Join us for a conversation with OpenSSF Board Member, Tracy Ragan. In this new series, we are shining the spotlight on individuals who play a pivotal leadership role in setting the course for how we secure the open source software supply chain. The OpenSSF Governing Board (GB) is responsible for overall management of the OpenSSF and guides the organization in fulfilling its mission. Learn more about what led GB members to this point in their career, what their experiences have been like as a member of the Board, and their thoughts about solving the open-source security issue.
OpenSSF Governing Board Member: Tracy Ragan, CEO, DeployHub, Inc.
Tracy is CEO and Co-Founder of DeployHub. She is an expert in supply chain management and pipeline DevOps practices with a hyper-focus on microservices and cloud-native architecture. She serves on the OpenSSF Governing Board, and the Continuous Delivery Foundation (CDF) Technology Oversight Committee. She previously served as a founding board member of the CDF and the Eclipse Foundation. She is the Executive Director of the Ortelius Open Source project, a Microservice Governance Catalog. She is a blog contributor for the CDF, recognized by TechBeacon as one of the top 100 DevOps visionaries, and speaks at many professional events such as CNCF’s KubeCon and CloudBees DevOps World. Tracy is also a DevOps Institute Ambassador and speaks at AWS Marketplace webinar educational events. Prior to DeployHub, Tracy was the COO and co-founder of OpenMake Software, a build acceleration and management tool that is the heart of development for over 400 enterprise development teams. Tracy was recognized as a Women In Technology (WIT) Honoree for her work in the DevOps area. You may also find her as an expert panelist on Webinars along with some of her friends at JFrog, Techstrong, and the Linux Foundation, or quoted in SD Times articles around DevOps subjects.
Why are you involved in the OpenSSF?
In 1995 I started a company called OpenMake Software, with a product called Meister. Meister was all about securing the build- with a build audit. Over the last 20+ years I’ve looked for a community that cared about the same thing – securing the software supply chain. I guess I was a bit ahead of my time. But now I finally have found my peeps.
How has your educational and/or professional career led you here?
As a developer, I quickly understood the gamble of an obscured build process. How do you know what broke if you have no way to compare one binary to another? This is how I began to consider ways to create a transparent build process, where every object is known, and a clear difference report could be created. In essence, the first step of nailing down the software supply chain. We called it software configuration management back then, but it is all the same stuff.
Tell us about your experience being a GB member.
I have served as a GB member for the Eclipse Foundation (founding member), the CDF and the OpenSSF. When I sign-up for a community effort, I’m all in. Because of my commitment to the effort, I get the benefit of learning. Learning how to play politics, how to navigate disagreements, how to help a group focus their attention, and most importantly how to make hard decisions. Serving on these boards has been a great learning experience for me. I hope my lessons have helped the greater good.
What makes being part of the OpenSSF rewarding for you?
Interacting with my peers and discussing security topics is rewarding to me. In the late 90s, I used to say that OpenMake Software was a lone furniture store at the end of a long dark street. No one came down that street. The OpenSSF has finally added some street lights and a marketplace on that street. Being part of that marketplace is what I’ve looked for my entire career.
What do you think is the most important factor to keep in mind that affects the future of the open source community?
Cooperation and inclusion are the two most important aspects of growing this community. In large communities like the OpenSSF, we risk having the ‘giants’ run too much of the show. Smaller organizations, start-ups, and educational associations need to be embraced and included. After all, innovation really does happen in the start-ups. Smaller organizations have established solutions and educational associations are reaching out to the next generation. We all need an equal way to participate. And cooperation across the giants will be essential to achieve this.
Tell us something interesting about yourself.
My biggest personal issue is that I’m interested in way too much. I could never be bored. I have a black-belt in Shotokan Karate. I’m a horse enthusiast competing in Dressage. I live on a mountaintop ranch with a barn, horses and dogs. In my spare time, I run a non-profit to support one of the last remaining historical minor league ballparks in Madrid, NM. I love mentoring younger women and am serving as a host for Techstrong TV Women where we showcase amazing technologists who just happen to be women. And in the two companies I have managed, we have never taken outside funding. Not that I’m not thinking about it for DeployHub, but my belief has always been, let the product do the earning. Maybe a bit old fashioned, but very rewarding. I love technology and am constantly predicting what is around the next corner. While I’m often surprised, I am also often right. I have studied Buddhism since I was 27 and live by the motto ‘practice acts of kindness.’ Afterall, that is where you find the greatest joy.
What advice do you have for others related to open source security?
There is a boat load of work to do. Get involved. It’s great to show up for meetings, but take a chance and volunteer to do more.
Why is participating in the OpenSSF important?
This is the time to get our ducks in a row around the security issue, particularly as it relates to open-source. If we do not address open-source security issues, we might find that open-source is no longer embraced by the enterprise. And if that happens, open-source will eventually die. So let’s get this fixed. It’s time.
What are your thoughts on solving the open-source security issue?
We find ourselves at an interesting cross-roads in technology right now. The shift to a cloud-native architecture away from traditional, monolithic practices is a game changer. Our DevOps pipelines need to evolve to support the movement of many objects across the pipeline. At the same time, we need to add more security automation to the pipeline. Most organizations don’t want to touch their CI/CD workflows. I don’t blame them. But the time is now to revisit our software factories and dive into those workflows. I’m always surprised by how few CI/CD workflows include the generation of SBOMs. But at the same time I understand why they don’t. What is the point of an SBOM sitting in the build directory? Is it just a check-box? As we evolve our processes, we will need to begin consuming the security data that these tools generate. We can then start defining policies, automation and real-time security alerts for the code we deliver to our end users. Everyone needs to stand-up and shift. Will it be painful? Yes. Will it be worth it? Absolutely. Doing business in 2023 and beyond will require it.