

Organization: Open Source Technology Improvement Fund, Inc. (OSTIF)
Contributor: Amir Montazery, Managing Director
Website: ostif.org
Critical open source software (OSS) projects—especially those that are long-standing and widely adopted—often lack the resources and systematic support needed to regularly review and improve their security posture. Many of these projects are maintained by small teams with limited bandwidth, making it challenging to conduct comprehensive security audits and implement best practices. The risk of undetected vulnerabilities in these projects presents a growing concern for the broader software ecosystem.
To address this gap, OSTIF leverages its OpenSSF membership to conduct rigorous security audits of critical OSS projects. Using a curated process rooted in industry best practices, OSTIF delivers structured security engagements that improve real-world outcomes for maintainers and users alike.
Through active participation in OpenSSF’s Securing Critical Projects working group and Alpha-Omega initiatives since their inception, and through strategic partnership with organizations like Eclipse Foundation, OSTIF receives targeted funding and support to carry out its mission. These collaborations help prioritize high-impact projects and streamline audit administration—despite the inherent complexity of managing funding approvals and coordination.
It is pivotal that these important projects receive customized work. Each open source project is unique, and so are its security needs, which makes standardizing audits difficult. OSTIF invests the time and expertise needed to scope and organize each engagement around the project’s interests, requirements, and budget, so that every dollar spent on open source security is an effective one.
OSTIF also incorporates other OpenSSF tools and services such as the OpenSSF Scorecard and the broader Securing Critical Projects Set, which complement its robust audit methodology and offer additional layers of insight into project health. In an ecosystem that is varied and complex, having security resources that can be applied to all projects contextually to generate impactful and sustainable security outcomes is incredibly valuable to all stakeholders, especially OSTIF.
OSTIF’s work has demonstrated the effectiveness of formal security audits in strengthening OSS project resilience. As a member of OpenSSF, OSTIF has been able to expand its reach, increase audit throughput, and reinforce the security practices of some of the open source community’s most essential projects. Since 2021, OSTIF has facilitated numerous engagements funded by OpenSSF. In March 2025, OSTIF published the results of its audit of RSTUF, carried out with OpenSSF’s funding and support. Two more Alpha-Omega-funded engagements will be published later this year.
“OSTIF is grateful for the support from OpenSSF, particularly for funding security audits both directly and via Project Alpha-Omega, to help improve the security of critical OSS projects.”
— Amir Montazery, Managing Director, OSTIF
In addition to the technical improvements achieved through audits, OSTIF’s OpenSSF membership has fostered valuable connections with project maintainers, security experts, and funders, creating a collaborative ecosystem dedicated to open source security. Building a community around security audits is one of OSTIF’s goals: by sharing resources and giving researchers a platform to present audit findings at meetups, OSTIF aims to grow the security expertise of, and access to security knowledge for, the average open source user.
To learn more about OSTIF’s work, visit their 2024 Annual Report. Visit their website at ostif.org or follow them on LinkedIn to stay up to date with audit releases.
In this enlightening and entertaining episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes. From her academic roots to her entrepreneurial journey, Dr. Hayes shares how diversity, equity, inclusion, and accessibility (DEIA) drive sustainable growth—and how she found inspiration for her TED Talk in the wisdom of Yoda. The two discuss the myths around DEIA, how the Jedi Council reflects ideal collaboration, and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.
00:00 – Introduction
01:30 – Career Journey
03:10 – Navigating DEIA in Today’s Landscape
07:49 – TED Talk Inspiration: Star Wars & DEI
11:31 – The TED Experience
13:12 – The TED Talk Message
14:38 – Favorite Yoda Quote
16:34 – Rapid Fire Round
18:37 – Final Thoughts
19:10 – Outro
00:18 Yesenia Yser:
Hello and welcome to this podcast where we talk to interesting people throughout the open source ecosystem. My name is Yesenia Yser, I’m one of your hosts, and today we have an amazing treat. I’m talking to a very, very dear friend of mine and someone that comes from a galaxy far, far away, Dr. Eden-Renee Hayes. Eden-Renee, please introduce yourself to the audience and tell us a little bit about yourself.
00:45 Dr. Eden-Reneé Hayes:
I just have to say how fun it is to be announced as an amazing treat and from a galaxy far, far away. Not taken from your TED Talk, was it? So again, I’m Eden-Renee, or Dr. E is also totally fine. But basically, I’m in that dirty little acronym, DEI, diversity, equity, and inclusion. But I basically help companies to drive sustainable growth through inclusive strategies, aligning people, purpose, and performance, which basically leads to them keeping their employees longer.
01:20 Yesenia Yser:
Nice. And then we’ll start with the first question. I’ll continue on from that. For those who may not be familiar with the background, can you share your career journey with us?
01:30 Dr. Eden-Reneé Hayes:
Sure. I have been in academia for a really long time, but now I am an entrepreneur, so I’ll fill in the gaps. So I was a tenured professor. My area within psychology is social psychology. So I’m not a clinician. I’m more studying the research. I’m working in research and understandings around what happens with people in different situations. And with that, I always focused on the ideas related to diversity, equity, and inclusion. So from academia, I moved into administration, but still in colleges. And I liked doing that because I had a much greater impact on what was going on at each school. I was also the director of a multicultural center, but then I decided to branch out and become a solo entrepreneur, where I have that opportunity to help companies to be able to use my vast knowledge within social psychology to be able to figure out what they need to do in order to have more equitable hiring practices that are fair for everybody, to be able to keep their employees with inclusive practices and lots of other things in between.
02:38 Yesenia Yser:
Nice. And that brings you here to today. I believe you own your own, you run your own consulting business, if that’s what I understood. That’s right. Nice. Given that, and with the recent shifts in the U.S., I’m sure that’s kind of taken a little change in the way you approach now, especially with the U.S. administration stance on DEIA, diversity, equity, inclusion, accessibility. What challenges have you observed in the industry?
03:10 Dr. Eden-Reneé Hayes:
Of course. Yeah, no, it feels like a lot of people are worried. Yeah, absolutely. I mean, I think it’s important to think about all of the things that they were doing previously, and is that consistent with the legal landscape? And actually, it is. DEIA is not illegal. As stated by 16 different attorneys general, and to make it very, very clear that all of those best practices are still 100% legal because they’re consistent with the things that have been placed into law that are much harder to overturn than with just an executive order. What’s also very interesting to me is the executive order’s focus on merit and fairness, and so does DEIA. So that is one of the wonderful things is just really reiterating to people, this is what’s going on. We were always about fairness. We were always about ensuring that the person that has the greatest merit gets the position. But DEIA is not just about hiring and just about, like, talent acquisition. There’s more to it, because DEIA also focuses on those external things, like the way that we present our companies to the masses. So how is it that we can do that in a way that is inclusive, that is reaching all of our potential clients? Because we have a very, very diverse world, and it’s getting more and more diverse by the minute. Literally, each, you know, like, there’s a new baby born every minute. A lot of those babies, they’re all people of color. And what we see now is, what is it? I think something like 46, 49% of Generation Z are people of color. So Generation Alpha, who are currently in elementary school, are even more diverse ethnically. But that’s not the only diversity we can have. DEIA is also not just about what’s going on with ethnic groups. It’s also gender. It’s gender identity and expression. So that’s a big part of it. And I think that’s thinking about our trans and non-binary friends. It’s also disability.
What about neurodiversity in the workplace? What about well-being in the workplace? It’s also about different people and their needs regarding the different languages that we speak, the different passports that we may hold. It’s so many different, of course, sexualities, so LGBTQ. And there’s so many different demographics to be thinking about. If you were actually to try to put everybody in a demographic, it’d be a minority of people that basically don’t fit within one of those, what we call underprivileged or minoritized or basically what tends to be undervalued groups. So it’s a lot more likely that we are going to be thinking a lot about the full human being in all the demographics that we inhabit and what that great benefit is to our various workplaces. So the changes that I’m seeing is really more helping people to understand that to be the truth instead of those myths that people believe about DEI not being about fairness and about having quotas, which aren’t actually legal and weren’t before, about trying to hire people because of their demographics instead of their skills and experience. So it’s a lot more likely that we’re going to be thinking about that. So a lot of the changes that I’m seeing is really just making DEI more clear so that people know that this is what it is. And that’s one of the reasons why I did my TED Talk.
06:59 Yesenia Yser:
Oh, there you go. You’re ready for the next one. I wonder why. But yeah, it just sounds like for DEI, I’m used to saying DEI. So just like my brain’s like, there’s an A. It’s just an umbrella of things because you said it very nicely. It’s the human aspect. And as a human, we identify in different aspects from our gender, from where we live, from the culture’s experiences. But moving on to the next question, you and I actually met at a TED Talk cohort that has continued into this fabulous group. And you recently delivered your TED Talk. Congratulations. It’s one of my favorites. Share with the audience what inspired you to speak on that particular idea. Share what the idea is. And what was the overall experience like?
07:49 Dr. Eden-Reneé Hayes:
Okay, so this is an unexpected answer about what inspired me. What inspired me was actually the failure of my partner to watch Star Wars as a child.
08:04 Yesenia Yser:
Tell us more. I still remember in like college, my first, I’m going to sidetrack real quick. My first job, I was there for like a couple months. They found out that I didn’t watch Star Wars. So they’re like, you cannot work until you watch Star Wars. I spent literally a whole week at work. They paid me just to watch Star Wars. And they’re like, okay, now we’ll give you IT tickets. And I was like, sure. I’m educated now.
08:25 Dr. Eden-Reneé Hayes:
I love that they paid you to do it. And yes, you are educated now. So by the time I, it’s pretty funny. I’m such a Star Wars geek that immediately when my friends found out that he didn’t watch Star Wars, they’re like, oh my gosh, are you going to break up with him now? And it’s like, no, they’re just movies. You just have to sit down and watch them. So we finally did like sit down and start watching. And for the Star Wars geeks out there, we watched in episode order, not chronological release order. That’s a general question that many people will ask. So we start with episode one. So not when they were released, but basically when you’re starting with Baby Anakin. So just watching the movies again in the climate that we’re in, in being an entrepreneur and trying to help people to understand what DEI is and how it’s valuable. And just being in that space, like while watching it next to someone who’s never seen these before and only has like cursory idea of what might happen. And I just started putting two and two together. It’s just like, oh my goodness. I knew that I’m in DEI because like, and I start my TED Talk this way. My mom sat me down and like Yoda was my babysitter. So that, that is how I learned in the first place. And of course I get the education. I literally have a PhD in DEI. I really do have both the lived experience, the sci-fi knowledge, as well as the educational academic background that comes all together in one, but watching it with him, like I had to go grab my phone and pull up the notes app. And start like really typing in that. There’s all of these different ideas and quotes that just like, of course, this is where I am now because this seed in Star Wars, all the diversity that we see. I mean, even look at the Jedi High Council. It’s like, everybody’s from a completely different species and what are they doing? They are working together. Think about if boardrooms looked like that.
You know, if everyone’s coming in from a different angle of their upbringing and of their educational experience, and then, like they’re in the same space, trying to reach the same goals, you’re able to attack that problem with those angles that you need in order to figure out, okay, how can we get to the best place? And most efficiently in with as few hiccups as possible, because you don’t want something to be unrolled. And then it’s like, oh my goodness, we forgot this. And we didn’t think about the impact on this group. And now we’re getting a lot of negative press that you want to think about all those things and ensure that that’s not like, oh, we’re not going to be able to do this. That’s not likely to be the problem. And that you’re not likely to waste time, like trying to go and fix something that shouldn’t have been an issue in the first place. If you had more voices in the room.
11:31 Yesenia Yser:
Yeah, it’s really great. And then what was your experience like with the TED talk?
11:35 Dr. Eden-Reneé Hayes:
Oh my gosh, it was so much fun. For me, it was the epitome of that thing people say about enjoying the journey just as much as the destination. I enjoyed every minute of sitting and writing down, like practicing it and talking about ideas with our TED cohort, with practicing – because one of the things about TED that’s less likely known is that it’s not like, oh, I write down what I want to say. And I get up on the stage and I say it’s like, no, there’s, there’s training, there’s editing, there’s, there’s time, there’s a pretty long runway from you’re going to have a TED to actually being on the stage. It’s not like three days and you’re on the stage. It’s people helping you to figure out how to really, like kind of, act it out a little bit. So that, that was one of the wonderful things. Like I had like a speech coach to help me to make sure that I’m bringing my best self out there. And that’s the great thing, because it’s like, of course, being a professor, I was on plenty of stages, but TED stage is a completely different place than a classroom. So it, there’s a different way to impart information. And it’s still also about kind of like, how you find your writer’s voice. Like you find your, it’s your voice on the stage as well. So that’s totally fun.
12:58 Yesenia Yser:
It’s, it’s a big journey. I can’t wait for mine. I’m so excited, but I’m so glad yours was one of the first, would you like to share with the audience for those that haven’t seen it yet a little bit about what your TED, your TED talk idea was?
13:12 Dr. Eden-Reneé Hayes:
Sure. Of course. So if you haven’t placed two and two together, I talked about Star Wars and DEI at the same time. So what I did was, I specifically focused on quotes from Yoda, because there’s a lot of things you can draw from, but TED, technically you’re allowed to go 18 minutes, but we all know what attention spans look like. So the best case scenario, yeah, best case scenario is your TED talk is in the neighborhood of 10 minutes. So I organized it using Yoda’s quotes, but basically I highlighted, this is what DEI really is, dispel all those myths. I didn’t spend time on like, this is how you define each letter of DEI. Instead, I just, I decided to be a little bit more like fun and animated and like make it not like, no, it’s, it’s TED. It’s, it’s not my class. I’m not going to give you a, like a paper that I’m grading or quiz afterwards. I’m trying to give you all the information that is really applicable in a way that’s also entertaining so that you can see it all there. And, and know that, no, this is really about respect and fairness and being the human being that I know that you want to be too.
14:31 Yesenia Yser:
That’s great. I love your TED talk. And with our last question, what’s your favorite Yoda quote and why did it resonate with you?
14:38 Dr. Eden-Reneé Hayes:
Oh my gosh. There are so many great ones to choose from. I feel like I should refuse to answer. Um, but basically, um, no, my favorite one is, uh, Yoda is training Luke. And Yoda says to Luke, he’s like, Luke kind of gets really frustrated. And Yoda says like, no, like “only different in your mind, you must unlearn what you have learned.” And that’s one of the most fundamental things that we all really need to be doing a better job of is in an unlearning and trying to figure out, okay, what are these messages that I keep receiving that are not satisfying? And I think that’s one of the most fundamental things that I keep receiving. And are not helping me to be the human being that I want to be. And instead are moving us into a place where we have greater division.
15:31 Yesenia Yser:
Nice. I’m going to butcher this one, but you can, you can fix it. You can fix it. “Luminous, luminous beings, are we” that one is one of my favorites, especially the way you delivered it. Um, and then I forgot what the ending of that was.
15:47 Dr. Eden-Reneé Hayes:
Not this crude matter.
15:48 Yesenia Yser:
Not this crude matter. That was one of my favorites.
15:50 Dr. Eden-Reneé Hayes:
Yes. “Luminous beings are we. Not this crude matter.” And yeah, that’s, I use that one to help us to think about how we are, we’re focused on, on ourselves and we’re focused on someone else fitting into a box unless we already know that person and not focused even on ourselves being luminous. And that’s part of DEI too, is stopping and thinking like, no, you are amazing. You are worthy. You are valuable. And you bring value to this space. And so does everybody else that you are encountering. So luminous beings, are we not this crude matter.
16:34 Yesenia Yser:
Love it. I got goosebumps all over again. And with that, we’re going to move over to our rapid fire interview part. So hold your brakes. Don’t get off on your Millennium Falcon just yet. All right. First question. This one, this one might be an easy one. Marvel. Marvel or DC?
16:53 Dr. Eden-Reneé Hayes:
Marvel, but no, no, I’m just going to double down on Marvel, but I, but I do love them both. We go to all, all the movies, except for Venom.
17:05 Yesenia Yser:
All right. For you Venom fans. I’m sorry. Sorry. Next question. Coke or Pepsi?
17:13 Dr. Eden-Reneé Hayes:
Pepsi.
17:15 Yesenia Yser:
Okay.
17:16 Dr. Eden-Reneé Hayes:
More delicious.
17:18 Yesenia Yser:
Okay. We’re a little different there.
17:22 Dr. Eden-Reneé Hayes:
Specifically cherry.
17:23 Yesenia Yser:
I do love the cherry. I’ll give you that one. Books or podcasts?
17:30 Dr. Eden-Reneé Hayes:
Books. I’m an audio book lover.
17:32 Yesenia Yser:
Yeah. I like the physical. I’ll have to listen to like audio books, like self-development audio books, but I just, there’s something about physically holding it and the smell. I don’t know.
17:42 Dr. Eden-Reneé Hayes:
No, I’ll never get through a book if it’s physically there, unless. No, I need audio because I need to read it while I’m like driving and I’m totally destroying the rapid fire-ness of this. You know, while I’m like cutting vegetables or anything, oh, that’s, that’s mindless. So I need the audio books.
18:02 Yesenia Yser:
That’s fine. We’re making this rapid the way we are. Spicy or mild food?
18:06 Dr. Eden-Reneé Hayes:
Oh my gosh. Spicy. Who would go with mild? I mean, like.
18:11 Yesenia Yser:
<Laughs> You didn’t listen to mine then. I said neither, just seasoned.
18:17 Dr. Eden-Reneé Hayes:
No, it needs to be spicy. Yes. No.
18:21 Yesenia Yser:
Must be spicy. Well, thank you for giving us a lovely rapid conversational fire interview. This is, you know, towards the end. Do you want to leave the audience with any last minute words before we close out?
18:37 Dr. Eden-Reneé Hayes:
Oh, just that we really do all need to foster that wonder and curiosity. Instead of believing the things that we already believe, we need to do a better job of venturing outside of our comfort zone and venturing into that learning zone instead.
18:58 Yesenia Yser:
Beautifully said. Well, thank you, Eden-Reneé, for joining us. Thank you for those listening. We’ll catch you on the next episode.
19:10
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Cast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it. Check out the newsletter for open source news, upcoming events, and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.
Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world, including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Since its founding in 2012, every part of the company has focused on open sourcing its work (tools, research, and audits) wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams securing the open source infrastructure that both their clients and the broader technology ecosystem depend upon.
Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:
As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.
Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.
Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.
Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API-compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and the CFP for Open Source SecurityCon.
The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles.
Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.
The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.
The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Backward-incompatible changes to an application programming interface (API) make updating painful, so consumers stay on outdated component versions and known vulnerabilities in them go unaddressed; applying the principles in this guide removes that friction and so eliminates many such vulnerabilities. Read the blog.
OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.
This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.
Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.
#29 – S2E06 “Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community first mindset.
#30 – S2E07 “Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier René-Corail from GitHub discuss the Securing Open Source Software (SOS) Fund, its $10K stipends, lessons from cohort 1, and Maintainer Month.
#31 – S2E08 “Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.
Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
Connect with the OpenSSF Community at these key events:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team