Join us for a conversation with OpenSSF Board Member, Vincent Danen. In this series, we are shining the spotlight on individuals who play a pivotal leadership role in setting the course for how we secure the open source software supply chain. The OpenSSF Governing Board (GB) is responsible for overall management of the OpenSSF and guides the organization in fulfilling its mission. Learn more about what led GB members to this point in their career, what their experiences have been like as a member of the Board, and their thoughts about solving the open-source security issue.
OpenSSF Governing Board Member: Vincent Danen, Vice President of Product Security, Red Hat
Vincent Danen is the Vice President of Product Security at Red Hat; the Product Security organization is responsible for security and compliance activities for all Red Hat products and services. Vincent has been involved with open source and software security for over 20 years, leading security teams and participating in open source communities and development.
Why are you involved in the OpenSSF?
Being involved in open source, and security, for over 20 years, my interests and those of the OpenSSF align. Being a part of Red Hat, and our mission to serve open source communities, made this a natural fit. If I didn’t believe in the work the OpenSSF was doing, I wouldn’t be here. That said, if I thought they got everything right I wouldn’t be here either! My goal is to try to help the OpenSSF see open source security issues through the lens of developers, maintainers, customers, and enterprise open source vendors to make real, impactful change in the open source communities we participate in, and more broadly. I have a lot of concerns around government and regulatory impositions on open source that I think would harm the community at large, and if I can give a voice to that in the OpenSSF, then I think it helps.
How has your educational and/or professional career led you here?
I started working as Mandrakesoft’s one-man security team back in 2001. I spent 8 years at Mandrakesoft, then Mandriva, managing the end-to-end security patch and disclosure process for our many products. This included discovering and assessing vulnerabilities, patching them, and pushing those patches out for customer consumption. In fact, the entire build and patch infrastructure was in my basement! In 2009 I joined Red Hat’s Security Response Team and have been here for the last 14 years. I’ve built and maintained my own security-focused Linux distribution (Annvix) that I built a small community around, and have written a number of programs released as open source. I’ve been on the end of fixing CVEs and, amusingly, creating them as well! A PHP-based bug tracking system I wrote ages ago has three CVEs assigned to it from back in 2002 and 2006. In many ways, I’ve touched nearly every part of what you might call the open source software lifecycle.
Tell us about your experience being a GB member.
I’ve only been a board member since the beginning of the year, but all of last year I was an observer. So far the experience has been quite positive! I appreciate the fact that we can have candid conversations about really thorny topics and can set aside personal or commercial interests and agendas, for the most part. It’ll be interesting to see how things progress, being an active participant rather than a passive observer, but on the whole, I think we’re heading in the right direction. We’re certainly not there yet – I’m not fully sold on all of the proposed work and I think there are some important decisions to be made in terms of what we focus on, but I think we’ll get there. My general observation is that we have a group of people who see the value in open source, want to see it thrive and help it mature in terms of security – be that in education, processes, technology, and just producing better code that benefits the world. Maybe I’m an idealist, but that’s my perspective anyways!
What makes being part of the OpenSSF rewarding for you?
I’m the type of person who likes to see how the sausage is made. Being involved in the OpenSSF at this stage is literally seeing not only how the sausage is made, but helping figure out what kind of sausage to make. There are hundreds of focal points when it comes to security, so being able to contribute to decisions of what to focus on is really rewarding. There are a lot of people with a lot of ideas, but finite resources – people, money, time. We need to be strategic about what decisions we make that have the most impact. Being in a position to help provide perspective from multiple angles is helpful. I can represent multiple perspectives: the developer, the vendor, a community leader, and a security practitioner because I’ve been doing all of these things over the last 20+ years. Using this experience to contribute broadly to open source as a whole, and not just constrained to Red Hat, is really rewarding. I’m contributing back to the community in a way that, I think, aligns with that experience in a meaningful way.
What do you think is the most important factor to keep in mind that affects the future of the open source community?
Open source is a community. Communities are built of lots of people from lots of places with different experiences and backgrounds. There is no one-size-fits-all approach that will work when you’re dealing with diverse people and diverse technology. What works for a Java ecosystem may not work for a Python one. What works for a networking technology might not work for a programming language. Every community is unique and needs to be treated as such. It’s also important to recognize that while there is a lot of commercial interest in open source, at the roots of open source is the philosophy that software is shared broadly for a universal good. This makes open source, for most people, a labor of love. People create because they’re solving interesting problems, not necessarily because they’re paid to do it. So we can’t just throw money at a problem and think that will solve it. Using that money to find creative ways to solve the problem, sure, but at the end of the day we have to remember that people want to do this work because they love to do it. In the context of security specifically, no one can legislate or dictate what any given community does. You can only show them why it’s the right thing to do and then guide and assist them in doing it. But that presupposes that, for one, you know what the right thing to do is, and secondly that the right thing isn’t so onerous that a maintainer or community runs away from it. Alienating a community by trying to do the right thing, which might be the wrong way for them, is a quick way to devalue and depopulate open source. The last thing I’d say is that these communities are humans with jobs, families, and their own life goals. It would be wildly unfair to impose something that interferes with any of those things simply because there’s a commercial interest behind it, particularly if those interests don’t align.
Tell us something interesting about yourself.
I have a lot of interests and weird hobbies. I read a lot of fantasy and leadership books, the first to de-stress and the second to keep “sharpening the saw” as Stephen Covey would say. I play a fair amount of video games, but end up buying more games than I play, usually due to time and because I keep going back to old favorites, which tend to be ninja/samurai games, which also highlights my interest in ancient Japanese culture. My wife and I do marriage counseling and mentoring through our church, where I’m heavily involved as well, and we’ve done a lot of work with the homeless and vulnerable women, trying to help people out of addictions and unhealthy lifestyles. I get most of my energy from helping people, which probably explains why I got into management and why open source means so much to me. I’m also a hacker, and not in the security sense… I love writing code to scratch random itches but usually can’t be bothered to make it perfect or pristine. Probably most importantly and core to who I am, I’m a Christian, and that drives the inherent belief that all humans are equal and worthy of respect and dignity. Oh, cats and tattoos. I love and collect them both. Can you say that you collect cats? I don’t know!
What advice do you have for others related to open source security?
Get involved, learn why it matters, figure out the impact of what we’re doing. Unless you know why we’re doing it, you’ll never know why it’s so important. The easy answer is it reduces the vulnerabilities you need to patch and makes us safer. But think further than that. Think about the ransomware attacks that shut down hospitals and put lives at risk. Think about the open source technology that enables border protection that prevents human trafficking or drug trafficking. Think about the human element of what we’re doing. I don’t wake up in the morning excited to reduce the number of line items on some random company’s vulnerability report. I get excited because I know that open source is used in places where the impact of an exploited vulnerability could have a direct negative impact on human life and knowing that through the work I’m doing I get to help prevent that. Once you have that perspective, even though it doesn’t change how hard the work is, the motivation and inspiration to slog through that work is there to keep you going. This is hard stuff we’re aiming to do! You have to know why you’re in it. And if you’ve never considered how your contributions help in this regard and only thought about it from a purely commercial perspective, maybe reconsider and give of your time and talents for the common good. Open source is one of those “for the people, by the people” things and we need more people to get involved and know why it matters.
Why is participating in the OpenSSF important?
There is so much work to do and little onesie-twosie efforts won’t cut it. Open source as a whole is too big. What difference does it make if this project gets better or that project gets better, when there are thousands that aren’t? The OpenSSF is trying to tackle this at the level of all communities and projects, in collaboration with those communities and projects. That’s a monumental effort! But I believe those involved in the OpenSSF are interested and passionate, and we need more people like that to tackle these issues. I don’t think the use of open source itself is in jeopardy… I think open source will be around forever, to be honest. But if we want the reach of this common good to grow, to benefit more people, we have to get organized. And to this point, the focus has been on the consumer, and how we make them more secure. What about the focus on the producer, and helping them to make something better? Fewer are focusing on that than on commercial aspects, so I love that the OpenSSF is doing that.
What are your thoughts on solving the open-source security issue?
Which one? There are so many! I think there are a number of things that need to be done. We’re in a place where, ironically, the FUD train has come back around. It used to be that proprietary companies disparaged open source and effectively said it couldn’t work and that proprietary is better. I think that debate has long been solved. Software is useful, irrespective of how it was built, and I’d argue, although I’m obviously biased, that open source is the better model not because “many eyes make all bugs shallow” but because there is a level of transparency in open source not present in proprietary software. It’s also the most equitable – anyone can use it, no matter how deep your pockets are. And importantly, anyone can contribute in meaningful ways beyond just filing bug reports. In other words, there’s no limit to open source. But the FUD that’s come around is that open source is dangerous and insecure. It’s not! Or, at least, not exclusively. It’s not perfect, but no software is.
What’s interesting is the very benefit to open source – transparency – is the thing that lets people believe it’s insecure. But here’s the thing, that transparency lets you know there’s a shortcoming that you can mitigate, even if the upstream or an open source vendor hasn’t fixed something. That doesn’t exist with proprietary software. A known, to the vendor anyways, issue can be sitting for years unfixed. Are you more secure because it exists and you don’t know about it? Or are you more secure because it exists and you do know about it, and then have the opportunity to do something about it? I’d argue the latter. In both cases you don’t have a fix, but only in the latter case do you have knowledge. You can do something with that knowledge. So for me it comes back to how do we dispel the FUD – how do we demonstrate that open source is just as secure as proprietary and stop the rhetoric that somehow it’s more dangerous. I think the efforts on open source security, at large, will help here. At the same time, through those efforts, we’ll have better software, which is a win/win. But there’s a lot of work to do, whether it’s producing SBOMs and figuring out how end-users can use them properly, managing supply chain attacks by making it harder to abuse repositories that host code, eliminating certain classes of vulnerabilities within certain languages, and so forth.
At the end of the day, proprietary software has to solve the same problems too, so the real challenge will be the approach. Commercial companies with proprietary code can dictate how that software is built and tested internally quite easily. How do you do that, at scale, across thousands of projects in dozens of language ecosystems? That’s a hard problem to solve. But if we can figure that out, humanity benefits because open source is everywhere and it’s not going away.
To hear from other leaders featured in this series, check out our OpenSSF Board Member Spotlight Series Feed as we continue to have great conversations with our amazing Board members.