
What’s in the SOSS? Podcast #34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community


Summary

In this episode of What’s in the SOSS?, host Yesenia Yser sits down with open source security engineer and community leader Tabatha DiDomenico for an inspiring conversation about her unexpected path into open source, the vibrant communities behind security, and her role as president of BSides Orlando.

From discovering Netscape in the early days to shaping security strategy at G-Research and OpenSSF, Tabatha shares how her career evolved from necessity to purpose. She talks about the power of DevRel, the invisible work behind sustainable open source, and the magic of volunteering – pro-tip: working the registration table is great for networking.

Whether you’re new to the ecosystem or a seasoned contributor, this episode is packed with insight, warmth, and practical advice on getting involved and staying connected.

Topics Covered:

  • The accidental beginnings of an open source career
  • How DevRel supports healthy OSS ecosystems
  • Building internal open source culture through innersource
  • The impact of local security communities like BSides
  • Advice for contributing, volunteering, and thriving in open source

Conversation Highlights

00:00 The Journey into Open Source
06:10 Current Projects and Roles in Open Source
11:57 Involvement with BSides Orlando
18:07 Understanding Developer Relations in Open Source
27:08 Rapid Fire Questions and Final Thoughts

Transcript

Intro music (00:00)

Tabatha (00:04)
I immediately felt at ease. And I was like, oh gosh, people think, just like me, they, you know, they are curious. They want to break things, they want to put things back together again, and they’re just so generous with their time.

Yesenia (00:18)
Hello and welcome to What’s in the SOSS? OpenSSF’s podcast where we are talking to interesting people through the open source ecosystem. My name is Yesenia Yser. I’m one of your hosts and today we have an incredible treat. I’m talking to a close colleague and an open source extraordinaire, Tabatha DiDomenico, a security engineer that works on our open source. Welcome Tabatha. Welcome to introduce yourself to the audience.

Tabatha (00:47)
So thank you so much for having me today. My name is Tabatha DiDomenico. I am an open source security engineer at G-Research. And it’s been exciting to be a part of OpenSSF in various working groups and capacities over the past couple of years.

Yesenia (01:04)
Welcome. So glad to have you and we’ll start off with one of my favorite questions. Can you tell us about your journey in open source? What sparked your interest and just how has it grown over time?

Tabatha (01:14)
So this is an interesting question. I feel like when I reflect on my journey in open source, it doesn’t quite look like a journey because it was not an intentional thing. When I first began using open source, it was out of necessity. It’s what was available, probably thinking back to Netscape days. And that’s probably my first actual awareness that something was an open source project. A lot of the work that I did at the time, the organizations that I was with, the products that we used internally to power various organizations, we selected them because they were free and happened to be open source. When I think back to how has it been a journey over time, it’s become more intentional. My interest in open source has definitely become an intentional direction that I have set for my career.

You know, when I think back to those early days and using open source out of necessity rather than a desire to give back or to be part of something larger than myself, there was none of those sort of intrinsic, lovely motivators that we had. It was really just out of necessity. And over time I was fortunate enough to be in a position to work with WordPress, and that was sort of the next evolution of my engagement in open source. I had built a small agency for myself doing WordPress development, website development, and also maintenance, and just getting familiar with the community and the resources that were available. It was not something that I had ever seen from any commercial software that I had been a part of. The large corporations don’t necessarily build these beautiful communities around their paid products. Some do.

But it’s incredibly rare, right? And so when I’d seen this, you know, that there were these WordCamps and that there were these hyper local conferences and events that people came together for because of love for the product, love for the community, that was really compelling to me. From there, I had the incredible opportunity to actually get paid to work on open source through a product called the Dradis Framework, which pen testers in the security community may be familiar with, because it’s an open source penetration test writing tool – where it kind of got its start. The founder of the company is originally a pen tester, wrote this tool in-house. All of the other pen testers began using it. It was one of those products that once he open sourced it, the community thought, wow, this is really great. You’ve got something incredible here. Other people begin using it. It sort of became the case of, you know, if you build it, they will come, your users will come, but then the problem began of, how can you support this product in your spare time and still have a life? You know, so that’s when he began to look into, you know, releasing it as a commercial product as well. And so, you know, seeing how community can build around open source and having a hand in starting to shape a community around a product and build a community around a paid version of a product, it further expanded my understanding of how open source can work and how open source can work in business. And now I’m here with G-Research and working with organizations like the Linux Foundation and OpenSSF, going to events like FOSDEM and seeing the scale of open source in our world and knowing that I’ve been involved somehow, it feels really cool. So, you know, now it’s definitely intentional. I get paid to work in open source. It doesn’t necessarily look like me just, you know, writing PRs and pushing them all day long, ’cause my work looks different. And that’s great.
’Cause it’s needed. Yeah. I’m not sure what else to add to that except for it’s been an incredible opportunity to witness the scale of open source and to get an understanding of the breadth of it. It’s fascinating to me, and a lot of the challenges that we face in security around open source are complex and not easily solved, and I like those kinds of problems.

Yesenia (05:53)
Yeah, and just like you said, the scale of it, just from, I think, my first open source conference to the latest, just the number of attendees and people that are aware of them. It’s really great to see in the community. You know, thank you for your contributions and impact to make that happen. With that, I know you just mentioned earlier that you’re starting, you know, a new role. So I’d love for you to share any projects you’re currently working on and just what excites you the most about it.

Tabatha (06:22)
So a lot of my role, a lot of the work in my organization is, I feel like, more of an ecologist than anything else, an open source ecologist. While my title is open source security engineer, a lot of the work that I do is to support and help our organization be good stewards of the open source projects that are important to us or that we value in some way. And so how do I speak for an open source project in their community and ensure that how we’re interacting with that community is appropriate, that our vision aligns with the vision of the community itself and the direction of the product of the open source component, and, you know, how can I best connect our internal resources with projects that I see could benefit by that support is sort of the crux of my work, and making it, how do we responsibly and securely contribute and participate in open source ecosystems? It is, it is. And especially if you have a culture and an organization that’s not necessarily

Yesenia (07:42)
It’s a big challenge in scenarios today.

Tabatha (07:45)
the most familiar with working in an open source way. So some of our recent projects have been, you know, looking at perhaps an innersource initiative and getting our start there, and encouraging folks that have never contributed to an open source project before to gain a bit of confidence in working and collaborating with others in an open source way internally before they take that next step and start thinking about pushing things upstream.

Yesenia (08:20)
Yeah, because it’s interesting, because it’s a whole different culture when you’re going from internal into an external phase. So building that culture inside to then take it out, I think, is a smart way and approach to do it. Yeah.

Tabatha (08:34)
Yeah, yeah. So that’s been one of the very fun projects to work on, and just like I said, connecting folks with projects and solutions that I believe will solve the challenges they’re having or can help point them in a better direction to solve the challenges that they’re having.

Yesenia (08:53)
Yeah, and outside of that, it just sounds like you do a lot for open source, but you know, folks like us, we just add more hats to ourselves. You are the president of BSides Orlando. It was a great conference. I definitely attended last year’s, and I’m sure you are preparing for this year. How did you get it? You have to your head. How did you get involved with the organization, and what’s next on your agenda for that?

Tabatha (09:21)
So this is a fun story and speaks more to how I really embraced that I was working in security already without it being so much of a title, as I was invited to attend Security BSides Orlando 2014. And just to back up for our audience here that may not be familiar with the Security BSides framework: it was born, I believe, in 2011. And it comes from the desire to elevate additional voices, to get folks involved in participating in information security, and to create space for newcomers and to have smaller events that are more local to a community, to bring speakers in to that community. I’m not explaining it well. I’d like to probably try that again. So the Security BSides framework started in around 2011, and it was a group of individuals that recognized that there was a number of speakers that kept returning to the stages of the larger security conferences. And so they looked to have a BSides version of those larger security conferences that was organized by the community, that brought people in and speakers and information in that the local community wanted to hear or needed to hear by the judgment of the organizers, and it has grown from there. It is not an official organization that’s run globally. There’s no, you know, contract that we have to sign. We don’t pay dues up to any sort of umbrella organization. While there is an organization, you know, that’s registered as Security BSides, each Security BSides event, and I believe the last count or last look

I looked at, it was over 200 events annually around the world, is organized by the community in that area. So it makes it, it’s a community’s conference is how I think about it and how I discuss it when we’re talking about planning Security BSides Orlando. So as I was getting back to, what I wanted to share was my story, how I got involved.

I was invited to attend. A friend of mine had been telling me for a while that I was doing security, that I should consider looking into security as a career change for myself and maybe go that direction. And if nothing else, that I would enjoy the community. So I attended BSides Orlando 2014. And I’ve shared this story on stage a couple of times. I picked my first lock at that conference, and it’s like the lockpicking village to information security job pipeline just took hold. But it was more than that. It was more than just picking a lock. It was the willingness of the other attendees and the organizers to share information. It was, I’m getting chills now thinking about it.

Yesenia (12:01)
You got me chills. Like, I’m gonna, I am like,

Tabatha (12:03)
That’s how I felt as I walked in and I was greeted by John Singer, who, I don’t know if you know John Singer, but it feels like everybody knows him, at least, yeah, especially if you’re in the Florida cybersecurity world. It’s hard not to know John Singer. But either way, he was just so welcoming, and here’s this guy who had organized this huge conference in this area, and my first interaction with him was nothing but just welcoming. And it can be so scary when you’re walking into a new environment like that, a new space, even if you have somebody encouraging you to be there and with you. But I immediately felt that ease, and I was like, my gosh, these people think just like me. They, you know, they are curious. They want to break things. They want to put things back together again. And they’re just so generous with their time with the goal of

Yesenia (12:57)
Mm-hmm. helping others.

Tabatha (12:58)
Helping others, yeah. I mean, there’s no, yeah, hacking is, you know, that’s cool and it’s a cool thing to be involved in, but it’s more than that. You know, for the folks that I’m drawn to and for the communities that I’m drawn to, there is this sense of, yes, I need to do this work, and also I’m doing this work because it is meaningful to me, and I recognize that this meaningful work, despite our differences, is bettering your life too. And I think that’s great.

Yesenia (13:31)
Yeah, it’s one of my favorite things about the security communities. You know, one of the first communities I got involved in was security, and everyone was so welcoming that I was just, I was always applauded when they’re like, you know, they knew all the negatives in the space. And I was like, really? Everyone’s been so welcoming and nice, and the tech community and open source like that. So I definitely resonate with that. And lockpicking was one of the first things when I started security. They’re like, you can’t start.

You can’t start your first ticket until you lockpick this. So they gave me like a kit and like three different locks and levels and they’re like, all right, we’ll start you off though. So if anyone’s interested in security, you you got to pick your first lock. You got it.

Tabatha (14:20)
Yeah, I think that’s the direct route I took all the time, but I’m sure that there’s others out there that have gotten their start in cybersecurity after picking their first lock at a BSides event, just like I did. But yeah, I know that it exists. I know that toxic behavior exists in information security, and obviously, you know, in my time, in the years that I have been involved in this industry, I have seen the numbers improve with regards to diversity and folks being accountable for their actions and holding others in the community accountable for their actions. So I don’t want to discount that it can be a difficult place sometimes, both working in security and working in the open source world. But by and large, that has not been my experience. My experience has been more similar to yours, where most of the folks that I have engaged with have been more than happy to sit with me and explain a difficult concept or a new approach, or most of the time they’re just excited to share whatever thing they’re nerding out about, and yeah.

Yesenia (15:27)
That’s it, we just wanna geek out with one another. Like, my god, did you see this new cool thing? Let’s play with it.

Tabatha (15:33)
Yeah. Yeah. We figured out this new way of doing things. We can enumerate blah, blah, blah faster. Like, let me show you. Okay, great. You know, or if I’ve got questions, they’re always more than willing to jump in and help. And from, yeah. So from there, I think that was, like I said, 2014. Later that year, I went to my first DEF CON, which is a whole thing. And I found much the same thing. You know, I found that

the community was very welcoming, and here’s all these people that, you know, have lived very different lives and have very different experiences from my own. And still we’re aiming to solve similar problems, and working together seems like the best way to do that. That year, funnily enough, I had worked with others that had been working. So I went to hacker summer camp that year, that first time,

with others that were paid to do security. That was their job, right? I was still there on my own dime. And there’s a couple of conferences earlier in the week. One of them is Black Hat, and Black Hat is, you know, the more corporate version of the security week, other security conferences out there. And I couldn’t afford to go. So I looked around and I was like, well, surely there has to be a BSides or something. So I looked at BSides Las Vegas, and they were still receiving volunteer applications. I applied and I volunteered that first year at BSides Las Vegas, and I was hooked. That was all it took for me to just fall in love even further with the security community. And from there, it was a couple years before I could come back and get engaged. It was BSides Orlando 2019. I came on as staff and I ran the registration desk for the event that day. And night.

If you want to meet everybody at the conference that you are attending, I recommend volunteering to work at the registration desk, because that is a fast track networking opportunity. And from there, I came on board in 2020. And then I was nominated and elected to take over as the president of BSides Orlando. I think it was the next year. We were still not quite cleared from COVID to be able to have an on-site event.

But in 2022, we returned on site and have been organizing an event annually since then. This year will be my fourth BSides Orlando event as the president. Yeah.

Yesenia (18:09)
Nice. Yeah, it was a great event. I had so much fun there. I did the badge soldering. I went to everything. Thank you for sharing that. It was such a… And for those that… I know you had mentioned Hacker Summer Camp. Just for those that aren’t aware, Hacker Summer Camp is a week long in Vegas where there’s multiple security conferences. You have Black Hat, BSides, DEF CON, Squid Con.

Tabatha (18:33)
Diana Initiative.

Yesenia (18:35)
And Diana Initiative. There might be others that pop up. I know Hacker in Heels, they have their own salon that kind of runs there too, for like women networking events in cybersecurity. So if you’re a security professional, those are, yeah, worth the money.

Tabatha (18:48)
So definitely check it out. There’s a lot of ways to get out there too if you don’t have the funds to attend and maybe we can share some of those resources at some point.

Yesenia (19:00)
Yeah, maybe in the description, we’ll figure that out. I know you just transitioned over to security engineer, but before that you were doing DevRel, developer relations. And this is kind of like a new space in the industry over the last couple of years. What role does DevRel play in the open source ecosystem? For someone new that’s coming in, if this is something that interests them, how could they get started and start contributing meaningfully?

Tabatha (19:22)
That’s a great question. DevRel is a bit challenging to sort of define, because each organization does Developer Relations a little bit differently. I know for our organization it really, like I said before, it’s sort of acting as the ecologist between the open source ecosystems that we’re involved in, our internal communities and engineers, and, you know, acting as sort of the steward between the two. For what that actually looks like in practice, for my job, it is to be good stewards of the projects that we publish and to ensure that the work that we’re putting out in the world is as high quality as possible, that the project is ready to receive users, contributors even, which would be lovely for many of these projects, and the sort of work that needs to be done to encourage new adoption of a project, or to encourage new contributors, or to encourage an existing contributor to consider thinking about becoming a maintainer and taking on additional responsibility. It requires somebody who’s not necessarily bogged down in triaging PRs and doing code reviews. It takes time away. It takes time to sit down and be thoughtful about how do we want to encourage contributions? Do we have a solid contributing guide? Do we make it clear how to get started with even an issue? Do we make it clear on how to be involved in this project? Advocacy for a project, if you recognize that there’s a project that needs just more awareness, like I said before, not all projects are the greatest where you build it, they will come. Oftentimes projects, you know, that are either a hobby project or something that’s new, it needs that awareness building. It’s difficult to stumble across a new project sometimes, just because there’s so much out there, you know, how do you make heads or tails of it.
So doing work for advocacy, doing work where I’m advocating for various frameworks, perhaps like OpenSSF has established through something like S2C2F to understand how to best consume open source into your organization, advocating internally for using additional things like SLSA, you know, and understanding the different paths to SLSA and how that could interplay in your organization. Or even, you know, going out and talking about SLSA so people that work at other organizations have knowledge of these various tools, frameworks and projects that are there to enable folks to do the work of building open source and being secure while working in open source.

Yesenia (22:36)
Yeah, it’s awesome. I know OpenSSF has the DevRel community meeting that happens once a month. I think it’s a great call for folks that are interested to come in and see what the group is working on.

Tabatha (22:49)
Yeah. And there’s lots of opportunities. You know, each of the working groups that OpenSSF has, there’s brilliant people working on solving really challenging problems. Once those problems are solved technically, there still is this bit of advocacy that needs to happen there. You have to take that project and then promote it a bit to get more adopters, because without feedback on how this actually works in practice, you’re not getting the best product, project or outcomes, because the diversity of opinion is so low. And there’s many different ways to solve all of these problems. So the more of us that come together to share how this works in practice, the better we can make it for all of us.

Yesenia (23:31)
And test it too. I think you just got to a good point. Sometimes we just need people to use it and see, does the guide make sense? Like, that was one of the things that hurt me the most when I would pull a new open source tool, was the user guide. And I’m just like, they had all these dependencies installed and I had to figure out which ones to install. And I’m like, can we just add this? Like, what do I need installed before? If I got a brand new computer, what do I need? You know, just to start. Cool.

Tabatha (24:00)
Yeah, that’s one of those things. We work with Major League Hacking, MLH, and I have a Developer Relations fellow each semester. Yeah, great org. If your organization has the ability to get involved with MLH, I encourage you to do so. And if you’re listening to this and you’re a candidate to become an MLH fellow, I encourage you to do it. Every single one of the fellows that has come through our doors has been just top notch.

So that aside, it can be a challenge to introduce DevRel to somebody who’s young and excited about working in open source and they’re chomping at the bit to solve their first technical issue and get to coding, right? And then you have to break it to them. That’s not what we’re doing. We’re doing all of the other stuff, the in-between stuff that has to get done in order for people to actually use this.

And then, you know, they’re just kind of like, oh, well, that doesn’t sound nearly as interesting. And then I kind of do this thing where I’m like, well, do you use any open source in your own time and your hobby projects? Have you ever released anything? Have you ever gone and tried to play an open source game? Is there anything that you’ve seen before? And sometimes they’ll come in and we’ll have, you know, definitely a very clear opinion about open source.

And sometimes they’ll come back and look at it, you know, it just kind of is the thing. But inevitably I always hear back that they have a greater appreciation for good documentation after having worked with us to do DevRel, because they see the value in it now. They understand that it doesn’t just happen. There’s no just running AI on it to generate, you know, quality documentation. Maybe somebody out there has a tool that does it brilliantly now.

But it’s unlikely. There’s always nuance to these things. So I think that exposure to DevRel creates a different sort of appreciation for the invisible work, the labor that has to go into open source in order for it to flourish and thrive and to give open source projects the best chance at success in the environments that they’re in.

Yesenia (26:16)
There’s so much behind it. People just think it’s coding. I’m like, no, we can use so much more help. Great, let’s move on to the rapid-fire part of the interview. I’m gonna shoot the questions, first comes mine, and we’ll keep flowing. So first question: Star Wars or Star Trek?

Tabatha (26:21)
Star Wars.

Yesenia (26:30)
Early bird or night owl?

Tabatha (26:42)
Ooh, both, depends on the day.

Yesenia (26:45)
Okay, I’ll take it. I get that. I get that. Books or podcasts?

Tabatha (26:51)
I would say, see, I finished a master’s program a couple years ago and I’m still recovering from having to read all of that. That’s happened every time I’ve gotten a degree. So I’m going to go podcasts, but normally, in better, not graduate-level brain still, it would be books. Yeah. Yes.

Yesenia (27:10)
Yeah, your brain burns out. I get that. Like, it’s just recent where I’ve been able to like pick up a book and like, pretty much become addicted to it. Like, I can’t do anything else until I’m done with the book. It’s great.

Tabatha (27:21)
That’s great. I miss being at that level with a new book. So hopefully soon.

Yesenia (27:27)
Took me years. I couldn’t pick up books, but I have a huge library. Last one, spicy or mild food?

Tabatha (27:33)
Spicy, absolutely spicy. Yeah. Yeah. I grew up between Texas and South Florida. So it’s spicy all the way.

Yesenia (27:44)
You got it, best of both worlds. Well, thank you for your time. I want to give you space to leave any last minute advice, thoughts for the audience.

Tabatha (27:54)
I’d say any last minute advice or thoughts. I would say get involved. Don’t be afraid. It’s not as scary as it seems and show up in person if there’s an event near you. Excuse me. Let me try that again. So I think that.

Tabatha (28:39)
I think my final thoughts on this would be to get involved in the community, because that’s really where I have found the most benefit for myself personally. Reach out, get an understanding of the project. If you’re curious about getting involved and you’re a little nervous to get started and are unsure, even if those good first issues look too scary to you, hop on a community call. If there’s a contributing call, just go and lurk. Attend something where you are engaging with other people and not only the code base, because that’s really where you’re going to get more insights on how everything gets put together, how everything works, how the project works and how the community works together, and whether or not you actually want to be a part of that community before you get involved. So I say jump in.

Yesenia (28:39)
Totally jump in, and volunteer for events too. I think that’s another great one. Well, thank you for your leadership and contributions to our communities. You know, many thanks to our listeners and our open source contributors and the community of folks that help drive all of our projects forward. Tabatha, I appreciate your time today and I look forward to seeing all your impact in 2025. Thank you.

Tabatha (28:44)
Volunteer friends. Yeah, absolutely.

Tabatha (28:47)
Thank you, Yesenia. It was great chatting with you today.

On-Demand Webinar: Cybersecurity Skills, Simplified


A Framework That Works

Cybersecurity isn’t just the responsibility of a dedicated team anymore. Whether you’re an engineer, a product owner, or part of the executive suite, your day-to-day decisions have a direct impact on your organization’s security. That was the clear message from the expert panel featured in our webinar, Cybersecurity Skills: A Framework That Works — now available to watch on demand.

Leaders from IBM, Intel, Linux Foundation Education and the Open Source Security Foundation (OpenSSF) share real-world insights on how their organizations are tackling one of today’s biggest challenges: upskilling the entire workforce in security. The panelists discussed the new Cybersecurity Skills Framework, an open, flexible tool designed to help teams identify the right skills for the right roles — and actually get started improving them. It’s practical, customizable, and already helping global organizations raise their security posture.

In the webinar, you’ll hear how to:

  • Map skill requirements across teams using security OKRs
  • Operationalize training at scale with integrated learning plans
  • Lead the charge to implement open, accessible pathways for cybersecurity education

The conversation is packed with actionable advice, whether you’re building a security training program or just want to understand where you or your team stands.


OpenSSF at UN Open Source Week 2025: Securing the Supply Chain Through Global Collaboration


OpenSSF participated in the 2025 UN Open Source Week, a global gathering hosted by the United Nations Office for Digital and Emerging Technologies, focused on harnessing open source innovation to achieve the Sustainable Development Goals (SDGs). Held in New York City, the event gathered technology leaders, policymakers, and open source advocates to address critical global challenges.

On June 20, OpenSSF joined a featured panel discussion during a community-led side event curated by RISE Research Institutes of Sweden, OpenForum Europe, and CURIOSS. The panel, titled “Securing the Supply Chain Through Global Collaboration,” explored how standardized practices and international cooperation enhance open source software security and align with emerging regulatory frameworks such as the EU Cyber Resilience Act (CRA).

Panelists included:

  • Adrianne Marcum, Chief of Staff, OpenSSF
  • Arun Gupta, Vice President Developer Programs, Intel and Organizer, UN Tech Over Hackathon
  • David A. Wheeler, Adjunct Professor, George Mason University, and Director of Open Source Supply Chain Security, The Linux Foundation
  • Scott Clinton, Co-chair, Board of Directors, OWASP Gen AI Security Project

The session highlighted the critical need for international cooperation to secure global software systems effectively. Panelists discussed the emerging role of generative AI (GenAI) and its implications for open source security. The importance of developer education in how to develop secure software was also noted; as developers must increasingly review GenAI results, they will need more, not less, education.

“It was both a great opportunity to share the work of the Gen AI Security Project and insights on the challenges and benefits generative AI brings to our discussion on securing open source and the software supply chain,” said Scott Clinton.

“The United Nations brought together a global community where nations become collaborators rather than competitors,” added Arun Gupta. “It’s thrilling to see the open source community advancing solutions for global problems.”

UN Tech Over Hackathon: Innovation and Stewardship

Earlier that week (June 16–17), the UN Tech Over Hackathon drew over 200 global innovators to address SDG-aligned challenges through open source technology. The hackathon featured three distinct tracks:

  • Ahead of the Storm: A child-focused climate emergency analytics initiative in partnership with UNICEF.
  • Wikipedia Edit-a-Thon: Collaborative enhancement of UN-related historical content.
  • Maintain-a-Thon: Emphasized sustainability and ongoing stewardship of open source infrastructure.

The Maintain-a-Thon, organized in partnership with Alpha-Omega and the Sovereign Tech Agency, engaged over 40 participants across 15 breakout sessions. Senior maintainers offered guidance on issue triage, documentation improvements, and best practices for long-term project maintenance, reinforcing open source software’s foundational role in global digital infrastructure.

🔗 Read the official UN Tech Over press release
🔗 Read Arun Gupta’s blog post on “Ahead of the Storm”

The Road Ahead

UN Open Source Week 2025 underscored the importance of collaborative innovation in securing and sustaining digital public infrastructure. Aligned with its mission, OpenSSF remains dedicated to facilitating global cooperation, promoting secure-by-design best practices, providing educational resources, and supporting innovative technical initiatives. By empowering maintainers and contributors of all skill levels, OpenSSF aims to ensure open source software remains trusted, secure, and reliable for everyone.

OpenSSF Welcomes New Members and Presents Golden Egg Award

By Blog, Press Release

Foundation furthers mission to enhance the security of open source software 

DENVER – OpenSSF Community Day North America – June 26, 2025 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), welcomes six new members from leading technology and security companies. New general members include balena, Buildkite, Canonical, Trace Machina, and Triam Security and associate members include Erlang Ecosystem Foundation (EEF). The Foundation also presents the Golden Egg Award during OpenSSF Community Day NA 2025.

“We are thrilled to welcome six new member companies and honor existing contributors during our annual North America Community Day event this week,” said Steve Fernandez, General Manager at OpenSSF. “As companies expand their global footprint and depend more and more on interconnected technologies, it is vital we work together to advance open source security at every layer – from code to systems to people. With the support of our new members, we can share best practices, push for standards and ensure security is front and center in all development.”

Golden Egg Award Recipients

The OpenSSF continues to shine a light on those who go above and beyond in our community with the Golden Egg Awards. The Golden Egg symbolizes gratitude for awardees’ selfless dedication to securing open source projects through community engagement, engineering, innovation, and thoughtful leadership. This year, we celebrate:

  • Ian Dunbar-Hall (Lockheed Martin) – for contributions to the bomctl and SBOMit projects
  • Hayden Blauzvern (Google) – for leadership in the Sigstore project
  • Marcela Melara (Intel) – for contributions to SLSA and leadership in the BEAR Working Group 
  • Yesenia Yser (Microsoft) – for work as a podcast co-host and leadership in the BEAR Working Group 
  • Zach Steindler (GitHub) – for leadership on the Technical Advisory Committee (TAC) and in the Securing Software Repositories Working Group
  • Munehiro “Muuhh” Ikeda – for work as an LF Japan Evangelist and helping to put together OpenSSF Community Day Japan
  • Adolfo “Puerco” Garcia Veytia – for support on Protobom, OpenVEX and Baseline projects

Their efforts have made a lasting impact on the open source security ecosystem, and we are deeply grateful for their continued contributions.

Project Updates

OpenSSF is supported by more than 3,156 technical contributors across OpenSSF projects – providing a vendor-neutral partner to affiliated open source foundations and projects. Recent project updates include:

  • Gittuf, a platform-agnostic Git security system, has advanced to an incubating project under OpenSSF. This milestone marks the maturity and adoption of the project.
  • OpenBao, a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys, joined OpenSSF as a sandbox project.
  • Open Source Project Security Baseline (OSPS Baseline), which provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects, was released.
  • Model Signing released version 1.0 to secure the machine learning supply chain.
  • GUAC released version 1.0 to bring stability to the core functionality.
  • SLSA released version 1.1 RC2 to enhance the clarity and usability of the original specification.

Events and Gatherings

New and existing OpenSSF members are gathering this week in Denver at the annual OpenSSF Community Day NA 2025. Join the community at upcoming 2025 OpenSSF-hosted events, including OpenSSF Community Day India, OpenSSF Community Day Europe, OpenSSF Community Day Korea, and Open Source SecurityCon 2025.

Additional Resources

Supporting Quotes

“At balena, we understand that securing edge computing and IoT solutions is critical for all companies deploying connected devices. As developers focused on enabling reliable and secure operations with balenaCloud, we’re deeply committed to sharing our knowledge and expertise. We’re proud to join OpenSSF to contribute to open collaboration, believing that together we can build more mature security solutions that truly help companies protect their edge fleets and raise collective awareness across the open-source ecosystem.”

– Harald Fischer, Security Aspect Lead, balena

“Joining OpenSSF is a natural extension of Buildkite’s mission to empower teams with secure, scalable, and resilient software delivery. With Buildkite Package Registries, our customers get SLSA-compliant software provenance built in. There’s no complex setup or extra tooling required. We’ve done the heavy lifting so teams can securely publish trusted artifacts from Buildkite Pipelines with minimal effort. We’re excited to collaborate with the OpenSSF community to raise the bar for open source software supply chain security.”

– Ken Thompson, Vice President of Product Management, Buildkite

“Protecting the security of the open source ecosystem is not an easy feat, nor one that can be tackled by any single industry player. OpenSSF leads projects that are shaping this vast landscape. Canonical is proud to join OpenSSF on its mission to spearhead open source security across the entire market. For over 20 years we have delivered security-focused products and services across a broad spectrum of open source technologies. In today’s world, software security, reliability, and provenance is more important than ever. Together we will write the next chapter for open source security frameworks, processes and tools for the benefit of all users.”

– Luci Stanescu, Security Engineering Manager, Canonical

“Starting in 2024, the EEF’s Security WG focused community resources on improving our supply chain infrastructure and tooling to enable us to comply with present and upcoming cybersecurity laws and directives. This year we achieved OpenChain Certification (ISO/IEC 5230) for the core Erlang and Elixir libraries and tooling, and also became the default CVE Numbering Authority (CNA) for all open-source Erlang, Elixir and Gleam language packages. Joining the OpenSSF has been instrumental in connecting us to experts in the field and facilitating relationships with security practitioners in other open-source projects.” 

– Alistair Woodman, Board Chair, Erlang Ecosystem Foundation

“Trace Machina is a technology company, founded in September 2023, that builds infrastructure software for developers to go faster. Our current core product, NativeLink, is a build caching and remote execution platform that speeds up compute-heavy work. As a company we believe both in building our products open source whenever possible, and in supporting the open source ecosystem and community. We believe open source software is a crucial philosophy in technology, especially in the security space. We’re thrilled to join the OpenSSF as a member organization and to continue being active in this wonderful community.” 

– Tyrone Greenfield, Chief of Staff, Trace Machina

“Triam Security is proud to join the Open-Source Security Foundation to support its mission of strengthening the security posture of critical open source software. As container security vulnerabilities continue to pose significant risks to the software supply chain, our expertise in implementing SLSA Level 3/4 controls and building near-zero CVE solutions through CleanStart aligns perfectly with OpenSSF’s supply chain security initiatives. We look forward to collaborating with the community on advancing SLSA adoption, developing security best practices, improving vulnerability management processes, and promoting standards that enhance the security, transparency, and trust in the open-source ecosystem.”

– Biswajit De, CTO, Triam Security

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org

Media Contact
Natasha Woods
The Linux Foundation

PR@linuxfoundation.org 

OpenSSF Newsletter – June 2025

By Newsletter

Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves. 

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance. 

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✨GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint from pinning actions to full commit SHAs and enforcing MFA, to monitoring for tag tampering and isolating sensitive secrets that every open source project needs today. Read the full blog to learn practical steps for locking down your workflows before attackers do.

✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✨Choosing an SBOM Generation Tool

With so many tools to build SBOMs, single-language tools like npm-sbom and CycloneDX’s language-specific generators or multi‐language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✨OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.


#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

  • ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
  • HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
  • SiliconAngle – “Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
  • Security Boulevard – “Linux Foundation Shares Framework for Building Effective Cybersecurity Teams”
  • IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
  • SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

An Introduction to the OpenSSF Model Signing (OMS) Specification: Model Signing for Secure and Trusted AI Supply Chains

By Blog, Guest Blog

By Mihai Maruseac (Google), Eoin Wickens (HiddenLayer), Daniel Major (NVIDIA), Martin Sablotny (NVIDIA)

As AI adoption continues to accelerate, so does the need to secure the AI supply chain. Organizations want to be able to verify that the models they build, deploy, or consume are authentic, untampered, and compliant with internal policies and external regulations. From tampered models to poisoned datasets, the risks facing production AI systems are growing — and the industry is responding.

In collaboration with industry partners, the Open Source Security Foundation (OpenSSF)’s AI/ML Working Group recently delivered a model signing solution. Today, we are formalizing the signature format as OpenSSF Model Signing (OMS): a flexible and implementation-agnostic standard for model signing, purpose-built for the unique requirements of AI workflows.

What is Model Signing

Model signing is a cryptographic process that creates a verifiable record of the origin and integrity of machine learning models. Recipients can verify that a model was published by the expected source, and has not subsequently been tampered with.

Signing AI artifacts is an essential step in building trust and accountability across the AI supply chain. For projects that depend on open source foundational models, project teams can verify the models they are building upon are the ones they trust. Organizations can trace the integrity of models — whether models are developed in-house, shared between teams, or deployed into production.

Key stakeholders that benefit from model signing:

  • End users gain confidence that the models they are running are legitimate and unmodified.
  • Compliance and governance teams benefit from traceable metadata that supports audits and regulatory reporting.
  • Developers and MLOps teams are equipped to trace issues, improve incident response, and ensure reproducibility across experiments and deployments.

How does Model Signing Work

Model signing uses cryptographic keys to ensure the integrity and authenticity of an AI model. A signing program uses a private key to generate a digital signature for the model. This signature can then be verified by anyone using the corresponding public key. These keys can be generated a priori, obtained from signing certificates, or generated transparently during the Sigstore signing flow. If verification succeeds, the model is confirmed as untampered and authentic; if it fails, the model may have been altered or is untrusted.

Figure 1: Model Signing Diagram

How Does OMS Work

OMS Signature Format

OMS is designed to handle the complexity of modern AI systems, supporting any type of model format and models of any size. Instead of treating each file independently, OMS uses a detached OMS Signature Format that can represent multiple related artifacts—such as model weights, configuration files, tokenizers, and datasets—in a single, verifiable unit.

The OMS Signature Format includes: 

  • A list of all files in the bundle, each referenced by its cryptographic hash (e.g., SHA256)
  • An optional annotations section for custom, domain-specific fields (future support coming)
  • A digital signature that covers the entire manifest, ensuring tamper-evidence

The OMS Signature File follows the Sigstore Bundle Format, ensuring maximum compatibility with existing Sigstore (a graduated OpenSSF project) ecosystem tooling. This detached format allows verification without modifying or repackaging the original content, making it easier to integrate into existing workflows and distribution systems.

OMS is PKI-agnostic, supporting a wide range of signing options, including:

  • Private or enterprise PKI systems
  • Self-signed certificates
  • Bare keys
  • Keyless signing with public or private Sigstore instances 

This flexibility enables organizations to adopt OMS without changing their existing key management or trust models.
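As an added illustration (not the OMS specification, the model-signing library, or the Sigstore bundle format), the following Python sketches the idea the format is built on: one detached manifest listing every file in the model by SHA-256 digest, one signature covering the whole manifest, and a verifier that rejects a changed file, a forged manifest, the wrong key, or a file the manifest never listed. It assumes the `cryptography` package for Ed25519 keys; the sample model files are constructed inline.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

WEIGHTS = bytes(range(256)) * 4  # constructed stand-in for a weights file


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large weight files are never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict:
    """One entry per file (relative POSIX path -> digest), sorted so the serialized bytes are deterministic."""
    files = {p.relative_to(model_dir).as_posix(): sha256_file(p)
             for p in sorted(model_dir.rglob("*")) if p.is_file()}
    return {"version": "demo-manifest-1", "hash_algorithm": "sha256", "files": files}


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical JSON: signer and verifier must sign and verify exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_model(model_dir: Path, private_key: Ed25519PrivateKey) -> dict:
    """Detached bundle: the manifest plus one signature that covers the whole manifest."""
    manifest = build_manifest(model_dir)
    return {"manifest": manifest, "signature": private_key.sign(canonical_bytes(manifest)).hex()}


def verify_model(model_dir: Path, bundle: dict, public_key) -> tuple[bool, str]:
    """Signature first, then the file set: nothing missing, nothing added, nothing changed."""
    manifest = bundle["manifest"]
    try:
        public_key.verify(bytes.fromhex(bundle["signature"]), canonical_bytes(manifest))
    except InvalidSignature:
        return False, "manifest signature invalid"
    expected, current = manifest["files"], build_manifest(model_dir)["files"]
    missing = sorted(set(expected) - set(current))
    if missing:
        return False, f"missing files: {missing}"
    extra = sorted(set(current) - set(expected))
    if extra:
        return False, f"files not covered by the signature: {extra}"
    changed = sorted(name for name, digest in expected.items() if current[name] != digest)
    if changed:
        return False, f"hash mismatch: {changed}"
    return True, "ok"


def make_sample_model(root: Path) -> Path:
    """Constructed sample model (weights, config, tokenizer) used only for this demo."""
    model = root / "model"
    (model / "tokenizer").mkdir(parents=True)
    (model / "config.json").write_text('{"arch": "demo-transformer", "layers": 2}')
    (model / "weights.bin").write_bytes(WEIGHTS)
    (model / "tokenizer" / "vocab.txt").write_text("[PAD]\n[UNK]\nhello\nworld\n")
    return model


def demo() -> dict[str, tuple[bool, str]]:
    """Sign a sample model, then verify it intact and under four kinds of tampering."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model = make_sample_model(Path(tmp))
        key = Ed25519PrivateKey.generate()
        pub = key.public_key()
        bundle = sign_model(model, key)
        results["intact"] = verify_model(model, bundle, pub)

        # 1. Flip one byte of the weights: that file's digest no longer matches the manifest.
        weights = model / "weights.bin"
        weights.write_bytes(bytes([WEIGHTS[0] ^ 0xFF]) + WEIGHTS[1:])
        results["tampered_weights"] = verify_model(model, bundle, pub)
        weights.write_bytes(WEIGHTS)  # restore the original file

        # 2. Edit the manifest to "bless" a different digest: the signature over it breaks.
        forged = json.loads(json.dumps(bundle))
        forged["manifest"]["files"]["weights.bin"] = hashlib.sha256(b"other").hexdigest()
        results["forged_manifest"] = verify_model(model, forged, pub)

        # 3. Verify with a public key the model was never signed with.
        results["wrong_key"] = verify_model(model, bundle, Ed25519PrivateKey.generate().public_key())

        # 4. A file appears that the signed manifest never listed.
        (model / "notes.txt").write_text("added after signing\n")
        results["extra_file"] = verify_model(model, bundle, pub)
    return results
```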

Figure 1. OMS Signature Format

Signing and Verifying with OMS

As reference implementations to speed adoption, OMS offers both a command-line interface (CLI) for lightweight operational use and a Python library for deep integration into CI/CD pipelines, automated publishing flows, and model hubs. Other library integrations are planned.

Signing and Verifying with Sigstore

# install model-signing package
$ pip install model-signing

# signing the model with Sigstore
$ model_signing sign <MODEL_PATH>

# verification if the model is signed with Sigstore
$ model_signing verify \
  <MODEL_PATH> \
  --signature <OMS_SIG_FILE> \
  --identity "<IDENTITY>" \
  --identity_provider "<OIDC_PROVIDER>"


Signing and Verifying with PKI Certificates

# install model-signing package
$ pip install model-signing

# signing the model with a PKI certificate
$ model_signing sign \
  <MODEL_PATH> \
  --certificate_chain <CERT_CHAIN> \
  --private_key <PRIVATE_KEY>

# verification if the model is signed with a PKI certificate
$ model_signing verify \
  <MODEL_PATH> \
  --signature <OMS_SIG_FILE> \
  --certificate_chain <ROOT_CERT>



Other examples, including signing using PKCS#11, can be found in the model-signing documentation.

This design enables better interoperability across tools and vendors, reduces manual steps in model validation, and helps establish a consistent trust foundation across the AI lifecycle.

Looking Ahead

The release of OMS marks a major step forward in securing the AI supply chain. By enabling organizations to verify the integrity, provenance, and trustworthiness of machine learning artifacts, OMS lays the foundation for safer, more transparent AI development and deployment.

Backed by broad industry collaboration and designed with real-world workflows in mind, OMS is ready for adoption today. Whether integrating model signing into CI/CD pipelines, enforcing provenance policies, or distributing models at scale, OMS provides the tools and flexibility to meet enterprise needs.

This is just the first step towards a future of secure AI supply chains. The OpenSSF AI/ML Working Group is engaging with the Coalition for Secure AI to incorporate other AI metadata into the OMS Signature Format, such as training data sources, model version, hardware used, and compliance attributes.

To get started, explore the OMS specification, try the CLI and library, and join the OpenSSF AI/ML Working Group to help shape the future of trusted AI.

Special thanks to the contributors driving this effort forward, including Laurent Simon, Rich Harang, and the many others at Google, HiddenLayer, NVIDIA, Red Hat, Intel, Meta, IBM, Microsoft, and in the Sigstore, Coalition for Secure AI, and OpenSSF communities.

Mihai Maruseac is a member of the Google Open Source Security Team (GOSST), working on Supply Chain Security for ML. He is a co-lead on a Secure AI Framework (SAIF) workstream from Google. Under OpenSSF, Mihai chairs the AI/ML working group and the model signing project. Mihai is also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team and prior to Google, he worked on adding Differential Privacy to Machine Learning algorithms. Mihai has a PhD in Differential Privacy from UMass Boston.

Eoin Wickens, Director of Threat Intelligence at HiddenLayer, specializes in AI security, threat research, and malware reverse engineering. He has authored numerous articles on AI security, co-authored a book on cyber threat intelligence, and spoken at conferences such as SANS AI Cybersecurity Summit, BSides SF, LABSCON, and 44CON, and delivered the 2024 ACM SCORED opening keynote.

Daniel Major is a Distinguished Security Architect at NVIDIA, where he provides security leadership in areas such as code signing, device PKI, ML deployments and mobile operating systems. Previously, as Principal Security Architect at BlackBerry, he played a key role in leading the mobile phone division’s transition from BlackBerry 10 OS to Android. When not working, Daniel can be found planning his next travel adventure.

Martin Sablotny is a security architect for AI/ML at NVIDIA working on identifying existing gaps in AI security and researching solutions. He received his Ph.D. in computing science from the University of Glasgow in 2023. Before joining NVIDIA, he worked as a security researcher in the German military and conducted research in using AI for security at Google.

Member Spotlight: Datadog – Powering Open Source Security with Tools, Standards, and Community Leadership

By Blog

Datadog, a leading cloud-scale observability and security platform, joined the Open Source Security Foundation (OpenSSF) as a Premier Member in July, 2024. With both executive leadership and deep technical involvement, Datadog has rapidly become a force in advancing secure open source practices across the industry.

Key Contributions

GuardDog: Open Source Threat Detection

In early 2025, Datadog launched GuardDog, a Python-based open source tool that scans package ecosystems like npm, PyPI, and Go for signs of malicious behavior. GuardDog is backed by a publicly available threat dataset, giving developers and organizations real-time visibility into emerging supply chain risks.

This contribution directly supports OpenSSF’s mission to provide practical tools that harden open source ecosystems against common attack vectors—while promoting transparency and shared defense.

Datadog actively supports the open source security ecosystem through its engineering efforts, tooling contributions, and participation in the OpenSSF community:

  • SBOM Generation and Runtime Insights
    Datadog enhances the usability and value of Software Bills of Materials (SBOMs) through tools and educational content. Their blog, Enhance SBOMs with runtime security context, outlines how they combine SBOM data with runtime intelligence to identify real-world risks and vulnerabilities more effectively.
  • Open Source Tools Supporting SBOM Adoption
    Datadog maintains the SBOM Generator, an open source tool based on CycloneDX, which scans codebases to produce high-quality SBOMs. They also released the datadog-sca-github-action, a GitHub Action that automates SBOM generation and integrates results into the Datadog platform for improved visibility.
  • Sigstore and Software Signing
    As part of the OpenSSF ecosystem, Datadog supports efforts like Sigstore to bring cryptographic signing and verification to the software supply chain. These efforts align with Datadog’s broader commitment to improving software provenance and integrity, especially as part of secure build and deployment practices.
  • OpenSSF Membership
    As a Premier Member of OpenSSF, Datadog collaborates with industry leaders to advance best practices, contribute to strategic initiatives, and help shape the future of secure open source software.

These collaborations demonstrate Datadog’s investment in long-term, community-driven approaches to open source security.

What’s Next

Datadog takes the stage at OpenSSF Community Day North America on Thursday, June 26, 2025, in Denver, CO, co-located with Open Source Summit North America.

They’ll be presenting alongside Intel Labs in the session:

Talk Title: Harnessing In-toto Attestations for Security and Compliance With Next-gen Policies
Time: 3:10–3:30 PM MDT
Location: Bluebird Ballroom 3A
Speakers:

  • Trishank Karthik Kuppusamy, Staff Engineer, Datadog
  • Marcela Melara, Research Scientist, Intel Labs

This session dives into the evolution of the in-toto Attestation Framework, spotlighting new policy standards that make it easier for consumers and auditors to derive meaningful insights from authenticated metadata—such as SBOMs and SLSA Build Provenance. Attendees will see how the latest policy framework bridges gaps in compatibility and usability with a flexible, real-world-ready approach to securing complex software supply chains.

Register now and connect with Datadog, Intel Labs, and fellow open source security leaders in Denver.

Why It Matters

By contributing to secure development frameworks, creating open source tooling, and educating the broader community, Datadog exemplifies what it means to be an OpenSSF Premier Member. Their work is hands-on, standards-driven, and deeply collaborative—helping make open source safer for everyone.

Learn More

What’s in the SOSS? Podcast #33 – S2E10 Bridging DevOps and Security: Tracy Ragan on the Future of Open Source

By Podcast

Summary

In this episode of What’s in the SOSS, we sit down with longtime open source leader and DevOps champion Tracy Ragan. From her early days with the Eclipse Foundation to her current work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF, Tracy shares her journey through the ever-evolving world of open source security.

We dig into the importance of configuration management, what DevSecOps really means, and how projects like the OpenSSF Scorecard and Ortelius help make our software supply chains more transparent and secure. Plus, we tackle the education gap between security pros and DevOps engineers — and how we can bridge it.

If you’re curious about building more secure pipelines or just want to geek out about SBOMs and OpenSSF Scorecard, this episode is for you.

Conversation Highlights

00:25 – Welcome + Tracy’s Open Source Origin Story
02:00 – Early Days at the Eclipse Foundation
03:10 – DevOps + DevSecOps: Why It Matters
04:20 – Explaining the DevOps “Factory Floor”
06:00 – DevOps Pipelines as Security Data Engines
07:50 – What Is the OpenSSF Scorecard?
09:30 – Ortelius: Aggregating DevOps + Security Insights
11:20 – The DevOps Budget Problem + Exposing Insecure Packages
13:00 – Why DevRel Is Critical for DevOps Security Education
15:40 – Crossing the Divide Between DevOps and Security Teams
16:10 – Rapid Fire: Editors, Mascots & Spicy Food
17:30 – Final Call to Action + How to Get Involved

Transcript

CRob (00:25.07)
Welcome, welcome, welcome to What’s in the SOSS?, the OpenSSF podcast where we talk to the amazing people that help make this open source ecosystem for the benefit of everybody. Today we have a real treat: friend of the show Tracy Ragan is here to talk with us about several topics near and dear to her heart. But Tracy, before we dive into the exciting technology, can you maybe give us a little bit of information about your open source origin story?

Tracy Ragan
Oh man, which one? When I first started getting involved in open source was the Eclipse Foundation. The Eclipse Foundation was my first foundation in open source and was really the beginning of me understanding what open source was and why it’s important. This was during my OpenMake Software days and I think IBM was looking for a woman to be in the room.

To be honest, one of them reached out to me and said, hey, we need somebody technical to add to this board. Would you be interested? And I said, sure. So I went on, and honestly, I always think I was number five or six on the original Eclipse board. I actually even helped do the interview and chose Mike as our fearless leader. So I’ve been doing open source for some time, really, and been on these boards for a good part of my career.

CRob
That’s awesome. And it’s like super helpful being able to steer a significant part of the ecosystem through that board membership.

Tracy Ragan (02:07.234)
Yeah, and open source boards are a beast of their own, to be quite honest. Because they get so big, and that’s good, but sometimes it can be bad and it can be hard to navigate, but it seems to always work out.

Right.

CRob (02:21.038)
That’s great. So you’ve been doing open source for quite some time and what types of projects are you engaged with more frequently this time right now?

Tracy Ragan
So, you know, I keep my foot in two realms. One foot is in the Open Source Security Foundation and the other is in the Continuous Delivery Foundation. I’m a DevOps person. That’s who I am. I have been doing configuration management, and whatever you want to call it, over the years it has gone through so many ridiculous acronyms. But when we really boil it down, it’s still configuration management and getting code from Code to Cloud, let’s just call it that. So I lead an open source project at the Continuous Delivery Foundation called Ortelius, and we’re going to talk a little bit about that. But I also try to keep involved in the open source of the OpenSSF as much as I can. And of course, I get involved in things like the Security Tooling Working Group.

I’m working with Ryan Ware over there too, because that really falls into my area of expertise, right? If it has the word tooling, I’m interested. Because I’m a DevOps person, you know? Is there something I should be adding to my DevOps practice? And then I’ve been involved in DevRel and I’m on the marketing committee and I help lead some of the initiatives the OpenSSF is working on. But really where my heart is is in between, it sits in between DevOps and open source security. And we can call that DevSecOps if you want, we could all call it DevOSSOps. So that’s what I’ve been working on for the last four years.

CRob (04:21.805)
To go a little bit off script since you opened the door for our audience. Could you maybe explain a little bit more about DevOps and kind of why it’s important for open source communities to have this capability?

Tracy Ragan
So we all have a factory floor that we run, moving code from... if we talk about the software supply chain, let’s just talk about it from that perspective. We are pulling in packages, whether it be a piece of enterprise code or open source code or something the government’s writing. We pull in these packages, these transitive dependencies that we don’t necessarily understand. We just know we have to have them.

And that’s the way life is. We’ve built this ginormous, I like to call it a Death Star of open source packages and dependencies that we use. We’ve done that over the course of the last 15 years, and we’re not going back. So DevOps, the idea of continuously integrating and continuously deploying code out to end user consumers. We won’t identify what that consumer is. It could be a developer consuming your code, or you could be delivering software to an end user that’s running a mortgage application. When we do that, we have traditionally focused on just being able to execute build and deploy scripts, which is really important.

Gathering the information from the build and deploy scripts is really critical right now, where we are right now in tracking vulnerabilities. Because it shows two things. The build scripts, if we’re doing an SBOM, and please do, show us the packages we’re consuming. And the deploy script shows where we’re deploying them. So the DevOps pipeline is important, but the data that it generates is critical right now, absolutely critical. So we should all be doing some level of DevOps, but in my mind, we should all be gathering the DevOps information and making it actionable. So we have a lot to do in terms of evolving where we are in the CI/CD world, and the Continuous Delivery Foundation and where we believe this kind of technology, how it should evolve.

In my mind right now, we have so many things that we’re working on. AI is chasing us. We have vulnerabilities we’re worrying about. And right now, we haven’t done a whole lot to evolve the DevOps pipeline. So that’s why I talk about it as much as I can. Because that’s where we’re going to find vulnerabilities and fix them. Otherwise, we’re not going to do that.

CRob
Absolutely. And to bridge these two worlds, you recently helped write a blog about our OpenSSF Scorecard, which is a tool that consumers can use to kind of understand the security qualities of software. Could you maybe talk a little bit about your blog and what you were trying to educate folks about?

Tracy Ragan
So we have several really awesome tools at the OpenSSF, one of which is one of the first ones that we came out with. Jamie Thomas kind of spearheaded this called the OpenSSF Scorecard. And what it does is it goes through and it evaluates your repo on certain characteristics.

If I can think of them: dependency management, security configuration, the quality of your code, access control, documentation, if you’re using a CI/CD tool, if you have actions, security practices. And it gives a score for each of those areas to try to define what the... This is the closest we’ll have to compliance in the open source community. Compliance is critical.

Tracy Ragan (08:26.754)
But how do you enforce compliance? One way is we can evaluate it. So OpenSSF Scorecard, I have found to be a very interesting project and, as I have pointed out, one of the first of the OpenSSF, which doesn’t mean it was new and it needed extra work. It is about as complete as you can get for doing compliance around open source repos. So...

We at Ortelius... so Ortelius is an open source project incubating at the Continuous Delivery Foundation. We started incubating there before the OpenSSF was formed. And what we do is we gather all that critical DevOps data from the pipeline. Okay, so we like to call it an evidence store. And part of what we gather is the OpenSSF Scorecard.

So if you’re a consumer and you want to know the score of the packages that your application is consuming, Ortelius can provide that information to you. And not only that, what it does is it aggregates. So if you’re working in a decoupled architecture, you’ve got 100 containers that you’re building, and each one of those containers has code, and each one of those containers has an OpenSSF Scorecard, and the packages within them have a scorecard.

We’re aggregating that data up to the logical application level so that you begin seeing what you’re consuming at the time that you consume it. Now there are a lot of tools out there that help manage open source packages. The Secure Software Development Framework tells us we should have a repo of the packages that we want to make sure that people are not using and people are the ones that we are approved to be using, but they still need their scorecard. We still need to understand that. And to be quite honest, not every organization out there is using a repo that tracks your open source that you’re using. What can we, you know, the way we looked at the problem was, what can we do to, you know... most DevOps engineers don’t have budget.

They have no budget authority. In fact, I’ve seen a t-shirt that says that, no budget authority, right? So what can we do to make open source more secure through open source? Well, OpenSSF Scorecard is one of those ways. And one way to see it, because it’s hard to aggregate this information unless you try to dig down to every package and look at their scorecard, is to expose it.

And by exposing it, we are showing people that the packages that they’re consuming, are they trying to be compliant or not? And unfortunately, CRob, most of them are not trying to be compliant yet. And I don’t want to be like, you know, I go to hockey a lot. And one of the things you do at hockey, if you get a penalty, you do shame, shame, shame. But in a way, you know, if you’re looking at Ortelius and you’re seeing all these packages with a zero scorecard value,

We’re kind of exposing it. And I would like to be able to, you know, we could evolve a scorecard to say, you know, let’s highlight the packages that have a seven or a six and above. Because to be quite honest, it’s a test to be able to achieve it. But every single one of those in that test, except for maybe, I think fuzzing can be really, really hard, is totally doable.

And I would encourage any open source community, or if you have a package that you’re managing, you know, give it a scorecard, go through it. It’s not hard to install. It’s going to start tracking things. But then when you go to have to do all the things that it’s tracking, it’s much more difficult to comply. But we need you to do that at this point in time.

CRob (12:27.64)
So you touched a little bit about your involvement with our DevRel community and it kind of touches into DevOps. Why is DevRel important and how does it help us encourage things like scorecard use?

Tracy Ragan
Well, to be quite honest, I think the person who’s doing the best DevRel right now is Mr. Wheeler with all of his education, right? Education is what we need to do right now. David has done an amazing job of getting his education out on cybersecurity. DevRel has been in OpenSSF for me. It’s been really hard. And one of the reasons is because the tools, this is where I see the disconnect.

The tools that the OpenSSF is creating, and we have created a bunch. There’s SBOM tools. There’s a ton of new open source projects. They need to be consumed by the DevOps professional, because many of them are command line driven. They have to be executed for every workflow, like an SBOM, for example.

But on the flip side, to be quite honest, I talk to DevOps engineers all the time and they haven’t even thought about what it would look like to add an SBOM to the pipeline. We don’t have that big of an adoption of many of the security tools that are coming out of the OpenSSF and it’s hard to keep track. It’s hard to know what they do. And it’s hard to update DevOps Jenkins workflows or a CircleCI workflow, whatever tool you’re using; it’s hard to update those workflow files.

Tracy Ragan (14:11.884)
And there’s a lot of them. There’s thousands of them.

So if you’re in a monolithic environment and you want to add an SBOM to your workflow, that’s fairly easy. But if you’re in a decoupled Kubernetes microservice container environment, you’ve got a lot of work to do to do some simple things like an SBOM, much less Scorecard. So these conversations are really important to the DevOps. We need to educate the DevOps engineer. It’s not necessarily just educating the developer.

We push so much stuff on the developers’ lap, even though the education that’s coming out of OpenSSF is great. However, we’ve got to do the same thing now for DevOps engineers.

CRob
Absolutely. Initiatives like DevRel can help provide that education and give a forum where folks can talk through some of these issues, correct?

Tracy Ragan
Yes, but oftentimes what I have found is that in our... in security DevRel, we’re almost, we’re in an echo chamber. So when we talk about security, we get people who are interested in security and they like to talk about SBOMs. It’s probably our favorite thing to do. But the one thing that we’re not doing is getting DevOps engineers to talk about SBOMs and why they’re important.

Tracy Ragan (15:40.524)
So somehow we have to cross the divide and we have to get a handshake between these two organizations. And you know what? It’s not just within the Linux Foundation with the CDF and the OpenSSF. It’s in every single company I have ever spoken to, there is a divide between these two teams.

CRob
Well, I look forward to collaborating with you to try to see how we can help adjust that. Let’s move on to the rapid fire part of our interview. Are you ready for rapid fire? Got a couple of wacky questions for you. First off, very contentious. Vi or Emacs.

Yes.

Tracy Ragan (16:12.642)
WRAP

Tracy Ragan (16:24.94)
Vi.

CRob
Excellent. And to be clear, there are no wrong answers. Just some answers are better than others. Like Vi.

Tracy Ragan
Yeah, I mean, I wouldn’t even know what to do with anything else except for Brief. Remember Brief? I used to love Brief. Oh wow. Yes.

CRob
Yeah, that’s a blast from the past. Tabs or spaces?

Tracy Ragan
Spaces.

CRob (16:51.022)
Very popular answer. What’s your favorite open source mascot?

Tracy Ragan
Well, you know, how could you not love the goose?

CRob
Excellent, and our last question, mild or spicy food?

Tracy Ragan (17:11.937)
You know, when I first moved to New Mexico, I only ate mild food. And now I love spicy. It took me 20 years, but I finally started eating spicy food. So spicy now. That red chili taught me better.

CRob (17:31.49)
Nice. I love green chili. Thank you. And as we wind up for the interview here, do you have a call to action to our audience where they might be able to pick up some of these ideas or participate and collaborate to help move these wonderful projects forward?

Tracy Ragan
You know, I would say if you’re a security professional, go sit down and talk to a DevOps engineer and really understand how they see the world. And take the time to say, could you show me what it would take to add an SBOM to a single pipeline? And if you’re a DevOps engineer, start taking a look at some of the tooling that’s coming out of the OpenSSF.

The Continuous Delivery Foundation did start a SIG recently called the CI/CD Cybersecurity SIG. And what we’re doing is we’re going through every single... we’re starting with the Secure Software Development Framework and we’re going through all the tasks and we’re identifying the task by number that needs to be added to the DevOps workflow. And we’re adding open source tools that you can use to achieve that task. So.

If you’d like to get involved in that as a DevOps engineer and learn more about these things, look up the CD Foundation’s CI/CD Cybersecurity SIG, because it’s becoming an education for all of us to go through that process.

CRob
That sounds amazing. I look forward to checking that out. Tracy, thank you for your time today and thank you for everything you do for developers and DevOps folks and cyber people. We really appreciate all of your contributions to open source and thank you for joining us today.

Tracy Ragan (19:17.08)
Thank you, it’s my pleasure.

CRob
Well, happy open sourcing everybody. That’s a wrap.

Like what you’re hearing? Be sure to subscribe to What’s in the SOSS? on Spotify, Apple Podcasts, AntennaPod, Pocket Casts, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it. Check out the newsletter for open source news, upcoming events, and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS?