Skip to main content

Improving Open Source Security through Collaboration: March 2023 OpenSSF Town Hall Highlights

By March 22, 2023Blog
OpenSSF Town Hall March 2023

Thanks to everyone who attended our recent Town Hall on March 16th where we gave an update on initiatives at the OpenSSF, shared presentations about various initiatives at the OpenSSF, and participants had an opportunity to ask questions to panelists. If you were unable to attend, here are a few highlights from the meeting and where you can find more information.

Town Hall Highlights

We began the town hall with an OpenSSF Tour and Membership Update from OpenSSF General Manager Brian Behlendorf, describing the purpose, mission, and structure of the OpenSSF as well as recent additions to our membership. The main work of the OpenSSF takes place among the various Working Groups and Projects. These initiatives are guided by the Technical Advisory Council (TAC) and Governing Board (GB). Currently, the OpenSSF has over 100 supporting organization members from a variety of sectors, including eight new members welcomed in March 2023.

Next, Michael Scovetta, Principal Security PM Manager at Microsoft, provided updates on the Alpha-Omega project. “Alpha,” which works with the most critical open source projects to improve their security posture, has led to targeted grants and engagements with open source projects including Node.js, jQuery, Rust, and Python. “Omega,” which focuses on the long tail of widely deployed OSS projects, has worked on tooling that helps with automated security analysis and remediation, and which is available on GitHub and open for contributions. Finally, the Project will soon begin outreach and education initiatives including Alpha-Omega Mentorship Program and the University Vulnerability Outreach Program.

Then, Josh Bressers, Vice President of Security at Anchore, discussed the current status and efforts of the SBOM Everywhere initiative. The SBOM Everywhere Special Interest Group aims to develop tooling and advocacy to make Software Bills of Material (SBOMs) available and more easy to use, so that end users of software can more easily identify what components make it up. The group has done considerable work around understanding the SBOM landscape and mapping out existing efforts. Additionally, the working group has funded development of the SPDX Python library to improve tooling around the entire SBOM ecosystem.

Christine Abernathy, Sr Director Open Source at F5 and Dr. Jautau “Jay” White, Security Principal Program Manager, OSS Ecosystem Team, Azure Office of the CTO at Microsoft discussed ways to improve diversity, equity, and inclusion in open source security. They introduced the work of the new DEI Subcommittee of the OpenSSF Best Practices Working Group Education Special Interest Group. Current initiatives of the subcommittee include compiling a comprehensive list of DEI-related organizations in security, engaging with the community through training and engagement, and working to make DEI a larger initiative that cuts across different OpenSSF Working Groups.

David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation, discussed ways to get involved in the OpenSSF, whether by joining our mailing list, joining our Slack, or joining a Working Group or Project. Fundamentally, the OpenSSF is all about collaboration, so we need to have everyone collaborating to the make the world a better place

Finally, we closed with a moderated Q&A session, where participants could ask questions to the panelists about their initiatives. Questions asked included:

  • Are there particular projects or areas that are more in need of volunteers/help than others?
  • Will AI be used for the industrialization of vulnerability hunting in FOSS?
  • Given that today dependency trees are in the thousands and CVEs are published at an increasing rate, researchers note that most are not even exploitable. That suggests we’re heading toward a scalability failure. What can the OpenSSF do to address the volume of work so that we can address security in more efficient ways, e.g., bulk categories? 

To hear the responses from panelists, you can view the recording on YouTube. And if you’d like to download the slides, they are available on the OpenSSF website. 

We enjoyed sharing about about our recent and ongoing efforts at the March OpenSSF Town Hall, and always appreciate the opportunity to connect with our community. If you are interested in securing the open source supply chain, we invite you to join us and get involved in OpenSSF initiatives.