Join us for a conversation with OpenSSF Board Member Brian Fox. In this series, we are shining the spotlight on individuals who play a pivotal leadership role in setting the course for how we secure the open source software supply chain. The OpenSSF Governing Board (GB) is responsible for overall management of the OpenSSF and guides the organization in fulfilling its mission. Learn more about what led GB members to this point in their career, what their experiences have been like as a member of the Board, and their advice for others related to open source security.
OpenSSF Governing Board Member: Brian Fox, Co-Founder and CTO, Sonatype
Brian is Chief Technology Officer at Sonatype. He has extensive open source experience as a member of the Apache Software Foundation and former Chair of the Apache Maven project. Brian was a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, and has over 20 years of experience in software development and leadership.
Tell us about your experience being a GB member.
I joined right as we were in the middle of fleshing out the Open Source Software Security Mobilization Plan in conjunction with the White House that came as a result of the hearing on the Log4Shell incident. We were fleshing out 10 different streams in parallel, and this provided a great way for me to see the collaboration throughout the OpenSSF in action.
What makes being part of the OpenSSF rewarding for you?
The OpenSSF is an industry-wide collaboration towards education and solutions around a common problem — the rise of attacks and impact of security in the open source ecosystem and the supply chain it represents for vendors.
While I have been working in this area for over 16 years, the collective experience and credibility gained from the foundation has really provided a platform to drive much needed attention to this problem. This particularly has enabled deeper collaboration with government and public policy standards bodies.
How has your educational and/or professional career led you here?
A little-known fact is that throughout high school, I wanted to be a pilot or an aerospace engineer. I’ve always been in love both with computers and with flying, and to that end, I was enrolled in Navy JROTC for four years in high school and two years of Air Force ROTC in college. The Air Force was offering full-boat, three-year scholarships for anyone taking Computer Science as their major, so that’s exactly what I did.
But the government shutdown at the end of my freshman year changed everything. The Commander called me and said that all new scholarships were now delayed another year, which would have basically forced me into a five-year undergrad plan if I wanted to continue towards a scholarship…And I really needed that scholarship to continue.
But particularly given the thriving market for Software Engineers that was developing, I took this as a strong sign. I found part time work as a developer that helped pay to stay enrolled. A year later, I dropped ROTC, picked up some business electives, and continued with a Computer Science major. Although it was quite devastating at the time to have my whole career plan blown up in my face after getting so far, it was a great learning experience that certainly applied to launching a startup. Things don’t always turn out as you planned, but you need to be open to seizing new opportunities when you least expect it, and keep moving forward.
Throughout my career, I have tended to gravitate towards developer tooling and build system improvements. That eventually led to me getting involved in Apache Maven during the early days, which led directly to the eventual founding of Sonatype 16 years ago.
Tell us something interesting about yourself.
As a kid, my mother owned a balloon / singing telegram business. From middle school through high school, I played many characters at events and deliveries. Fortunately, this predated digital cameras and social media, so there’s essentially no online evidence!
What advice do you have for others related to open source security?
As developers, we create open source software for the purposes of sharing, collaborating and helping others with a similar problem. We need to consider security a fundamental part of developing software and not a bolt-on tax.
As consumers of open source software, we must consider that the developers are doing this as a passion and perhaps aren’t experienced in security. We must take the responsibility to ensure that the components we use in our own software are fit for our purpose, and keep track of them so we can make updates as required.
To hear from other leaders featured in this series, check out our OpenSSF Board Member Spotlight Series Feed as we continue to have great conversations with our amazing Board members.