Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

search
All Posts By

OpenSSF

Jul 30
Love0

OpenSSF Newsletter – July 2025

By Newsletter

Welcome to the July 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Submit Your Proposal: OpenSSF Community Day Korea

The Call for Proposals for OpenSSF Community Day Korea is closing Aug 3! If you have insights, tools, research, or community stories to share around open source software security, now is the time to submit your talk. The event takes place on November 4, 2025, in Seoul, South Korea, and brings together developers, researchers, and security professionals from across the open source and security ecosystems.

Whether your focus is on AI and security, vulnerability management, education, or tooling, we welcome submissions in a variety of formats, from quick 5-minute talks to extended 20-minute sessions. Deadline to submit: August 3, 2025, at 23:59 KST / 06:59 PST.

Share your expertise and help shape the future of open source security. We look forward to seeing you in Seoul!

Blogs:

New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

In our recent blog post, David A. Wheeler introduces the Cyber Resilience Act (CRA) Brief Guide for OSS Developers, a practical overview created by the OpenSSF to help open source developers understand and prepare for the EU’s new cybersecurity regulation. Although the CRA officially applies only within the EU, its global impact is significant due to the international nature of software distribution. The blog clarifies when the CRA does or does not apply to OSS, outlines potential risks for non-compliance, and highlights available resources including free training and community support to help developers build secure, compliant software. Read the full blog.

Recap: OpenSSF Community Day Japan 2025

OpenSSF Community Day Japan 2025 brought together developers, researchers, government, and industry leaders in Tokyo to advance open source software security. The event featured keynotes, technical sessions, and a live incident response exercise focused on secure development, tool adoption, and supply chain integrity.

Read the full blog for session videos, slides, and key takeaways.

Recap: OpenSSF Community Day North America 2025

OpenSSF Community Day NA 2025 brought together a diverse open source security community in Denver for a packed day of insights, tools, and collaboration. From real-world deployments of SBOM, Sigstore, and GUAC to securing AI pipelines and exploring the new AStRA control plane framework, sessions moved beyond awareness into action. 

Read the full blog for recordings, slides, key takeaways and ways to get involved.

On-Demand Webinar: Cybersecurity Skills, Simplified

The on-demand webinar Cybersecurity Skills, Simplified: A Framework That Works brings together experts from IBM, Intel, Linux Foundation Education, and OpenSSF to address a critical challenge: making cybersecurity a shared responsibility across all roles. The panel introduces the Cybersecurity Skills Framework, an open, flexible tool that helps teams identify, map, and improve security skills organization-wide. With insights on setting security OKRs, scaling training, and creating accessible learning pathways, this webinar offers practical guidance for anyone looking to strengthen their team’s security posture. Learn more.

What’s in the SOSS? An OpenSSF Podcast:

#35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions

In this episode of What’s in the SOSS?, host CRob sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the evolving landscape of open source security in India. Ram shares his journey from professor to evangelist, the launch of LF India, and the challenges of inspiring a security-first mindset in one of the world’s largest developer populations. The episode covers everything from building local community momentum to hosting regional events and video series, offering listeners both practical insights and a personal look at the passionate effort behind India’s growing open source security movement.

#34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

In this episode of What’s in the SOSS? host Yesenia Yser sits down with Tabatha DiDomenico, open source security engineer, community leader, and president of BSides Orlando for a compelling conversation about her unconventional path into open source, the power of community, and the often-overlooked impact of DevRel. From her first experience with Netscape to shaping security strategy at G-Research and OpenSSF, Tabatha reflects on how curiosity, volunteering, and intentional advocacy have fueled her journey. Whether you are new to open source or a longtime contributor, this episode offers heartfelt insights, practical advice, and a powerful reminder: community is everything.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

  • The Security-Focused Guide for AI Code Assistant Instructions that is being developed by the Best practices and the AI/ML WGs is now in final draft, under PR here.
  • Zarf released version v0.58.0 including image push & pull and SDK enhancements.
  • OpenBao recently released v2.3.1 with support for namespaces, CEL for JWT authentication and PKI issuance, and SSH multi-issuer support. The community is making progress on per-namespace sealing, HSM/KMS backed key material, and horizontal scalability, and just kicked off a UI working group.

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here! Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

Jul 29
Love0

What’s in the SOSS? Podcast #36 – S2E13 From Compliance to Community: Meeting CRA Requirements Together

By EU Cyber Resilience Act, Podcast

Summary

In this episode of ‘What’s in the SOSS” CRob dives deep into the Erlang ecosystem with Jonatan Männchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega). This episode explores the critical importance of security in open source, particularly in light of regulations like the CRA. Hear how the Erlang community is proactively addressing security concerns by bringing in experts, fostering collaboration, and building trust. Discover why manufacturers are investing in upstream projects and how other ecosystems can learn from their approach. This conversation highlights the value of community, transparency, and the essential role of ‘stewards’ in the open source world.

Conversation Highlights

00:00 Welcome
00:57 Meet the Guests
02:56 Jonatan’s Journey into Erlang
06:16 The Alpha-Omega Connection
09:07 Ulf’s Perspective as a Product Manager
13:09 Funding Security in Open Source
18:58 Challenges in Implementing Security
24:54 Becoming a CNA and Normalizing Security
28:18 Jonatan’s role as CISO
32:01 Calls to Action & Advice
36:49 Wrap Up

Transcript

CRob (00:14)
Welcome, welcome, welcome to What’s in the SOSS, the OpenSSF’s podcast where we meet interesting people that are in and around the upstream open source ecosystem. My name’s CRob. I’m the chief security architect for the foundation, and I also do security stuff upstream to help protect that open source software we all know and love. And today I have an amazing collection of gentlemen here, and we’re talking about a very important topic. It’s about the value of bringing experts in.

So I would like to pass the microphone around. I’ll start off with Jonatan. Let’s introduce ourselves and kind of talk about what brought you here today to talk about this interesting topic.

Jonatan Männchen (00:57)
Yeah. Hi, I’m Jonathan Männchen. I’m the Chief Information Security Officer at the Erlang Ecosystem Foundation. And the reason I’m here today is that we’ve started implementing a lot of functionality in the security and in the compliance sector, mostly focused on the CRA. And based on that, I’ve met CRob and Michael, these lovely gentlemen in the Alpha and Omega call and was invited to come here and talk about it all.

CRob (01:31)
Ulf

Ulf (01:33)
Yeah, I’m a product owner with Herman Ultrasonics. We are a German machine builder, like a small company, 500 people only, not one of the big tech companies. And we have decided, arbitrary for a weird Swedish tech stack, including Erlang, to do our automation, to do our machine controls. And as a product owner, I had to make decisions whether how we would tackle security in the longer run. And that brought me here.

CRob (02:09)
Excellent. And our friend, Mr. Windsor.

Michael Winser (02:12)
Hi everyone. So I’m here for the free cookies. I was promised cookies. I think, you know, working in Alpha Omega, one of the surprising and the continuous benefits is that we end up finding community. find people and people find us and then that creates these connections. And so when Jonathan showed up in one of the public meetings and started chatting, I’m like, who are you? What are you doing? And we started talking more and that sort of led to more conversations and we’re still talking about things. that has spread to other parts of the airline community as well. And so the learnings continue. And for me, that’s just, it’s amazing what happens when you put people in a room and start talking together. So now here’s another room, let’s talk.

CRob (02:56)
Excellent. let’s start off. Jonathan, you’re here representing Erlang. Could you maybe talk to us about how you got into open source and maybe talk a little bit about what Erlang is all about?

Jonatan Männchen (02:56)
Mm-hmm. I think I started out quite the normal route, let’s say, just doing some side stuff from my corporate job, essentially. And as these things normally go, you kind of feel responsible for them and they grow and you get more and more of these kind of side projects going on. Some of them getting successful, others you decide to cut the loss at some point. And…

Yeah, I really started in the PHP ecosystem a long time ago, doing some pull requests on Symfony. And I published a library that does a SIP streaming from the server to the browser and that kind of thing. And around 10 years ago, I actually read a book on Elixir specifically and Phoenix, which a roommate at the time bought and I don’t think he ever read it himself, but I did. And yeah, I had to try it out. We had like the perfect project of like a, it was essentially like a bit, an online game essentially with money involved where we would play the game via web sockets and we had to have the state on the server to make sure people don’t cheat.

CRob (04:30)
Mm-hmm.

Jonatan Männchen (04:31)
And that was kind of like the perfect use case because that’s basically the first thing you read always about Erlang can handle that many millions of sockets at the same time. And yeah, kind of figured out at that point that basically I don’t have to wait for the unicorn project where this is the perfect solution, but rather in the end, it’s a technology

that is complete, you can build things with it. I don’t have to stick with PHP for the normal stuff. And yeah, over the time I got more more involved into Elixir itself, also with other open source projects. And I think around three years ago, I’m not quite sure, could be two, could be four. I got involved in the Erlang Ecosystem Foundation and the Security Working Group as well.

Working together with a lot of people trying to make Erlang secure. And maybe as a side note here, Erlang, Elixir, Gleam, and also a few other languages are all languages based on Erlang. So kind of like what’s Scala to Java, for example. And towards the end of last year,

I was talking a lot to Alistair, which is one of the board members of the foundation. And he raised for a long time that the CRA is a topic that we need to be very careful about. And the stars lined up, my last job was ending and in the end, yeah, everything lined up perfectly. And since the start of the year, I’m at the CISO trying to implement all of that.

CRob (06:16)
Awesome. So let’s talk about this new stage that you’re in. You mentioned that you and Michael and I met together at an Alpha and Omega community meeting. Can you, you and Michael maybe talk a little bit about how you two got introduced and how you discovered this amazing community that AO is nurturing.

Jonatan Männchen (06:40)
Yes. I mean, wait, where do I start? So yes, we haven’t really talked at FOSDEM, but I got to know you just from speaking at FOSDEM. But yeah, let’s start there. So I was at…

Michael Winser (06:40)
I think it starts with you, Jonathan. I don’t know how you came to the meeting.

Was it it FOSDEM? I gave a talk at. OK, yeah.

Michael Winser (07:04)
Yeah, so I’ll go. At FOSDEM, I had a couple of talks, one of which was in a room that was partly organized by the folks from the STA and talking about funding and open source. And as you might imagine, it was a crowded room. A lot of people, a lot of questions, lot, and you know,

Mirko and I Mirko’s from the STA Tried to put together a presentation even to sort of explain what we are and how we do things or whatever And in 15 20 minutes, we obviously compressed a lot of thoughts and time into that But it worked as intended right that we got lots of good questions and people who didn’t even know What we did or why or whatever sort of started coming out of the woodwork and and it’s been really great and John is over to you:

Jonatan Männchen (07:52)
Yeah, it was actually the day before. It was the FOSDEM Fringe event. I was not present at your talk. I knew that it happened. But it was the SBOM Fringe event where you were also speaking. I also didn’t… I mean, I read through a lot of the OpenSSF stuff on a high level of what the OpenSSF is doing. And I saw Alpha and Omega, but I didn’t really go into details there. just knew that it existed. yeah, you talking actually brought it up in my mind. And we, as the foundation, we are in this spot where we now have some financing, which basically just extends to myself. But really to implement all of this, we need more help than we currently have. And so I thought it would be good to reach out. And that’s also why I joined the call.

CRob (08:22)
Mm-hmm.

Michael Winser (08:49)
I remember now, and that of course was completely unplanned. I was at that event as just a participant, and then Philippe asked me to come up and just say a few words, and I babbled some stuff, and here we are. So it’s always the sort serendipity things that really drive interesting outcomes.

CRob (08:49)
Excellent.

Ulf (09:05)
Okay.

CRob (09:07)
This is a really interesting topic and let me pull Ulf in for a moment. As a product manager, kind of selecting components that are going to go into a product that your organization sells. How important is it to know that these upstream projects you’re relying on have support and do take security seriously?

Ulf (09:33)
Well, I’m here as an antidote to a poison, is vendor lock-in. So the bigger part of my life, I’ve been part of industrial automation and we were running factories for automotive supplies or plastics or whatsoever. And as part of this company, we were building machines and we were using open source, but we were using it in a, I wouldn’t call it un-moral, but in a weird way that we were just using it, you know, and didn’t, we didn’t take care about what you say, whether it is maintained or safe, it’s just there and you download it and you make a dependency and that’s it. And the antidote is number one, that at one day we stumbled over Alistair as well on a, on a … That was actually… What was that? It was in Berlin. Yeah, Elixir event in Berlin. And we realized that there’s a huge foundation behind it. And that was the cornerstone. And later when the CRA requirements came down to us and we started to wrap our minds how we would fulfill these requirements and make safe software for our customers, then only we realized how important these foundations may become to us. And we were lucky in a way that previously for other reasons, for reasons of resilience and reasons of resource management and reasons of development speed and whatever, know, we have chosen for Erlang slash Alexia stack. And so we were kind of enthusiastic about it, but we never choose it in the first place for security reasons. Then later, we realized that we are in front of a huge challenge of complying with these requirements, which are from you, but basically the United States are doing very similar stuff under different naming and many of them requirements, they overlap. And then we realized, lucky we are that we have chosen a pond rather than an ocean. And that pond is so concise and kind of personal and kind of streamlined, I would say. That gave us the confidence that if we use it to address these challenges, we would possibly have a very concise community to which we can reach out and meet real people, talking real talks and tackling real problems.

CRob (12:22)
Hmm.

Ulf (12:26)
So that is kind of how we ended up here. And this is also what made us finally, which convinced also my owner, we have a company owner and my CEO and also my development officer that we would fund such a foundation to a degree which is maybe not much in comparison to what probably Intel or Meta is doing, but you have to put it into relation to what our annual turnover is. And in that measure, it is a considerable amount of money and we are willing to continue to do so.

CRob (13:09)
Nice.

Michael Winser (13:10)
I just want jump in. I think you would be surprised comparing yourself to what other corporations are doing. And I just, want to start by celebrating the several things here. One is sort of the pragmatic taking control of your destiny approach, right? And it’s always, you know, it’s open source. There’s a lot of stuff that happens and it’s like free as in beer. It’s like someone shows up and gives you beer. But as I like to say, it’s really more like free as in puppies and they need care and they need love. And Organizations that understand that and make that investment Find out all kinds of interesting things such as you now actually have a lot more like you can train your puppies to go in the right direction and not not You know pee in the kitchen, for example Metaphorically, we’re going to stop with that particular direction But I think it’s also an example of how in a competitive landscape regulation even sometimes ham-fisted regulation, I would certainly not attribute anything to one regulation or the other, but regulation is hard. But any kind of regulation essentially creates better incentives and it rises. Like everybody has to pay a little bit more attention to these things because, you know, in a competitive landscape, every dollar you spend on feeding your supply chain and taking care of your puppies is a dollar you’re not spending on marketing or development or whatever. But, you know,

It’s your code, even though you’re not the ones writing it, it’s in your business, it’s in your product. And so the care of that investing in that has a return. So first of all, kudos to you and your organization. I think it’s amazing. and it’s a pattern I would love to see sustained and repeated as more organizations can find ways to do so. And I think you’ve also shown it’s not that hard. You just show up and say, we’d like to make sure that this gets done properly and things happen.

Ulf (15:04)
Yeah, and I would like to add that it becomes even a rational choice. There’s not, I mean, when we talk about puppies, there’s a lot of love and care and all of that, right? But you can also see the case I have been describing as a very rational choice, because especially if you look into the alternatives.

One alternative would have been we would have developed security by our own. Yeah. Okay. And, and obviously that, that is a monstrous task and we would have needed competences, which clearly we do not have. And it would have taken a lot of time probably and would have been expensive. So that has been ruled out in the first place. And the second option would have been that we would have outsourced it to some contractor.

Ulf (13:19)
I mean, there are specialist companies out there. You can tell them what to do. They have the competencies and they will do it in a proper timing and for a proper cost. But still there is a downside to that, which is trust. Because if we go to our customers and tell them about security and we tell them, the security we are selling to you is actually the one we bought from this other guy. And, and he’s a specialist, I tell you.

Then our customer would say, who’s that? And what is he doing exactly? And how do you know? And all of that good questions from a customer point of view, that’s a proper question. And then no matter whether he was doing wrong or right, to build trust is very difficult. In turn, if we kind of outsource that, it’s not a real outsourcing because we don’t have a mandate here, right? We are just funding it.

Ulf (14:09)
But if this is done by somebody else which we do not influence directly, there’s two benefits. There’s never a smell of influencing in turn. So we can tell them what they’re doing is trustworthy because we are not influencing them. There’s no conflict of interests. And also if they are doing it and we are not mandating them directly, they would look for a bigger community, which was foster a more resilient solution landscape. I’m very convinced that this would happen. And both of them mechanisms, I can go back to my customer and tell them, look, and because of these two mechanisms, you can trust them guys a lot more than you can trust either us or a contract that we have bought. So if you look at down that road, it’s probably a very rational choice to kind of outsource things to people you’re not influencing. It sounds contradictious in the first place, but it’s not that much contradictions if you think it to the end.

CRob (15:10)
And the behavior you’re describing – how a manufacturer gets value out of these upstream projects and you have taken the very conscious decision that we’re going to try to support them. That is exactly the behavior that the CRA has explicitly written in is they’ve asked manufacturers like if you’re using upstream components, you should give back and participate. And I really applaud you all for making that choice very early on.

Ulf (18:33)
Yeah and also look into CRA. You have three choices. You’re a consumer, a manufacturer or a steward.

Michael Winser (18:40)
Yeah.

Ulf (18:41)
I don’t want to be a manufacturer in key matters. I would love to be a steward, but I can’t. It’s not in our competencies. So to say, I love to be a steward, I can’t, so I’m going to fund one.

CRob (18:58)
Let me turn the next question to Mr. Windsor. Why is it so hard for a lot of projects to implement good security practices and how does funding help that?

Michael Winser (19:12)
I love this question. So somewhat Ulf talked about starts with competency. know, not everybody is a, you know, well, let’s start with the problem of software supply chain security, right? As I love to say, it’s like the Y2K problem without the same clarity of problem solution or timeline. Right. Everyone is still learning a lot about this and we have decades of technical debt. So expecting, you know,

Mary and Joe, software developers working on a cool open source project to have competency in all the risks that they are essentially carrying forward is unreasonable. It’s just not practical. And any solutions we do are not going to be magically by teaching everybody to become security engineers at the same time, any more than everybody knows how to do front end, back end, or use airline as a language or rust or whatever. There are competencies that take real time and energy to acquire.

And that’s a big deal. The other aspect is it actually goes back to the same competitive pressures that corporations are feeling at the of deepest end of the supply chain or the furthest out to the right end of the supply chain. Open source projects are, you know, like have different reward mechanism. At the end of the day, being used, being valuable is something people care about.

And a lot of the signal that they receive from their downstream dependencies, right, is somewhat abstract, but it’s about usage. How many people are using me? How many, you know, GitHub stars, which please do not use GitHub stars as an indicator of popularity. but, know, and so they’ll do things that people are asking them to do. And invariably, what do people want to do? Like I’m building some software and somebody has built a module that does something for me.

CRob (20:46)
Stars and likes.

Michael Winser (21:00)
If I can shift the work onto them, so could you add a feature that does X, right? Says every enterprise customer ever, and says every open source project. Software developers want somebody else to do the things that they’re not good at, right? So I’m using some HTTP client library. It does some really cool. There’s now an edge case on dealing with streaming over HTTP 3, blah, blah, blah, blah. Could someone do that for me, rather than me having to add that to my application code, which is trying to plug tab A into slot B and make an NCP talk to Zapier, for example.

Michael Winser (21:30)
And so that’s a big part, right? There’s a lot of pressure and signal towards adding new features. There’s a competency they already have, which creates a fluency and ease of work around the feature set they’ve developed. So you have this hard hill to climb of security of things I don’t really know about, an easy and rewarding hill to climb, which is things I do know about and people are asking for, right? Those choices are too easy, right? It’s too easy to go down the path of doing more of that.

And unfortunately, that problem is bigger than that because the people who are downstream who would benefit from the security and might benefit from the feature sets, they don’t know more about the security. They don’t know more about the code. So who is going to do that work? How’s it going to happen? And, you know, this is where I think what’s awesome about what Ulf and company have done, right, is saying, look, we need to bring some experts here. And what I love about it too is the point of leverage, right?

So you could go and look at all the supply chain things and fix all the individual pieces, or you can make it someone’s job in an entire ecosystem to reason and think about that ecosystem and to make changes that are going to benefit all of them. And that’s the alpha of Alpha Omega is all about that scale.

Ulf (22:45)
And we would not have done it if we would not have faith in the fact that it can be done in that ecosystem. And we have faith it can be done in that specific ecosystem. Yeah. Because it’s so streamlined and so concise and so complete in it’s so feature complete that it helps us a lot. Yeah.

Michael Winser (23:06)
I think that’s really key. And I think that the other thing that comes out of this, I think we’re starting to see these in other ecosystems and I fully expect them to become like significant factors in the airline ecosystem as well, which is you’re normalizing security. So when you think about software engineers and the set of skills that they all think are common, right? There’s a certain subset of things.

CRob (23:23)
Mm-mm.

Ulf (23:23)
Yes.

Michael Winser (23:31)
what we’re starting to do is to normalize a broader set of things around security concerns. So not everybody’s going to become a security expert, but if everybody’s aware of security and like, I should do this. it, mean, some of these things aren’t even about implementing more secure code, right you could probably talk for days on how maybe you should handle reports around vulnerability and just having process around vulnerabilities in your projects. And when somebody does tell you, whoopsie, you actually even have a process to handle that.

CRob (23:54)
Exactly.

Michael Winser (24:01)
That is a significant gap for an awful lot of open source projects.

CRob (24:04)
Mm-hmm.

Jonatan Männchen (24:05)
Which is, the way, also a gap we’re very specifically addressing. We’re in the process of becoming a CNA [CVE Numbering Authority]. We’re currently in the onboarding workflow, not done yet. But we’re actually becoming a CNA for every package that is in the package manager, if they’re not covered somewhere else. Just because we think that we have more tools available to do the correct decisions in the whole thing and also reach the

Michael Winser (24:13)
Yes.

CRob (24:26)
Nice.

Jonatan Männchen (24:34)
Correct people than MITRE ever could just because they’re not part of that ecosystem specifically. yeah, so we really want to cover this as a CNA and also build in all the vulnerability reporting into the default tooling so everybody gets the benefits of that.

CRob (24:41)
Exactly.

That’s awesome.

Michael Winser (24:54)
This is, this is, mean, this is a pattern we’re seeing more and more, right? And, know, there’s now documentation well written by other parts of the Alpha Omega family on how to be a CNA. This is what we did, how it worked out or whatever. It’s worth stating to the perhaps, you know, less CNA obsessed listener, right? That one of the things that happens here is that the community can have a more curated control over what is being reported as a vulnerability and the process gets centralized. And this is not to impugn our

CRob (25:20)
Mm-hmm.

Michael Winser (25:24)
Esteemed colleagues in the security research industry, right? But they have incentives to find vulnerabilities and want to push them out and like that and when you push them either straight up to MITRE or directly to the individual project there is none of that curation happening and this allows an Esteemed set of experienced people in the airline community to make sensible decisions about is this really a vulnerability? What severity it has and so forth and there’s still a dialogue and should be a dialogue with the researcher, but it’s not

Sort of like the problem is that there’s no dialogue with MITRE or it just happens. There you go. And then it’s very hard to undo that later on. And it drags around creating, you know, imperfect signal for people consuming things.

CRob (26:03)
Right. So, I see you as representing kind of a really exciting new trend that we’ve witnessed over the last few years, where communities are reaching out and bringing in subject matter experts to become this developer, security developer in residence, kind of having this role. From your perspective, and your role as CISO for Erlang, what do you see your role is in helping your community?

Jonatan Männchen (26:34)
I think the biggest part is to figure out what should we actually be doing. Because there’s lots of regulation from lots of different countries. Nothing is harmonized. And then even, for example, the open SSF, there is so many things in there just sifting through what does actually apply to us. And there’s other organizations than the open SSF as well. So just figuring out what should we be doing, I think is the biggest part.

CRob (26:39)
Mm-hmm.

Right.

Jonatan Männchen (27:04)
And yeah, I’ve started putting together essentially a roadmap of things that we want to implement. Also, there’s some stuff that I can directly tackle myself just because they’re in a size that makes sense for me to invest that in my time. For example, we just did the open chain certification for Elixir or the CV numbering authority, which is talked about.

CRob (27:22)
Very nice.

Jonatan Männchen (27:34)
And we also just implemented the best practices batch for Elixir as well. So there’s lots of different things going on and there’s lots of them, yeah, where I can just look at them, do them, get it done. But there’s also bigger ones like for example, implementing SLSA throughout the whole package manager, where we’re more at the point where we need additional help just because it doesn’t make sense for me to focus on that for that long time right now. And so.

CRob (27:53)
Mm-hmm.

Jonatan Männchen (28:04)
I’m trying to figure out a way of organizing all of that and getting the funding and figuring out what is exactly we’re trying to do. And yet just put together a plan that actually could work essentially.

CRob (28:18)
Michael?

Michael Winser (28:20)
I’m glad you mentioned SLSA and You and I should chat offline for some specifics but I’ve been working within the SLSA working group for a while and one of the members out Tom Hennan has created there’s one of the tracks we’re working on this the build track there’s a less developed thing called the build environment track which manages the sort of Security of the environment which run the Maturing nicely is something called the source track around dealing with the provenance of the source code and the environment in which the source was created, right? And so being able to say you have branch protection on and things like that, and there’s a set of requirements. Well, Tom has produced a very simple little workflow. There’s still in sort of prototype phase that makes getting to SLSA level three of source level three provenance, where you have this continuous from a date, point in time forward chain of trust for all the commits to your repo incredibly easy to achieve.

And so would love to work with you and the Erlang and the Elixir space and the package manager space to do that and then Connected back to trusted publishing depending upon the workflow from there to publishing into the package manager You can start to see an end-to-end provenance story. That is very interesting and You know last week I had a chat with some of your colleagues from Erickson who work on the OTP stuff and I was asking them about what what’s their interest to the package manager versus the other parts of the ecosystem and

They build from source, use the force, build the source. And so that eliminates a lot of tampering threats in the build space, but they still care about the provenance and authenticity of the source. And by the way, they also say they very much care about the health of the ecosystem as well. And so they’re to help out in various ways. So there are dots to connect there that I hope are, and this is part of what we’re funding at Alpha Omega, that reduce the toil for someone like you and your ecosystem to kind of take those next steps.

CRob (30:16)
And I bet as a product manager, Ulf, this would be a really compelling story if you knew that the components that you were putting integrating into your products had this pedigree and provenance that had that chain of custody and they were untampered with.

Jonatan Männchen (30:16)
Mm-hmm.

Ulf (30:31)
Absolutely, and that even if I knew that would be the case then still there’s tons of work to do for security so I’m offloading a part of the problems we are facing and still Previously we mentioned that or I mentioned that probably we do not have the competencies in security and Probably under rating our company. Of course, we have experts in that matter but not to that extent what Jonatan can do for us number one or the community can do for us, number two, or foundation can do for us, or CNA can do for us. And the processes you’re mentioning about making the correct ratings and making the correct proceedings in how to handle these vulnerabilities, all of that we can definitely not do. And still there’s tons of work to do to provide safe software or secure software to our customers from operating systems and good habits and proceedings in the pipelines and management of quality. All of that’s still down to us. And even there, we benefit from Jonatan providing best practices. Simply as that. It’s undisputed, right? Somebody calls out a best practice, it goes into our development rules, and here we go. So it’s simple. You don’t need to spend or wrap your brain around how to do that the best way. It’s a matter of trust.

At the end of the day, for us, it’s a matter of trust.

CRob (32:00)
Awesome. So as we wind down, I would like to talk about, you know, what is all your individual calls to action? You know, what if there are other communities, whether it’s a project or another language ecosystem, and they hear about this amazing story that the three of you are weaving together, you know, what advice would you give these communities and how they can enter in and become these, good stewards and good participants in these types of situations.

Jonatan Männchen (32:36)
Yeah, thinking a second what to say.

Michael Winser (32:39)
Why don’t I start? Because I’ve got the easiest thing to offer right up front. Whether you are an expert in coding, an expert in the problem space, an expert in the language or the package that you’re using in your business, the first and simplest thing to do is to engage, to contact the organizations upstream of yours and say, hello, my name is Michael, and I am benefiting from your work. I would like to make hello and say, how’s it going? Introduce myself so that when you have a problem later on, whether it is an audit finding out that your CRA compliance is at risk because of some practice or whether it’s a silly little bug or whether it’s a vulnerability has surfaced and you’re not sure whose fault it is or what to do or how to do something or what the importance of it is. If you already have a working relationship, even if it’s just purely social, if it’s just literally love in the human sense of like love is a verb, hello, how are you today?

I care about your work, right? You’re already so much better off than you would be otherwise. And so the first thing to do is to engage and to listen, and then you will have a very clear path of opportunities forward, or at least the connection when you need them.

Jonatan Männchen (33:53)
What I could add, a lot of people in an ecosystem don’t really look outside of that ecosystem. So it’s really important that you’re not trying to do everything by yourself. There’s lots of smart people from lots of different places that already thought about these things, but they haven’t thought about it in your specific programming language probably. But yeah, looking around what others are doing and actually connecting beyond the borders of your own ecosystem is probably one of the most important things to do.

Ulf (34:39)
And from a user perspective, of the other end of the food chain, whatever, I wish that more people would be honest about their usage of open source and their contribution and, know, distinguish clearly what is their added value with what they have developed and they willing to sell to their customers and what they have just, you know, grabbed as a base for what they want to offer as a customer value. And if that would be a more honest and a more transparent way of doing business, then automatically more people would join an initiative like we have been doing and that base would become a lot more resilient and even a lot.

And it will be worth the living, you know, for the people who are doing it. mean, currently, most of or many of them projects are maintained by enthusiasts and not for living. And sounds sounds wrong, kind of wrong. Yeah, I would like I can’t see why we should not distinguish between our added value and somebody else’s added value and make that very transparent. Transparency.

CRob (35:37)
Excellent. Well, gentlemen, I really appreciate your actions, both in your businesses and upstream and in your communities. And I thought this was a really insightful conversation. And I know we’ll be having more like this as items like the Cyber Resilience Act in Europe or legislation around the globe continues. This is going to be a matter of great importance that downstream has generated an unimaginable amount of value from the work of upstream. And there needs to be a way to be more participatory and to give back and to show that love that Mr. Windsor noted back to those developers that have given you so much. So gentlemen, thank you. I appreciate your time. And with that, happy open sourcing. That’s a wrap for us.

Jul 23
Love0

Case Study: Google Secures Machine Learning Models with sigstore

By Blog, Case Studies

As machine learning (ML) evolves at lightning speed, so do the threats. The rise of large models like LLMs has accelerated innovation—but also introduced serious vulnerabilities. Data poisoning, model tampering, and unverifiable origins are not theoretical—they’re real risks that impact the entire ML supply chain.

Model hubs, platforms for data scientists to share models and datasets, recognized the challenge: How could they ensure the models hosted on their platform were authentic and safe?

That’s where Google’s Open Source Security Team (GOSST), sigstore, and the Open Source Security Foundation (OpenSSF) stepped in. Together, we created the OpenSSF Model Signing (OMS) specification, an industry standard for signing AI models. We then integrated OMS into major model hubs such as NVIDIA’s NGC and Google’s Kaggle.

The Solution: Seamless Model Signing Built into Model Hubs

We partnered with Kaggle to experiment with how to make the model signing easier without disrupting publishing UX.

“The simplest solution to securing models is: sign the model when you train it and verify it every time you use it.”
 — Mihai Maruseac, Staff Software Engineer, Google

Key features of the prototyped implementation:

  • Model authors could use the same model hub upload tools and processes to upload their models, but, behind the scenes, these models would be automatically signed during the upload process.
  • Each model is signed using the uploader’s identity on the model hub, via OpenID Connect (OIDC). Model hubs should become OIDC providers to ensure that they can sign the model during upload.
  • Model hubs use sigstore to obtain a short-lived certificate, sign the model, and store the signature alongside the model.
  • Verification is automatic and transparent—the model hub verifies the signature and displays its status. A “signed” status confirms the model’s authenticity.
  • Users can independently verify signatures by using a notebook hosted on the model hub, or downloading the model and the signature and verifying using the `model_signing` CLI.
  • Model repositories implement access controls (ACLs) to ensure that only authorized users can sign on behalf of specific organizations.
  • All signing events are logged in the sigstore transparency log, providing a complete audit trail.
  • Future plans include GUAC integration for generating AI-BOMs and inspecting ML supply chains for incident response and transparency.

The process dramatically improves trust and provenance while remaining invisible to most users.

The Result: A Blueprint for Securing AI Models

With sigstore integrated, the experiment with Kaggle proved that model hubs can offer a verified ML ecosystem. Users know that what they download hasn’t been tampered with or misattributed. Each model is cryptographically signed and tied to the author’s identity—no more guessing whether a model came from “Meta” or a spoofed account.

“If we reach a state where all claims about ML systems and metadata are tamperproof, tied to identity, and verifiable by the tools ML developers already use—we can inspect the ML supply chain immediately in case of incidents.”
 — Mihai Maruseac, Staff Software Engineer, Google

This solution serves as a model for the broader ecosystem. Platforms hosting datasets and models can adopt similar practices using open tools like sigstore, backed by community-driven standards through OpenSSF.

Get Involved & Learn More

Join the OpenSSF Community
Be part of the movement to secure open source software, including AI/ML systems. → Join the AI/ML Security WG

Explore sigstore
See how sigstore enables secure, transparent signing for software and models. → Visit sigstore

Learn About Google’s Open Source Security Efforts
Discover how Google is advancing supply chain security in open source and machine learning. → Google Open Source Security Team

Learn More about Kaggle
Explore how Kaggle is evolving into a secure hub for trustworthy ML models. → Visit Kaggle

Watch the Talk
Title: Taming the Wild West of ML: Practical Model Signing With sigstore on Kaggle
Speaker: Mihai Maruseac, Google
Event: OpenSSF Community Day North America – June 26, 2025
Watch the talk → YouTube

Jul 15
Love0

What’s in the SOSS? Podcast #35 – S2E12 Building India’s Open Source Security Community: From Developer Nation to Security Champions

By Podcast

Summary

Join CRob as he sits down with Ram Iyengar, OpenSSF’s India community representative, to explore the unique challenges and opportunities of promoting open source security in one of the world’s largest developer communities. Ram shares his journey from computer science professor to developer evangelist, discusses the launch of LF India, and reveals why getting developers excited about security tools remains one of his biggest challenges. From spicy food preferences to Star Trek vs. Star Wars debates, this episode offers both insights into global open source security efforts and a glimpse into the passionate community builders making it happen.

Conversation Highlights

  • Meet Ram Iyengar
  • Origin Story – From Professor to Evangelist
  • The Power of Developer Education
  • LF India Launch & Community Building
  • Getting Involved & Video Series
  • Rapid Fire
  • The Security Challenge in India
  • Call to Action & Wrap-up

Transcript

CRob (00:21)
Welcome, welcome, welcome to What’s in the SOSS, the OpenSSF’s podcast where I talk to amazing people that are doing incredibly interesting things with upstream open source security. Today, we have a real friend of the show, one of my teammates, Ram, who helps represent our India community. And I would like to hear Ram, could you maybe give us a little bit of an introduction to yourself for those members that may not know who you are and what you’re doing for us?

Ram Iyengar (00:50)
Thanks for having me on the show, Krobe. It’s such a pleasure to be a guest on a podcast that I’ve been very regular in listening to on several of the platforms.

CRob (01:02)
Yay!

Ram Iyengar (01:03)
So I’ve been working with the OpenSSF for a little over a year now. It’s been a wild ride in terms of learning a lot of things. And it’s been…Honestly fun to represent security in a part of the world that I imagine doesn’t take security very seriously. But I also realized that’s true of many parts of the world.

CRob (01:30)
You’re not alone.

Ram Iyengar (01:33)
Yeah. In a geography that’s known for application development and a lot of software getting written, getting built and an increasing number of open source contributions these days. It’s fun to hold the security placard and remind people about, hey, security is important. Hey, don’t forget about security. Hey, open source folks, you still need to secure your goods. So that’s really what I do. So evangelizing OpenSSF and a lot of the… open source security stuff in the India geo.

CRob (02:12)
Excellent. Well, let’s hear a little bit about your backstory. What is your open source origin story Ram?

Ram Iyengar (02:20)
So I was one of those people fortunate enough to work on open source since the start. And when I say start, my first real job was working on some open source content management systems at work. Android caught on big around the time I finished school. And then in terms of roles, I was born in India in the early 90s. So I guess I was born to be a developer, and write software, but also I went to school trained to be an engineer, but I always wanted to be an educator. So after my first few years of being a software developer, I switched roles to be a computer science teacher full time where I went to school in India. So I went to school in Boston.

Got a master’s in telecommunication, did a lot of Android related stuff. And then went back to India, started as a professor of computer science. But then what I realized was, I love being a teacher and an educator, but I also love the salary in the software industry.

CRob (03:40)
Right?

Ram Iyengar (03:41)
And so, and so, eventually I found my path into technology, evangelism and developer relations. And I found that, you know, software and tools and all of these don’t necessarily suffer from a lack of features as much as they do from a lack of education. And so to me, it was, you know, writing guides and doing trainings and giving talks and writing documentation and contributing a lot of the non-technical stuff, both for products that I work with and open source projects that I love. So, one thing led to another and now it’s been like five years of working with the Linux Foundation full time. And, you know, a good chunk of that with the OpenSSF.

CRob (04:33)
That’s awesome. Yeah, thank you for doing all that. I really agree about the importance of education. That is something that is crucial if we’re going to help solve our mission together, right?

Ram Iyengar (04:45)
Absolutely. I remember one of my earliest OpenSSF community day events and you were on stage talking about the diagrammers and the education working group and all of that and yeah, that’s played a huge part in stuff that I’ve been doing. So thank you too.

CRob (05:06)
Oh, pff. Proud to contribute to helping out. So I’d like you to tell me more about LF India and your work with engaging the community there. What’s it like collaborating with other folks in India?

Ram Iyengar (05:22)
So LF India was announced in December of 2024. We’ve been rolling out the first steps of, know, rather the first invisible and boring steps of any entity, is setting things up and getting some of those initial partnerships and conversations going. But all of that apart, I think thanks in big part to the great work that the LF has been doing all around.

It’s kind of marketed itself, to be honest. We have a whole raft of contributors who participate in a lot of LF initiatives already that are global, obviously. But we’re starting to realize certain flavors of sovereignties coming in, ideas that are specific to the region have to be focused on.

Ram Iyengar (06:19)
So LF India is sort of playing this role of replicating a lot of the good work that’s happening in other parts of the world, specifically for the India Geo. And in the past few months, we’ve had some good conversations from people about what’s potential in terms of projects that can come on, terms of initiatives that we can support, in terms of conversations that we can have in the public sector, in academia, and obviously in the big…organizations and private sector that we’re most used to. So there’s a lot of interest in participating in LF India forums now. And part of it is online events and things like that. And a big part of it is also offline events.

Big thanks to the CNCF and Kubernetes in stewarding a lot of these conversations.

It goes without saying that they’re probably one of the more active open source communities right now. And piggybacking on that success, think LF India is happy to announce the open source summit event that’s sort of its flagship that happens in different parts of the world. And it’s going to be sandwiched between the KubeCon in India and the OpenSSF Community Day in India as well which I’m really excited about.

CRob (07:44)
You’re gonna have a really busy time, huh?

Ram Iyengar (07:47)
Yeah. I mean, it’s all happening. The conversations are there, the partnerships are coming forth, the events are happening. And so I think it’s the whole package. it makes me extremely both proud and privileged to be part of the opening cohort that’s helping herald some of these new changes in this part of the world.

CRob (08:10)
That’s awesome. I know most Linux Foundation entities kind of operate similarly, where we’ll have a webpage and a GitHub repository and then some mailing lists and whatnot. So if someone was curious about whether they wanted to get engaged with either LF India or your direct work with the OpenSSF, how best can someone kind of find out more about you and like what’s going on with that part of the world?

Ram Iyengar (08:38)
So the goal at the moment is to drive more awareness of LF itself. So I guess, you know, just do the individual project website. So CNCF has its website and the Slack and all of these. The OpenSSF has the openssf.org website, the OpenSSF Slack. So get on all of these. I’m accessible through LinkedIn and other things if you wanted to reach out directly. And right now the focus is to get more people to become aware of the LF projects directly. And obviously there’s going to be like an LF India web page and things like that. Like I said, it’s one of those boring pieces that we’re still getting together.

CRob (09:23)
Now I remember that you were doing a series of videos. Could you maybe talk a little bit about that?

Ram Iyengar (09:30)
Mm-hmm, Yeah. Every once in a while, mostly at the frequency of like twice a month, or every fortnightly, I try and identify somebody who’s working in the security space and is based out of India. So they can give us like a picture of what it’s like to be doing security in this geography. You know, I’ve had the good fortune of meeting so many wonderful guests. And we do like a 45 minute session where they do like part of it is something of topical interest, like they’ll pick up an area that either they’re very happy to speak about or they feel that the community needs to be educated and energized about. And then a big chunk of it is also just an open conversation about here’s what I have encountered and help me validate these ideas or help me inform people about how important security is, and especially when they’re working with open source and things like that. So I’ve had like 15, 20 guests up to now and they’re all recorded and available on YouTube. I usually stream them live and then thanks to technology, they’re available for consumption as a long tail for people. And these are on the OpenSSF YouTube channel. So those who are interested in catching any of these episodes in retrospect, you’re welcome to visit the OpenSSF YouTube channel. And there’s also always something that’s going to be up and coming. So if you subscribe to the channel, you can stay updated about what’s coming.

CRob (11:16)
Excellent. Yeah, I’ve really enjoyed some of your interviews over the last year or so. Top notch stuff. Thank you for doing that.

Ram Iyengar (11:23)
Sure. I mean, some of them are, you know, deeply technical, like runtime security, for example, and some of them have been more about how to build a security culture within an organization and what are the missing pieces in security that entry level developers should know and things like that, you know, so stuff that, you know, I feel will strike a good balance. And it’s been wonderful just discovering all this talent that’s always been around and I’ve never looked for security people before, but it’s amazing to see what comes up.

CRob (12:00)
That’s amazing. Now, I love the security community and especially the open source security community. Great folks. I love the fact that everyone’s so willing to kind of share whether they’re educating or kind of bringing a topic that they want to have a conversation about. I love that.

CRob (12:15)
Let’s move on to the rapid fire part of the show. you ready for rapid rapid rapid fire?

Ram Iyengar (12:22)
Ooh, I am.

CRob (12:23)
I have a bunch of silly questions. I just want to hear your first response off the top of your head. We’ll start off easy, mild or spicy food, sir.

Ram Iyengar (12:34)
Spicy.

CRob (12:37)
Oooh that’s spicy. I love spicy food too, although I’m not sure I could hang with you. I do my best.

Ram Iyengar (12:45)
Yeah, sure. I think spicy means something completely different in this part of the world.

CRob (12:51)
Like a different stratosphere. I have mad respect. Uh, VI or Emacs.

Ram Iyengar (12:57)
Oh, I’m a VI person, always happy.

CRob (13:03)
Excellent, excellent. Who’s your favorite open source mascot?

Ram Iyengar (13:06)
I like the Tecton mascot a lot. Closely, but obviously like the tux is a classic, for the recent ones, Tecton has been my favorite. Although, you know, honk, I think deserves a special mention.

CRob (13:24)
We all love honk. Excellent. What’s your favorite vegetable?

Ram Iyengar (13:32)
I love the versatility of an eggplant. Can do a lot with it. Yeah. Yeah.

CRob (13:38)
Yum. I love eggplant parmesan. That’s a delicious choice. And finally, and most importantly, Star Trek or Star Wars?

Ram Iyengar (13:47)
Star Trek Crob.

CRob (13:50)
Hahahaha, There are no wrong answers, but yes, that’s an excellent one.

Ram Iyengar (13:54)
Yeah sure. But also like fun fact, I don’t know if this might get me in trouble, I have never watched any one of the Star Wars movies.

CRob (14:00)
WHAT?!

Ram Iyengar (14:01)
Yes. Yeah. This might alienate a lot of people or help me make new friends but yeah.

CRob (14:11)
[Sad Trombone] Well, I would encourage you to go watch there are many options in the Star Wars universe, but Star Trek is pretty awesome.

Ram Iyengar (14:19)
It is

CRob (14:21)
Well, thank you for sharing a little bit of insight about yourself as we wind down Do you have a call to action or something? You want to you know, ask our audience to maybe look into or do?

Ram Iyengar (14:32)
It’s hard in the region that is India to get people to focus on security, let alone like, especially when they’re working on open source stuff. Even if you look at a lot of the recent AI trends, for example, there’s a bunch of people who are focused on AI agents and MCP and whatever new technology is going to come in a couple of days from now, you’ll find like 15 examples of people developing something, but you don’t see the same kind of enthusiasm around applying security tools. Even for like the container ecosystem, everybody was in on like cloud native. And then when you talk about, did you scan that container as you as you run a build, people are like,

“Why would I even think of doing that?” So it’s a hard problem. And when you have what some of by some of these estimates is going to be the largest developer population in the world or some crazy stuff like that, you really need to help them focus on security and educate them about secure apps are also good quality apps.

There was a lot of cloud-native development and blockchain development and AI development and all of these, but not enough emphasis on the security side of stuff. At the same time, that’s what the OpenSSF is here to help you about. Get a leg up on security stuff. Take a look at the projects and the working groups. It might really be worth your time. And so, let’s come together, help build an informed and educated security community around the wonderful app development community that we already have. so, you know, engage with the OpenSSF, engage with the Linux Foundation, whether it’s through events or meetups or, you know, just read through some of what the working groups are putting out and participate on Slack and throw in a comment or two on social media and just tiny things if you can. It goes a long way in helping open source move forward and build momentum. So if you can do any of those, I’d really be happy.

CRob (17:01)
some great advice and no matter where you live, there’s a ton of great content and please share with your communities. So, Ram, thank you for taking time today. I know you’re gonna be busy with that whole series of events, especially the Open Source Community Day in India, which will be pretty fun. Our second one, correct?

Ram Iyengar (17:23)
That’s right. So first one was in 2024, second one in 2025. I love how there’s a balance of a Linux security talk, security culture talk, some AI security stuff, some container security stuff. And I’m really grateful to the community to have come forward and submitted all these wonderful talks.

CRob (17:48)
Well, thank you for helping lead the community and helping educate them. And thank you for everything you do for us here at the OpenSSF.

Ram Iyengar (17:56)
My absolute pleasure, CRob. Thank you so much for all of that and having me on the show.

CRob (18:01)
You’re very welcome. And to all of our listeners, that’s a wrap. Happy open sourcing.

Jul 01
Love0

What’s in the SOSS? Podcast #34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

By Podcast

Summary

In this episode of What’s in the SOSS?, host Yesenia Yser sits down with open source security engineer and community leader Tabatha DiDomenico for an inspiring conversation about her unexpected path into open source, the vibrant communities behind security, and her role as president of BSides Orlando.

From discovering Netscape in the early days to shaping security strategy at G-Research and OpenSSF, Tabatha shares how her career evolved from necessity to purpose. She talks about the power of DevRel, the invisible work behind sustainable open source, and the magic of volunteering – pro-tip: working the registration table is great for networking.

Whether you’re new to the ecosystem or a seasoned contributor, this episode is packed with insight, warmth, and practical advice on getting involved and staying connected.

Topics Covered:

  • The accidental beginnings of an open source career
  • How DevRel supports healthy OSS ecosystems
  • Building internal open source culture through innersource
  • The impact of local security communities like BSides
  • Advice for contributing, volunteering, and thriving in open source

Conversation Highlights

00:00 The Journey into Open Source
06:10 Current Projects and Roles in Open Source
11:57 Involvement with B-Sides Orlando
18:07 Understanding Developer Relations in Open Source
27:08 Rapid Fire Questions and Final Thoughts

Transcript

Intro music (00:00)

Tabatha (00:04)
I immediately felt at ease. And I was like, oh gosh, people think, just like me, they, you know, they are curious. They want to break things, they want to put things back together again, and they’re just so generous with their time.

Yesenia (00:18)
Hello and welcome to What’s in the SOSS? OpenSSF’s podcast where we are talking to interesting people through the open source ecosystem. My name is Yesenia Yser. I’m one of your hosts and today we have an incredible treat. I’m talking to a close colleague and an open source extraordinaire, Tabatha DiDomenico, a security engineer that works on our open source. Welcome Tabatha. Welcome to introduce yourself to the audience.

Tabatha (00:47)
So thank you so much for having me today. My name is Tabitha DiDomenico. I am an open source security engineer at G-Research. And it’s been exciting to be a part of OpenSSF in various working groups and capacities over the past couple of years.

Yesenia (01:04)
Welcome. So glad to have you and we’ll start off with one of my favorite questions. Can you tell us about your journey in open source? What sparked your interest and just how has it grown over time?

Tabatha (01:14)
So this is an interesting question. feel like when I reflect on my journey in open source, it doesn’t quite look like a journey because it was not an intentional thing. When I first began using open source, it was out of necessity. It’s what was available, probably thinking back to Netscape days. And that’s probably my first actual awareness that something was an open source project. A lot of the work that I did at the time, the organizations that I was with, the products that we used internally to power various organizations, we selected them because they were free and happened to be open source. when I think back to how has it been a journey over time, it’s become more intentional. My interest in open source has definitely become an intentional direction that I have set for my career.

You know, when I think back to those early days and using open source out of necessity rather than a desire to be, give back or to be part of something larger than myself or, and there was none of those sort of in intrinsic, lovely motivators that we had. was really just out of necessity. and over time I was fortunate enough to, to be in a position to work with WordPress. and that was sort of the next evolution of, of my engagement in open source. I had built a small agency for myself during WordPress development, website development, and also maintenance, and just getting familiar with the community and the resources that were available. It was not something that I had ever seen from any commercial software that I had been a part of. The large corporations don’t necessarily build these beautiful communities around their paid products. Some do.

But it’s incredibly rare, right? And so when I’d seen this, you know, that there was these word camps and that there was these hyper local conferences and events that people came together because of love for the product, love for the community, that was really compelling to me. From there, I had the incredible opportunity to actually get paid to work on open source through a product called the Dradis Framework, which pen testers in the security community may be familiar with, because it’s an open source penetration test writing tool – where it kind of got at start. The founder of the company is originally a pen tester, wrote this tool in-house. All of the other pen testers began using it. it was one of those products that once he open sourced it, the community thought, wow, this is really great. You’ve got something incredible here. Other people begin using it. It sort of became the case of, you know, if you build it, they will come, your users will come, but then the problem began of, how can you support this product in your spare time and still have a life? know, so that’s when, when he began to look into, you know, releasing it as a commercial product as well. and so that, you know, seeing the, that how community can build around open source and having a hand and starting to shape a community around a product and build a community around a paid version of a product, it further expanded my understanding of how open source can work and how open source can work in business. And then, and now I’m here with G-Research and working with organizations like the Linux Foundation and OpenSSF, going to events like FOSDEM and seeing the scale of open source and, you know, in our world and, and knowing that I I’ve involved somehow, it feels really cool. So, you know, now it’s definitely intentional. get paid to work in open source. it doesn’t necessarily look like me just, you know, writing PRs and pushing them all day long. Cause my work looks different. and that’s great. Cause it’s needed. Yeah. I’m not sure what else to add to that except for it’s been an incredible opportunity to witness the scale of open source and to get an understanding of the breadth of it. It’s fascinating to me and a lot of the challenges that we face in security around open source are complex and not easily solved and I like those kind of problems.

Yesenia (05:53)
Yeah, and just like you said, the scale of it just from, I think my first open source conference to like the latest, like just the number of tendons and people that are aware of them. It’s really great to see in the community. you know, thank you for your contributions and impact to make that happen. With that, I know you just mentioned earlier that you’re starting, you know, a new role. So I’d love for you to share any projects you’re currently working on and just what excites you the most about it.

Tabatha (06:22)
So a lot of my role, a lot of the work in my organization is, I feel like more of like an ecologist than anything else, an open source ecologist. How do I, while my title is open source security engineer, a lot of the work that I do is to support and be good, help our organization be good stewards of the open source projects that are important to us or that we value in some way. And so how do I speak for an open source project in their community and ensure that how we’re interacting with that community is appropriate, that our vision aligns with the vision of the community itself and the direction of the product of the open source component and how do I, know, how can I best connect our internal resources with projects that I see could benefit by that support is sort of the crux of my work and to making it, how do we responsibly and securely contribute and participate in open source ecosystems? It is, it is. And especially if you have a culture and an organization that’s not necessarily

Yesenia (07:42)
It’s big challenge in scenarios today.

Tabatha (07:45)
the most familiar with working in an open source way. So some of our recent projects have been, you know, looking at, you know, perhaps an inner source initiative and getting our starts start there and, and encouraging folks that have never contributed to an open source project before a bit of confidence in working and collaborating with others in an open source way internally before they take that next step and start thinking about pushing things upstream.

Yesenia (08:20)
Yeah, because it’s interesting because it’s a whole different culture when you’re going from internal into an external phase. so building that culture inside to then take it out, I think is a smart way and approach to do it. Yeah.

Tabatha (08:34)
Yeah, yeah. So that’s been, that’s been one of the very fun project to work on and just like I said, connecting folks with projects and solutions that I believe will solve the challenges they’re having or can help point them in a better direction to solve the challenges that they’re having.

Yesenia (08:53)
Yeah, and outside of that, it just sounds like you do a lot for open source, but you know folks like us we just add more hats to ourselves. You are the president of BSides Orlando. It was a great conference. Definitely attended last last year’s and I’m sure you are preparing for this year. How did you get it? You have to your head. How did you get involved with the organization and what’s next on your agenda for that like?

Tabatha (09:21)
So this is a fun story and speaks to more how I really embraced that I was working in security already without it being so much of a title as I was invited to attend Security BSides Orlando 2014. And just to back up for our audience here, that may not be familiar with the Security BSides framework. It was born, I believe, in 2011. And it comes from the desire to elevate additional voices, to get folks involved in participating in information security, and to create space for newcomers and to bring smaller, have smaller events that are more local to a community, to bring speakers in to that community. I’m not explaining it well. I’d like to probably try that again. So the BSides security BSides framework started in around 2011 and it was a group of individuals that recognized that there was a number of speakers that kept returning to the stages of the larger security conferences. And so they looked to have a BSides version of those larger security conferences that was organized by the community that brought people in and speakers and information in that the local community wanted to hear or needed to hear by the, by the judgment of the organizers, and has grown from there. It is not an official organization that’s like run globally. There’s no, you know, contract that we have to sign. don’t pay dues up to any sort of umbrella organization. It’s a, while there is an organization in, know, that’s registered as Security BSides each Security BSides event. And I believe the last count or last look.

I looked at it was over 200 events annually around the world is organized by the community in that area. So it’s, it makes it it’s a community’s conference is how I think about it and how I discuss it when we’re, when we’re talking about planning security besides Orlando. So as I was, I was getting back to wanting to share was my story is how I got involved.

I was invited to attend. A friend of mine had been telling me for a while that I was doing security, that I should consider looking into security as a career change for myself and to maybe go that direction. And if nothing else, that I would enjoy the community. So I attended BSides Orlando 2014. And I’ve shared this story on stage a couple of times. I picked my first lock at that conference and it’s like the lockpicking village to information security job pipeline just took hold. But it was more than that. It was more than just picking lock. It was the willingness of the other attendees and the organizers to share information. It was, I’m getting chills now thinking about it.

Yesenia (12:01)
You got me chills. like, I’m gonna, I am like,

Tabatha (12:03)
That’s how I felt as I walked in and I was greeted by John Singer Who who I don’t know if you know John Singer But he it feels like everybody knows him at least yeah, especially if you’re in the Florida cyber security world It’s hard not to know John Singer but either he was just so welcoming and here’s this guy who was organized this this huge conference in this area and and my first interaction with him was nothing but just welcoming and it’s so, it can be so scary when you’re walking into a new environment like that, a new space, even if you have somebody encouraging you to be there and with you. but I immediately felt that ease and I was like, my gosh, these people think just like me, they, know, they, they are curious. They want to break things. They want to things back together again. And they’re just so generous with their time with the goal of.

Yesenia (12:57)
Mm-hmm. helping others.

Tabatha (12:58)
Helping others, yeah. mean, there’s no, yeah, hacking is, you know, that’s cool and it’s a cool thing to be involved in, but it’s more than that. know, for the folks that I’m drawn to and for the communities that I’m drawn to, there is this sense of, yes, I need to do this work and also I’m doing this work because it is meaningful to me and I recognize that this meaningful work, despite our differences, is bettering your life too. And I think that’s great.

Yesenia (13:31)
Yeah, it’s one of my favorite things about the security communities. You one of the first communities I got involved in was security and everyone was so welcoming that I was just, I was always applauded when they’re like, you know, they knew all the negatives in the space. And I was like, really? Everyone’s been so welcoming and nice and the tech community and open source like that. So I definitely resonate with that. And lockpicking was one of the first things when I started security, they’re like, you can’t start.

You can’t start your first ticket until you lockpick this. So they gave me like a kit and like three different locks and levels and they’re like, all right, we’ll start you off though. So if anyone’s interested in security, you you got to pick your first lock. You got it.

Tabatha (14:20)
Yeah, I think that’s the, that’s, that’s the direct route I took all the time, but I, I’m sure that there’s others out there that have gotten their start in cybersecurity after, after picking their first lock at a BSides event, just like I did. but yeah, it’s, it’s, I know that, that it exists. know that toxic behavior exists in information security and obviously, know, in my time, you know, in the years that I have been involved, in, this industry I have seen the numbers improve with regards to diversity and folks being accountable for their actions and holding others in the community accountable for their actions. So I don’t want to discount that it can be a difficult place sometimes, both working in security and working in the open source world. But by and large, that has not been my experience. My experience has been more similar to yours, where most of the folks that I have engaged with have been more than happy to sit with me and explain a difficult concept or a new approach or most of the time they’re just excited to share whatever thing they’re nerding out about and yeah.

Yesenia (15:27)
That’s it, we just wanna geek out with one now. Like, my god, did you see this new cool thing? Let’s play with it.

Tabatha (15:33)
Yeah. Yeah. We figured out this new way of doing things. can enumerate blah, blah, blah faster. Like, let me show you to do. Okay, great. You know, um, or if I’ve got questions, they’re, they’re always more than, more than willing to, to jump in and help. Um, and from, yeah. So from there, uh, I, I think that was, like I said, it was 2014 later that year. went to my first DEF CON, which is a whole, uh, a whole thing. It’s a, and I found much the same thing. You know, I found, I found that.

The community was very welcoming and here’s all these people that, you know, have lived very different lives and have very different experiences from my own. And still we’re, we’re aiming to solve similar problems and working together seems like the best way to do that. that year, funnily enough, I had worked with others that had been working. So I went to hacker summer camp that year, that first time.

with others that were paid to do security. That was their job, right? I was still there on my own dime. And there’s a conference, there’s a couple of conferences earlier in the week. One of them is Black Hat, and Black Hat is, you know, the more corporate version of the security week, other security conferences out there. And I couldn’t afford to go. So I looked around and I was like, well, surely there has to be a BSides or something. So I looked at the BSides Las Vegas and they were still receiving volunteer applications. I applied and I volunteered that first year at BSides Las Vegas and I was hooked. That was all it took for me to just fall in love even further with the security community. And from there, it was a couple years before I could come back and get engaged. it was 29 BSides Orlando 2019. I came on as staff and I ran registration desk for the event that day. And night.

If you want to meet everybody at the conference that you are attending, I recommend volunteering to work at the registration desk, because that is a fast track networking opportunity. And from there, I became on board in 2020. And then I was nominated and elected to take over as the president of BSides Orlando. I think it was the next year. We were still not quite cleared from COVID to be able to have an on-site event.

But 2022, we returned on site and have been organizing an event annually since then. this year will be my fourth BSides Orlando event as the president. Yeah.

Yesenia (18:09)
Nice. Yeah, it was a great event. I had so much fun there. I did the badge soldering. I went to everything. Thank you for sharing that. was such a… And for those that… I know you had mentioned Hackers Summer Camp, just for those that aren’t aware, Hackers Summer Camp is a week long in Vegas where there’s multiple security conferences. You have Black Hat, BSides, Def Con, Squid Con.

Tabatha (18:33)
Dianna Initiative.

Yesenia (18:35)
And Diana initiative there, there might be others that pop up. I know hacker in heels. They have their own salon that kind of runs there too, for like women networking events in cybersecurity. So if you’re a security professional, those are. Yeah. Worth the money.

Tabatha (18:48)
So definitely check it out. There’s a lot of ways to get out there too if you don’t have the funds to attend and maybe we can share some of those resources at some point.

Yesenia (19:00)
Yeah, maybe in the description, we’ll figure that out. I know you just transitioned over to security engineer, but before that you were doing dev rel developer relationships. And this is kind of like a new space just over on the industry with the last couple of years. What role does dev rel play in open source ecosystem? just someone new that’s coming in, if this is something that interests them, how could they get started and start contributing meaningfully?

Tabatha (19:22)
That’s a great question. DevRel is a bit challenging to sort of define, because each organization does Developer Relations a little bit differently. I know for our organization it, it really, like I said before, it’s sort of acting as the ecologist between the open source ecosystems that we’re involved in, our internal communities and engineers and, you know, acting as sort of the steward between the two, for what that actually looks like in practice, it’s for my job. Up it was it is to be good stewards of the projects that we publish and to ensure that the work that we’re putting out in the world is as high quality as possible, that it makes it that, that the project is ready to receive users, contributors, even would be lovely for many of these projects, and those sorts of the sort of work that needs to be done to in court, encourage new adoption of a project, or to encourage new contributors, or to encourage an existing contributor, to consider Thinking about becoming maintainer and taking on additional responsibility. It requires somebody who’s not necessarily bogged down in doing triaging PRs and doing code reviews. It takes time away. It takes time to sit down and be thoughtful about how do we want to encourage contributions? Do we have a solid contributing guide? Do we have it? Do we make it clear how to get started with even an issue? Do we make it clear on how to be involved in this project? Advocacy for a project, if you recognize that there’s a project that needs just more awareness, like I said before, not all projects are like greatest where you build it, they will come oftentimes, projects you know, that are either a hobby project or something that’s new. It needs that, that awareness building you need. It’s difficult to stumble across a new project, sometimes, just because of the there’s so much out there, you know, how do you make heads or tails of it. So doing work for advocacy, doing work where I’m advocating for various frameworks, perhaps that like open SSF has established through something like s 2c 2f to understand how to best consume open source into your into your organization, advocating internally for using additional things like salsa, you know, and understanding the different different paths to Sally and how that could interplay in your organization. Or even, you know, going out and talking about Sally so other or people at that work at other organizations have knowledge of these various tools, frameworks and projects that are to are there to enable folks to do the work of building open source and being secure while doing while working in open source.

Yesenia (22:36)
Yeah, it’s awesome. I know OpenSSF has the DevRel community meeting that happens once a month. I think it’s a great call for folks that are interested to come in and see what the group is working on.

Tabatha (22:49)
Yeah. And there’s lots of opportunities. know, each of the, each of the working groups that OpenSSF has, there’s brilliant people working on solving really challenging problems. Once those problems are solved, technically there’s still is this, this bit of advocacy that needs to happen there. You you have to take that project and then promote it a bit to get more adopters because without feedback on how this actually works in practice, it’s, you know, it’s not always, you’re not getting the best product project or outcomes because the diversity of opinion is so low. And there’s many different ways to solve all of these problems. So the more of us that come together to share how this works in practice, the better we can make it for all of us.

Yesenia (23:31)
And test it too, I think you just got into a good point. Sometimes we just need people to use it and see, does the guide make sense? Like that was one of the things that hurt me the most when I would pull a new open source tool was the user guide. And I’m just like, they had all these dependencies installed and I had to figure out which ones to install. And I’m like, can we just add this? Like, what do I need installed before? If I got a brand new computer, what do I need? know, just to start. cool.

Tabatha (24:00)
Yeah, that’s one of those things. We work with major league hacking, MLH, and I have a Developer Relations fellow each semester. Yeah, great Org If your organization has the ability to get involved with MLH, I encourage you to do so. And if you’re listening to this and you’re a candidate to become an MLH fellow, I encourage you to do it. It’s been, every single one of the fellows that has come through our doors has been just top notch.

So that aside, it can be a challenge to introduce DevRel to somebody who’s young and excited about working in open source and they’re chomping at the bit to solve their first technical issue and get to coding, right? And then you have to break it to them. That’s not what we’re doing. We’re doing all of the other stuff, the in-between stuff that has to get done in order for people to actually use this.

Uh, and then, you know, they’re just kind of like, Oh, well that, that doesn’t sound nearly as interesting. And then I, I’ve, then I, you know, I kind of do this thing where I’m like, well, do you use any open source in your, know, in your own time and your hobby projects? Have you ever released anything? Do you, you know, have you ever gone and tried to play like an open source game? Is there anything that you’ve seen before? And sometimes they’ll come in and we’ll have, you know, definitely a very clear opinion about open source.

And sometimes they’ll come back and look at it, you it just kind of is the thing. But inevitably I always hear back that they have a greater appreciation for good documentation after having worked with us to do DevRel because they see the value in it now. They understand that it doesn’t just happen. There’s no just like running AI on it to generate, you know, quality documentation. Maybe somebody out there has a tool that does it brilliantly now.

But it’s unlikely. There’s always nuance to these things. So I think that exposure to DevRel creates a different sort of appreciation for the invisible work, the labor that has to go into open source in order for it to flourish and thrive and to give open source projects the best chance at success in the environments that they’re in.

Yesenia (26:16)
There’s so much behind it people just think it’s coding. I’m like no we can use so much more help Great let’s move on to the rapid-fire part of the interview I’m gonna shoot the questions first comes mine and we’ll keep flowing. So first question Star Wars or Star Trek?

Tabatha (26:21)
Star Wars.

Yesenia (26:30)
Early bird or night owl.

Tabatha (26:42)
Ooh, both, depends on the day.

Yesenia (26:45)
Okay, I’ll take it. get that. get that books or podcasts.

Tabatha (26:51)
I would say, see, I finished a master’s program a couple years ago and I’m still recovering from having to read all of that. That’s happened to every time I’ve gotten a degree. So I’m going to go podcasts, but normally in better, not, not graduate level brain still, it would be books. Yeah. Yes.

Yesenia (27:10)
Yeah, your brain burns out. I get that. Like, it’s just recent where I’ve been able to like pick up a book and like, pretty much become addicted to it. Like, I can’t do anything else until I’m done with the book. It’s great.

Tabatha (27:21)
That’s great. I miss being at that level with a new book. So hopefully soon.

Yesenia (27:27)
Took me years. I couldn’t pick up books, but I have a huge library. Last one, spicy or mild food.

Tabatha (27:33)
spicy, absolutely spicy. Yeah. Yeah. I grew up between, I grew up between Texas and South Florida. So it’s spicy all the way.

Yesenia (27:44)
You got it, best of both worlds. Well, thank you for your time. I want to give you space to leave any last minute advice, thoughts for the audience.

Tabatha (27:54)
I’d say any last minute advice or thoughts. I would say get involved. Don’t be afraid. It’s not as scary as it seems and show up in person if there’s an event near you. Excuse me. Let me try that again. So I think that.

Tabatha (28:39)
I think my final thoughts on this would be to get involved in the community because that’s really where I have found the most benefit for myself personally. Reach out, get an understanding of the project. If you’re curious about getting involved and you’re a little nervous to get started and are unsure, even if those good first issues look too scary to you, hop on a community call. If there’s a contributing call, just go and lurk. Attend something where you are engaging in other people engaging with other people and not only the code base because that’s really where you’re going to get more insights on how everything gets put together, how everything works, how the project works and how the community works together and whether or not you actually want to be a part of that community before you get involved. So I say jump in.

Yesenia (28:39)
Totally jump in and volunteer for events too. think that’s another great volunteer. Well, thank you for your leadership and contributions to our communities. You know, many thanks to our listeners and our open source contributors and the community of folks that help drive all of our projects forward. Tabatha, I appreciate your time today and I look forward to seeing all your impact in 2025. Thank you.

Tabatha (28:44)
Volunteer friends. Yeah, absolutely.

Tabatha (28:47)
Thank you, Yesenia, It was great chatting with you today.

Jun 27
Love0

On-Demand Webinar: Cybersecurity Skills, Simplified

By Blog

A Framework That Works

Cybersecurity isn’t just the responsibility of a dedicated team anymore. Whether you’re an engineer, a product owner, or part of the executive suite, your day-to-day decisions have a direct impact on your organization’s security. That was the clear message from the expert panel featured in our webinar, Cybersecurity Skills: A Framework That Works — now available to watch on demand.

Leaders from IBM, Intel, Linux Foundation Education and the Open Source Security Foundation (OpenSSF) share real-world insights on how their organizations are tackling one of today’s biggest challenges: upskilling the entire workforce in security. The panelists discussed the new Cybersecurity Skills Framework, an open, flexible tool designed to help teams identify the right skills for the right roles — and actually get started improving them. It’s practical, customizable, and already helping global organizations raise their security posture.

In the webinar, you’ll hear how to:

  • Map skill requirements across teams using security OKRs
  • Operationalize training at scale with integrated learning plans
  • Lead the charge to implement open, accessible pathways for cybersecurity education

The conversation is packed with actionable advice, whether you’re building a security training program or just want to understand where you or your team stands.

🎥Access the Cybersecurity Skills, Simplified Webinar

BONUS: Receive a 30% Discount for any Security-Related Course, Certification or Bundle Just for Watching

Need to Close the Skills Gap Across Your Team or Enterprise?

Get in Touch Today!

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved