
Contributor Q&A with Melba Lopez, STSM – Supply Chain Security, IBM

October 19, 2022 | Blog

Contributors play an important role in the OpenSSF and the Linux Foundation, so we want to give you a chance to meet some of the amazing individuals in the open source software (OSS) security community. Over the next few weeks we’ll be featuring maintainers and contributors and hearing how they came to the community, what their experiences have been like, and what advice they have for others.

Meet Melba Lopez, STSM – Supply Chain Security, IBM

Melba is currently a Senior Technical Staff Member (STSM) working as the Lead Product Security Architect for Supply Chain Security at IBM. She has over 15 years of industry experience, a Master's in Cybersecurity, and four issued patents, with more to come!

How are you involved in the OpenSSF? 

SLSA Positioning SIG Lead, SLSA co-contact for Code of Conduct, and Contributor to the SLSA Specification SIG.

For the Positioning SIG, I'm helping to drive industry-wide adoption and recognition of SLSA as the "lingua franca" for producing software and ensuring a secure software supply chain. Some of my responsibilities include:

  • Hosting weekly meetings (working sessions/general)
  • Evaluating SLSA compared to other standards/frameworks/regulations
  • Educating the open source community, global industry, and standards/regulatory bodies on SLSA

For the Specification SIG, I’m helping to provide a perspective on how to approach/define the requirements for the different levels of SLSA. This includes:

  • Making sure the requirements are clear and there’s no ambiguity
  • Making sure SLSA is attainable by all (not just a few)
  • Making sure that if an organization/community attests to being SLSA compliant, we can enable the industry to trust and verify

Why did you choose to become involved?

I was starting on a new journey with Supply Chain Security and I had heard about SLSA from a colleague. At first it became more of a curiosity, but then it evolved into wanting to really enable this framework/community the best it could be.

Tell us about your experience being a contributor. 

I was new to open source and wasn't sure how to get information about SLSA (outside of the website) and how to contribute. After a while, I stumbled on a GitHub page and eventually an OpenSSF calendar. When I first started joining the meetings, I did feel a little out of place. There were A LOT of smart people discussing supply chain security, on which I was still ramping up my own knowledge. I was trying to figure out a way to contribute without stepping on anyone's toes and that didn't revolve around coding. Don't get me wrong; I would love to code, but it would take me a while to get up to speed. Eventually I started opening up a few GitHub issues, I volunteered to be one of the points of contact for the SLSA Code of Conduct, became the lead of the SLSA Positioning Special Interest Group (SIG) and an active contributor to the SLSA Specification SIG. Now, I really feel like part of the community, by providing a diverse perspective and helping to make SLSA adoptable and more attainable!

Why is being a contributor important? 

For SLSA, being a contributor means I am enabling a wider audience to be more secure. If we can make SLSA (or anything in the OpenSSF) more prominent in the industry, then we are all better off. We would inherently reduce the security risks for organizations that may not have a lot of security people, helping them be more secure.

How has your educational and/or professional career led you here?

I had always heard about open source, but figured it was just for a bunch of programmers. It wasn't until IBM (which is a big advocate of open source) educated me on these various open source programs that my interest in OpenSSF and SLSA was piqued.

What makes being a contributor rewarding for you?

I <3 that I can contribute a different perspective and learn from other organizations (big or small) on similar challenges, different approaches, or new technologies.

What advice do you have for others?

Open source participation isn't just for programmers! Open source communities also need thought leadership and industry/collegiate professionals to help provide various perspectives/use cases that they otherwise may not have considered. So even if it's something small that you can help out with, it's a win-win!

How can open-source communities help foster additional participation?

One model I would like for ALL communities to follow is to have a "newbie/office hours" meeting/channel. This helps the newcomers feel welcomed, understand how to get involved, and get help if they need it. Not everyone is used to GitHub or Slack, and it can be overwhelming for someone getting started to navigate those tools while also navigating a new community.

Tell us something interesting about yourself.

I really like snowboarding and traveling to different mountains!! Craziest experience I had was when I was up on Whistler to try one of the ‘Bowls’ and there was a complete WHITE OUT!! I had no idea which way was up, down, left, right. It was amazing (and an absolute terror) how without any perspective your body/mind has no idea how to navigate.

To meet other individuals featured in this series, check out our Meet a Maintainer and Contributor Q&A feed as we continue to shine the spotlight on our awesome maintainers and contributors.