By Chan Voong (Comcast), Jay White (Microsoft), John Kjell (TestifySec), Marcela Melara (Intel), Mo McElaney (IBM)
At Secure Open Source Software (SOSS) Community Day North America 2024, we held a panel discussion on DEI (Diversity, Equity and Inclusion) at OpenSSF. In preparing for this discussion we had a lot of conversations and realized we each had diverse perspectives on what the needs of this community are and why this conversation is important now. Our biggest takeaway was that we need HELP. We felt like it was important to capture the reasons why we are doing this work, and the areas where we need help to be successful. We hope this might inspire more people from the 116 member organizations of OpenSSF to join the DEI Working Group (WG), dig in, and help usher in the next generation of security engineers.
People Highlights from the DEI Working Group (WG)
Jay: At OpenSSF, he leads one WG, co-leads two others, and leads two Special Interest Groups (SIGs), and was elected to the Technical Advisory Council (TAC). He joined Microsoft to improve MS’s reputation in open source. Microsoft is a founding member of OpenSSF with Google; they hold one seat on the Governing Board and one seat on the TAC.
Marcela: In her work at Intel Labs, she often leans on the OpenSSF to find new engagements with the open source community to further her R&D work at Intel as well as that of her academic collaborators. Having this resource to bring all these diverse groups together to solve new interesting OSS security problems is really crucial. To foster stronger cross-collaboration and amplify the needs of different communities, she ran for a seat on the TAC in 2023 and won!
Chan: She initially joined OpenSSF to learn how to incubate a project, but found it difficult to navigate the community. It was the one-on-one connections with Katherine Druckman and Ryan Ware that made it less intimidating and offered insights into different WGs. With no professional security background, Chan was immediately drawn to the DEI WG, a space that she knew would be a safe environment to learn about security.
John: He worked on software distribution to customers at Pivotal, but when VMware acquired them he started thinking about supply chain security and ended up getting involved with OpenSSF. He worked on building a developer platform with supply chain security integrated from the beginning and learned a ton. He then made the leap to a startup to work on this day in, day out, and is director of open source at his current company.
Mo: They lead open source developer programs at IBM, and IBM is a member of OpenSSF. While Mo wasn’t directly involved in the work of OpenSSF before this panel, they have more than a decade of experience working on fostering and supporting DEI in the tech industry and were honored that this group of folks invited them to chair the panel at SOSS Community Day 2024.
The Problem
DEI still feels like an afterthought within OpenSSF even though there is a strong imbalance in the amount of diversity in the leadership and membership base of the organization. For DEI to become more of a priority to the wider organization, the DEI WG is going to need more participation. Other OpenSSF WGs get like 40+ active contributors, whereas the DEI one only has 5 people and 3 of the 5 are also on the TAC.
Jay noticed when he went into every WG meeting that he was the only person of color there. There were a couple of women, some gender diversity, but no other people of color, which was shocking in comparison to other similar organizations. It’s not that there aren’t people in underrepresented communities who would benefit from joining, it’s just that they don’t know how to join. The OpenSSF community is rich in terms of people who are willing to do the work that needs to be done. There is an equitable environment at OpenSSF for people to be impactful once they have a seat at the table. The problem doesn’t seem to be that people of color are kept out, but that people don’t know how to get in or how it could benefit them. Jay will never accept that he has to be 3x better than the white man next to him to get the same job.
As for why this panel is important to John: growing up as a geeky kid, he saw a lot of people bullied in the tech industry. It’s absolutely still a problem that he sees, and he feels a need to be proactive in combating it. Diagnosed with ADHD, he has also seen, from a neurodiversity perspective, the consequences that neurodiverse people face, and he wants to be part of the solution.
About The DEI WG
This work began as a sub-committee in OpenSSF under the Education WG. Quickly, the Education WG decided there really needs to be a dedicated DEI WG. This is the youngest WG, following the traditional approach across the tech industry to tackle tech problems first before addressing the people problems. But, three people from the OpenSSF Technical Advisory Council are involved in this work which demonstrates the support from the top of the organization, which means this WG has a seat at the table to enact meaningful/positive change at the organizational level.
Additionally, OpenSSF published a Mission, Vision, Values, Strategy, located on the foundation’s About page. From the Values section:
“More than just advocacy to Diversity, Equity, and Inclusion (DEI) groups, the OpenSSF remains committed to directly facilitating an environment for all perspectives, all backgrounds, and equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education, ensuring stakeholder share opportunities to engage in and receive value from OpenSSF TIs.”
The work in the DEI WG is part of the overarching execution of OpenSSF values, and is an important outcome for the foundation.
OpenSSF must have a robust formal effort in support of DEI if we are going to be the default organization for security in the open source ecosystem. The people in this group want to bring more diverse audiences into open source and technology at large in service of a mutual benefit: more diverse voices at the table solving a more comprehensive variety of problems due to a wider diversity in experience and perspective. This can only benefit everyone.
Example Communities Doing it Right
Lesley Carhart has PancakesCon and that is a good example of this. They have villages for “lock picking” or “hardware hacking”, etc. DefCon has a lot of different tracks, and they are a good example because they have a new track about policy and governance. A lot of conferences have a “kids” day, like KubeCon, Open Source Summit, etc., and the Linux Foundation has childcare available, which is pretty important and is a good feature to make the events more available to parents with young kids. Other Linux Foundation orgs have vibrant DEI initiatives that have made a very positive impact.
Specific DEI Needs at OpenSSF
The overarching need is to make it easier for underrepresented communities to join the organization. Some things that could contribute to this effort:
- Build a mission statement for the DEI WG and how it should impact OpenSSF.
- Define the role of this WG within OpenSSF and how it can make a larger impact.
- DEI liaison to each of the other OpenSSF WGs.
- Instead of relying on involvement of just OpenSSF members to make DEI happen, this WG can leverage resources from other LF orgs, etc.
- Start to measure DEI stats within the community and organization.
- Build a strategy and plan for OpenSSF to focus on recruiting MORE PEOPLE IN as members who traditionally may not consider this a space where they can join and participate.
- The DEI SIG should be empowered to impact the location of community events to make them more accessible, to ensure access to underrepresented population bases, and to be able to afford to fund more diverse populations to be able to attend.
- Build “Event in a Box” materials to enable OpenSSF members to host smaller scale events so that we can offer more introductory tracks and explore more of the wide range of opportunities in security that are out there.
- WG members should all be willing to do personal outreach to see if we can pull more people in to support the DEI efforts.
The DEI WG needs YOUR help to do all of this work. To get involved or jump in and lead any of these activities, please join the DEI WG.
About the Authors
Chan Voong, Comcast, OSPO Program Manager – Chan works closely with technologists to successfully open source and innersource their work and builds community through developer relationships. She is a certified Project Management Professional, holds a Master’s degree in Spatial Analytics, and has experience in program managing federally-funded, health-related, and data-driven research and software development projects. During her free time, she explores adventures like rock climbing, snowboarding, hiking the backcountry, and meditating.
Jay White, Microsoft, Security Principal Program Manager, OSS Ecosystem and Incubations Team, Azure Office of the CTO – Jay has 20+ years of IT/information security experience dedicated to cyber risk, security, privacy, and compliance. He provides a combined tactical and strategic balance towards the implementation of security and compliance requirements that aligns to an organization’s broader business strategy. Jay believes we should exceed the standard for our customers and partners and take the community approach to understanding business needs. Jay is a trusted advisor, and proud US Army retiree.
John Kjell, TestifySec, Director of Open Source – John is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF’s TAG Security and multiple projects within the OpenSSF. Before TestifySec, John was an engineering leader at VMware, helping to bring supply chain security features to the Tanzu Application Platform.
Marcela Melara, Intel Corporation, Research Scientist – Marcela is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on solutions for high-integrity software supply chains and trustworthy distributed systems. She leads a number of internal, academic and open source efforts on supply chain security, including serving as an OpenSSF TAC member and maintainer for the CNCF in-toto Attestation Framework. Marcela’s work appears in various publications, conferences and patents. Prior to joining Intel, she received her M.S.E. and PhD in Computer Science from Princeton University.
Mo McElaney, IBM, Lead, Open Source Developer Programs – Mo McElaney (pronouns they/them) is Lead of Open Source Developer Programs at IBM. They are on the Tutorial selection committee for PyCon US and a contributor to the Hippocratic License and Contributor Covenant version 3 through Ethical Source. From 2012-2018 they ran a non-profit teaching people to code using collaborative curriculum open sourced on GitHub. Mo is also on the board of the Vermont Technology Alliance and lives in frosty Vermont with their family, cats, and many plants.