 – Jay and Mihai explain the complementary nature of OpenSSF’s AI/ML Security Working Group and CoSAI
  • 07:21 – Mihai digs into the importance of proving model provenance
  • 08:50 – Dave shares his thoughts on future CoSAI/OpenSSF collaborations
  • 11:13 – Jay, Dave and Mihai answer Omkhar’s rapid-fire questions
  • 14:12 – The guests offer their advice to those entering the field today and their call to action for listeners

Transcript

Jay White soundbite (00:01)
We are always talking about building these tentacles that spread out from the AI/ML security working group and the OpenSSF. And how can we spread out across the other open source communities that are out there trying to tackle the same problem but from different angles? This is the right moment, the right time and we’re the right people to tackle it. 

Omkhar Arasaratnam (00:18)
Hi everyone, and welcome to What’s in the SOSS? I’m your host Omkhar Arasaratnam. I’m also the general manager of the OpenSSF. And today we’ve got a fun episode for y ‘all. We have not one, not two, but three friends on to talk about CoSAI, OpenSSF AI and ML, how they can be complementary, what they do together, how they will be focusing on different areas and what we have ahead in the exciting world of security and AI/ML. So to begin things, I’d like to turn to my friend David LaBianca. David, can you let the audience know what we do?

Dave LaBianca (00:57)
Yep, hey, so I’m David LaBianca. I’m at Google and I’m a security engineering director there and I do nowadays a lot of work in the secure AI space.

Omkhar Arasaratnam (01:06)
Thanks so much, David. Moving along to my friend Jay White. Jay, can you tell the audience what you do?

Jay White (01:16)
I’m Jay White. I work at Microsoft. I’m a security principal program manager. I cover the gamut across open source security strategy, supply chain security strategy, and AI security strategy.

Omkhar Arasaratnam (01:23)
Thank you, Jay. And last but not least, my good friend Mihai. Mihai, can you tell us a little bit about yourself and what you do?

Mihai Maruseac (01:30)
Hello, I am at Google and I’m working on the secure AI framework, mostly on model signing and supply chain integrity for models. And collate with the GI, I collate the OpenSSF AI working group.

Omkhar Arasaratnam (01:43)
Amazing. Thank you so much and welcome to one and all. It is a pleasure to have you here. So to kick things off, who’d like to tell the audience a little bit about CoSAI, the goals, why did we need another forum?

Dave LaBianca (01:56)
I can definitely jump in on that one, Omkhar. I think it’s a great question. What we saw since, you know, ChatGPT becoming a big moment was a lot of new questions, queries, inbounds to a whole bunch of the founders of CoSAI surrounding, hey, how are you doing this securely? How do I do this securely? What are the lessons learned? How do I avoid the mistakes that you guys bumped into to get to your secure point today?

And as we all saw this groundswell of questions and need and desire for better insight, we saw a couple things really happening. One is we had an opportunity to really work towards democratizing the access to the information required, the intelligence required, the best practices required to secure AI. And then everybody can execute to their heart’s content at whatever level they’re able to, but it’s not about not knowing how to do it. So we knew that that was our goal. 

And then why another forum? It was because there’s amazing work going on in very precise domains. OpenSSF is an example, but also great work in Frontier Model Forum, in OWASP, in Cloud Security Alliance, on different aspects of what you do around AI security. And the gap we saw was, well, where’s the glue? Where’s the meta program that tells you how you use all these elements together? How do you address this if you’re an ENG director or a CTO looking at the risk to your company from the security elements of AI?

How do you approach tying together classical systems and AI systems when you’re thinking about secure software development, supply chain security? How do you build claims out of these things? So the intent here was, well, how do we make the ecosystem better by filling that gap, that meta gap, and then really working hand in hand with all of the different forums that are going to go deep in particular areas? And then wherever possible, you’ll figure out how we fill any other gaps we identify as we go along.

Omkhar Arasaratnam (04:00)
That’s great. Jay, Mihai, anything to add there?

Jay White (04:02)
Nothing to add, just a bit of a caveat. When David and I spoke way back early on in this year, I was extremely excited about it because as he said, what’s the glue that brings it all together? And you know, up to that point, Mihai and I had already started the AI/ML Security Working Group under the OpenSSF. We’re sitting here thinking about security from the standpoint of well, what’s happening now with these open large language models? How are we creating security apparatus around these models? How is that tying into the broader supply chain security apparatus? And what ways can we think about how to do that kind of stuff? 

And then of course, when I met David, I said, man, this is phenomenal. We are always talking about building these tentacles, right? The tentacles that spread out from the AI/ML security workgroup in the OpenSSF. How can we spread out across the other open source communities that are out there trying to tackle the same problem but from different angles? So, this the right moment, at the right time and we’re the right people to tackle it.

Omkhar Arasaratnam (05:01)
That’s a great summary, Jay. It takes a village for sure. Now we have two of the OpenSSF AI work group leads on the podcast today. So, I mean, how does this relate to the work that we’re doing there, guys? Sounds very complementary, but could you add more color?

Jay White (05:17)
The way that we think about this is well, let’s start with the data. Let’s start with the models and see how we can build some sort of guidance or guideline or spec around how we sign models and how we think about model transparency. And then of course, bringing on a SIG, the model signing SIG, which actually built code. We have an API, a working API that right now we’re taking the next steps towards trying to market. I’ll let Mihai talk about that a little bit further. As a look forward into this conversation, I sit in both CoSAI and AI/ML Security Working Group. So, when we get to that level of discussion, the tie-in is amazing. But Mihai, please talk about the technical stuff that we got going on.

Mihai Maruseac (06:03)
We have two main technical approaches that we have tackled so far in the working group and they are very related. So one is model signing and the other one is trying to get moving forward for some way of registering the supply chain for a model. So the provenance, the SLSA provenance are similar. And I’m saying that they are both related because in the end, in both of these, we need to identify a model by its hash, so we to compute the digest of the model. 

As we work for the model signing, we discover that just simple hashing it as a Blob on disk is going to be very bad because it’s going to take a lot of time. The model is large. So we are investigating different approaches to make hashing efficient. And they can be reused both in model signing and in provenances and any other statement that we can do about AI supply chain. They would all be based on the same hashing scheme for models.

Omkhar Arasaratnam (07:02)
And Mihai, maybe to drill into that a little bit for the folks listening in the audience. So, we can use various hashing techniques to prove provenance, but what does that solve? Why is it that we want provenance of our models? What does that allow us to better reason over?

Mihai Maruseac (07:21)
Yeah, so there are two main categories that we can solve with the hashing of a model. One is making sure that the model has not been tampered with between training and using it in production. We have seen cases where model hubs got compromised and so on. So we can detect all of these compromises before we load the model. The other scenario is trying to determine a path from the model that gets used into an application to the model that got trained or to the data sets that have been used for training. 

When you train a model or when you have a training pipeline, you don’t just take the model from the first training job and put it directly into the application. In general, there are multiple steps, fine-tuning the model, combining multiple models, or you might do quantization. You might transform a model from one format to another.

For example, right now, a lot of the people are moving from pickle formats to safe tensile formats. So each of these steps should be recorded. In case there is some compromise in the environment, you will be able to detect it via the provenance.

Omkhar Arasaratnam (08:27)
Got it. David, I know that your focus has been more on the leadership of CoSAI, but certainly, it’s not the first time you and I have spoken about OpenSSF. I’m curious as you look across the work at OpenSSF, if there’s other opportunities where we may be able to collaborate in CoSAI and how you see that collaboration evolving in the future.

Dave LaBianca (08:50)
I think it’s a great question. We have three in our real work streams. One of them is fundamentally around AI software supply chain, secure software development frameworks. The other two are preparing the defender and AI security governance. But the beginning, the inception of this conversation around that CoSAI wanted to do something in this AI secure supply chain space was conversations with Mihai and others at Google, and Jay, and realizing that there were actually lots of opportunities here. 

You know, one of them that was really straightforward from everybody was, hey, nobody’s really just looking for a provenance statement when you’re a CTO, CIO, director or the like. They want to claim there’s something they’re trying to prove to the outside world or at least state to the outside world. How you compose all of those elements together, especially when it’s not just a model, it’s your entire application set that you’re binding this to. 

It’s the way you did fine-tuning or the way you’re using large token prompts, pulling it all together and being able to make that claim. There needs to be guidance and best practices and things that you can start from so that you don’t have to figure this out all out yourself. So that was one key area. 

Another area was there’s really truly amazing efforts going on in OpenSSF in this element of the AI space on provenance. One of the things that we feel that a group like CoSAI can really help with is collaborating on what are those additional not technical bits of how you prove or create the provenance statement, but what are the other things that over time a practitioner would want to see in a provenance statement or be able to be attested to with a providence statement so that the provenance statement actually ties more closely to a claim in the future? You know, things like, hey, should we have to state what geography the training data was allowed for as part of a statement as you go forward? Things like that. 

So bringing that AI expertise, that ecosystem expertise around things that people want to do with these solutions. And then working with and collaborating with OpenSSF on what does that mean? How do you actually use that? Do you use that in a provenance statement? We see that that’s the type of amazing opportunity, especially because we have really wonderful overlap. Having Jay and Mihai as part of this and all of the other board members that are doing OpenSSF, we see this really great opportunity for collaboration. There’s always that possibility that teams bump heads on things, but like the idea that we’re all working towards the same mission, the same goal, it should be good challenges as we get to the weird edges of this in the future.

Omkhar Arasaratnam (11:13)
And that’s certainly one of the biggest benefits of open source that we can all collaborate. We all bring our points and perspectives to a particular problem area. So at this part of the show, we go through three rapid-fire questions. This is the first time we’ve had three guests on. So I’m going to iterate through each of y’all. Feel free to elaborate. As with any of these answers, I’m going to give you a couple choices. But a valid answer is no, Omkhar, actually, it’s choice number X and here’s why. Fair warning: the first question I’m gonna make judgment and the first question is spicy or mild food? Jay White, let’s begin with you.

Jay White (11:53)
You know what? Somewhere in the middle. I like some things spicy. I like some things mild. I like my salsa spicy, but I’m not a fan of spicy wings.

Omkhar Arasaratnam (12:02)
I mean that was a politically correct statement. Let’s see if Mihai has something a little more deterministic.

Mihai Maruseac (12:08)
I am kind of similar to Jay, except on the other side. I like the spicy wings, but the mild salsa.

Omkhar Arasaratnam (12:15)
Oh man, you guys, you guys, you guys need to run for office. You’re just trying to please the whole crowd. Dave from your days on Wall Street, I know you can be much more black and white with, are you a spicy guy or a mild guy? 

Dave LaBianca (12:29)
Always spicy. 

Omkhar Arasaratnam (12:30)
Always spicy. See, that’s why Dave and I are going to hang out and have dinner next week. All right. Moving into another controversial topic: text editors, Vim, VS Code, or Emacs? Let’s start with Mihai.

Mihai Maruseac (12:43)
I use Vim everywhere for no matter what I’m writing.

Dave LaBianca (12:45)
I mean, it’s the only right answer. I mean, there’s only one right answer in that list and Mihai just said it. So, I mean, like that’s easy.

Omkhar Arasaratnam (12:51)
Absolutely. How about you, Jay? What are you going to weigh in with? 

Jay White (12:54)
It’s Vim. It’s the only answer.

Omkhar Arasaratnam (12:59)
The last controversial question, and we’ll start with Mr. LaBianca for this. Tabs or spaces?

Dave LaBianca (13:09)
That we even have to have this argument is more of the fun of it. It’s got to be spaces. It’s got to be spaces. Otherwise somebody’s controlling your story with tabs. And like, I don’t want that. I want the flexibility. I want to know that I’m using three or I’m using four. It’s spaces.

Omkhar Arasaratnam (13:23)
There’s a statement about control embedded in there somewhere. Mihai, how about you?

Mihai Maruseac (13:28)
I prefer to configure a formatter and then just use what the formatter says.

Omkhar Arasaratnam (13:34)
Ahh, make the computer make things consistent. I like that. Jay?

Jay White (13:38)
I’m spaces. I’m with David. I had to use a typewriter early on in life.

Omkhar Arasaratnam (13:42)
Hahaha. I got it.

Dave LaBianca (13:47)
I have those same scars, Jay.

Jay White (13:48)
Hahaha. Yeah!

Omkhar Arasaratnam (13:52)
So the last part of our podcast is is a bit of a reflection and a call to action. So I’m going to give each of you two questions. The first question is going to be what advice do you have for somebody entering our field today? And the second question will be a call to action for our listeners. So Mihai, I’m going to start with you, then we’ll go to Jay and wrap up with Mr. Labianca. Mihai, what advice do you have for somebody entering our field today?

Mihai Maruseac (16:52.204)
So I think right now the field is evolving very very fast, but that shouldn’t be treated as a blocker or a panic reason. There is a firehouse of papers on archive, a firehouse of new model formats and so on, but most of them have the same basis and once you understand the basis it will be easier to understand the rest.

Omkhar Arasaratnam (14:35)
Thanks, Mihai. What’s your call to action for our listeners?

Mihai Maruseac (14:39)
I think the principle call to action would be to get involved into any of the forums that we are talking about AI and security. It doesn’t matter which one, start with one and then from there expand as time allows to all of the other ones.

Omkhar Arasaratnam (14:52)
Jay, what advice do you have for somebody entering our field today?

Jay White (14:56)
Fundamentals, fundamentals, fundamentals. I can’t stress it enough. Do not start running. Start crawling. Take a look at you know, what was old because what was old is what is new again, and the perspective of what is old is lost on today’s engineer for automation and what’s new. So, your perspective might be very welcomed, especially if you concentrate on the fundamentals. So, anyone coming in today, become a master of the fundamentals, easiest path in and that way your conversation will start there and then everyone else who’s a bit more advanced will plus you up immediately because respect to be given to those fundamentals.

Omkhar Arasaratnam (15:39)
Completely agree. Fundamentals are fundamentals for a reason. And what is your call to action for our listeners?

Jay White (15:46)
So, my call to action is going to be a little different. I’m going to tackle this making a statement for everyone but targeting underrepresented communities because I also co-chair the DE&I working group inside of OpenSSF as well. I feel like this is an excellent opportunity not just for me to tackle it from this standpoint in terms of the AI/ML security working group but also for CoSAI as well. Look, just walk into the walk into the room. I don’t care whether you sit as a fly on the wall for a couple of minutes or whether you open your mouth to speak. Get in the room, be seen in the room. If you don’t know anything say, hey guys, I’m here, I’m interested, I don’t know much, but I want to learn. And be open, be ready to drink from the firehose, be ready to roll up your sleeves and get started. And that’s for the people in the underrepresented community.

And for everyone I would say, I would generally say the same thing. These rooms are free. The game is free. This is free game we’re giving you. Come in and get this free game and hold us accountable. And the merging of information security in general, cybersecurity down into this great AI engine that’s spinning back up again. The merging of these worlds are colliding at such a rapid pace, it’s an excellent time to get in and not know anything. Because guess what? Nine times out of ten, the people in there with the most to talk about don’t know anything either. They’re just talking and talking and talking until they say something right. So, get in and be ready and open to receive.

Omkhar Arasaratnam (17:28)
Those are extremely welcoming words and that outreach is welcome and amazing. Wrapping things up, Mr. LaBianica, what advice do you have for somebody entering our field today?

Jay White (17:41)
So I think honestly, it’s gotta be leaning into where Jay was going. For me, foundational security is the way you don’t speed run the last 40 years of vulnerabilities in your product, right? And whether you like the academic approach of reading and you want to go read Ross Anderson’s Security Engineering, rest in peace, whether you want to find it yourself, but there is so much knowledge out there that’s hidden in silos. 

And this doesn’t just go for people who starting their career. Twenty years in, if you’ve never looked at what information warfare sites the house have found or what signals intelligence have found, like if you haven’t looked across the lines and seen all the other ways these systems go wrong, you’re still working from a disadvantage. So it’s that foundational element and learn the history of it. You don’t have to worry about some of that stuff anymore, but knowing how you got here and why it’s happening now is so critical to the story.

And then especially with AI, please, please don’t forget that, yes, there’s an ooh shiny of the AI and it’s got new security problems, but making sure you’ve prevented access to your host, that you’ve got really strong authorization between systems, that you know why you’re using it and what your data is. Like these things are fundamental, and then you can worry about the more serious newer threats in these domains. But if you don’t do that stuff, really, really hard to catch up.

Omkhar Arasaratnam (18:56)
Words of wisdom to completely agree. And your call to action for our listeners, Dave?

Dave LaBianca (19:02)
I’m gonna tie it together, both Jay and Mihai, because I think both stories are super important. CoSAI is based on this idea of we really wanna democratize security intelligence and knowledge around securing AI. You can’t do that when it’s a single voice in the room, when it’s just Google or just tech companies in the US or just take your pick on what that just is. So my call to action is one, our work streams are starting, please lean in or anybody’s workstreams. It doesn’t have to be CoSAI’s workstreams. Lean in, bring your voice to the table because we need the different viewpoints in the room. We need the 10th person in the room going, wait, but I need a cost-effective solution that works on this low-end device in this region. Nobody can fix that if we don’t make sure that folks are in the room. 

Yes, you have to hold us accountable to make sure we make that space as Jay was saying, but we then also need those voices in the room. And regardless of where you come from, we need that contribution and that community building because there’s no way you can ever pick up anything whether it’s from Microsoft or Anthropic or IBM, Intel or Google and then say that’s gonna work for me. You need those diverse inputs, especially on the security side, right? They’ll let you go, OK well my company thinks about it or my entity thinks about it this way and I need to then figure out how I Find solutions that build to it So I think, you know, get involved, bring your voice to the table and help us all see the things that we’re missing that we’re kind of blind to because of either, you know, we work at a big tech company or whatever.

Omkhar Arasaratnam (20:29)
Thanks so much, Dave. As we close out, I’d love a quick, how should folks that are interested get involved with CoSAI as well as the AI/ML workgroup at the OpenSSF? Maybe we’ll start with Mihai. Mihai, if somebody’s interested in getting involved at the OpenSSF AI ML workgroup, where do they go to? How do they start?

Mihai Maruseac (20:49)
So join a meeting and we can go from there. The meeting is on the OpenSSF calendar every other Monday. 

Omkhar Arasaratnam (20:55)
For anyone that’s looking for where to check that out go to openssf.org, and it’s all up there on the home page. Dave if folks want to get involved with CoSAI, per your generous invitation, where can they go to learn more and how can they get plugged into those work groups that are spinning up?

Dave LaBianca (21:11)
So first things first, go to one word coalitionforsecureai.org. That gets you your starting points around how to find us and how to see where we go. Look at our archives of our email lists. Look at our GitHub repo that shows what we’ve currently published around our governance and our controlling rules. And then in September, look out for the calls to action from our work streams around participation and the rest. And then it’ll be exactly as Mihai said. Join us. Come troll on a GitHub repo, whatever you want to do, but find a way to get engaged because we’d love to have you there.

Omkhar Arasaratnam (21:40)
Amazing. Jay, anything to add in terms of new folks looking to join either project as you span both?

Jay White (21:45)
I’m accessible all over the place. You can find me on LinkedIn. But find me, find Mihai, find David, and contact us directly. We are more than happy to usher you in and bring you in, especially once the workstreams spin up in the Coalition for Secure AI. But Mihai and I were there every other Monday at 10 A.M. Pacific Standard Time. 

Omkhar Arasaratnam (22:08)
All right, well, thanks so much, guys. Really appreciate you joining, and I look forward to y’all helping to secure and democratize secure AI for everyone.

David LaBianca (22:16)
Hey, Omkhar, thank you for having us.

Omkhar Arasaratnam (22:18)
It’s a pleasure.

Announcer (22:19)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #13 – GitHub’s Mike Hanley and Transforming the “Dept. of No” Into the Dept. of “Yes And…”

By Podcast

Summary

In this episode, Omkhar chats with Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions.

After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.

When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and nine kids.

Conversation Highlights

  • 01:21  Mike shares insight into transporting a family of 11
  • 02:02  Mike’s day-to-day at GitHub
  • 03:53  Advice on communicating supply chain risk
  • 08:19  Transforming the “Department of No” into the “Department of Yes And…”
  • 12:44  AI’s potential impact on secure open software and, specifically, on software supply chains
  • 18:02  Mike answers Omkhar’s rapid-fire questions
  • 19:26  Advice Mike would give to aspiring security or software professionals
  • 20:38  Mike’s call to action for listeners

Transcript

Mike Hanley soundbite (00:01)

Core to everything that we do is this thesis that good security really starts with the developer. Internally, for our engineers, that means the developers who are Hubbers. But it’s also all of our customers and all of the developers and all of the open source maintainers and communities that are using GitHub. 

Omkhar Arasaratnam (00:18)
Welcome to What’s in the SOSS? I am this week’s host, Omkhar Arasaratnam. I’m also the general manager of the OpenSSF. Joining us this week is Mike Hanley. Mike is the CSO and SVP of engineering at GitHub. Prior to joining GitHub, Mike was the vice president at Duo Security where he built and led the security research, development and operations function. After Duo’s acquisition by Cisco, for many billions of dollars in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. And when he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, Michigan with his wife and eight kids. Hold on. Do we need a pull request, Mike?

Mike Hanley (01:02)
I think we do. I think we need to update that to nine kids.

Omkhar Arasaratnam (01:04)
Well, congratulations to the Hanley family on a ninth. 

Mike Hanley (01:08)
Thank you, Omkhar I appreciate it.

Omkhar Arasaratnam (01:11)
I’ve got to ask you a question that every parent has probably asked you. How do you transport your family around? I mean, logistically, I’m curious.

Mike Hanley (01:21)
We have one of those amazing vans that looks like we’re running a summer camp. We have a Ford Transit, and it’s all-wheel drive, because I’m in Ann Arbor, Michigan, so we’re a four-seasons kind of area, so we need to make sure we can get around in the snow. But it’s great. It’s just got the side door, so when we get to school, everybody just sort of files out in a line, and we throw the door shut, and we’re off to the races. So Ford Transit, 12 seats. I got space for one more. (Laughter) So we love that thing. It’s great for getting around with the whole fam.

Omkhar Arasaratnam (01:48)
That’s amazing, a feat of engineering. Speaking of engineering, you’re the CSO and SVP of engineering at GitHub. Can you walk me through your role overseeing both of these teams and what it means for you, what it means for how you think about secure software development at GitHub?

Mike Hanley (02:02)
Yeah, so I initially joined GitHub a little over three years ago to be the first chief security officer. So bringing all the security programs together and then sort of writing the next chapter of that story. And about a year after I got to GitHub, so a little over two years ago, I said yes to the opportunity to also take on running all of engineering at GitHub. And having those two hats may seem a little bit unique on the outside, but I think it’s actually very natural for us at GitHub because core to everything that we do is this thesis that good security really starts with the developer and internally for our engineers, that means the developers who are Hubbers at GitHub building everything related to GitHub. 

But it’s also all of our customers and all the developers and all the open source maintainers and communities that are using GitHub. We want security to start with them as well and start with in a way that works for them as well. So secure in their accounts. So things like the 2FA work that we’ve done, but also that it’s easy for them to get security value into the projects and communities that they are a part of.

Omkhar Arasaratnam (03:05)

You’re the home for the world’s developers, and GitHub has this unique role in helping to secure the software supply chain, which is an area that can be really difficult for leaders to understand in depth and breadth. How are you advising organizations that are on their journey to better understand their supply chain? What would you advise security leaders or developers tackling this issue? 

I mean, as, I consider myself a software engineer who’s been doing security for a long time. Not every security leader has a background like you or I, where it comes from a place of software engineering. I’m curious how you articulate the complexity to those that may be more oriented towards risk or infrastructure, things of that nature.

Mike Hanley (03:53)
Yeah, I think the biggest danger, Omkhar, in terms of organizations or teams understanding their supply chain risk is they think too small or they have a too narrow of a lens. It’s like, well, my supply chain is secure because I know or have an attestation as to what totally composes the software that I’m actually building, packaging and publishing. And while that’s good, and certainly it’s something that organizations should do — and if they’re doing it great pat on the back to them because frankly, they’re already a leg up over a lot of other places that are doing nothing — but it’s important not to stop there. 

It’s…we’ve seen this actually with if you look at a lot of the mainstream incidents that have kind of hit the news in the last few years, of course you’re very familiar with all these, but they’ve involved things like attacking build systems. Some of them have been back doors in software

Some of them have been insider threats, and you sort of have this range of potential attack vectors on the security of your software. So I think you need to consider things like, of course, having an inventory of what’s there and doing, you know, sort of the bread and butter vulnerability management that you would, and dependency management that you, that you would or should be doing as a best practice. 

But it’s also considering, you know, how do I trust or how do I assess the organizations that are actually producing the software that I depend on? Are they secure in their persons? How do you think about the accounts and communities that are actually contributing to that work? Do I understand all the third-party integrations and tools that I’m using, of which many organizations I would suggest don’t have a full inventory of many of those? When we look at third party integrations on GitHub, there are a vast sort of sea of those that customers and developers and organizations use. 

Having an understanding of like, what’s plugged in where? What do they have access to? The people who develop and operate that integration or the service I’m integrating with, what’s their security look like? And I think it’s really just understanding this very broad kind of network of effects that happens goes well beyond just, like, the idea that somebody could potentially commit a backdoor, which is obviously an important thing to assess or that there might be a vulnerability and a dependency that you have. These are actually important things to assess, but your threat model needs to be much, much broader than that. 

And I think for every organization that’s really worried about their code getting backdoored, good, they should be thinking about that. But they also need to make sure they actually go look and say like, what third-party applications of our developers authorized sort of full and unfettered access to our build systems on? If you haven’t done that, you need to make sure that you’re looking at some of those things. And this has really actually informed a lot of the decisions that we’ve tried to make at GitHub in the course of the last few years. 

I mean, the one that I think is what I hope will be one of the most impactful things that’s happened in supply chain security in the last several years was actually driving two-factor authentication adoption. And you’ll remember the sort of package hijacking attacks that happened on the NPM ecosystem in late 2021. And that was a really interesting set of learnings for us because the adversary incentives are so clear. If I can just get one piece of code to run a Monero miner on this package that’s in the top 500 on NPM, I’m going to get at least 10,000 downloads an hour out of that. 

And so the incentive is very high to go attack those accounts, but the vast majority of maintainers and developers that we found at the time actually weren’t using 2FA. And it’s sort of interesting to look and say, well, in the IT world, if you started a corporate job tomorrow, you would get a managed laptop, an account, and something that was enrolled in 2FA, because that’s now a best practice and a standard in IT. Yet we don’t have, or we haven’t quite caught up with those types of standards and best practices in the broader sort of developer ecosystem. 

So I think the 2FA work that we did — while it was hard to get many, many millions of developers enrolled in 2FA — that’s the kind of thing that just raises the bar for everybody and it substantially increases the attack cost of a supply chain attack because you’re kind of crowding out account takeover and sort of these other low hanging fruit that would most commonly be exploited by a bad guy. 

Omkhar Arasaratnam (07:38)
I think that’s a great point and thanks for all the great work that you all have done in order to increase some of the security basics like 2FA more broadly. I want to jump back to your role at GitHub. And as I mentioned before, as somebody that personally identifies as a software engineer who’s been doing security for a really long time, you know, software engineers the world over have oft complained about the security department coming in and saying, you can’t do this, blah, blah, blah. And then their velocity slows down and they can’t do the cool thing because security person said no. Both teams roll up to you. How do you balance that? How do you, how do you see that impacting your day to day? Is that a, is that a good thing? Bad thing?

Mike Hanley (08:19)
What you described is what I often call the Department of No. And really, I think a modern security team, especially in a modern software-driven organization, of which the vast majority of companies are at this point, you have to be the Department of Yes And. Which is, yes, we want to do the new thing. We assume that our engineers, our finance people, our marketing people have the right goals for the company. And we want to figure out how to make that particular endeavor successful and contemplate the risk management needs that we have as a company. 

We want to make sure the good thing happens while making sure that the bad thing does not happen. I think for us internally, having both teams under one roof while there’s traditionally this separation that you mentioned, that separation comes with challenges because it actually, in many cases, encourages the security team to sort of sit in the ivory tower and come down and say, well, Omkhar, you can’t do that because reasons. And usually that engagement happens

at the 11th hour, right? I mean, it’s very rare that you get sort of negative security feedback early in a model like that.

And I find that by having the teams together, I mean, literally all the security leaders are sitting in the same calls as the engineering leaders because they all are part of the same team. And we have this notion internally that really everybody in the company is on the security team. And obviously, that means something specific for engineering because they’re doing development work that impacts the security of the company, the security of our stakeholders. They’re building things to make sure that we can realize good security outcomes, especially for open source maintainers and our paying customers. So they kind of have a threefold mission there where they’re helping with security.

But it’s also true for the finance people who report a gift card scam from our CEO or the HR and recruiting folks who are looking out for fake potential employees who are trying to scam their way into the company. So that idea that everybody’s on the security team is really a cultural approach for us to make sure that everybody’s a part of that broader network. And so this is basically the antithesis of this idea that humans are the weakest link. In fact, we view them as the strongest part of our security program and actually an enhancement of all the tooling that we have by getting everybody engaged. 

But specific to engineering, I think it’s great because it actually makes sure the incentives are tightly aligned, right? Like I’m responsible for making sure that the website is running and secure all the time. Like those are the two things that are effectively my set of responsibilities to the business and they are not in any way intention. In fact, if you look at the vast majority of our investment profile, it is actually going toward those two things. Now we’re actually doing a lot of net new features and we’re building new things all the time and we’ve got you know experimentation on bets that we want to place in the future, but the overwhelming amount of our work goes to to those two priorities that I mentioned a minute ago.

You know we’re really geared toward like making sure that security is a good experience for everybody not not a bad one, which doesn’t mean we don’t say no from time to time. But I think you minimize the number of no’s by having security as deeply engaged in what’s happening at the edge as possible, because the security team can’t actually be everywhere all at once. Our security team is not equivalent to the number of engineers that we have in the company. I don’t know. I’ve yet to meet anybody who can say that. And I don’t think I will in this lifetime. Certainly not with the jobs reports that we see that suggest there’s a vast shortage of security talent and expertise. And certainly you and I see this when we’re thinking about how to help open source maintainers. It’s just not out there. It doesn’t exist en masse. And it doesn’t exist in sort of broadly available sense. 

But if you’re really leaning into the idea that we want to help the engineers and you recognize that security team is not going to be a part of great security work all the time, you actually want to make sure the engineers are the superheroes from a security standpoint or the finance folks are the superheroes from a security standpoint and you shift that mindset toward one that’s actually trying to drive that outside the security team. This actually works really, really well for us, and I think creates a really tight coupling between those two teams. And it also allows us to, I think, focus on like higher order concepts. 

So for example, the idea not just that we do security, but that we do it well, and we do it in a way that’s actually a great experience. So we talked a little bit about 2FA, spending the time with the design team and the product teams to figure out what is doing this well and in such a way that it’s not alienating, that it’s actually a good experience, that people actually adopt it at scale without feeling like it’s being foisted on them in a counterproductive way. 

Because when you end up in that scenario, people find a way to get around your security controls, whether they’re your internal developers or stakeholders that you’re affecting with an initiative like that. So really having everybody together under one roof driving those common goals, I think has actually been like very, very healthy for both the company’s internal security objectives, but also for our ability to affect broad change in the open source ecosystem as well with things like that 2FA initiative that we did.

Omkhar Arasaratnam (12:44)
I think you’re spot on. Humans are ingenious. Humans will want to do the thing that provides them the least friction. Let’s make the security, the secure thing, the thing that provides least friction. Your story about everyone’s accountability being security. It’s not just the security team, it’s finance, it’s engineering, et cetera, reminds me and sounds a little corny, but 20 years ago when I was just getting into security, I was at this conference and everybody had this lanyard that said, I’m a firewall. And, you know, 20 years later, it seems kind of corny, but the idea was security was everyone’s accountability and it didn’t need to be backstopped by SecOps. If somebody at the frontline could stop that upstream, the benefit was even larger. 

Now, if we switch gears a little bit and think about everyone’s favorite topic, AI. How do you think AI will impact open source security, and what ways do you see it helping us to secure the software supply chain?

Mike Hanley (13:42)
My view on this is very bullish and it is summed up as this. I think AI will be two things. One is it will redefine the idea of shifting left in software development, which is, you know, we’ve been talking about this for more than 10 years at this point. The idea obviously that you move security value as far left as possible. What that’s meant to date has been, you’re generally getting feedback sort of at CI/CD time, right? Like after you’ve written the code, submitted it for review and it’s going through testing, that’s typically when you’re getting feedback. So that’s left obviously of boom in most cases where boom is your thing has been deployed to production, you find a vulnerability or you get breached. 

AI is basically saying when you are in the editor, bringing your idea to code through the keyboard or other input device, at that moment, you don’t just have security expertise, you actually have an AI pair programmer who has a vast range of knowledge and expertise in a variety of topics, accessibility, security, scalability, the particular language or framework that you’re using, right there with you, giving you more secure suggestions, helping you check your work, and literally just paired with you the entire time. 

So I think that is the realization of what we really want with shift left, because you can’t actually go any further left than when you’re bringing your idea to code in the editor. And I think that’s the highest value place to add security value and it’s also the best experience for developers because you are in the flow doing the work in that moment, not, hey, I committed my changes up, I’m waiting for tests to run while I go get lunch and then I come back or maybe even it’s the next day depending on how slow your build systems are. 

The next day I get feedback and I gotta go, what was I thinking at that moment when I did this? So that shift left and adding security value right in the idea in real time is huge and that is uniquely available to us because of the advances in AI, certainly with GitHub Copilot, but there’s others out there as well that are trying to do similar things. So that’s one. 

The second is AI gives us an opportunity not just to help address vulnerabilities in new and existing code, right? So this idea that as I’m writing it, I can get higher quality, more secure code in real-time, but also I’m adding value to things like my CI/CD. So it’s, I’m getting better suggestions from automatically getting suggested fixes from some of the tooling that I have now, instead of just giving, hey, there’s a problem here. It’s there’s a problem here and here’s how you should fix it. So there’s tons of value there, but, but it also enables the idea to retrospectively fix things. 

And I think this is one of the like grand challenges that we’ve had frankly in, in security generally, but especially in open source security Omkhar as you know, like a lot of the building blocks that we have for everything that we do and experience are maintained by a small number of people who don’t necessarily have robust access to security resources. And in many cases, fundamental building blocks of the internet are unmaintained at this point. Major projects that people depend on are unmaintained. And that is a huge challenge for the whole ecosystem. 

But the idea that, particularly through AI and agents, that we might actually be able to at scale

ingest process and refactor or fix bugs at scale in open source projects to me is super exciting, super compelling. It’s a way to supercharge, not just your internal developers who are writing first party code, but actually help supercharge open source developers or open source communities and really empower them to go do this work. They’re like, they may not be incentivized to do, they may not have the resources to do, they may not have the expertise as part of their community of maintainers and their project to go do. That to me is super compelling. 

And you know, it’s interesting when you say like, well, we’re dependent on these things, if only we could figure out what to do about it. And often, we talk about, well, we can deploy people to go help. And yeah, that’s good. That helps for the short term. But that doesn’t scale. And it doesn’t necessarily help with these massive excavations that it takes to go back into projects that have 10, 20, or more years of history behind them. So I’m excited that AI can actually help us get the leverage that goes beyond what we can do with human scale, especially where we have tactically deployed things or sort of volunteer firefighter resources that can go help with a small number of things. AI is going to give us the lift, I think, to go scan and support and help fix and really renovate, maybe is a nice way to put it, some of the projects that we depend on for the next 10, 20, and 30 years.

Omkhar Arasaratnam (18:02)
That’s a great point, Mike. And it’s also why we look forward to programs like the AI Cyber Challenge from DARPA and seeing the work that’ll come out of that. Switching gears a bit, we’re going to go into rapid-fire mode. So I’m going to ask you a series of questions, give you a couple of possible answers. And of course, it’s up to you whether to choose one of them or say, hey, Omkhar, you got it wrong. Actually, this is how I feel. So are you ready to go?

Mike Hanley (18:30)
I’m ready, go.

Omkhar Arasaratnam (18:32)
Spicy vs. mild food?

Mike Hanley (18:35)
It’s basically always spicy for me.

Omkhar Arasaratnam (18:37)
Always spicy. I knew we got along good for a reason. Now this is a controversial one. We talked about bringing AI to the IDE. So let’s talk about text editors, Vim, VS code or Emacs?

Mike Hanley (18:48)
My tastes have changed over time. I would say I’m more of a Vim guy now, but at times I’ve actually just used Nano, which I don’t know that that’s a popular answer. (Laughter) I’m not proud of that, to be clear, but at times that was the preferred editor in a prior life.

Omkhar Arasaratnam (19:03)
Why does Nano bring such shame? (Laughter) All right, tabs or spaces?

Mike Hanley (19:09)
I’m generally a tabs, tabs kind of guy. Keep it, keep it simple.

Omkhar Arasaratnam (19:12)
Awesome. Alright, closing things out, Mike, you’ve had a wonderful illustrious career so far. What advice do you have somebody for somebody entering our field today? Be it from a software engineering or security perspective?

Mike Hanley (19:26)
I think for either one, find an opportunity to meet people and get involved and do something, have something tangible. And the great thing about open source is this is actually one of the very best ways to build your resume because your work is easily visible. You can show people what you’ve done. You see a lot of resumes, a lot of experiences, a lot of schools.

But what can really differentiate, I think, is when you can say, like, here’s a thing that I did, that I built, and I learned something unique from that. And you don’t always necessarily get that from just going through things like coursework. When you’ve really had to, like, duct tape something together and deal with the messy reality of getting things to work the way you want them to work outside of a sandbox, I think there’s a lot of value and sort of real-world knowledge that comes from that that is impossible to…there’s no compression algorithm for experience is a way I’ve heard this put previously.

And just hacking on the weekends with some of those projects or finding some people who you want to work on was for the sole sake of just learning how to do something new is incredibly valuable and it’s a great way to stand out.

Omkhar Arasaratnam (20:25)
That’s great advice. A mentor of mine once said, well, you should never test in prod learning and prod is a, is a useful lesson.?last question for you. What’s your call to action for our listeners?

Mike Hanley (20:38)
I think it’s similar. It’s getting involved in some meaningful way. But I think going back to some of the things that we talked about earlier, Omkar, just to give a slightly different answer to that, would be ask some hard questions in your organization about your understanding of open source security, and particularly your supply chain. I do think when I think about 20-plus years in the security space, it is one of those things that stands out to me as unique in that many organizations in security still don’t do the basics. I mean, it is 2024, and we still have to tell people to turn on two -factor authentication. So that is what it is, I would say. 

But it’s also true that not every organization does a great job with inventory management and with configuration management, or even just sort of mapping out their broader ecosystem and infrastructure. And I think just going back and saying, like, do we really understand our supply chain? Do we really understand our dependencies? Do we really have, like, provenance of our assets, our inventory, our vulnerability management? 

So I think again, in the context of open source security, like really just going back and saying, like, do we really know how we use this stuff and challenge maybe what the assumptions have been in the previous weeks and months and years? I guarantee you that whatever you’re looking at is far too narrow. And I think that can be an important conversation. It can really help your organization up-level its supply chain because again you might find healthy initiatives out there that are low-hanging fruit that you can take advantage of, so that’d be maybe a call to action is to have that conversation in your next security team meeting.

Omkhar Arasaratnam (22:02)
Great advice from Mike Hanley, the CSO and SVP of engineering at GitHub. Mike, thanks so much for joining us on What’s in the SOSS? and we look forward to having you on again soon, perhaps.

Mike Hanley (22:13)
Thank you Omkhar, great to be here.

Announcer (22:15)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #12 – CISA’s Aeva Black and the Public Sector View of Open Source Security

By Podcast

Summary

In this episode, Omkhar Arasaratnam visits with Aeva Black, who currently serves as the Section Chief for Open Source Security at CISA, and is an open source hacker and international public speaker with 25 years of experience building open source software projects at large technology companies.

She previously led open source security strategy within the Microsoft Azure Office of the CTO, and served on the OpenSSF Technical Advisory Committee, the OpenStack Technical Committee, and the Kubernetes Code of Conduct Committee. In her spare time, Aeva enjoys riding motorcycles up and down the west coast.

Conversation Highlights

  • 01:37- Aeva describes a day in the life at CISA
  • 02:38 – Details on the use of open source in the public sector
  • 04:27 – Why open source needs corporate investment to maintain security
  • 06:20 – Aeva shares what their second year at CISA looks like
  • 07:58 – Aeva answers Omkhar’s rapid-fire questions
  • 09:28 – Advice for people entering the world of security
  • 10:16 – Certs are nice to have, but they aren’t everything
  • 10:42 – Aeva’s call to action for listeners

Transcript

Aeva Black soundbite (00:01)
The burden of securing open source — its ongoing maintenance, its testing, quality assurance, getting signing —  to make open source continue to be deserving of the trust we’ve all placed in it that can’t rest solely on unfunded volunteers. Companies have to participate, shoulder up and help.

Omkhar Arasaratnam (00:19)
Welcome to What’s in the SOSS? I’m your host Omkhar Arasaratnam. I am the general manager of the OpenSSF. And today we have my good friend Aeva Black joining us. Hi Aeva!

Aeva Black (00:32)
Hi, Omkhar, thanks so much for having me on today.

Omkhar Arasaratnam (00:34)
It’s a pleasure. Now, to start things off, why don’t you tell our listeners a little bit about your title and what you do?

Aeva Black (00:43)
Sure. So my official title is Section Chief for Open Source Security. Sounds kind of anime. I like it. I’m also a technical advisor here at CISA, the US Cybersecurity and Infrastructure Security Agency. We’re so enthusiastic about security, put it in our name twice. What I do day to day is just kind of work on solving open source security problems that I have been working on before, but now on this end of the fence.

Omkhar Arasaratnam (01:10)
Well, as I think I’ve told you in the past, my son is a huge anime fan. I literally had to bring a check bag back with me from Tokyo with all the various paraphernalia. But aside from indulging in my excitement about hearing CISA titles associated with anime, can you tell us a little bit more about the day-to-day? I mean, Section Chief sounds like a pretty cool role and you have been involved in the community for a while. What’s your day to day look like Aeva?

Aeva Black (01:37)
Honestly, you know, my previous careers, I often wrote code these days. Day-to-day looks more like answering emails, hopping on meetings, whether they’re internal meetings or interagency meetings, meetings with the open source communityies, but it’s a lot of talking and writing and speaking in public.

Omkhar Arasaratnam
When you announced new role at CISA and that you’d be joining CISA —  I think it was late last summer, I think about August, if memory serves — I was incredibly excited because I’ve seen CISA over the years take a stronger, better, more supportive approach when it comes to open source software. And I was really excited to see somebody like you that has had such a long history of open source support and advocacy join CISA. Can you talk to me about what it looks like on the inside, as everybody’s sitting back with their developer keyboard, clickety clacking, doing git commits all day? Has, has the government evolved into pure open source? How’s that going?

Aeva Black (02:38)
You and our listeners might be surprised to realize just how much both federal and state governments have always used open source. Our, our friend Deb Bryant — she’s been around, used to be at Red Hat, helped out in the open source initiative — used to actually run the open source programs office for the state of Oregon more than 10 years ago. So I think what it looks like today in CISA is pretty much what it has looked like. There’s more clearance, there’s more coverage, should we say, for folks who want to contribute to open source as part of their day job.

We’ve seen that get written down in sort of a guidance way, both in the DoD CIO’s memo a couple years ago, the DHS CIO memo for all DHS agencies includes groups like Coast Guard to use more open source, to contribute to open source, to be good participants in the community. So we’re seeing certainly more support for that. But again, folks across government have always used open sourcing. My first moment of realizing that, probably 2008, I saw some folks from the US Navy give a talk on using MySQL in a cluster running in their ships for battlefield awareness. It was the best database they could find at the time for what they needed. So it’s really nothing new.

Omkhar Arasaratnam (04:00)
Thanks for letting us know. I hadn’t realized that. And it’s very encouraging to hear that not only are we seeing broad adoption of open source within private sector, but also within the public sector. Now, security is a really important mission with a near infinite problem space, especially when it comes to open source security. You’ve been doing this for a while, where should we start? Because it seems like we could start just about anywhere and still have a life’s work ahead of us.

Aeva Black (04:27)
Yeah. Like you said, I’ve been doing this a while since the late 90s, and really as part of my job since the early 2000s. What hasn’t changed: the breadth and the diversity of open source communities is our strength, it is global participation in these communities. And so for today, in light of some of the recent threats against open source, and the pretty big compromises or vulnerabilities in open source that have affected products, we still need to recognize that open source is maintained mostly by volunteers in a participatory community-driven approach.

And yes, of course, companies have a big role to play too. But money isn’t always the solution, but research and common sense have shown that it usually is part of the solution. The burden of securing open source, its ongoing maintenance, its testing, quality assurance, getting signing all of those sorts of activities to make open source continue to be deserving of the trust we’ve all placed in it, that can’t rest solely on unfunded volunteers. Companies have to participate, shoulder up and help. that the transparency in open source, the promise that anyone can modify and study the source code, that transparency has to also be sort of dialed up for the amount of code that’s out there today. There’s so much more code than there used to be in open source, and the ratio of number of humans reviewing code to amount of code published has changed. That increases the risk a bit.

Omkhar Arasaratnam (05:57)
That’s some great advice as to where to start. Now we can slowly see over the horizon, the holiday season fast approaching. I know I’m, you’ve certainly had some great accomplishments. We’ve had some great shared work that we’ve done together. As you look to your second year in your role, what are your priorities? What’s in front of you and what would you like us to focus on?

Aeva Black (06:20)
Yeah, for myself and my team here at CISA, I’ll share that I knew things would be different in the public sector. It’s my first time in a public sector role. Hiring in any role is never as fast as we want it to be. We find a great candidate and the machinery of the organization, private sector or public sector, it’s always slower than we wish. So one of my priorities is continuing to grow my team and to bring more knowledge about open source and from the open source community into roles in the public sector, not just in my team, right, but across the agency and supporting other teams that don’t yet have as much knowledge about open source. Right? So a lot of internal awareness and training in terms of outward work. There’s been a lot that I find really encouraging with groups like FreeBSD’s attestation to the NIST secure software development framework.

A year ago, I had thought that there was no way to make the SSDF work for open source. And I was proven wrong and I’m delighted by that. And now I’m seeing a number of additional foundations and projects working towards a similar goal with their community and their funders working together to raise the bar on how and what secure assurances can be made about the process by which community-stewarded open source is developed. It’s not interesting who’s writing it, but how is it written? How is it tested? How is it assured? I’m really encouraged to see more of that and look forward to partnering with folks, including the OpenSSF towards more of that.

Omkhar Arasaratnam (07:58)
And we look forward to working with you, Aeva. So now is the time in the podcast in which we move to the rapid-fire section. I’m going to prompt you with a couple of different answers. There’s always a possibility that I’ve missed something, and you give me what you’d prefer your answer to be. Now I feel like I have some insight to the first question because we’ve eaten together several times,

Aeva Black (08:23)
That we have!

Omkhar Arasaratnam (8:24)
But spicy versus mild food, Aeva?

Aeva Black (08:27)
It depends if it’s Indian food, spicy, if it’s Mexican medium to mild.

Omkhar Arasaratnam (08:32)
And if it’s sushi, mild.

Aeva Black (08:34)
I mean, jalapenos on sushi can be really good.

Omkhar Arasaratnam (08:37)
Hmm. Yes. Yes, I agree. I take that back. Fair enough. Or a nice spicy salmon roll, perhaps.

Aeva Black (08:45)
True. Yeah.

Omkhar Arasaratnam (08:47)
Alright. Text editor of choice: Vi,  VS code, Emacs?

Aeva Black (08:52)
Easy, easy. Vim. I’ve always used Vim. I have my system set up, put me in Emacs, I usually have to shell, like use a different shell to kill it because I get stuck.

Omkhar Arasaratnam (09:00)
(Laughter) Well, I mean, Emacs is an operating system on its own, to be fair. (Laughter)

Aeva Black (09:04)
Yeah, just not one that I’m comfortable in.

Omkhar Arasaratnam (09:06)
I am also a Vim person, so shared, shared joy there. Tabs are spaces?

Aeva Black (09:13)
Spaces.

Omkhar Arasaratnam (09:14)
I knew it. Awesome. All right, Aeva, we’re wrapping up now. So in closing out, I have two final questions. The first one, what advice do you have for somebody entering our field today?

Aeva Black (09:28)
I wish I had an entire podcast on just this one, but really find your hyper-focus. For a lot of us, we can get stuck on things. Figuring out how to get stuck on the things that were good for my career helped me out early on. And building a T-shaped set of knowledge, so go deep first. Once you’ve gone as far as you want to go, then do it again on a different topic, and that builds breadth over time. Certs are nice to have to get past resume filters, but your network is everything. Maintain relationships across jobs. That’s the second big piece of advice I’d give.

Omkhar Arasaratnam (10:05)
I’ll let you in on a secret. I think the last cert that I got was as a Red Hat certified engineer in 2002. Do you want to share with the audience what last cert you got, if any?

Aeva Black (10:16)
It’s the if any part. Yeah. (Laughter) I considered a couple of certs back in the old MySQL days, early career. I never bothered with the Linux certs or the networking certs because I’ve just logged into a system and show that I knew my stuff.

Omkhar Arasaratnam (10:35)
Absolutely agree. Last question, Aeva. What’s your call to action for our listeners?

Aeva Black (10:42)
Well, for the listeners that are or work at a company, be a responsible consumer of open source. And that means participating in the project so you have insight. It means vetting the code and staging it appropriately locally. If you’re not a large corporation, but a member of a community, then my advice is make sure you’re building your community with stable governance and documented norms so that companies can understand how to work with you and that you behave as a group of a community in a predictable way. Predictable release cycles, predictable vulnerability management, all of those sorts of activities as an open source developer help to grow the project. And leave breadcrumbs, leave gaps for new contributors to fill and make sure you’re passing down the ladder to the next generation of contributors.

Omkhar Arasaratnam (11:38)
Excellent advice as always. Aeva Black, thank you so much for joining us on What’s in the SOSS?

Aeva Black (11:43)
Thanks so much for having me, Omkhar. See you around.

Announcer (11:46)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon, or wherever you get your podcasts. And to keep up to date on the open source security foundation community, join us online at openssf.org slash get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #11 – Google’s Andrew Pollock and Addressing Open Source Vulnerabilities

By Podcast

Summary

Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. With a background as an Enterprise Security Engineer, he has extensive experience in large-scale Linux Systems Administration and GCP Security. Andrew is passionate about the human factors in security, focusing on scalable solutions, great user experiences and self-service opportunities. He has primarily worked in Linux/Unix environments as a Site Reliability Engineer or Security Engineer, with a strong interest in process improvement and automation.

Conversation Highlights

  • 00:52 – Andrew shares his background as a “mid-90s data nerd”
  • 02:31 – Managing vulnerabilities in the open source ecosystem
  • 03:57 – How to navigate inconsistent metadata
  • 06:26 – The challenge of source attribution
  • 07:54 – The rapid-fire round
  • 09:15 – Andrew’s advice to open source developers
  • 10:22 – Andrew’s call to action to developers

Transcript

Andrew Pollock soundbite (00:01)
The beautiful thing about open source is it’s open to all, it’s accessible. You can play around with things, you can break it, you can fix it. It’s fairly approachable. Most of the larger projects have vibrant communities around them that are fairly welcoming and inclusive. 

CRob (00:18)
Hello everybody, I’m CRob. I do security stuff on the internet and I also am a community leader within the OpenSSF, the Open Source Security Foundation. One of the really cool things I get to do as part of the OpenSSF is to host What’s in the SOSS?  where I talk to amazing people from across the open source ecosystem. And today I have my friend Andrew Pollack from Google. G’day, sir.

Andrew Pollock (00:41)
G’day, CRob, how you doing?

CRob (00:43)
I’m doing wonderful. Thank you for asking. Andrew, could you maybe give the audience a little bit of your backstory, your origin? How did you get into open source and what are you doing today?

Andrew Pollock (00:52)
Yeah, so I’m a computer nerd of the mid-90s. I grew up in the MS-DOS era and out of high school, I started studying an information technology degree at uni and I was also working as a mainframe operator at the Brisbane City Council where I also encountered Unix and found Linux in its early existence to be just way cooler than DOS. My Linux distro of choice was Debian and I quite enjoyed using Debian and aspired to become part of that project, and so I joined Debian in the early noughties. I became a Debian developer and started participating in the Debian project proper. And that was sort of my ground level sort of involvement with open source. And I’m still a Debian project member today, but nowhere near as active as I would like to be.

CRob (01:47)
And what are you doing today within the open source ecosystem?

Andrew Pollock (01:50)
Today I work on OSV, which is a couple of different things, right? So the part that intersects with the OpenSSF is the OSV schema. And the part that I more actively work on is osv.dev, which is an open source implementation of a database using the OSV schema to aggregate and enrich those records.

CRob (02:16)
Very nice. Well, I know amongst other things, you’re a big data guy. So let’s talk about vulnerability data and why it’s important. Could you maybe explain some of the key kind of data points that we need to effectively manage vulnerabilities in this wacky ecosystem?

Andrew Pollock (02:31)
Yeah, you know, this is all about the data. So I really enjoy looking at the data in aggregate form and zooming out and looking at challenges with using that in bulk. So OSV provides vulnerability information about software packages at the source code level predominantly and it also provides Linux package of vulnerability information as well. 

And the thing that we need to be able to convey that information accurately is a good package name and good version information because we want to address the use case of vulnerability scanning, first and foremost, and then vulnerability remediation for things that are detected. So step one, to be able to identify what’s vulnerable, you need to know, you need to have a package name that’s meaningful within the ecosystem that you’re sort of wanting to operate on. And then you need to, at a minimum, know what version you need to be beyond to not be impacted by the vulnerability.

CRob (03:43)
I bet you see, let’s call it mildly, some inconsistencies across our amazing ecosystem. Could you maybe speak to some of the challenges that you see within vulnerability metadata today?

Andrew Pollock (03:57)
OSVs got multiple different data sources today, and a lot of them come from language ecosystems, which have some sort of curation within themselves so they’re fairly internally consistent with their packages because they know their own sort of backyard. Where I started looking more broadly was the problem space of C and C++ software, which doesn’t sort of have a centralized repository of vulnerability information. So we had to look at the CVE space for that, and we started pulling CVEs from the NVD to try and figure out which ones of them related to software that was not being covered by OSV-native vulnerability information.

And that’s where — me as a data nerd — just lost my mind because things were very, very inconsistent. So the challenges in that space are around naming. As I said, knowing what the package is to be able to identify it and, to a lesser degree, versioning as well because there’s no consistent versioning scheme when you go from one random open source project to another. And not all open source projects even follow any particular release practice or versioning scheme. So you don’t know anything about a string that is being called a version.

CRob (05:31)
Can you maybe just give us some insight to how you might try to handle some of those problems?

Andrew Pollock (05:35)
I would obviously advocate for projects as part of their maturation process to adopt release management practices that would include things like a formal versioning scheme. SemVer is the one that immediately springs to mind. It’s a standardized format. You can make some pretty clear assumptions about how that one walks and talks. Calva is another one that I know of. So that’s really, really helpful for reasoning about a project.

CRob (06:08)
So can you maybe talk to — you and the others in the OSP project — what you’re attempting to solve within the open source ecosystem? You know, how do you find these authoritative sources? Like how do you know what the right source is to try to make some of these attributions?

Andrew Pollock (06:26)
For the more formalized languages, we don’t have to find the source. The source sort of defines itself, right? So for your Pythons and your Gos and your Rusts and those sorts of things, they have a curated data source and they’ve chosen to supply that data natively in the OSD format and that’s great, right? So where we’re having to do that synthesis ourselves is where things get trickier. And so the challenge that we have is firstly determining what is the authoritative source for a particular piece of software. So that’s sort of 90% of the time that’s attributing it back to a GitHub repo. And then figuring out what the versions are in that repo. 

So we’ve got a real mix where there’s somebody in the business of providing accurate authoritative data, and then one where we’re having to do some inferences about it ourselves. And for the ones where we’re doing the inferences ourselves, we just have to look at the existing vulnerability data that’s available to us, so the CPE records and other data sources like the NVD CPE dictionary and look for hints as to what the what the repository might be. And that’s either metadata in the CPE dictionary or metadata on the CPE itself. So reference URLs typically.

CRob (07:54)
Well, I think it’s amazing work that you all are doing for the community. I think it’s very helpful for researchers and downstream and also community members. So I really appreciate it. Let’s move on to the rapid-fire part of our talk today. First off, spicy or  mild food.

Andrew Pollock (08:12)
I’m on the milder end of things. I value my taste buds and my sense of taste, so I don’t like to destroy them by too spicy stuff.

CRob (08:20)
Very nice. What’s your favorite whiskey?

Andrew Pollock (08:23)
Ooh, well funnily enough I just talked about taste bud destruction, but Laphroaig.

CRob (08:29)
Laphroaig. Very nice. Yummy. So being a developer from your background. Vi or Emacs?

Andrew Pollock (08:37)
Oh, Vi all the way.

CRob (08:39)
Yes! Another fan. And finally, tabs or spaces, sir?

Andrew Pollock (08:44)
Uhh, spaces.

CRob (08:46)
Spaces. All right. Any any rationale why?

Andrew Pollock (08:49)
I think I like my consistency, right? And so if you have tabs, you’re at the whims of what the editor’s tab spacing is, whereas if they’re spaces, they’re spaces. It’s unequivocal.

CRob (09:02)
Very nice. Well, and as we wrap up, what advice would you give somebody that’s kind of coming into this space? They want to become a new open source developer or contribute to a project, or they even want to get into cybersecurity. What advice do you have for those folks?

Andrew Pollock (09:15)
Well, my career background is I’m very self-taught, and I’d like to think that that’s still a feasible career path for people today. And the beautiful thing about open source is it’s open to all, it’s accessible. You can tinker with things as a hobbyist, you can tinker with things in your own time, you can play around with things, you can break it, you can fix it. It’s fairly approachable in a sort of incremental way. And most of the larger projects have vibrant communities around them that are fairly welcoming and inclusive. 

And so stay curious, experiment, learn by breaking things and putting them back together, I think that’s a great way of learning. I’m an experiential learner myself, so I think that’s a great way to learn. I think open source is a fabulous sort of ground level way to get involved.

CRob (10:08)
That’s awesome. I think that’s excellent advice for somebody looking to get into this crazy space we all live in. Closing out, do you have any call to action anything you want to try to inspire our listeners to get into or help out with?

Andrew Pollock (10:22)
Yeah, given that I’m spending a lot of time looking at vulnerabilities in the aggregate, my sort of call to action to developers is to think about the bigger picture when you take a dependency in code that you’re writing because that’s normally how known vulnerabilities come into your code that you’re working on. So the OpenSSF has some really awesome best practices guides around evaluating a dependency or a project before you might want to take it on as a dependency. 

And we’ve got some other teams in the Google open source security team that they’re doing a lot of dependency analysis type insights. So it’s very easy to just take a dependency on board to solve a problem. But if you don’t sort of look at the entire graph of dependencies that are behind that sometimes you’re actually sort of taking on quite a liability. So that would be my sort of piece of advice to sort of developing in the open source space is sometimes it might be better off just re implementing some functionality yourself rather than grabbing something that solves the need.

CRob (11:32)
Yeah, that’s unknown that you don’t know who how made it and what’s inside it.

Andrew Pollock (11:37)
Could be an iceberg.

CRob (11:39)
Exactly. Well, Andrew, I really thank you for your time, everything you do for the community, your time today. Thank you all and have a great day.

Announcer (11:47)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #10 – Rust Foundation’s Bec Rumbul and Succeeding as a “Non-Techie” in a Tech-Heavy Industry

By Podcast

Summary

Bec Rumbul is the Executive Director and CEO of the Rust Foundation, a global non-profit stewarding the Rust language, supporting maintainers, and ensuring that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing tools to improve digital participation.

Conversation Highlights

  • 02:57 Bec shares her day-to-day activities with the Rust Foundation
  • 04:53 Bec on her sometimes tricky responsibilities during her time at the U.N.
  • 06:35 How Bec communicates the importance of memory safety and Rust with stakeholders
  • 09:47 Surprises related to organizations that are adopting Rust
  • 11:50 Impediments to Rust adoption
  • 13:44 Bec answers Omkhar’s rapid-fire questions
  • 15:49 Advice Bec would give a non-technical person entering a technical field
  • 17:09 Bec’s call to action for listeners

Transcript

Soundbite (00:01)
Omkhar: VI, VS Code or Emacs — favorite text editor?

Bec: That’s a trap. In the Rust community we would never ,ever deign to tell anyone what their preference should be. We welcome all preferences in the Rust community.

Omkhar: Oh, well answered!

Bec: (laughter)

Omkhar: Alright!

 

Omkhar Arasaratnam (00:19)
Welcome to What’s in the SOSS? I’m your host Omkhar Arasaratnam, and with me today we have my good friend Rebecca Rumbul. 

Bec Rumbul (00:26)
Thank you very much for having me.

Omkhar Arasaratnam (00:28)
So we’ve known each other for a while, but for our audience, why don’t you introduce yourself, your title, and what is it that you do?

Bec Rumbul (00:36)
Ah, okay, so yeah, as you say, I’m Bec Rumbul, Executive Director and CEO of the Rust Foundation. And what do I do there? Well, I try and keep the wheels on the bus. I try and keep people happy. I try and support all of our wonderful maintainers. And I ask a lot of people for money so that we can keep on doing that.

Omkhar Arasaratnam (00:57)
So I’ve inferred you’re not cutting a lot of code, but as an example, what was your day today? What did you end up doing to give our audience an idea of what the day in the life of a CEO might be?

Bec Rumbul (01:10)
Sure, yep, no, I do not do any coding at all and I don’t recommend anyone ever ask me to try. That’s the surest way to get things to fall apart, I suspect. The great thing about the job is there are very few regular days actually. I get to talk to this wonderful wide spectrum of really just interesting and intelligent individuals. I get to speak to people inside Big Tech who are using Rust, who are thinking of adopting Rust, people that are maintainers and people that have been kind of building the language for years and years and years and are very personally invested in it, finding out from them how we can best support them and how we can make sure that they are able to write wickedly good code securely, for instance. 

I obviously have staff, which is great because they are the people that I’m people that do the real work, not me. So I spend a lot of time coordinating with them, trying to figure out what our priorities as a foundation should be. And I have a wonderful board as well, made up of the community and our corporate sponsors who, you know, help to provide strategic direction, oversight, potentials for funding, that kind of thing.

As I said, I’m always on the lookout to fundraise so that we can keep providing this wonderful language to everyone that wants to use it.

Omkhar Arasaratnam (02:28)
You’re also our associate member rep for the OpenSSF. So thank you for those contributions as well. Now, in talking before this and prepping for the podcast, we were discussing your history leading up to your current position. You’ve been at the Rust foundation for just over, what is it, like two-and-a-half years now? What led you to this path? It certainly wasn’t a long history of computer science. It’s quite an interesting past though.

Bec Rumbul (02:57)
I kind of Forrest Gumped my way into this. I’ve never been one of those people with a very straight, very focused career ladder. Before this I did a lot of consulting for the UN, a lot of digital democracy work, a lot of research, looking at how to kind of empower citizens of countries all over the world to hold their politicians to account, to make better laws, to enable parliaments themselves to support that with the politicians that sit inside them. 

So I did years of that and I really enjoyed obviously doing the digital aspect and finding new open source tools to help people with that but also working on the democracy side, you know, the kind of consensus-driven, decision-making side, figuring out how that can be done well.

And that was one of the aspects of the job at Rust that really kind of called to me. Yes, okay, technically I’m in the CEO’s seat, but actually, I have very little power. The power is really in the hands of the community, it’s in the hands of the board. There’s an awful lot of people that are involved in helping us to make the best possible decision, not just the one that’s most kind of expedient for me at the time because I’m the boss.

With this amazing new language that was just emerging when I came into the role, and I had this opportunity to nurture this thing that I don’t even think many people realized how important it was going to grow to be. So yeah, playing mum to the Rust programming language as well has been fascinating and a real privilege.

Omkhar Arasaratnam (04:35)
What a very interesting past and what impactful work you’ve done in the past. I’d love to delve into that a little more. Is there one particular aspect of the advocacy work you’ve done previously that you’re really proud of, maybe a little embarrassed by? Let’s give the audience something that some insight to Bec’s world prior to Rust.

Bec Rumbul (04:53)
I did some very random stuff and I did some stuff that was required politically but maybe wasn’t really embedded in the hearts and minds of people that I was working with. So I’m not going to name specific countries, but I have worked with some parliaments in some very authoritarian regimes, shall we say? So, yeah, I’m not going to name countries because I don’t want to upset anyone. But yeah, there were some times where I definitely had some, you know, towing the line, not really wanting to give people the kind of power that genuinely enables people to make democratic decisions. 

But that said, I did, you know, I did some amazing work with parliaments in Kenya, in South Africa, in Ghana where they were really invested in digitizing and really invested in trying to empower the local citizenry to help make laws better. 

Omkhar Arasaratnam (05:46)
You know, it’s an election year. I’m not going into what that means for us over here in the States. I’m going to leave that aside. Thank you for sharing that though. And you have done some amazing work and it’s really interesting to see how that work has now led you to where you are now. So speaking of where you are now, Rust. I hear it’s going to fix all of our memory safety problems, right?

Bec Rumbul (06:07)
Yeah, of course. We can take the next question now. (Laughs)

Omkhar Arasaratnam (06:09)
Done. Next. I mean, it’s interesting. I think what would be interesting for us to learn is from your perspective, as someone who admittedly isn’t a technologist and somebody that is focused on improving things, making the world a better place, how do you frame the rationale for using Rust and how do you touch on things like memory safety when it comes to the discussions you’re having with your stakeholders?

Bec Rumbul (06:35)
It’s so important to be able to pitch what Rust can do and the kind of memory safety feature at the right level so that people can genuinely understand. It’s really easy to bamboozle people really quickly when you start getting really techie. And whilst I don’t write code, obviously I’ve worked in the area long enough so that I understand how these things work. But I’m hyper-conscious that certainly when you’re dealing with big world people, not just techie, techie people, these things can get very very complex and, you know, you can see people’s eyes glaze over very quickly. 

So the way I try and explain memory safety is to kind of tell people about you know some of the big hacks that they’ve heard of and how actually, you know using, different kinds of code that operate in different ways might have prevented some of those things. Not every single one, every big vulnerability is slightly different. But memory safety is this one feature that means that actually it’s really, really difficult to just have like really low-level errors or really sort of small mistakes that are just human errors, they’re not computer errors most of the time, they’re human. So any kind of safety net like a memory-safe language means that that’s just not possible. 

Obviously, there are many other potential vulnerabilities out there that memory safety won’t fix. But it was really important to have organizations like Google for instance releasing their research on using Rust where they’ve come out publicly and said actually using breast means that 70% of their vulnerabilities are gone because Rust is memory safe, it’s just automatically clearing those. So in terms of an economic view, not just a security view, that’s a hell of a lot of people that are doing forward-facing code now, not trying to fix something and digging through code, trying to fix something that already exists. 

So that’s kind of the way I tend to approach it. It’s not perfect. It’s still an imperfect pitch, but I think because governments are now getting involved in security is suddenly after, you know, so very many years in the wilderness being seen as a bolt-on now it’s being given the attention it needs more people are actually, I think getting up to date on just the theory of memory safety if not the actual ability to code it.

Omkhar Arasaratnam (09:06)
The the angle that you took in terms of expressing the economic benefit as well as that safety net in my mind, I contrast this. We had Christoph Kern from Google on the podcast a few episodes ago, and you may imagine that Christoph had a very computer science point of view. So I love the fact that both of you have brought these, I’ll say, from  different perspectives, on the same topic. And it’s very interesting to hear that. Switching gears, where are you seeing interest in adoption of Rust that was surprising? Like who was trying to adopt Rust now that you were just like, huh, I didn’t think about that?

Bec Rumbul (09:47)
I think I’m most surprised and encouraged by how quickly the safety-critical industry has noticed and started to prepare the ground for Rust adoption. Because obviously, you know, safety-critical, it is the most important sort of sector for having really secure, really high quality, high performing software. The fact that that sector has been kind of the first off the blocks in looking at Rust and figuring out how it can be used, I think, was really interesting. 

Obviously, again, you know things like speed and performance of Rust appeals to that sector as well, but these are serious people building serious stuff, right? So it’s encouraging that that is a sector that’s looking really hard at this. That said, I love seeing Rust popping up in different places. Obviously, it’s kind of great in terms of Wasm. Rust embedded is growing and growing at the moment. But I love it when someone sort of pops up and says, my company is using this but I’m not allowed to say anything about it publicly. Damn, please talk about it publicly because that gives other people confidence as well. There’s loads of people I’d say that are, you know, loads of CTOs at the moment that are kind of rust curious.

And yeah, we’re having kind of quiet conversations, but they don’t, you know, they just want to dip their toe in at the moment and they’re looking around for other organizations to kind of see what they’re doing. But very few are willing to kind of stick their head up and say, actually, no, we’ve done this and this was good and this was bad and this is what you should think about. 

Omkhar Arasaratnam (11:32)
What do you see as the next major challenges for Rust? I mean, it seems like everybody’s all in and even those that are just Rust curious for right now are certainly dipping a toe in the water. Other than, you know, the who’s going to go first mentality? What are the other impediments we have to adopting Rust today?

Bec Rumbul (11:50)
One, Rust notoriously has a steep learning curve. I actually think that that is being flattened. Where we were two, two-and-a-half years ago in terms of teaching Rust is very different to where we are now. And there’s lots and lots of good quality training stuff out there. And large tech organizations are better set up now to migrate whole teams across to Rust. So I think there is still a bit of a hangover from that, but I don’t think it’s as much of a problem as it was before. 

I think one of, and what I’ve seen in some conversations, is that because Rust is so new and young, an awful lot of people in positions of responsibility don’t know it. They learned C++ when they were doing their comp sci degree or in the early days or Python, and even though we’re getting an awful lot of people at grassroots level, I do think there’s a reticence among people who are quite a bit higher up and who have to make these huge financial decisions about whether they’re going to invest that heavily in this because, obviously, they just don’t have that kind of personal firsthand experience of it. So I think there’s a little bit of that. 

The tech mini-slowdown last year didn’t help anyone, I don’t think. Certainly, if you’re kind of looking at doing iIf the whole sector is feeling a bit kind of sluggish, it’s probably not the time to invest. That said, I do think the momentum is there and I think we’ll be having a very different conversation in a couple of years’ time.

Omkhar Arasaratnam (13:33)
That makes a lot of sense. Alright, Ms. Rumbul, we are going to move into the rapid-fire round. Are you ready? 

Bec Rumbul (13:42)
As I’ll ever be.

Omkhar Arasaratnam (13:44)
Some of these, some of these questions may lean a bit technical. I will give you a choice of a set of answers. There’s always the, no, Omkhar, you didn’t get that right. But I think moreover, some of these questions lean very tech heavy. I would like your point of view as to how your community reasons over some of these questions, should you be privy to when they come up. 

Bec Rumbul (14:07)
Okay.

Omkhar Arasaratnam (14:08)
Now, the first one is not techy. Spicy or mild food? And I think I know the answer to this.

Bec Rumbul (14:13)
Spicy food. You only live once.

Omkhar Arasaratnam (14:15)
Yes, that’s why we’re friends. That’s why we’re friends. Now here, here come the techie ones. Vi, VS code or Emacs favorite text editor?

Bec Rumbul (14:27)
That’s a trap.

Omkhar Arasaratnam (14:29)
Hahaha!

Bec Rumbul (14:31)
The answer is, in the Rust community, we would never ever deign to tell anyone what their preference should be. We welcome all preferences in the Rust community.

Omkhar Arasaratnam (14:41)
Oh, well answered! All right. Let’s see how adeptly you dodge the next question. Tabs or spaces?

Bec Rumbul (14:50)
Oh, I don’t care. And I know that’s not the right answer. I’m supposed to choose a hill to die on here, but life’s too short. (Laughs)

Omkhar Arasaratnam (15:01)
Life is too short, let’s drink wine?

Bec Rumbul (15:03)
Life’s too short, lets drink wine. And you know, the previous answer also applies. We would never, ever suggest a preference to people. It’s whatever they’re comfortable with. 

Omkhar Arasaratnam (15:11)
You know, I recently took some time off personal vacation and I actually went through the Rustlings course. So I will let you know my thoughts once I complete it. Thus far, this old C programmer had to learn some new tricks, but it was very insightful. Closing things out. What advice do you have for somebody entering our field today? And normally the person I’m asking this, they’re normally somebody that spent multiple decades in security or multiple decades in software engineering. I’d like you to answer this question from the perspective of somebody that’s thinking about entering the field as a leader in a code-hosting nonprofit. 

Bec Rumbul (15:49)
I think there is room for everyone in open source. That’s the most amazing thing about this kind of community. And there are a lot of different skills that are really needed here. I think I might have been hired because the board was interested in bringing in some skills that don’t, there weren’t too many of those skills in the community because people who have mad coding skills don’t spend all of their time looking at spreadsheets and writing board agendas, right? And chasing people and trying to charm them out with their money. 

So I think, you know, my advice is it’s fine, it can be intimidating coming in and speaking with all these people that are so very much smarter than you. But you have things that they don’t. And the whole of open source is desperately in need of a whole kind of range of skills, from project management to administration bureaucracy, to event management, to moderation and community management, all of these things. It’s not just about the code. If it was just about the code, open source wouldn’t work. It’s all about creating that code together in a community of people that are just kind of pulling in the right direction with the same values.

Omkhar Arasaratnam (17:00)
What great advice. Last question for you, Bec. What’s your call to action for our listeners? What would you have them do after listening to this podcast?

Bec Rumbul (17:09)
It’s kind of building on my last point actually, you know, we’re always in need of people to help us do great stuff and to give us opinions that come from different places to where we are. My kind of call to action is get involved — even if you’re not a security professional or, you know, someone that’s going to bang out lines and lines and lines of code for fun of an evening — if you’re really interested in helping a community grow and developing amazing software and securing our shared online world, your skills helping to manage the community or do administrative things or management things are just invaluable. So turn up, join a community, have fun.

Omkhar Arasaratnam (17:48)
Bec Rubmul, thank you so much for joining us on What’s in the SOSS? And all the best in leading the Rust community to newer and greater heights. Thank you for all you do.

Bec Rumbul (17:58)
Thank you.

Announcer (17:59)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at openssf.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #9 – Sonatype’s Brian Fox and the Perplexing Phenomenon of Downloading Known Vulnerabilities

By Podcast

Summary

Brian Fox is Co-founder and Chief Technology Officer at Sonatype, bringing over 28 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises.

A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world’s largest repository of open-source Java components, which recently surpassed a trillion downloads annually.

As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use.

Conversation Highlights

  • 00:57 Brian shares his background
  • 03:56 The confusing trend of downloading assets on Maven Central with known vulnerabilities
  • 08:16 How this trend continues in other repos
  • 11:08 Brian and CRob discuss Log4Shell
  • 16:54 Brian answers CRob’s rapid-fire questions
  • 18:46 Brian’s advice for up-and-coming security professionals
  • 19:50 Brian’s call to action

Transcript

Brian Fox soundbite (00:01)
The customer is not gonna accept as an excuse, like, why did you get hacked? Well, my direct dependencies were fine, it’s those indirect ones that were bad. Like, nobody cares, right? Like if you buy a pie from a bakery and you get sick, it’s not acceptable for them to go, well it was my sugar provider that did a bad job, here. 

CRob (00:18)
Hello everybody, welcome to What’s in the SOSS? I’m CRob. I do security stuff on the internet. I’m also a community leader within the Open Source Security Foundation, and I’m one of the hosts of this amazing podcast. Today I’ve got my friend Brian Fox. He’s the CTO and co-founder of Sonatype and he is an amazing open source contributor and he’s a great collaborator with us and a lot of industry efforts. So I want to say, Brian, welcome.

Brian Fox (00:49)
Yeah, thanks for having me.

CRob (00:50)
Could you maybe share a little bit about your origin story? How you got into open source and kind of the stuff you’re into today?

Brian Fox (00:57)
Oh, sure, my origin story. That’s a long one, but short version is I dabbled in open source before it was I think called open source in college actually, some PERL CGI open source stuff way, way back in the day. But I would say my first real introduction into like durable open source, let’s say — I had I dabbled with a JSP library at SourceForge. And I don’t really count that, but you can see they’re all connected in a straight line. I got involved with Apache Maven super early

in the 2.0 alpha days. I wrote some plugins. I was basically doing development management during the day, had some folks working for me, and we were trying to transform our builds from Ant to Maven and move from CVS, I guess it was, to Subversion. 

Yeah, I’m dating myself a little bit. And we were running into some issues, and so because I didn’t have much opportunity to code during the day, I was coding at night. So I would go home and start working on fixing bugs and writing plugins that the folks working for me during the day the next day would then use to move forward. And so I wrote some pretty popular plugins, the Dependency plugin and the Enforcer plugin that later came from, the Code Haas Project — Code Haas was sort of an adjacent open SourceForge, if you will, that eventually got pulled into Apache Maven proper. And I came along with it as a committer, was later a project management committee member, and for a while after we started Sonotype was even the chair of that project. 

And, and for, for historical reasons that, you know, we could have a whole podcast on, you know, the Maven central repository has always been a separate project from the Apache Maven software base. And basically, a handful of us, and then later Sonatype, have basically been the stewards of that all along. So, I know where all the bodies are buried and have lots of war stories from, from open source Java and Maven Central in general, from, for the last 20-plus years. I suppose.

CRob (03:03)
So I’m a little bit of a data nerd and I know you share that kind of passion for data and numbers. Your organization, Sonatype, puts out an annual report, well many of annual reports, but the one I’m most interested in is the State of Open Source Supply Chain Report. That’s one, I’ve referenced that many, many years. It’s pretty amazing. And I want to kind of talk about some of your findings from the most recent one. Maybe we can kind of, that’ll get us into this topic. But you know, when I was looking at the 2023 report, I noticed that you had many statements, one of which was you noted that 96% of all vulnerable downloads from Maven Central had known fixes available. What’s up with that? Why are folks still downloading known vulnerable packages when there’s a fix available?

Brian Fox (03:56)
Yeah, yeah, this has been my soapbox, as you know, for a couple of years. 2022 was the first year we published that stat. Sadly, it was unchanged in 2023. It did not get better. What does this stat mean exactly? At a point in time, when a thing that is in Maven Central, and I think off the top of my head, I’m not certain. I think around 12% of the things in central have a known vulnerability. But they’re skewed, obviously, towards more popular versions of it. So when those things are downloaded, looking at the point in time that it was downloaded, was there already a fix for that vulnerability available? So in other words, it’s not a case of this vulnerability is out there and people are using it because it’s not fixed.

After Log4Shell, which I’m sure we’ll get into a bit more, you know, we saw a lot of people talking about like open source should do a better job of fixing their stuff. And it’s like, well, when you sit where I am and you look at that and you go, well, wait a minute, when these things are being consumed from the repository, 96% of the time, the fix already is available. So what does that tell you? It tells you that the consuming organizations are not choosing to update for the fix. It shouldn’t be a 0% stat, right? There’s always going to be vulnerabilities that in certain contexts just don’t apply, and so you can continue to use the thing, or you have other mitigating controls.

But 96% is crazy. And the fact that it doesn’t change. And so why does that happen? There’s lots of reasons. And I’ve been recently in blog posts and articles exploring more the psychological side of things. I think there’s, humans are wired to procrastinate and hope that the future will be better. And I think there’s an element of that, that people look at it and go, well, you know, we’ve lived with these things so long, you know, I’m afraid to do an update. Dr. Wheeler and I have kind of toyed with the idea that API changes introduce a bunch of these problems, or at least the fear and the history of API breakages have caused people to be afraid to make an update. 

And so there’s lots of little reasons that cause organizations to just sit there and not update and therefore continue to consume these known vulnerable things. And so I’ll ask the obvious question because when I point this stat out, everybody turns around and asks the same question, which is, Brian, why do you make vulnerable versions available for download in Maven Central at all? Right? And so, you know, part of that is precedence in history that Maven Central is known for its stability, that we don’t allow authors to just up and decide to unpublish something. For those of you that remember left-pad and NPM years ago, it was a little bit of a tit-for-tat, and a maintainer removed a package and it broke like the internet, right? And so for reasons like that, we don’t allow things to just up and disappear. 

Most of the time, like I said, not everything is universally applicable. So I use an analogy. For some people, peanut butter can kill them. They are deathly allergic to peanut butter. I can go into the store right now, I buy peanuts, buy peanut butter, buy things with peanut butter in them. Why? Because I happen to, fortunately, not be allergic to peanut butter. I do not have that vulnerability, or at least that vulnerability does not apply to me. So like that analogy, why should we take every single component down just because it has a vulnerability and make it impossible to reproduce old things, break things that don’t need to be broken? 

And I draw a distinct line between a vulnerability and a known malicious package. A known malicious package is like saying we’re going to continue to sell salmonella-tainted  food because some people luckily don’t get affected by it. Like, no, that’s very, very different, right? So salmonella components, yeah, they’re coming out immediately. Peanut butter, they should be labeled, they should be understood so that people that have vulnerabilities can know about it, right? And so that’s why we don’t just disappear components merely because there’s a vulnerability. 

CRob (08:04)
You have a lot of observability into Maven Central. Do you feel that you know the pattern you’re seeing does that probably exist in other repositories as well? Do you think it’s similar? 

Brian Fox (08:16)
I know it does. Yeah, I know it does. How do I wanna phrase this? There are similar problems. They don’t have the same root in the origin of it. So, for example, Maven has a strong namespace in the group ID, right? So typically that would be the reverse DNS of your company, just like Java package standards. That’s where we, we didn’t invent it. We just followed the Java standard. And when, when somebody comes to Maven Central, we validate that they control that domain and that namespace, or alternatively they can use their project URL at GitHub as an example, right? And, and we do the validation and that’s so somebody can’t show up to the repository and pretend to be Eclipse and start publicizing things. You can’t pretend to be Apache and start publishing things. 

That’s an important piece of this. The other piece of it is that Maven prefers stability over auto-updates. So it prefers staying on a version number. So it’s sort of an anti-pattern in Maven land to say, just get me the latest version of this thing all the time. So that choice, that design choice, has unintentionally created the issue that I talked about, that people aren’t upgrading, right? That’s an unintended side effect of that. But now let’s look at what’s happening on ecosystems like NPM, Python, Ruby, where the tool has made the choice that we are always gonna check and fetch the latest version unless I’m told not to, right? 

That’s why you have the concept of a lock file to lock it down because if you don’t lock it, it’s going to fetch it. And also, unfortunately, those ecosystems also don’t have a strong namespace enforcement. So what happened starting around 2017, the attackers figured this out and they start publishing components into the repository that have confusingly similar names, basically a typosquat of a name. And since there’s no namespace enforcement, it’s very hard for consumers to tell the difference between am I getting the legit component or not?

And you couple that with the fact that the tool is going to auto-update these versions all the time, which means if somebody were to compromise an actual legitimate JavaScript project and put a fake component up there — and this has happened many times — the consumers will fetch it almost immediately. So you’ve created this situation where it’s easy for the attackers to put stuff in the repo and everybody will consume it almost immediately so you have a ready willing audience, which means you’re seeing on those ecosystems this massive stat we talk about, 350,000 known malicious component attacks in the last couple of years and it’s been doubling year over year. 

That’s only happening in those ecosystems. So we don’t have this problem in Maven because there’s not the auto-update and there is the namespace. But we’re having the massive attacks on these other ones because they do, right? So it’s sort of like these design decisions lead to different unintended consequences, I guess I would say.

CRob (11:08)
So let’s let’s talk about a specific example. Our friend Log4Shell that ruined many, many IT folks holidays in December a year or two back. I have an old stat: there were almost 250,000 known downloads of the malicious packages of Log4j which was about 29% of all the downloads at that time.  How is it that people are still grabbing that known malicious package? Why is that with such a widely known vulnerability?

Brian Fox (11:45)
(Laughs)  Yeah, I wish I knew, honestly. So I’m looking at the latest stats and anybody listening to the podcast, you can see them yourself. We have a resource center that’s been up since 2021. It’s at sonatype.com/log4j. So you can see those stats yourself. As we sit here right now, we’re looking at 405 million downloads since it was announced and worse the last seven-day average is 35% of those are of those non-vulnerable versions. And so it’s actually gone backwards in the last year. We were down at one point to, I think it was in October when we published the report, it was in the twenties and it took multiple years to get there, which was really disappointing, but it slid backwards for reasons that I have not been able to explain. 

And so, I also use this one sort of as the perfect bellwether for the reasons that you outlined, right? That it’s fairly easy to exploit. It’s fairly publicized. Everybody knows about it. And it was sort of one of these situations very early on that every vendor was getting asked by their customers, did you remediate this? And they would have to explain why. 

And so it created this situation that it was easier to just upgrade than it was to explain why you weren’t upgrading. So like I said before, I wouldn’t expect the uptake of every vulnerability to be 100% updates. In Log4Shell,  I think that is closer to true, and so we should expect to see the uptake here to be you know closer to, you know, 80, 90, 95% I would expect. I’ve done some research recently to look into the origin of this because you know people will often try to justify like, it’s just a few people with broken builds that are running all the time, right? Because it does seem incredulous. 

I’ve looked into the vulnerable downloads within the last month and they’re coming from millions of IPs worldwide. You can’t pin it down to, this is like a provisioning script that’s running on EC2 or something like this, right? Or some serverless configuration that might be happening in a Lambda, you know, weird things like that. No, it’s all over the map. 

And when I’ve looked at like the cohort of dependencies when I’ve taken the IP numbers that are fetching these vulnerable versions and I look at the cohort of dependencies to see like, is it one application everybody’s built building or something weird. Is it one place that’s causing this as a transit of dependency? I’ve not been able to put my finger on it. It is all over the map, which just tells me it’s kind of what I suspected in the beginning. It’s just average usage and folks for whatever reason just freaking haven’t upgraded. (Laughs) 

So it’s really disappointing because if it were any of the other things I mentioned, we could go attack that at its source and have a big impact. Instead, it’s messaging like this to get people to pay attention. And this is, it kind of intersects the SBOM area. If you can’t produce an SBOM, kind of implies you don’t know what’s inside your software. If you don’t know what’s inside your software, why should we expect that you’re doing a good job of updating it?

CRob (15:493)
So thinking about solutioning this a bit, do you have any advice for what developers or downstream consumers can do as they’re ingesting open source components to avoid this continual downloading of known vulnerable packages?

Brian Fox (15:15)
Yeah, I mean, tooling has existed for a long time to help you understand your entire transitive hull of your application. You know, Sonatype’s been providing this for, what year is it now? 14 years. (Laughs)So this is not a new thing. And you know, in the world, the regulated world, we’re seeing legislation all over the place from the US government, from European Union, PCI standards, everybody’s pushing towards, you need to be able to produce an SBOM. And this is part of the reason why, that it’s no longer acceptable to just blindly ignore what’s inside your software. And we saw for years organizations were only focused on the direct dependencies, the things their developers use, and ignored the transitive dependencies. 

But there’s more transitive dependencies than direct ones. So your odds are of pulling in something bad are even higher further down. It’s quite literally the iceberg. 70% of it is coming from these open source transitive dependencies. You need to have visibility in that because your customer is not going to accept as an excuse, like, why did you get hacked? Well, my direct dependencies were fine. It’s those indirect ones that were bad. Nobody cares. If you buy a pie from a bakery and you get sick, it’s not acceptable for them to go, well, it was my sugar provider that did a bad job here. Like I’m sorry like you know you still created this thing and sold it to me you’re still responsible. 

And I think that ultimately that’s what it’s gonna take that some form of liability reform to the point where organizations are actually responsible for the outcomes is needed to change this behavior. 

CRob (16:54)
Well, I think this is gonna be the first of an intermediary step in an ongoing conversation. And hopefully we can help raise th at awareness and get folks focused in on this unique problem. Let’s move on to the rapid fire section of the interview here. Got a couple questions and we’re gonna see what your thoughts are. First question, Brian, spicy or mild food?

Brian Fox (17:20)
Depends on the day, but let’s go with spicy today.

CRob (17:23)
(Sound effect “Oh, that’s spicy) Nice. Being a developerologist as your background, what’s your preference? Vi or Emacs?

Brian Fox (17:34)
Oh, Vi.

CRob (17:35)
Huzzah! What’s your favorite type of whiskey?

Brian Fox (17:41)
Ooh, ooh. I don’t know. I like variety. How’s that? I like to explore new ones. I have one that they make here — actually, it’s in Vermont, just over the border — they make it from maple syrup. And that one is really unique. So I’m gonna go with that. How’s that?

CRob (17:58)
All right, that sounds like a delight. And our final,  most controversial question, tabs or spaces?

Brian Fox (18:06)
(Sighs)  Spaces.

CRob (18:09)
Spaces, very good. There are no wrong answers, but that’s interesting how that causes a lot of controversy.

Brian Fox (18:17)
Yeah, you’re not going to ask about, you know, Alman versus K&R? I mean, that that always is related to tabs and spaces.

CRob (18:24)
(Laughter) Maybe in season two.

Brian Fox (18:28)
Yeah!

CRob (18:30)
Well, thanks for playing along. (Sound effect: That’s so sweet!) As we close out, what advice do you have for  someone that’s thinking about entering this field, whether it’s being an open source developer or getting into the field of cybersecurity? What advice do you have for newcomers?

Brian Fox (18:46)
I think my advice is always the same. Pick something that you’re interested in, whether it’s robotics or build software, whatever, and go find an open source project and try to get involved. It’s a great way to learn a whole bunch of skills. I mean, to be able to learn how to write better code, but also how to navigate, you know, the inevitable politics when you have more than, you know, two humans involved. The communication skills, the politics, the collaboration. 

I think you can learn a lot from open source, especially if you’re, you know, let’s say in high school or college and you don’t necessarily have the ability to get a job here. You can go get some real-world experience through open source projects and there’s open source for basically everything. So you know if you’re into rockets or planes whatever go find something it’s out there. It’s even easier today than it was, you know, 20 years ago, right? And and that would be my advice. 

CRob (19:44)
And finally, do you have a call to action for our listeners to help kind of inspire them?

Brian Fox (19:50)
If your organization can’t immediately assess — if I were to tell you about a new vulnerability right now that you never heard of, if you can’t immediately assess — if you’re even using that component anywhere in your organization or further, you can’t quickly produce the list of applications that are using that, then you’re basically powerless to respond to this next problem, right? That situation I just described is what most of the world went through in, what, December 9th, 2021, when Log4Shell dropped on them. 

We have studies, it was in the 2022 report, and I think we probably repeated it in 23, that showed organizations that had tooling in place were mediated their portfolio of thousands of applications within days versus other organizations that spent six months doing triage. So if you can’t immediately have a system that can tell you, are you using this component anywhere, any version of it, and you can’t get to the point of saying, we are using this precise version in these applications, then you need to solve that problem immediately. If only to prepare for the inevitable next thing than to prepare for the legislations that are going to require you to have the SBOMs.

And I would add, if you have solved that, then you need to be looking at these intentionally malicious problems because those require different solutions. They’re not going to show up in SBOMS. They’re trickier because they’re attacking the developer as soon as they download them. So if you think you have your inventory under control, you need to ask yourselves, how would I know if a developer downloaded one of these typosquatted components that may have dropped a backdoor or might have had custom code that simply exfiltrated data directly in the open source? Your traditional scanners are not going to pick this up. So I guess that’s two things depending on where you sit on that spectrum.

CRob (21:39)
Well, excellent. I appreciate you have some amazing advice and those are some interesting things to think about and act on. As always, I really appreciate your partnership and your ongoing contributions to help make the whole ecosystem better, Brian. You’re an amazing partner.

Brian Fox (21:53)
Yeah. Likewise. Thanks, CRob, for inviting me.

CRob (21:55)
Cheers!

Announcer (21:56)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/get involved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #8 – Intel’s Arun Gupta and Giving Back to Security Communities

By Podcast

Summary

Arun Gupta is vice president and general manager of Open Ecosystem Initiatives at Intel Corporation and the OpenSSF Governing Board Chair. Arun has been an open source strategist, advocate, and practitioner for nearly two decades. He has taken companies such as Apple, Amazon, and Sun Microsystems through systemic changes to embrace open source principles, contribute, and collaborate effectively.

On July 9-10, the OpenSSF will attend the 2024 OSPOs for Good symposium hosted by the UN. Arun and What’s in the SOSS? co-host Omkhar Arasaratnam will lead a session called “Engaging the Open Source Community.”

Following the symposium on July 11, attendees are invited to come to a secondary event, What’s Next for Open Source? It will feature a collection of curated workshops to discover how to build and gather the skills you need to move forward with open source. Omkhar is coordinating the security track and presenting opening remarks. Arun will offer closing remarks. 

Conversation Highlights

  • 02:13 – Arun’s general outlook on security and life
  • 03:39 – Arun shares his personal background and illustrious career history
  • 09:04 – Comparing the OpenSSF and the Cloud Native Computing Foundation (CNCF)
  • 13:30 – Arun details his work with the United Nations
  • 16:42 – Areas that a lot of security professionals are getting wrong
  • 18:20 – Arun answers Omkhar’s rapid-fire questions
  • 19:08 – Advice Arun would give to aspiring security professionals
  • 20:40 – Arun’s call to action for listeners

Transcript

Announcer (00:01)
A quick programming note: On July 9th and 10th, the OpenSSF will attend the 2024 OSPOs for Good symposium hosted by the UN. What’s in the SOSS? co-host Omkhar Arasaratnam and today’s guest Arun Gupta of Intel will lead a session called “Engaging the Open Source Community.”

Following the symposium on July 11th, attendees are invited to attend a secondary event, What’s Next for Open Source? It will feature a collection of curated workshops to discover how to build and gather the skills you need to move forward with Open Source. Omkhar is coordinating the security track and presenting opening remarks. Arun will offer closing remarks. 

For more information, check out the links in this podcast’s episode description.

Arun Gupta soundbite (00:45)
Sometimes security folks focus too much on the technology. Take a step back. Have that empathy for the customer. Does the customer understand that language? Are you talking in their language? Is the intent of your dialog landing the impact on the customer who’s listening to that discussion? 

Omkhar Arasaratnam (01:03)
Welcome to What’s in the SOSS? I am your host and the general manager of the OpenSSF Omkhar Arsaratnam. And with us today, we have Arun Gupta. Arun, tell us what you do.

Arun Gupta (01:18)
Omkhar, thank you for having me here. I’m really happy and excited to be here. I am the Vice President and General Manager for Open Ecosystem Team at Intel. And that’s my day job. As part of that, I coordinate open source strategy across the entire company, whether it’s software, hardware, all through the stack, why we contribute, how we contribute, how do we bring alignment across different business units.

So that’s quite an exciting venture actually. In addition, because of Intel’s legacy, it allows me to do a lot of chop wood, carry water kind of work in the community. So I’m really fortunate and very grateful to be the chair of the OpenSSF governing board, in addition to the chair of the Cloud Native Computing Foundation governing board as well.

Omkhar Arasaratnam (02:07)
Holy cow, where do you find time to sleep? And you run as well, you’re a runner, is that right?

Arun Gupta (02:13)
I like to run. I think the running is what gives me… I was listening to a podcast this morning and it talks about self-compassion. And I think that’s something that I’m really big on. So it’s very important to be compassionate to yourself. Make sure you’re taking care of yourself so that you can do all of these other things. 

I must say I’m really blessed and fortunate in that sense that people like the way I think, like the way I operate, like the way I treat them, going back to Maya Angelou’s quote, really. So, and I think that’s what has helped me get into the leadership position. There are a lot of wonderful people in this world, but you know, making sure you are listening to people, engaging with people, taking care of them, being empathetic to them. Those are some of the traits that you really need to be in this leadership position. But it really, gives me a satisfactory feeling at the end of the day, being the governing chair of the two of the largest Linux Foundation foundations essentially, and drive them forward.

Omkhar Arasaratnam (03:15)
Your contributions to the community have been numerous and this certainly isn’t your first first day in open source. And I think your numerous contributions to the community is part of the reason why you’ve been elected to such prestigious positions within these two foundations. Can you talk to us a little bit about your history in open source? How long have you been doing it? How’d you get your start?

Arun Gupta (03:39)
Yeah, I grew up in India. I moved to the United States. I moved to the United States back in ‘98. And I was very fortunate to literally go to sun.com/jobs and apply for a job. And I was one of the original JDK team members. And gosh, over two decades ago, we started changing the culture at Sun Microsystems at that point of time. It was a very close source company, Solaris, Netscape application server, all that. 

And then that’s when we started changing the culture at Sun. How do we take this closed source application server and make it an open source application server? And we realized it’s not just about putting the source code over the firewall, but it’s really bringing that people process, culture change, essentially, all of that kind of coming together, essentially. And that sort of…so over 20 years ago is when that bug got into me and I found it very exciting. It’s like, wow, you know, this is core competency of the company and you’re putting that out in the open, but yet that allows you to collaborate with your partner and be able to compete with them as well. That was quite exciting. So back in 2003, 2004 timeframe is when I started getting into that movement and it was still new at that point of time. 

But then, over the last 20 years, that’s the only way I’ve lived and operated exclusively. From Sun, I went to Red Hat, where you will see on their walls of their offices, “First they laugh at you, then they fight with you, and then you win.” And that kind of mantra kind of gets into your blood because that’s the open source philosophy, right? Then I was at CouchBase, then I was at Amazon, part of the open source strategy team, where I was on loan to multiple service teams crafting their open source strategy. 

I remember launching Amazon EKS, Amazon’s managed Kubernetes service back in 2017, and educating the service team that, hey, how do you participate in the open source community? What does it mean? There’s a concept of social dynamics, social engineering that you need to understand. You can’t just submit a pull request and expected to be accepted. So I think that’s the norm that I taught. And then I was on loan to multiple service teams. 

After Amazon, I spent a couple of years at Apple and I was fortunate enough to craft their first open source program office. So I built their first open source program office, went all the way up to the multiple executives, building that case, why Apple should contribute to open source, and a lot of fun over there.

But over the last couple of years, Greg Lavender, our CTO reached out and he says, “Arun, we would like to build open ecosystem culture back at Intel.” And so I’m very fortunate enough here. After a very long time, I feel very happy and excited that all through my management chain to Pat Gelsinger, I don’t have to explain what open ecosystem is. They are the ones that are really pushing the boundary and the entire company is built on…we believe walled gardens prohibit innovation. We believe open ecosystem creates an equitable playground for multiple players to collaborate and also increase the total addressable market so that you can do more fun things on top of that. So I think in that sense, very fortunate to be working at Intel and very fortunate and blessed to be working in this open source movement for the last couple of decades.

Omkhar Arasaratnam (07:07)
What an inspirational story. And it’s, I will second that Intel is definitely one of the examples of an organization that really gets open source. As an old kernel guy, it always used to make me smile to see that the new bits for whatever the new processor was would hit the kernel well ahead of the Silicon being released to the street. And there was a big focus on upstream as well as maintaining the ecosystem that we all enjoy. So thank you Intel and thank you for the work that you do there Arun. 

Arun Gupta (07:41)
It keeps it sustainable. The reason we contribute is because, as you said, Intel has been the largest corporate contributor to Linux kernel for 15 plus years. We contribute there because our customers, when they buy a laptop from Fry’s or Best Buy or an online retail store, they expect when they download Ubuntu or whatever operating system of their choice, it would work out of the box and be able to leverage the latest processors.

And that’s the reason, honestly, we contribute to 300 plus open source projects, whether it’s Linux kernel, PyTorch, TensorFlow, Kubernetes, OpenJDK, and a wide range of projects, because it’s a customer obsession that truly gets us there. And that’s what makes open source sustainable as well.

Omkhar Arasaratnam (08:24)
See, I know you’ve been doing this a long time because you mentioned Fry’s and they’ve been defunct for three years.

Arun Gupta (08:30)
(Laughter) I still love that place. It’s funny because in our neighborhood, Fry’s have been converted into a pickleball court now here.

Omkhar Arasaratnam (08:38)
(Laughter) No kidding. We’ll have to play pickleball the next time I see you. 

Arun Gupta (08:42)
That’s right, yeah!

Omkhar Arasaratnam (08:43)
Switching gears slightly, let’s talk a little bit about the work that you do within Linux Foundation as the board chair for both CNCF as well as the OpenSSF. These are big tasks. I’d love to understand what similarities you see between the security community at the OpenSSF and the cloud native community at CNCF.

Arun Gupta (09:04)
A lot of commonality. They are both, as at Intel we call as, BHAG. Big Hairy Audacious Goals. Both these foundations have those BHAGs essentially. I mean, if you think about CNCF is about how do we make cloud native computing ubiquitous, no matter where you are? And similarly, OSSF, Open Source Security Foundation, talks about how do we secure open source software for the greater public good? 

But there is definitely a lot of similarity between the two foundations. They’re both Linux foundation sub-foundations. They both have a governing board. There are 28 members in CNCF and 23 in OpenSSF per my count this morning. They both have a technical body like CNCF has the technical oversight committee, and OpenSSF has technical advisory council. So both have that element. Now, CNCF also has a technical advisory group, which is about security, where they dig into the details of how do you secure cloud native infrastructure? Security is the most boring thing, right? I mean, it works until it doesn’t work and then everything breaks. So I think that’s a super important element. So you could…

Omkhar Arasaratnam (10:13)
When it’s done well, it’s very boring.

Arun Gupta (10:15)
(Laughter) Right exactly. (Laughter) So I think it’s very important that security is job number one, even in cloud native computing. You can make it ubiquitous, but if it’s not secure, it’s absolutely useless in that sense. So I think that’s the way they think about it. There is a tag security where there is deep focus on how do we make sure that we are making this secure? But so far, that focus has been only on the cloud native computing. And I think that’s exactly where OpenSSF shines up. 

OpenSSF is fulfilling a gap. which is looking at a bigger, broader landscape to identify how do we secure the broader open source software? That’s where tools like OpenSSF Scorecard, Salsa, Sigstore, these are the tools. There is no need for CNCF or any other foundation to create those. That’s where OpenSSF is bringing out these tools that will plug in right there the gaps that CNCF is feeling and any other foundation is feeling.

Within OpenSSF and CNCF, of course, there is a lot of collaboration, but the tools that OpenSSF are creating are available for the broader open source community. So whether you are Apache or Eclipse or in any other community for that sake, those tools are widely available. And let’s be deliberate, let’s be conscious about what kind of interactions can be done to make the cloud native computing more secure so that it fulfills both of our joint agendas and win -win situation. 

And honestly, the way OpenSSF looks at it is as we are creating tools, we can create the tools in silo, but if those tools are not implemented or agreed upon by other communities, again, they’re going to be meaningless. So really making sure that as we are creating this OpenSSF scorecard, how they could be adopted across a wide range of CNCF projects, whatever specifications we come up with, we created secure software development guiding principles. Like, how do you make sure that your software is built using a secure covenant? Now we could come up with a covenant, but really working with CNCF saying that, okay folks, as you are building your project, here are these guiding principles that you should be following. 

So I think in that sense, there’s a very strong cohesion between, the stuff that is being done by OpenSSF and then implemented by CNCF. And again, the idea is if there are gaps identified, there is a clear communication channel, which is more important so that they can give feedback to us. There is of course a public channel, but there is a strong backend channel as well, which enables that high bandwidth communication for the leaders to communicate and share details.

Omkhar Arasaratnam (12:54)
Absolutely, and we have definitely benefited from that back channel and I think the community has definitely benefited from the cohesion, as you put it, that’s been brought together. One of the reasons that many of us get involved with open source and a lot of us are passionate about open source is due to the fact that it’s a public good. I know you’ve done a lot of work with the UN as well and would love to hear your thoughts on the intersection of open source as a public good and what the UN envisages how open source can help the globe.

Arun Gupta (13:30)
Yeah, when the United Nations created these Millennium Development Goals — what they used to call as MDGs at the turn of the millennium, smack at the beginning of the century — those goals were, again, BHAGs, you know, big hairy audacious goals. No poverty, no hunger, no crime, racial, you know, minimize racial injustice, gender equality, beautiful climate policies, you know, policies and all of really wonderful audacious goals. 

And as I’ve been involved with the UN for the last year or so, it’s been really exciting and very humbling experience, because it’s very clear, you have these goals, but the way to solve these goals, of course, is a human element. But a large part of it is a technology element. So last year, I was involved with TED AI, which is a brand new conference, which is again a section of TED, a type of a TED conference that was started in San Francisco last year. 

So last year we worked with TED and the UN to run a hackathon. And the hackathon basically had about 130 participants from all over the country, which basically took a shot at how can we solve this UN sustainable development goals using open source technologies, leveraging AI and cloud native technologies, essentially? vSo that was pretty exciting. 

A couple of months ago, we had KubeCon Paris, and that’s where we had again a very tight collaboration with the United Nations and the Office of Technology within the UN. Really, really good discussion. There were folks from the United Nations who came to the cloud native hacks, which is basically the hackathon that we did at KubeCon, where they talked about the importance and the relevance of the Sustainable Development Goals. These were started at Millennium Development Goals, but 2015 they realized it’s not just about the Millennium, it’s about the sustainability of the humankind. So the name was changed from MDGs to SDGs. 

A very beautiful, a very humbling effort. And I’m very excited to continue that partnership with the UN going forward. Looking forward, we are going to KubeCon Salt Lake City. So we’re going to have a cloud native hacks over there. Highly, highly encourage to bring more and more such places where we can bring that UN hackathon to different events and make an impact to the SDG, essentially making the world a bit more sustainable.

Omkhar Arasaratnam (15:55)
Those are definitely some big, hairy, audacious goals, but also, I think, goals that are good for humankind. And it’s very encouraging to hear this kind of collaboration. I’ve been doing security for a long time. I’ve been doing security for about 20 years. But I always self-identify as a software engineer first that happens to have been doing security for a very long time. 

With that perspective, I personally find there’s a lot of things that security folks just, I guess in their intent of being incredibly security-oriented, that they miss from your perspective. As a software engineer for a very long time. What are security folks getting wrong? 

Arun Gupta (16:42)
Yeah, I think when I think about a conversation, I always think in terms of empathy, that what is my end customer? What do they want? What is the problem that I’m solving for them? That’s super important. Sometimes the security folks focus too much on the technology. Take a step back. Have that empathy for the customer. Does the customer understand that language? Are you talking in their language? Is the intent of your dialogue landing the impact on the customer who’s listening to that discussion? 

The second problem, which is funny enough, is not the technology. Humans are often the weakest link in security. So as security professionals, we sometimes overlook the importance of training and awareness programs for employees. Or we underestimate the potential impact of social engineering attacks. How we could have people just maneuver their way, particularly given how prevalent open source is, how 90 to 9 % of the infrastructure is relying upon open source. For two years, somebody could just social engineer their way into it and then plant something in the software is pretty dynamic. So I think how do we understand the social engineering part of it?

And I guess the last part really is the comms part of it. We need to work very closely with other departments — IT, legal management, developers — making sure the comms are being sent out on a regular basis, the trainings are being done regularly. So focusing on these elements would only make it that much more impactful.

Omkhar Arasaratnam (18:20)
Valuable insight is always Arun. We’re gonna move into the rapid-fire section now.  Okay, spicy or mild food?

Arun Gupta (18:29)
I would say spicy. I’ve always been a spicy person. I like that.

Omkhar Arasaratnam (18:32)
All right, text editors, Vi, VS Code or Emacs?

Arun Gupta (18:36)
Vim, actually.

Omkhar Arasaratnam (18:38)
Vim is the winner! Now this is a highly controversial question. Tabs versus spaces? 

Arun Gupta (18:44)
Oh, yeah, spaces, baby spaces. 

Omkhar Arasaratnam (18:47)
Spaces, all right!

Arun Gupta (18:48)
Yeah, I’m not gonna lose a relationship over it, but spaces it is.

Omkhar Arasaratnam (18:50)
(Laughter) All right, to close us out Arun, for somebody that’s entering our field today, maybe somebody that just graduated from an undergrad in comp sci or somebody that’s making a career change to move into our field, what advice would you have for them?

Arun Gupta (19:08)
Yeah, I was talking to a friend’s son actually, you know, this kid is in high school and up until now he wanted to be a lawyer. And then one day he just comes to the house and he says, I want to be a cyber security professional. And my eyes immediately lit up. I said, “Oh, that’s fantastic! What do you want to do?” And like, I had a very interesting conversation with him. And of course I pointed him to all the training and the certifications and the courses that are offered by OpenSSF. 

My general advice is with ChatGPT with so much of internet resources available, which were not available when I was in college or when I was growing up initially, there is no lack of knowledge. Have that genuine curiosity, dig into it. Don’t be afraid of AI. Embrace it, use tools like ChatGPT to bounce your ideas, build that prompt engineering skill. 

What do you want to really do? Dig into the why of it. Look under the hood, see what’s going on and what could you do? And most importantly, if you find there is a place where you can scratch your itch, do it, contribute. And the more you contribute, the more you collaborate, the more you get your name out there, the more you build the credibility. And, remember, it’s a marathon, it’s not a sprint. So be in it for the long haul.

Omkhar Arasaratnam (20:35)
That’s great advice, Arun. What’s your call to action for our listeners? What would you have them do following this episode?

Arun Gupta (20:40)
I would really encourage them, again, seems to be self-serving, but I would really encourage them to take a look at openssf.org. Look at all the wonderful resources, training, education, certifications that we provide over there. Take a look at that. Come to an event. Go to your local meetup. And the last one, which is very important that I’ve seen particularly people who are graduating out of college don’t have that imposter syndrome. You know, I was there exactly where you are right now 25, 30 years ago, and all it takes is perseverance, grit, and resilience. So just have that in you and roll with it.

Omkhar Arasaratnam (21:22)
Thank you so much, Arun. It’s been a pleasure having you and hope to speak to you again very soon.

Arun (20:21:26)
Thank you so much.

Announcer (22:27)
Once again, for more information about OpenSSF’s activities at the OSPOs for Good symposium and the follow-up event, What’s Next for Open Source, check out the links in the episode description of this podcast. And be sure to catch every episode of What’s in the SOSS by subscribing to the podcast on Spotify, Apple, Amazon or wherever you get your podcasts. And to learn more about the OpenSSF community, visit openssf.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #7 – Stacklok’s Adolfo García Veytia Digs Into SBOMs and VEX

By Podcast

Summary

The world of software bill of materials (SBOMs) is both complex and fascinating. And few people know the SBOM community better than Adolfo García Veytia — aka Puerco — Staff Software Engineer at Stacklok. Puerco is also a Technical Lead with Kubernetes SIG Release specializing in supply chain improvements to the software that drives the automation behind the release process.

He’s also one of the original authors of OpenVEX, an OpenSSF project working towards a minimal implementation of VEX that can be easily embedded and attested. Puerco is also a contributor to the SPDX project and a maintainer of several SBOM OSS tools. He’s passionate about writing software with friends, helping new contributors and amplifying the Latinx presence in the cloud-native community.

Conversation Highlights

  • 01:04 – Puerco shares his background
  • 02:21 – What SBOMs are and why they’re so important
  • 06:42 – An overview of standards in the SBOM space
  • 09:58 – Puerco details his work on VEX projects
  • 14:05 – Puerco enters the rapid-fire portion of the interview
  • 15:06 – Advice Puerco would offer aspiring open source or security professionals
  • 16:12 – Puerco’s call to action for listeners

Transcript

Adolfo García Veytia soundbite (00:01)
So imagine if you were looking at the video and you see the cook not washing their hands when they cook. That would suck, right? We see a transparent supply chain kind of in the same spirit. The more information you have about your supper, you may be able to do better decisions on whether or not to consume it.

CRob (00:18)
Hello everyone, I’m CRob. I do security stuff on the internet and I’m also a community leader at the OpenSSF. And one of the cool things I get to do as part of the OpenSSF is I get to co-host What’s in the SOSS podcast. With us this week, we have my friend Adolfo, who goes by the handle Puerco out there on the internet. Puerco, bienvenido, al show.

Adolfo García Veytia (00:41)
Gracias, CRob. It’s super exciting to be in a podcast, but also in a podcast with one of my favorite people in the world. So thank you.

CRob (00:50)
I know, right? For those uninitiated in the audience, they might not be aware of the origin story of yourself. Could you maybe just explain a little bit of like what you do with open source and upstream and just kind of maybe some of the projects you’ve worked on?

Adolfo García Veytia (01:04)
Yeah, for sure. I’ve been working on open source projects probably over 10 years or so. I started contributing back in the era of Perl, writing, you know, filing bug reports and documentation for Perl modules. Then did some contributions for PHP. And then when I really started doing more contributions was when I joined the Kubernetes project.

I started up going up the ladder and I became one of the technical leads for Kubernetes Secret release where I specialized on the release process and working on the security features that we have in our releases. And then from then, I started creating lots of different tools that we needed to secure Kubernetes itself, which some of them became projects of their own. And now I’m working on some of the same stuff here in the OpenSSF.

CRob (01:59)
Nice, excellent. So I have a very important topic that you and I get to talk about all the time, but the audience might not be as familiar with. Let’s talk a little bit about software bills of materials, SBOM. Could you maybe describe why SBOMs are important for both developers and also downstream consumers?

Adolfo García Veytia (02:21)
Yeah, for sure. So SBOM, the software bill of materials, to give it a description of what it is in a short sentence, it’s just a list of components that make up your software. That’s the most basic definition of it. Some people may be familiar with SBOM or if not what it is with a term because of some legal requirements and regulation that has come up.

But the fact is that SBOM is kind of the base of the transparent supply chain. So if you’ve seen the news in the past couple of years, there’s a big push to make our software supply chain more secure. And that means can I do good decisions on the risk I’m taking when I’m ingesting third-party software? And to me and to some other SBOM enthusiasts, SBOM is kind of the base of that transparent supply chain. So the way we’re trying to make the supply chain more secure is combating it with information.

So whenever, imagine if you went to a restaurant and before you tried your dinner, imagine you could know exactly the ingredients that went to it, who cooked it. Imagine if you could see a video when they were cooking it. That would give you the ultimate assurance of your plate, right? Of your dinner plate. So imagine if you were looking at the video and you see the cook not washing their hands when they cook. That would suck, right? So we see a transparent supply chain kind of in the same spirit. So the more information you have about your software, you may be able to do better decisions on whether or not to consume it.

And this one is kind of the first layer of that transparent supply chain. As a developer, when you have an SBOM about your project, you kind of have a key to go to a lot of different services that are starting to come up to ask information about your dependencies. So for example, I think the most basic use case is you go to a security scanner and you present an SBOM and say, okay, scanner, give me all of the vulnerabilities that you know are present in this SBOM. And based on the information on your SBOM, the scanner replies back. So that’s kind of the basic use case I see for it.

CRob (04:38)
That’s pretty cool. And I’m correct in remembering there are different types of SBOM. SBOM isn’t just one monolithic thing. You might issue or create an SBOM at different points within the development process, right?

Adolfo García Veytia (04:5:0)
Yeah, exactly. So as the software lifecycle moves forward from idea to software repository or code base to builds and deployment, more information becomes available. And some of the information that goes into your SBOM may not be, it may not be possible to know it at the different stages of the software lifecycle.

So to give an example, if your project requires OpenSSL and it’s dynamically linked, you will not know the effective version until you deploy that binary and it links against your system binaries. So based on that idea that information becomes available as the software moves forward, different kinds of SBOMs have been developed. So there’s the design SBOM, which captures more or less the plan that you want to do.

There’s the source SBOM that looks that a generator looks at your code base, extracts the information that it can and gives it back to you. And then there’s a build SBOM where once you run the build, your compiler or interpreter may do the decision on which version of the dependencies it’s gonna pull down. And even the dependencies of the dependencies, because those may change as your dependencies get new releases. And that gets captured.

And then there’s the, I think the next one is analyzed where basically you take something like an SCA scanner and then point it at your artifact, make some deductions by looking at it from the outside. Gives you that, gives you another kind of SBOM. And finally, there’s the deploy SBOM, which looks at your software once it’s installed and running in a system.

CRob (06:32)
Wow. It’s a lot to keep track of. What types of tools or what are some of the standards that people might bump into in this SBOM space?

Adolfo García Veytia (06:42)
Yeah, so there are two main standards of SBOM. One is SPDX from the Linux Foundation, and the other one is CycloneDX, which is hosted on OWASP, currently undergoing standardization as well. Both standards are more than enough to capture that list of materials. Both standards share more or less the same abstractions when regarding that list of components. And both standards have also grown to capture much more than just a list of dependencies. They can capture things like build provenance and information about machine learning and AI workloads and others.

CRob (07:21 )
And I know that there’s a couple tools that you’re personally involved with. Can you talk about your project, Protobom, and then the bomctl?

Adolfo García Veytia (07:30)
Protobom was born out of a contract or yeah, I think the Radware’s contract from DHS and CISA. They put out like a call for to design a way to exchange information between those formats, and then the company I was working on back at the time, we looked at it and decided that it was a good opportunity to create one abstraction that can handle any SBOM data so that you could basically work with any kind of present or future SBOM formats and without having to care about the implementations. There are a bunch of reasons why. I could happily go, but probably it’s too boring for non-SBOM nerds like me.

CRob (08:19)
No, I think that’s really cool that such a thing exists. Pretty awesome.

Adolfo García Veytia (08:23)
If you think about SBOM tooling as a stack, at the very bottom you have the very strong foundations of both formats, CycloneDX and SPDX, but then Protobom is kind of the next layer in the stack. So that gives you like a universal IO layer to write and read between two formats in your application. That sits on top of Protobom.

And on top of Protobom, we’ve seen a number of tools starting to use it to interact with the formats, but also work with SBOM data. One of those is a bomctl. So full disclosure, I’m not yet part of the bomctl project. I work closely with them because it’s based on Protobom. And the idea of bomctl is that it will be a CLI tool to basically do the most basic operations that most people need to do with SBOMs. Things like updating data in your SBOMs, mixing them, changing formats, those basic operations that most people need to do when they get an SBOM, process an SBOM or share an SBOM are going to be handled by bomctl.

The aim is that bomctl, will provide that great user experience in the CLI, but also the idea is that Protobom will house the required functionality to perform those operations.

CRob (9:43)
So let’s talk about another SBOM-adjacent effort that you and I get to collaborate on together. VEX, the vulnerability exchange. Could you talk about what VEX is and how it kind of plugs into or complements an SBOM?

Adolfo García Veytia (9:58)
Yeah, for sure. So VEX, the way I see VEX helping the overall situation of the secure supply chain is that its main goal is to reduce noise. So part of the work that anybody trying to assess the risk in their supply chain involves triaging vulnerabilities. So when you have a super transparent supply chain as enabled by SBOM and other technologies, you start to get more information.

And with that information, you get things like false positives in scanners. And when your SBOM starts to capture things like your build environment or your build tooling and the dependencies in our container image, you start getting more and more components, which leads to more and more false positives. So to combat this, the idea of VEX came up in the SBOM circles organized by mainly CISA. So VEX, the Vulnerability Exploitability Exchange, is a way for software producers or I hate the word producers, but maybe software authors or maintainers to communicate the impact that vulnerabilities and their components have on their software.

So to give you an idea, if I share a container image and it has some old operating system package that I’m not using, it cannot be triggered in any way, that vulnerability may show up in my user scanners when they scan my container image, but they may not be affected. So VEX is a mean for me as a software publisher to create a small bit of information that gets communicated to my consumers, ideally to their scanners, so that those warnings can be, if not turned off, given more context so that they can make better decisions, and especially to help them triage those vulnerabilities more in a more efficient way.

CRob (12:00)
And when folks are issuing VEX statements, there’s a couple different types, a couple diffrent states that that statement can represent. And what are those?

Adolfo García Veytia (12:10)
Well we think about VEX as a one-shot message that turns off the lights in my security scanner, so to speak. But in reality, VEX is designed to be a communications channel to inform downstream consumers of the whole life cycle of the assessment of vulnerability in my project. So when a new vulnerability gets discovered or reported in one of my dependencies, VEX can give me different statuses that I can communicate to inform them about the evolution of the assessment. So you start by issuing a VEX statement that says that the vulnerability is under investigation, letting them know that you’re aware of it and they’re looking at it. So it’s not getting ignored.

Then the next one, once you have an assessment, you can send another message telling them you’re affected. So if it pops up in their scanner, it’s a true positive, but more importantly, you can send through the VEX channel some extra information about how to mitigate or other information. Or you can also let them know that it’s not affected and then you can inform them why not and that message can potentially turn off some lights or warnings in scanners and alerts. And the last one is fixed, right? So if I got a new release but that new release is showing up as vulnerable, you can send a fixed message.to let them know that this new release is not affected.

CRob (13:35)
It sounds like a really useful kind of emerging tool. I’m looking forward to watching this develop.

Adolfo García Veytia (13:42)
Yeah, I mean, we’re excited on how this is evolving and because it’s a really simple communications channel.

CRob (13:50)
Excellent. Well, let’s move on to the rapid-fire part of our questions. I’m gonna have a couple questions, and generally they’re binary, but if you want to add a little embellishment, please do. First question, spicy or mild food?

Adolfo García Veytia (14:05)
Oh, spicy, of course. I’m Mexican, what else?

CRob (14:12)
(Laughter) Well played, sir. Next question, VI or Emacs?

Adolfo García Veytia (14:18)
VI but not by choice, just by default on my distro.

CRob (14:23)
Do you have an alternative, better alternative?

Adolfo García Veytia (14:25)
Yes, I use JOE.

CRob (14:27)
I haven’t heard
of that one. I’ll have to look that up. Very nice. And our last question, very controversial out there in the ecosystem, tabs or spaces?

Adolfo García Veytia (14:37)
So my thinking is tabs, but I’ve been finding out that spaces plays better with others. So I like tabs because you get control of the indentation visually, but most everywhere it doesn’t work as expected. So I end up defaulting to spaces.

CRob (14:57)
Excellent, excellent. So now as we wind down, do you have any advice to someone? A young developer or someone getting into open source or cybersecurity that any advice for these newcomers to our field?

Adolfo García Veytia (15:06)
Oh yeah. So first of all, the two most important pieces of advice that I can give: one, do not be afraid to take on projects, to ask questions, most importantly, ask your questions. You’ll find that most open source nowadays is very friendly. And the other is show up. Most of those communities are built by people who recognize each other. Even just showing up, showing your face, hearing about the problems, giving simple or complex opinions, everything is super valid. Sometimes just listening to others rant is super valuable. And that’s how you find yourself super quickly on a track to become a maintainer of one of some of the most important projects out there. Yeah.

CRob (15:59)
That’s awesome. Thank you. That’s good advice for newbies. And final question here. Do you have some kind of call to action? Are you looking to inspire our listeners to maybe take up some causes or help out somewhere?

Adolfo García Veytia (16:12)
Yeah, for sure. So I probably could have some calls to action for both projects. So for Protobom, I think we’re looking for folks who maintain SBOM tools. So right now, the strongest implementation is in Go. So if you have an SBOM tool in Go and you want to or you’re planning to start a new SBOM project in Go, come talk to us or look at our repos in github.com slash Protobom.

We hope that you’ll find the project very compelling and helpful for your new project or existing project. So let us know if something is missing or whatever. Also, if you’re familiar with SBOM and in another language, we would like to see more implementations of Protobom in other languages. That’s one.

And for OpenVEX, help us bootstrap the ecosystem. So we’re trying to spread little VEX feeds wherever we can so that when you build artifacts, we can start recognizing those VEX feeds and trying to issue more accurate vulnerability scans. So if you want to help out, let us know and we can help you kick off your your VEX stream.

CRob (17:29)
Excellent. Well, thank you so much for joining us, Adolfo. I really appreciate your collaboration and your leadership in the upstream ecosystem. Thank you for joining What’s in the SOSS? today.

Adolfo García Veytia (17:39)
No, thank you for inviting me, CRob. I’m always happy to chat with you.

CRob (17:43)
Excellent.

Announcer (17:44)

Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?