Skip to main content

📣 Submit your proposal: OpenSSF Community Day Europe

Category

Podcast

What’s in the SOSS? Podcast #28 – S2E05 Secure Software Starts with Awareness: Education & Open Source with the Council of Daves

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob is joined by the “Council of Daves” – Dr. David A. Wheeler of the OpenSSF and Dave Russo from Red Hat – for a deep dive into the intersection of secure software development and education. From their open source origin stories to the challenges of educating developers and managers alike, this conversation covers key initiatives like the LFD121 course, upcoming resources on the EU Cyber Resilience Act, and how AI is shifting the landscape.

Whether you’re a developer, manager, or just open source curious, this is your crash course in why security training matters more than ever.

Conversation Highlights

Intro & Meet the Council of Daves (0:16)
Open Source Origin Stories (1:22)
The Role of the Education SIG (4:05)
Why Secure Software Education Is Critical (6:30)
Inside the LFD121 Secure Development Course (8:01)
Training Managers on Secure SDLC Practices (12:24)
Why AI Makes Education More Important, Not Less (13:53)
What’s Next in Security Education: CRA 101 and More (16:04)
Rapid Fire Round: VI vs. EMACS, Tabs or Spaces & Mascots (20:20)
Final Thoughts & Call to Action (22:04)

Transcript

[Dave Russo] (0:00 – 0:16)
If you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know.

[CRob] (0:16 – 0:46)
Hello and welcome to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people from around the amazing open source ecosystem. I’m Krobe, your host. Today we have a real treat.

I’m joined by the Council of Daves and we’re going to talk about a topic that is near and dear to both our hearts, but let’s start off with some introductions. I’ll go with David Wheeler first, and then we’ll go to Dave Rousseau. So David, why don’t you introduce yourself real quick?

[David Wheeler] (0:47 – 1:03)
Okay, sure. David Wheeler. I work at the Open Source Security Foundation, OpenSSF, which is part of the Linux Foundation, and I’ve been involved in how do you develop secure software or developing open source software for literally decades.

[Dave Russo] (1:03 – 1:20)
My name is Dave Russo. I work at Red Hat on the product security team. I’m the governance portfolio manager.

I don’t have quite as long a history with open source as Dr. Wheeler does, but I’ve been working on SDLC related activities for quite some time.

[CRob] (1:22 – 1:33)
Awesome. I think we’re gonna have a great chat today about secure software development and education, but let’s get your open source origin stories. Dave Rousseau, how did you get involved in upstream open source?

[Dave Russo] (1:34 – 2:18)
So I was not directly involved in open source for very long in my previous arrangement. I did do some work in the software industry, then I was working in an industry that was not around development. So around 2016, when I joined Red Hat, my good friend Krobe introduced me to a lot of the awesome open source stuff that was going on in and around Red Hat and the upstreams a little bit prior to that.

And a lot of the conversation was aligned with SDLC activities, specifically secure development practices, which is an interest of mine. And then after joining Red Hat, obviously I became much more involved in a lot of different areas of open source, primarily around, again, secure development.

[CRob] (2:19 – 2:24)
Cool.

David Wheeler, how did you get involved? What’s your origin story?

[David Wheeler] (2:24 – 3:46)
That one’s a little challenging because I’ve been involved in it for such a long time, I don’t even remember the first time I gave, you know, I just just contributed to release some, well, what wasn’t called open source software, because the term hadn’t been invented yet.

People were occasionally sharing around source code. Since before I was born, frankly, they just didn’t use these terms. And, you know, necessarily have figured out some of the legal stuff.

So I think the big change to me, though, was the first time I held a very, very early version of Red Hat Linux in my hand. This is back when it was being distributed on CDs. Because at the time, there was a general agreement that yes, of course, people can share source code on, you know, on bulletin boards, and maybe this internet thing, but you couldn’t build something big with it.

And all of a sudden, an entire operating system was open source, and useful. And I think this is where instead of the, oh, sure, we can sometimes share with this, oh, this can be used for building large scale systems. And that was kind of the, and I later on did analysis of this and been doing things involving open source for quite well, since before the name was created.

[CRob] (3:46 – 4:04)
Cool. Well, thanks for sharing, gentlemen. So let’s dive into it.

Dave Russo, you are the current chair of the OpenSSF’s Education SIG, which is part of the BEST working group. Could you maybe talk a little bit about what the Education SIG is and what you all get into?

[Dave Russo] (4:05 – 4:27)
Sure. So the Education SIG is obviously around educating our open source developers to do a better job of incorporating security practices in the development and delivery of these projects. Now, a lot of my previous life experience was in development, so I’ve got a fairly good amount of experience in this area.

[David Wheeler] (4:28 – 4:39)
It is very obvious to a lot of people who’ve been doing this for a while that education has not been a focus area when it comes to developers, especially around security.

[Dave Russo] (4:40 – 6:17)
Developers are mostly interested in creating cool new stuff, which I completely agree with. That is the primary purpose is to put new features and functionality in their software to make it do more cool things, better, faster, stronger, etc. However, security for the longest time was not even a consideration for a lot of software development and delivery.

And over the past 10, maybe 15 years, there’s been a little bit more attention paid to it. But there’s been a movement to try and provide good education courses that talk about secure development practices to the development communities themselves. So at the Education SIG, what we are trying to do is help address that need.

We’re trying to help understand what kind of information and materials we can provide to our upstream communities to help the developers understand what it means when we talk about developing and delivering software more securely and specific techniques and ways that they can incorporate this into their projects, such as hardening guides, delivery guides, compiler rules, general awareness of some of the reasons behind having security, not only from a risk based perspective, just making the project a little bit more robust, but now also because of a lot of international regulations and expectations by different industries and geos that are compelling developers of various types to provide very specific attestations or statements of conformity when it comes to doing things in a certain way while they’re doing their development delivery.

[CRob] (6:17 – 6:30)
Awesome. So it sounds like, Dave, you touched on it a little bit. But David, could you maybe expand a little bit about you know, why do you feel it’s important to get this type of content in the hands of developers?

[David Wheeler] (6:30 – 8:01)
Well, I think the short answer is that if developers don’t know how to develop secure software, they won’t develop secure software. It really is that simple. I often tell people that we get software that’s more secure than we deserve.

Because why should we expect that software be secure when for the most part, developers aren’t told how to do that? It’s it’s it’s not a magic trick, but it does require some knowledge. By the way, we actually did a survey of developers about the state of secure software development education last year.

And I mean, we found that overall, you know, 28% of the professionals weren’t familiar with secure software development. It jumped up to 75% for those who had less than a year of experience because the colleges and universities for the most part, are not requiring it. And so yes, they they increasingly get it over on the job.

But the on the job is often spotty, it has holes. And by the time they become more knowledgeable, there’s more that have come in, again, with that lack of knowledge. And so we’re just constantly on this treadmill of people who don’t know how to do it.

And lack of training was the was one of the primary reasons that people gave for why don’t you know how to do this.

[CRob] (8:01 – 8:17)
So I’m aware that the SIG has a couple artifacts that they work on. The first thing we’ll talk about is the LFD 121 course. So maybe Dr. Wheeler, if you could give a little taste about what that is all about.

[David Wheeler] (8:18 – 8:30)
Absolutely. I’ll quickly note, by the way, both of my participants have used my title doctor, I do have a PhD. But my experience is when people use my title, they’re just yanking my chain.

[CRob] (8:30 – 8:32)
So we love you, sir.

[David Wheeler] (8:33 – 10:14)
Well, thank you. Yeah, so the so we’ve got a course called LFD 121, developing secure software.

Now, we’re here talking about open source. But I want to make sure everybody knows that this is absolutely for open source software. It’s also for closed source software.

It’s for anybody who develops software, because the frank reality is attackers don’t care what your license is. They just don’t. They just want to take over things and do bad stuff and make everyone stay miserable.

So we’re here to help developers deal with that. I just looked at the numbers and we have including, you know, up to now, for both our Japanese and English through edX and through TI, all these are, we’ve had over 30,000 in [Crob: Wow], in that course, which is, you know, fantastic. That’s a lot of people.

That’s a lot of people. So we’ve got a course, we very much focus on the practical, how do you do stuff. And we have optional hands on labs, they’re not required.

But we do encourage people at least do a few. Because doing things hands on is really, really helpful. I’ll do a quick note.

Some people have gotten the wrong impression that security is always expensive. Generally, that’s not true. It’s retrofitting security.

That’s expensive. And so what we should be doing is stopping the retrofit. It’s not hard to do most of the stuff if you just know ahead of time what you’re supposed to do.

But once you once you’ve dug the hole deep, it’s very hard to get out.

[CRob] (10:15 – 10:21)
Speaking of security, not being expensive. This sounds like an amazing class. How much does it cost to take?

[David Wheeler] (10:23 – 10:48)
Oh, what a pitch. Of course, as you know, it’s completely free. The course is free, the labs are free, whole thing’s free.

So, you know, please don’t please don’t make costs a limiting factor for this. You know, it’s basically important for us all around the world that anybody who develops software knows the basics. And that’s what this this particular course covers.

[CRob] (10:49 – 11:08)
So a big part of your world, Dave Russo, is, you know, secure software development and SDLC, secure development lifecycle. From your perspective, you’ve looked at the LFD 121 class. What do you find that to be a useful artifact as you’re sharing it with your engineers?

It is.

[Dave Russo] (11:08 – 12:23)
The content in the course does a very good job at talking about what the different activities that should take place along the different times of the software lifecycle should be. And again, to kind of repeat from what we said earlier, awareness is a big problem that we have. A lot of developers don’t understand what it means when we say we should develop things securely.

And then you start using words like risk assessment, penetration testing, threat modeling, attack surface analysis, and people’s eyes just kind of glaze over because they have no idea what you’re talking about. The course is able to go into these topics and provide a good amount of information, provide an understanding to a developer what we mean when we talk about these sorts of things. And additionally, to David’s point earlier, making the developers aware of this early so they can build it into the plan instead of trying to go back and do it after certain things have been done, makes adopting and implementing these things much, much easier.

So the combination of knowing what these activities actually are, the amount of effort that is needed to complete them, and when to insert them into the lifecycle make the course absolutely invaluable for people who are doing software development.

[CRob] (12:24 – 12:38)
That was one of the OG projects that David Wheeler brought into the foundation. Let’s talk about some of the more current work. Who would like to talk about the security for developer manager class we’ve all been working on?

[Dave Russo] (12:38 – 13:52)
So I’ll go and I’ll start off from a general level. And then I’ll let David go into some things a little bit more in depth. So the intent of the secure software development for managers course is to again, inform.

Awareness is a problem. If I’m a development manager, and someone says to me, you need to do your stuff securely, what does that mean? There’s a lot of different factors involved.

From a risk perspective, if we don’t do these activities, what does that mean? What does it mean for the actual software itself? What does it mean for the organization or company that I work for?

What kind of risk may be exposing the company to? More importantly, if you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know. You need to understand when to put these things into roadmaps and timelines, how much time to allocate for them.

And does anybody on your team actually know what it means to do, for example, a penetration test? If not, you’re going to need to find some additional resources to help you with that. So again, not necessarily diving down into the deep weeds on a lot of these topics.

This is meant to provide additional awareness and understanding to someone who’s in a development manager position.

[David Wheeler] (13:53 – 16:04)
And if I can jump in with some additions. Fundamentally, if management’s not on board, it’s probably not going to happen.

And unfortunately, some managers are kind of assuming things like, well, the the IT security department will somehow take care of it. Well, no, they won’t. They certainly do have an important role to play.

There are things that they that they will do that will be very, very helpful. But if you’re managing the development of software, there are things that you as a manager need to know need to do need to make possible. We spend more than a little time in the course helping you understand some terminology, understanding what needs to happen, and frankly, making sure one of the key things a manager needs to do is making sure that the developers know what they need to know.

In many organizations, managers aren’t necessarily writing the code, but they need to make sure that the people they’re bringing in know what they need to know. And if they don’t, fixing that with what is fundamentally a training problem, an education problem. Because just like any other field, if you don’t know what you’re doing, you’re not likely to do a good job.

And it doesn’t mean that they’re stupid. It just means that they lack some important information. I will quickly note, just because I’m thinking of it.

Lots of people talking about AI. AI is awesome. The majority of developers nowadays are using AI to develop code, according to some surveys.

And here’s the problem. Just because some AI generated code does not make it secure code. What do you think that that system was trained on?

Right. So this actually AI is actually increasing the need for education by developers and by their managers. Because if you’re using an AI system, who is going to be reviewing it?

Not just the AI, I hope. You’re going to need people to know what they’re doing. Which brings us back to the need for more education.

The increased need for education, not the decreased need because of AI.

[CRob] (16:04 – 16:15)
Excellent point. Broadly, what other things are on the horizon from an education perspective? What do you got in the hopper in the back? It’s going to come down the road.

[David Wheeler] (16:18 – 16:20)
Well, Dave, you want to go ahead?

[Dave Russo] (16:20 – 18:23)
Sure. So the USSF is putting a lot of attention on education.

There’s some expectations as to what our SIG can help contribute moving forward in 2025. And again, I’ll hit this from an awareness perspective, I think, and I’ll let David dive in to a couple things a little bit deeper. We need to get the message out.

We need to get information out there into the upstream communities and the projects and let them know what it is we’re trying to accomplish and what materials we already have that they could leverage and use right now, as well as understanding how to bring more people into the group, into the USSF in general, and provide their subject matter expertise to help us generate even more materials on top of that.

So we’re going to be making some additions to the information we’ve got on our GitHub page and such. We’re going to try and socialize some of the things that we’ve already put together as a group, some of the hardening guides we’ve done, we already talked about some of the education courses that are being worked on. We’re taking a little bit of a look right now, something that’s in progress, a little bit of behind the curtain for everybody.

We’re working on a CRA 101 course. Again, the EU Cyber Resiliency Act has been passed by their parliament, and everyone is trying to understand exactly what that means to them. So we’re trying to put, again, a general information course together that makes it digestible for people with a couple different types of roles to understand what the CRA means and what the expectations are going to be moving forward as it begins to come into effect.

So these regulations are becoming more common. There’s a couple other ones that are in progress at various geographies around the world, so we expect we’re probably going to do this for a couple other ones as they become available. Hopefully, we’ll have some representatives speaking at certain conferences, talking about the OSSF mission in general, some of the education information in particular, and again, trying to make sure that we are looking at the right ways to bring the right information to our constituency.

David?

[David Wheeler] (18:24 – 20:18)
Yeah, so let me jump in specifically on the Cyber Resilience Act, which is kind of a big thing that’s coming up. Strictly speaking, it only applies to software, and so on, that is released to the EU market.

I guess more accurately, I should say products with digital elements, which is the term of art that they use within the regulation. But the reality is, Europe’s a big place. Most organizations, especially in the software world, are global.

So this is going to affect many, many, many. Indeed, it’ll affect many who have never really needed to look at this kind of thing before. And so we’ve been trying to develop this, what we’ve been calling a CRA 101.

We actually even have an official number for it, it’s LFEL 1001, when it’ll get released. But basically, it’s a little introduction, explanation, what does this say? What does it require?

And it’s going to be a big change, I think, to industry, to the market. It even has some requirements specifically on what’s called open source software stewards. It’s a relatively light touch, but it does impose some requirements.

It does talk about open source software developers. I think in many cases, it will be much less of a touch, but it’s not completely none. And so this is going to affect, and of course, people who develop open source software, that software usually gets pulled into larger systems in many cases.

So this is going to affect a lot of folks. And so it’s gonna be important for us all to be prepared. So we’ve been working very hard to get that introduction developed, and we’re hoping to get that out the door as soon as we can.

[CRob] (20:20 – 20:43)
Excellent. Well, I’m looking forward to taking it, so I can become smart about the CRA. Thank you, gentlemen.

Let’s move on to the rapid fire part of the interview. All right. I got a couple wacky questions, and I would like you both to answer the first thing that comes to your mind.

First, most important question. VI or EMACS?

[Dave Russo] (20:43 – 20:44)
VI.

[David Wheeler] (20:44 – 20:45)
VIM.

[CRob] (20:46 – 20:54)
Excellent answer. Now, the next one, potentially even more controversial.

Tabs or spaces?

[David Wheeler] (20:55 – 20:56)
Spaces.

[Dave Russo] (20:56 – 20:56)
Spaces.

[David Wheeler] (20:58 – 20:59)
Always spaces.

[CRob] (20:59 – 21:09)
I can go back and count, but that is a very contentious, verging on religion for many people. What’s your favorite open source mascot?

[Dave Russo] (21:11 – 21:11)
Tux the Penguin.

[David Wheeler] (21:12 – 21:14)
Oh, it’s it’s hard to beat Tux.

[CRob] (21:16 – 21:17)
Classic.

[David Wheeler] (21:18 – 21:27)
Classic.

I’m planning to print up one on a 3D printer soon, because Tux is fun. But I will say that Honk the Goose. Honk the Goose?

[CRob] (21:28 – 21:28)
Honk the Goose.

[David Wheeler] (21:28 – 21:29)
He is a kind of fun goose.

[CRob] (21:29 – 21:36)
I am personally a fan of the goose. And last question. What’s your favorite vegetable?

[Dave Russo] (21:37 – 21:38)
None of the above.

[David Wheeler] (21:39 – 21:43)
I’ll count corn as a vegetable. Corn on the cob.

[CRob] (21:43 – 22:04)
There you go. Thank you, gentlemen.

Now, as we wrap up, do you have a call to action or some advice you’d like to share with our listeners who are where they have a lot of people across the industry that listen to this newcomers or people that aren’t familiar with open source or cyber security? So what kind of advice or what call to action do you have for our listeners?

[Dave Russo] (22:04 – 22:31)
Get involved.

Get involved. Understand what’s out there. The OpenSSF has a lot of really good information, a lot of different working groups that are going through things that affect all the open source communities, trying to, you know, make our security better, reach farther, make us more proficient in those areas. So if there’s something you think you contribute or if it’s something you want to learn or just want to listen and see what’s going on, join a couple of the working group calls and see what’s happening.

[CRob] (22:32 – 22:34)
Excellent. David?

[David Wheeler] (22:34 – 23:41)
I’ve got a couple.

So for get involved, if you’re interested in security, open source and security, obviously OpenSSF, if you are the happy user of an open source project where it’s starting to become important to you, get involved in that project. If you are a developer of software, please, please learn how to develop secure software. I think our course is great.

I don’t really care if you take that course per se. If you take another course, that’s great. Because what’s more important is all of society now depends on software.

We need that software to be more secure. And the vast, vast, vast majority of the problems we’re seeing today are the same problems we’ve been having for decades. It’s well understood how to systemically counter them.

But people need to know how to do it first. And I, I don’t, as I said earlier, AI is not going to change that. AI will simply mean that we can write bad code faster.

It means we can write good code faster. But to write the good code, the humans have to know what good code looks like.

[CRob] (23:43 – 24:05)
Well, what a difference some Daves make. Gentlemen, some of my favorite people to collaborate with. I appreciate your time and all of your contributions to help trying to improve the quality of life for open source developers and ultimately the users that use all that amazing software.

So that’s a wrap. Thank you all for joining What’s in the SOSS and happy security, everybody.

(24:09 – 24:46)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, Antenapod, Pocketcast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all.

Check out the newsletter for open source news, upcoming events and other happenings. Go to OpenSSF.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up to date OpenSSF news and insight and be a part of the OpenSSF community at OpenSSF.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

What’s in the SOSS? Podcast #27 – S2E04 Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF

By Podcast

Summary

In this episode of What’s in the SOSS, we sit down with the OpenSSF’s new General Manager, Steve Fernandez — a seasoned enterprise tech leader whose resumé spans giants like L’Oréal, Coca-Cola, AIG, and Ford. Steve shares his “origin story,” what drew him into the world of open source, and how his decades of experience as a consumer of open source software are shaping his vision for the Foundation.

Conversation Highlights

00:21 Welcome & Introductions
00:57 Steve’s Tech Journey
03:13 Why OpenSSF?
05:02 The Role of Security & Strategic Vision
08:17 Rapid Fire & Final Thoughts

Transcript

CRob (00:21)
Welcome, welcome, welcome. This is What’s in the SOSS, the OpenSSF’s podcast where we talk to developers, industry experts, and assorted amazing people within our open source ecosystem. I’m CRob, one of your co-hosts for this little event. I do security stuff on the internet, and today we have a new friend to introduce the world to, Steve Fernandez, who just recently joined the foundation.

And Steve, maybe you could talk a little bit about, introduce yourself and maybe talk about your technology origin story.

Steve Fernandez (00:57)
Thanks a lot and great introduction, by the way. So pleasure to meet everybody. My name is Steve Fernandez and as CRob mentioned, I’m the new general manager for the OpenSSF. And I come to this place through a long IT journey. For the last 30 years, I’ve been mainly on the enterprise side of the IT game.

I’ve done various roles as CIO and CTO in many different industries as well as many different companies. Most recently, before I came to the OpenSSF, I was the CIO for NCR Voyix, and previous to that, I was Chief Technology Officer for L’Oreal in Paris, Chief Technology Officer for AIG in the insurance industry.

I was chief technology officer at Coca-Cola and then I worked many years inside of GE and Ford Motor Company in different technology roles. So I really come to this job, I think, with a different and unique perspective than many who’ve been in the open source world for forever. I’m coming as a user of the open source and it’s been a user of the software and the technology inside of all the platforms that I’ve run and managed over the last 30 years. So I’m very excited to take a little different view of technology in this role and hoping a lot of my experience from running enterprise and running large scale platforms and running things day to day is going to translate into growth for the organization and further stability as we move forward.

CRob (02:43)
And, we’ve cited here and at other events, just the penetration of open source in normal operations and just how critical open source is to a lot of enterprises. So I’m very excited to kind of benefit from the experiences you’ve had in your long and successful career and trying to help bring that more business focus to us. But I’m curious, what drew you to the OpenSSF? Was it the goose?

Steve Fernandez (03:13)
I think it could have been the goose, which is quite the great icon. You know, it was a, it’s really interesting for me personally. I was getting to a point in my life where I’ve done many, many operational roles throughout my life and my career. And I was taking a little break and trying to figure out what I wanted to do when I grow up and what I wanted to do next on the journey. And, you know, it’s one of those small things, a friend of a friend talked to me about this position and I said, hmm being general manager of a foundation. Well, I can at least take a look and see what it’s about. And, and, uh, I don’t know, it’s something I’ve never done before, but I think it might make sense. So I sat down with, uh, Jim Zemlin, uh, head of the Linux foundation. And we just had a great conversation and being an open source user throughout my career and knowing the importance of open source and security you know, to every company’s platform, to every company’s install base. It really was a job that I was looking for where I thought I could do some good for the community. I thought I could, like I said earlier, take a different perspective on things, add a little bit of my corporate background to the organization and merge the two together.

Steve Fernandez (04:31)
So for me, it was really about trying something new, experimenting – bring a little bit of your old experience into a new environment. And I have to say, in just the last month that I’ve been here, it’s been an exceptional experience and working with absolutely great people, working with a great community. So, so far it’s been a really, really positive experience and a bit different from my enterprise days, but at the same time, very exciting and it’s great to be involved in real technology.

CRob (05:02)
So it’s interesting you have a long history of kind of helping lead technology organizations. From your perspective, how have you seen security kind of help the business and how does security help developers and other consumers?

Steve Fernandez (05:18)
Yeah, so I’ve always called security kind of the hidden greatness. It’s one of those things that you don’t know you need security until you know you need security.

CRob (05:30) Yeah.

Steve Fernandez (05:31)
And on the enterprise side of the game, it’s your constant worry about security and risk. And you’re always worrying about your platforms. You’re always worried about your products. You’re always worried about making sure that things that you’re presenting to the consumer or to the employee or to, you know, the different install bases, you have an inherent need to make sure your products and your technology are secure. So I’ve always had a love hate with it because you hate to spend incredible amounts of time and investment in security, but you absolutely love it because it keeps you safe and, and, and makes sure that your products and your technology are going to…with it – you know, there are bad actors out there and people do want to get into your products. They do want to find out, you know, personal information. So security is that thing that makes us feel a little bit better. And it lowers your risk profile. And, you know, it’s really the glue that’s needed inside of a technology base.

CRob (06:37)
Mm-hmm.

And thinking about your experiences in your past roles, what do you see, kind of, the additional value and capabilities you’re going to bring to the foundation to help us further our mission?

Steve Fernandez (06:51)
Well, I’m thinking, you what I found in the foundation last month and working with people is we have an incredible set of people and we have an incredible set of technical sales and also have like a really unique community that works together in, you know, in a matrix like organization, but it really works and people are all, you know, moving forward to do what they think is the right thing.

I think what I’m going to try to bring to the foundation from my past is a little bit of strategic vision, a little bit of process, a little bit of thought process at a methodical level so that we best utilize the people that we have and the capabilities that we have. One of the great things I felt as I came into the organization and I’ve been doing my original first month assessment is, you know, we don’t have to reinvent the wheel. We just got to get efficient. We got to make sure our priorities are in line. We need to make sure we work with our enterprise partners. We need to make sure we work with our development community. And I think my job is going to be bringing those different pieces together and working a little bit more seamlessly.

So, that’s really, think, where I’ll add value and a little bit of my past will help out the organization.

CRob (08:17)
Excellent. Well, I can say personally, I’m very excited to be collaborating with you on this mission. And I know our community is very excited to be working with you. But let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I got a couple of wacky questions I’m going to ask you just off the cuff answers. What’s your favorite vegetable?

Steve Fernandez (08:40)
Broccoli

CRob (08:42)
Okay, that is a perfectly fine vegetable. Thinking about the amazing open source ecosystem, what’s your favorite open source mascot?

Steve Fernandez (08:51)
The Goose.

CRob (08:53)
The goose, that’s an excellent answer. And mild or spicy food?

Steve Fernandez (08:59)
Spicy as it can get.

CRob (09:00)
Ohhhh, that’s spicy. Nice. And final and probably most important question. Star Trek or Star Wars?

Steve Fernandez (09:11)
Gotta go Trek.

CRob (09:12)
Excellent. Both answers are great, but that’s a fine, fine answer. Thank you, thank you. Well, Steve, as we wind down, do you have any kind of parting thoughts, any words of wisdom that you want to share with our community?

Steve Fernandez (09:29)
You know, I just say to the community, mostly keep the passion alive that you have for the work you’re doing. It’s very apparent when somebody new to the community sees it, you know, especially like myself. I see the passion. I see the intelligence. I see the hard work. And I think you should all feel very proud about that work that you’re doing. It really shows and it’s really transparent to everybody.

So, you know, I’m here to work with you. I’m here to collaborate. I’m here to help drive whatever I can do to better the community. So in that spirit, just please be open with everybody. Feel free to contact me at any time if you have ideas or thoughts about how we can improve the community or how we can move forward. That’s very important to me and I want to work in this know, great environment and, you know, and really help it grow and really foster that security community that we built and continue to do so. So I just say keep working hard and it’s going great.

CRob (10:35)
Thank you very much Steve Fernandez. Thank you for joining us and thank you for spending your time today with what’s in the SOSS and to our audience Happy open sourcing. We’ll talk to you soon

(10:47)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

What’s in the SOSS? Podcast #26 – S2E03 JavaScript’s Big Footprint: Robin Bender Ginn on Leading OpenJS and Open Source at Scale

By Podcast

Summary

Robin Bender Ginn, Executive Director of the OpenJS Foundation, joins us to talk about JavaScript’s massive footprint, the challenges of sustaining critical open source projects, and the importance of security in the web ecosystem. She shares her journey, insights on community-led development, and how OpenJS is building a healthier future for the JavaScript ecosystem.

Learn more and register for JSConf North America: https://events.linuxfoundation.org/jsconf-north-america/register/

Conversation Highlights

0:00 JavaScript’s Critical Web Presence
0:51 Robin Bender Ginn Introduces OpenJS Foundation
2:01 Core Challenges Facing JavaScript Ecosystem
4:12 Managing Older Projects and Outdated Software
8:23 Solutions and Security Improvements
12:12 Individual Impact and Community Involvement
14:35 Wrap-Up and Call to Action

Transcript

Robin Bender Ginn: 0:02
Anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do.

CRob: 0:17
Welcome, welcome, welcome to What’s in the SOSS, the OpenSSS podcast where we talk to amazing people and technologists within the space of open source, open source supply chain and software security. We have a real treat today. We have a friend of the foundation, Robin Ginn, and we are going to hear some amazing stuff about her little corner of this amazing world called open source. So, Robin, why don’t you introduce yourself and maybe share what’s your open source origin story for our audience?

Robin Bender Ginn: 0:51
Super cool. Well, hey, thanks for having me. I’m just super psyched to be here. We kind of have a little I would say we have a little corner for JavaScript. We have a big sort of footprint in the world. If you think about the web, JavaScript’s in 98% of the world’s websites. And I have the honor of being the executive director of the OpenJS Foundation. I’ve been there since the beginning and OpenJS was the merger of the Node.js Foundation with the JS, the JavaScript Foundation, a little over five years ago. So, I came on after a long career at Microsoft doing open source to lead up this wonderful organization. So super psyched to be here.

CRob: 1:39
That’s cool and we’re very glad for all the amazing work that comes out of your community super used around the web. From your perspective, having done this for a while, what do you see are some of the core challenges facing the world of JavaScript and the web ecosystem that impacts security?

Robin Bender Ginn: 2:01
Well, you know, I think we have the coolest developers around. Again, anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do. But unfortunately, one of the key challenges is the world of tech suffers from this shiny penny we call it the shiny penny syndrome.

Robin Bender Ginn: 2:26
People love the latest and greatest things and, you know, sometimes JavaScript and the web may not be seen as strategic as it truly is. That sort of creates a kind of a ripple effect on some other challenges we face. So whether that is raising money, you know, sustainability is very important. We have a lot of volunteers running our open source projects. As opposed to some company led projects, we have a lot of community led projects. So if you think about Node.js, it was downloaded 2 billion times last year, wow, wow. And that’s a lot of volunteers and, unfortunately, a lot of companies who all rely on, for example, Node.js, treat our really hardworking, passionate volunteers like they are their paid support staff and create a lot of demands on these folks. So those, you know, leads to burnout and all these other things.

CRob: 3:33
And that’s something that many of the communities we talk with and interact with feel similarly. They have similar challenges.

Robin Bender Ginn: 3:39
Yeah.

CRob: 3:42
Yeah, I think you probably touched on this a bit with your statement of being kind of a seminal foundation for the web. It’s hard to be a little older speaking as someone that has a little more gray in their hair than they used to, and OpenJS holds some really interesting kind of oldies but goodie type projects like Node.js and jQuery. You know how that impacts your maintainers and end users, where it seems like there are so many people that are using outdated or unsupported open source software?

Robin Bender Ginn: 4:22
Yeah, I mean, it does you know? Sometimes it sucks to be old, but in our case I would say that we have broad adoption. So Node.js, again 15 years old, it’s basically everywhere. Node is everywhere. Express.js, you know, 30 plus million. You know weekly downloads. Jquery, 18 years old. It’s in 92% of the world’s websites. So you know, what’s great is the adoption, the stability. The maintainers, many of them have been with the project for 10 plus years. It’s awesome.

Robin Bender Ginn: 4:59
And yeah, so we have this beautiful culture around these projects. You know, some of the challenges are a couple of things that we fixed. One is that our infrastructure got to be a little messy.

Robin Bender Ginn: 5:17
Let’s just put it that way, not quite like wobbly servers in people’s closets, but you know we had to do like an archaeological dig over the last couple of years to find out who in the years past, you know, had a handshake deal with this IT infrastructure company, who had access. So we’ve, you know we’ve done a lot on the infrastructure front to kind of clean that up. But, as you mentioned, a core challenge with older projects is that a lot of people are still using old versions that are unsupported and outdated.

Robin Bender Ginn: 5:55
We did some research with IDC Research Al Gillen, a pretty prominent open source developer analyst, and found that three quarters of a billion websites are using out of date jQuery, and of those people we surveyed which is pretty consistent with some other data we’ve seen a third of those reported having security and privacy incidents in the last two years. Yes, the Node project has done some other research to find that three quarters of users on Node.js are using old and outdated versions. Again, with 2 billion downloads, that’s pretty significant too. So we have created a couple of tools for people to see if they’re using current versions, and for us, it may not be our projects that could create a vulnerability, but it’s really a canary in the coal mine. So, for example, if you’re using old jQuery, if you’re using old Node, probably everything else under the hood is old too.

CRob: 7:03
It’s a really good guess.

Robin Bender Ginn: 7:05
Yeah, so if you want to kind of check your website, you can go to healthyweb.org to see if your jQuery is out of date and then the Node project. If you go on GitHub on Node.js, it’s /is-my-node-vulnerable and you can find out if you’re using an outdated version or not.

CRob: 7:29
This is a really kind of a systemic problem. I’ve talked a lot about this with Brian Fox from Sonotype and others in the ecosystem, and this is something that is again another very common problem. We have a lot of different language ecosystems, and, while the nuances of how to work in that particular space is a little different, a lot of the core challenges are identical.

Robin Bender Ginn: 7:52
Yeah, that’s why we wanted to sort of create this sort of idea of a health check. Like you know, you get your health check once a year, make sure you know everything’s spot on with your physical. We want people to like, maybe yearly, like you change your batteries and your smoke alarm, why don’t you take a look at what versions you’re using?

CRob: 8:13
That’s awesome advice. Yeah, so, but it can’t be all doom and gloom. What do you see as some kind of pathways to move us forward to a better future on the web?

Robin Bender Ginn: 8:23
Yeah, we have had a lot of industry support, government support and support from folks like you at OpenSSF and our friends Alpha Omega. So if you think about, you know, the IT infrastructure, we really solved that problem through funding from the Sovereign Tech Agency oh, excellent, which was wonderful. They provided funding for us to do, you know, kind of that archaeological dig, so to speak, and we essentially modernized all of our OpenJS hosted projects onto just a few handful of software companies, whether it’s CDNs or clouds, and that has all been consolidated, migrated, and now we have some great partnerships in place for people who are sponsoring that work. So, for example, like CloudFlare, DigitalOcean, fastly, Microsoft Azure and others. So we know that six months from now, two years from now, that they’re going to be supporting our infrastructure. And what else was your other question? Oh, on how you know.

CRob: 9:37
What else do we do to move it forward? What do you do to move it forward?

Robin Bender Ginn: 9:39
Yeah, I mean really, I think one of the inherent problems with relying on volunteers is the one missing component to our maintainers is having people with security expertise. That is kind of a secret sauce for talking, you know.

CRob: 9:57
Yeah, it is so.

Robin Bender Ginn: 10:00
Through grants, through Alpha-Omega, we’ve been able to fund security engineers.

CRob: 10:05
Yes, oh, that’s awesome.

Robin Bender Ginn: 10:06
Which we couldn’t have done it otherwise. I mean, I think this is maybe the fourth year we’ve had a Node grant from Alpha-Omega. Four years ago the Node project did not have an active security working group. Today it’s a very robust working group. Back in the day four years ago it was very difficult to put out security releases for Node. It was 26 steps for every release.

Robin Bender Ginn: 10:33
Imagine with someone without expertise who wants to sign up for that in their free time nobody right, yeah, so, um, as part of the work um, that security working group now has fully automated their security uh releases, so it’s been like a game changer for the Node project.

CRob: 10:51
I bet Well. It also relieves a lot of the burden from the regular maintainers as well, right?

Robin Bender Ginn: 11:02
Absolutely. They’ve also put out some permissions, guides and policies on what defines a vulnerability and what doesn’t. Our OpenJS Foundation Security Working Group, which we call it LabSpace security working group, which we call it Lab Space. We’re opening up our own CNA, which is pretty cool, so we’ll be communicating more about that. The thing about JavaScript is that I think security vulnerability reports, probably like others, have become like car alarms Ignore, ignore, ignore. So hopefully, with some new policies and kind of having a little more control with this with our own CNA, we’ll kind of alleviate some burden for our folks.

CRob: 11:40
Oh, that’s excellent. That’s so exciting to hear about those amazing changes. I’m so happy for you all.

Robin Bender Ginn: 11:47
Yes, I know, honestly, we couldn’t have done it without the grants that we’ve received from you all and the membership support and the government grants, which we hopefully will go after some more Excellent.

CRob: 12:02
And thinking about can an individual make a difference in the space of web security or are they totally at the mercy of big tech in the space of web security.

Robin Bender Ginn: 12:12
Are they totally at the mercy of big tech? No, I think one of the flip sides of having these community-led projects is that if you want something, if you want to influence an open source project, we kind of have a doers, not a talkers policy. Excellent. So if you’re a doer, if you want a feature, if you want to help, all you have to do is show up. I think, again, we have the most warm and welcoming and fun group of community members. So, as you know, with open source, you can just come to any of our meetings. We have a radical transparency policy at OpenJS in our projects. So our meetings are almost all streamed live on YouTube and on our YouTube channel. So if you want to just lurk, if you want to participate, if there’s something especially you want, you can just be a doer, just show up and do the work. Also, there’s so many ways that you can make a difference. If coding is not your thing, but you want to make a difference, I like to say content is queen.

CRob: 13:17
I love that I’m going to open source that.

Robin Bender Ginn: 13:20
Absolutely so. You know we do a lot with training, documentation, uh, community organizing, um, and so that’s again brought new, brought new community members to our projects that’s amazing.

CRob: 13:35
Well, let’s move on to the rapid fire part of our session here. Right on, let’s do it fire, rapid fire. A couple quick and crazy questions for you. We’ll start off with a controversial one vi or emacs, neither. Oh, what’s your editor of choice?

Robin Bender Ginn: 13:57
I am a writer, I write about code the same.

CRob: 14:03
That’s awesome, cool cool, we’re neutral.

Robin Bender Ginn: 14:05
I’m neutral at Open.js well said, there you go.

CRob: 14:11
Who’s your favorite open source mascot?

Robin Bender Ginn: 14:15
Well, the rocket turtle probably. We had a mascot contest for the Node project 15 years ago. When it was created. We had a turtle icon and a rocket icon and you can see the rocket turtle is our new mascot, that’s awesome. Yeah.

CRob: 14:34
What’s your favorite adult beverage? Water, water flavored water, water, water flavored water, water flavored water well, that is a responsible choice, yes, adult beverage, so I don’t know I had a person just tell me coffee, which I was like you know, you’re right, I love coffee. That is my favorite adult beverage too.

Robin Bender Ginn: 14:55
Yeah, I, yeah, I don’t know.

CRob: 14:58
And then uh kind of uh as we wrap up here thinking about, uh, what call to action would you have for our audience or what advice would you like to share to a newcomer trying to break into this amazing space?

Robin Bender Ginn: 15:13
Um, yeah, I think the one thing I would say is you know, if we had one, I would encourage folks to join our Slack channel. That might be kind of an easy entry way, maybe even a little easier than trying to figure out what’s going on in GitHub. We have so many different channels. We have an icon right on the homepage of our website, so whether you’re interested in security or package metadata, interoperability or standards, we’ve got like an all-star group working on TC39 and some W3C projects. An easy way to get to know folks perhaps is our Slack channel and then you can see what’s going on. We also have a book club and events and other fun things, so you can get to know us. But yeah, it’s a very friendly group. You can always reach out to me too if you’re just not sure where to go, and I’m happy to introduce you to folks in each of these areas.

CRob: 16:08
Well, excellent. Thank you so much for showing up and sharing a little bit about this amazing space that, as you shared, runs a lot of our world today, and especially how we interact with software and services and applications. So thank you for all the work that your foundation does and thank you for the amazing things you do for the community.

Robin Bender Ginn: 16:28
And thanks, CRob, and for all of your folks. You provide a lot of guidance. I know we sometimes bend the rules a little bit to customize things for JavaScript, but you know You’ve got to make things for JavaScript, but you know You’ve got to make it work for the environment you live in. We do. We take all of what the OpenSSF creates and then we maybe tweak it a little bit for what works for our maintainers and end users. And we’ve been working on and we’ll be publishing on our website some new guidelines as well.

CRob: 16:56
Well, I look forward to reading it. Thank you for joining us. Have a great day.

CRob: 17:09
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

What’s in the SOSS? Podcast #25 – S2E02 Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding

By Podcast

Summary

In this inspiring episode of “What’s in the SOSS?”, we welcome our new Co-Host, cybersecurity expert and open source advocate Yesenia Yser. Join hosts CRob and Yesenia as they delve into her compelling journey from discovering open source at Red Hat to pioneering AI security at Microsoft. Learn how Yesenia blends her passion for cybersecurity, Brazilian jiu-jitsu, and empowering communities—especially women—to shape her personal brand and advocacy efforts. Don’t miss this lively conversation full of actionable insights for anyone interested in cybersecurity, open source communities, and personal growth.

Conversation Highlights

00:18 – Introduction to Yesenia Yser
00:55 – Yesenia’s open source origin story
03:30 – From cybersecurity professional to jiu-jitsu practitioner
05:56 – Building a personal brand in tech and beyond
09:04 – Advocating diversity in tech through the BEAR group
12:40 – Fun rapid-fire round (VI or Emacs, Coke or Pepsi, favorite open source mascot, spicy vs. mild food, and more)
13:52 – Yesenia joins as new co-host of “What’s in the SOSS?”
15:39 – Advice for breaking into open source and cybersecurity

Transcript

Soundbite – Yesenia Yser
One thing that you’ll hear me advocate over and over again is to find an open source project that will support your career growth. Whether you’re looking to go into program management, business analyst, management, or your technical skills, find a project that aligns with you. You can jump on the open source Slack and hit up in general, just say, I’m interested in doing this, this, this. This is how many hours I have. And I bet you someone’s going to be.

Hey, come over to our group, join us. We’ll teach you along the way. That’s the best thing I know about open source and the tech is that folks are very open to teach.

Intro – CRob (00:18)
Hello and Welcome to “What’s in the SOSS?” OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem. My name is CRob, one of your hosts, and today we have an incredible treat. I’m talking to a very dear friend of mine and amazing open source contributor, Yesenia. We have some amazing news to share at the end of the podcast today.

CRob (00:49):
Yesi, please introduce yourself to the audience and tell us about your open source origin story.

Yesenia Yser (00:54):
Hey everyone! Thank you for those listening. I’m Yesenia, born and raised in Miami, South Florida. I’m Cuban American, I’ve been in the cyber tech industry for over 12 years, a bachelor’s in computer science, and a master’s in digital forensics. I usually like to joke that I “social engineered” my way into my first security role. It was always interesting because in school I used a bunch of tools that were online and free.
My first couple of jobs, we used a bunch of libraries and things of that nature. It wasn’t until my time at Red Hat, which was like six years into my career that I realized what I was actually using and that it was open source and there was a huge community of great and amazing folks behind it that are part of it. So from there, I started exploring open source more exploring OpenSSF, a community that I do a lot of, advocacy work and contribution to. But it was just, it was very interesting that for someone that uses it, this is just, you know, everyday person that’s like learning how to code. You bring in Python, you import your libraries and you got to keep them up to date every now and then. And you don’t really know where they come from, but they come from a little black hole that’s called the open source space. Then, my journey took me from Red Hat. worked at the Linux foundation on the Alpha-Omega project. So I was helping with the Omega piece of it and we, in which we were automating, security vulnerability identification and open source software. Then my career took me to Microsoft where right now I’m working on artificial intelligence and open source security research. In that space, I get to explore both AI from the large tech industry and all the threats and yumminess that is in this emerging new technology. And then I get to share my love and passion for open source.

CRob (02:48):
That’s awesome. And as we mentioned, you and I both work together at Red Hat, where you were the very first supply chain security engineer. So I am a little bit more up to speed with your background than other folks may be. But, I think what I find very fascinating about you is that you not only are an amazing technologist and super smart, but you also have a lot of outside of work activities that I find very fascinating. Could you maybe talk about how things like your passion for jiu-jitsu and outside activities kind of inform your practice around open source security and AI security?

Yesenia (03:30):
Yeah. So starting at Red Hat was pretty, pretty cool. I was there as the first supply chain security engineer. A very big breach happened called SolarWinds, in which it blew up the supply chain security space for the industry. So, it was really great to be in the forefront of that in such a big company that is big and open source and be able to see all the plethora of things that happened in the wild wild west that is the development industry.

So outside of work is usually what I like to say about my day job. So by the day, I’m a security professional. By night, I’m a jiujiteira, which means a jiu-jitsu practitioner. I’ve been working, I’ve been training and teaching jiu-jitsu for almost seven years now. Started with the kids and working with them. And it was just lovely to see their faces bright light up when they learned a new technique. And over the years I’ve seen parallels between jiu-jitsu and my own cyber career, in which I became a mirror of things that I was seen as myself in a leader in the cyberspace that was holding me back. And then that was being mirrored into my jiu-jitsu. A year or so ago, I started a nonprofit called the Lioness Instincts, in which our mission is to empower women to protect themselves both physically and digitally, because as a security professional and a presented to jiu-jitsu instructor, which we would teach women’s self-defense classes and teach kids. I saw a huge boost in just their self-confidence and being able to work through some of the traumas that does happen through some of the crazy things that happen throughout the world. So we started the nonprofit. And if I’m not in the cyber world, I’m on the mat teaching and training. I also have two dogs that I teach and you’ll see me with them as well.

They’re their own plethora of tricks and cuteness.

CRob (05:25):
That’s awesome. And I know how much this kind of outside advocacy and your jiu-jitsu kind of affects, know, it colors your thinking and how you conduct yourself. Let’s think about this. I know you’ve kind of taken this and kind of started to develop a personal brand around these types of things. Can you maybe say why it’s important for people to find these opportunities and these passions and kind of try to do this for themselves? How does this personal branding help you?

Yesenia (05:56):
Yes. So for me, it’s my personal brand. And for those that follow, I’m called cyber jiujiteira online because of the mixture of, me, gives me a purpose and an avenue. And usually when I make a decision of something that I’m going to do, I ask myself, does it match or fit my brand? And my brand has its own pillars of advocacy as it has its five, has its five pillars, which is, cybersecurity and promoting advocacy, education and guidance to get more folks into the industry. There’s just the empowerment, self-defense, digital privacy piece that involves digital and the physical side, teaching and lessons, motivation, and then lifestyles. Because I normally talk to folks and they’re like, you have a very interesting lifestyle of just working in training, working in training, and then running a nonprofit. So I feel like a brand helps you not only keep because I have ADHD, so I’m all over the place, but it helps me keep aligned with what I’m doing and then ensuring that I can go back to it when it comes to social media platforms, it helps people know who I am and what I stand for. So I’ve been in conferences, both physical, like for jiu-jitsu things, and then for cybersecurity things or open source. And they’re like, you’re the jiu-jitsu girl. You’re the cyber girl. So it’s great. I’m like, yeah, you know me.

It becomes a cool way for folks to connect with you on a more personal level, and understand who you are. And in that, once you hear that you understand that I’m a martial artist and any thoughts around martial artists, you relate it to me in a, in a way. So martial artists tend to be disciplined. They tend to be focused. They tend to have patience. So as an individual that’s applying to cybersecurity roles that are fast pacing, working with executives. Things are constantly moving. You have to adapt quickly. The mindset of a martial artist, I think, falls very well into that, which helps with interviewing. And somebody said it the other day, which I think is great for branding, is your brand should be getting you the interviews. So instead of you searching out for these interviews, your brand should be helping you acquire what’s right for you.

And it’s just very important when you’re networking and connecting with folks that your brand speaks on who you are, whether or not you’re in the room.

CRob (08:29):
Excellent. Yeah. And thank you for all you do for especially, you know, late getting ladies into cyber and talking about self-defense. I think that’s amazing contribution back given back. We get to work together in the open SSF as part of a group that also has a lot of very strong advocacy bent to it. So maybe could you talk a little bit about the bear group that we participate in and you know, why is it so important to kind of bring awareness and kind of reach out to people that may not be currently in this career path of this world.

Yesenia (09:03):
Yes. So the BEAR, I think what we’re doing in the group is great. So bear stands for belonging.The E is empowerment, is for allyship and R is for representation. And I, I strongly feel very passionate about this because in the open source space, let’s just start with the challenges. A lot of the times are open source maintainers. They created this when they were younger. It was a college project. It was just a fun idea that they had and somehow it went very mainstream. It went viral, blew up, and now is in 80 to 90 % of software that’s out there, right? So we have this one tool that’s maintained by one person who probably has a family, who probably works two or three jobs. And it’s crucial to everything from US government infrastructure to maybe you know, outside sources to big tech company, industries. So the idea of Bayer is to be able to make that bridge a little bit easier for folks. Cause I know myself when I was starting, as I mentioned earlier, I didn’t know what open source was. was just like, okay, some cool thing that I can pull from online, but having these like community office hours, which we do once a month, we get to highlight different areas of like how to get started into space, how to look for mentorships.

We talk about your branding and how to get that. And we just highlight a lot of amazing voices in the community and that we are associated with to bring out different representations and ideas that will help folks understand how to get into the industry. This is also for folks already in the industry, because if you want to give back or you have knowledge that’s very important, you can set up your own mentorship. You can join our community and plan different events.

We’re looking to also host conversations at different OpenSSF and open source community conferences. And this advocacy is important because it’s going to give maintainers and open source contributors a little bit of extra break room to bring more folks in. One of the biggest issues you hear is that people just don’t have time. But if they have an individual…it’s willing to take on a task, right? And it doesn’t have to be a coding task. It can be writing documentation to make it easier for other people to use it. It could be updating the website. It could be a plethora of different skills that doesn’t require coding that can assist the maintainer in coming on. And we can just improve our open source software and tools usage.

CRob (11:43):
Yeah, it’s an, love the mission of the bear group and I love kind of the, how we’re moving forward with the community office hours. I think it’s been really impactful to kind of give these different perspectives and try to help have a very broad contributor base and help people break into something that sometimes there’s a lot of obstacles to, right?

Yesenia (12:04):
There’s a lot. And if you’ve missed any of the previous ones, they’re on YouTube. You can check them out and join us on Slack and ask, know, questions. We’ll be willing to either make a community office hours specific for that or just answer your questions right there on Slack. Even if you’re looking for a project.

CRob (12:23):
Cool. Well, let’s move on to the rapid fire part of the interview. All right. I have a couple of wacky questions. You probably don’t want to be drinking a drink when I ask you this. We don’t need any spit takes, but first question, VI or Emacs.

Yesenia (12:42):
VI or Emacs, we’re going to go with VI.

CRob (12:45):
Nice. Excellent, excellent. There are no wrong answers.

Yesenia (12:49):
Here. Haha.

CRob (12:52):
Next question, Coke or Pepsi? Yes, there was a right answer for that one and you’ve got it. Who’s your favorite open source mascot?

Yesenia (12:54):
CRob with the goose hat.

CRob (13:05):
CRob the goose hat?! Haha.

I don’t think you have a tattoo of that one yet though.

Yesenia (13:11):
Yet, but the one I do have a tattoo is Tux

CRob (13:15):
Very nice. What’s your favorite adult beverage?

Yesenia (13:19):
Coffee. This place is coffee.

CRob (13:23):
Yum yum yum. Love me some coffee. And last rapid fire question, spicy or mild food?

Yesenia (13:31):
None of the above. I’m Cuban. We don’t do spicy. It all hurts. haha.

CRob (13:39):
Fair enough.

Yesenia (13:40):
Seasoned, seasoned with a dull.

CRob (13:43):
Okay, excellent.

Well, thank you for playing rapid fire. So before I move on to our last question, I wanted to let the audience know that Yacinia is going to be joining us as a featured co-host of What’s in the SOSS. So you’re going to see her talking to some other amazing, interesting people. Do you want to give us kind of a little taste of what you, kind of the types of topics or people you’re interested in exploring as you’re going through and doing interviews?

Yesenia (14:11):
Yeah, I’m just interested in getting folks in the open source community and then external that may not even be aware that they’re using open source or how they can get involved. Our upcoming community office hours is going to bring in some amazing voices. But really just anybody that’s interested in speaking, speaking in the open source, talking about their journey in any shape or form or bringing in some technical coolness that, you know, like to spice up the SOSS, right?

So if you are interested… Was that the play if I said spicy? Yeah, I had feeling that was going be the audio.

Yeah, just looking at my list, but, once I post, this episode or just a general call for action, I’ll keep the community up to date, but if anyone listening to this is interested or has an awesome voice that they would love to share the space with, let me know.

CRob (15:11):
Yeah, I think this is going to be really amazing. Kind of reaching out to new voices and perspectives and just kind of broadening the awareness of the things the foundation does and the importance of open source security. So thank you for joining us. Yeah. And to that end, as we launch you off on your new endeavor, what’s your call to action or what advice do you have for people trying to get into this crazy field of cyber and open source security?

Yesenia (15:24):
Thank you for having me.

One thing that you’ll hear me advocate over and over again is to find an open source project that will support your career growth. Whether you’re looking to go into program management, business analyst, management, or your technical skills, find a project that aligns with you. You can jump on the open source Slack and hit up in general, just say, I’m interested in doing this, this, this. This is how many hours I have. And I bet you someone’s going to be.

Hey, come over to our group, join us. We’ll teach you along the way. That’s the best thing I know about open source and the tech is folks are very open to teach.

CRob (16:18):
Well, again, thank you for joining us today and thank you for volunteering to help us co-host the podcast. And we look forward with eager anticipation to the amazing interviews you’re going to do for us. And with that, it’s a wrap. Thank you all for joining us today.

Yesenia (16:29):
It’s going to be amazing. Thank you.

CRob (16:38):
Thank you.

Outro (18:40):
Enjoyed the podcast? Subscribe to “What’s in the SOSS?” on Spotify, Apple Podcasts, Pocket Casts, or your favorite platform. Stay updated with OpenSSF news and events by subscribing to our newsletter at openssf.org/newsletter. Join the OpenSSF community at openssf.org/get-involved, and connect with us on LinkedIn.

Thanks for listening, and we’ll catch you next time on “What’s in the SOSS?”

What’s in the SOSS? Podcast #24 – S2E01 OpenSSF MVVSR Overview

By Podcast

Summary

In this episode,CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry.

Conversation Highlights

  • 00:00 Opening
  • 03:29 Key Lessons from Open Source Security in 2024
  • 08:29 MVVSR: Mission, Vision, Values, Strategy, and Roadmap
  • 13:41 Importance of Strategy and Roadmap in OpenSSF
  • 17:48 Roadmap Items for Community Collaboration
  • 20:02 Key Resources and Courses for Developers
  • 22:09 Exciting Opportunities Ahead for 2025

Transcript

CRob (00:50.337)
Hello and welcome to What’s in the SOSS, the Open Source Security Foundation’s podcast where we talk to folks from all around the open source ecosystem—interesting developers, thought leaders, and participants within this amazing movement that we call open source. Today, I have some amazing guests on the podcast with us that you may remember from previous sessions. I have Arun and Zach, who are part of the leadership of the foundation, and we’re here today to talk about some of the amazing things we’re planning on doing in 2025. But before we jump into the cool stuff, let’s just briefly, Arun and then Zach, if you could give us a TLDR of who you are and what you do with the foundation.

Arun Gupta (01:38.222)
Absolutely, I can start. Very happy to be here, CRob. Yeah, I’ve been with the OpenSSF Foundation for over two years now, been on the governing board all along. I was the governing board chair for 2024, and I was fortunate enough to be elected again for 2025. So, I guess the work I was doing was liked by somebody at least, so I’m happy to be here. OpenSSF is doing something really, really cool, which we’ll talk about today. And I’m really happy to help with my share.

Zach Steindler (02:18.392)
Yeah, thanks, Arun. I’m Zach Steindler. I work at GitHub on supply chain security for open source users, but also for our enterprise customers. I’m just about to start my third year serving on the OpenSSF TAC. I took over as 2024 tech chair, CRob, when you made the jump into the OpenSSF Chief Architect role. I also co-chair the Securing Software Repositories Working Group, where we get together folks from PyPI, Homebrew, and RubyGems to talk about best practices for securing those ecosystems.

CRob (03:00.161)
Excellent. And I want to thank you both for your ongoing leadership and community involvement. I think 2025 is going to have some amazing stuff in store for us all. Reflecting back, last year, 2024 was a very busy year for the foundation. I would encourage everyone to review our annual report, which came out in December, to see some of the amazing things our community members are working on. But looking at all of that, 2025 looks even busier. From your perspective, Arun, what were some of the key lessons we learned about open source security in 2024?

Arun Gupta (03:41.058)
Yeah, if you look at 2024, a few themes easily emerged. The reliance on open source is only going to grow. If you look at a typical application, roughly 80%, sometimes 90%, of the stack is open source. So it is definitely a critical part of our infrastructure. Pick any industry, vertical, or domain, and open source is prevalent. With a bigger scope comes a bigger attack area as well. The kinds of things we saw include dependency vulnerabilities continuing to be big. It started with Log4Shell during the pandemic back in 2021, and it has only grown. Many organizations still face outdated or insecure dependencies and need help tracking and fixing them. We have projects like GUAC, the AI cybersecurity challenge, and other OpenSSF efforts driving this part of the industry.

Another issue we saw was social engineering attacks. Open source is built on a human engineering fabric, so threats like the XZ Utils backdoor are a real concern. OpenSSF and OpenJS worked together to issue an alert on what needs to be done. Should we have trusted maintainers whom we’ve met in real life? These are important questions.

Supply chain attacks also continue to rise due to reliance on open source, particularly with government mandates requiring SBOMs to improve transparency and manage supply chains. OpenSSF is working on projects like Protobomb and BombCTL to simplify SBOM creation and portability.

Finally, regulatory pressures increased. The Cyber Resilience Act and the U.S. executive order on stricter open source compliance created unintended consequences for small businesses and open source communities. OpenSSF is working with the EU to ensure a balanced implementation that supports open source while keeping it secure.

Zach, what else would you add?

Zach Steindler (07:15.736)
That was a fantastic overview. I’ve spent much of my career on the defensive side of things in OpenSSF with supply chain security. It has been interesting to see how some of the capabilities we’ve developed have helped in incident response, such as build provenance in the Python package Ultraylitics compromise. That helped us understand what the attacker was doing and how to respond.

Going back to XZ Utils, I think a lot about how we can make the lives of open source maintainers easier in 2025. We ask a lot from them, and while we’re building new security capabilities, they shouldn’t add extra burdens. We must ensure security improvements come with usability improvements to make maintainers’ lives easier.

CRob (08:29.697)
Excellent points. Let’s talk about some things the foundation wants to collaborate on this year. We adopted a practice called MVVSR last year. Zach, maybe you could give an overview of what MVVSR is.

Zach Steindler (08:51.074)
OpenSSF is exiting an exciting early phase where we tried a lot of things to see what worked. Now, we’re borrowing practices from nonprofits and the business world to be more thoughtful about engagement. MVVSR stands for Mission, Vision, Values, Strategy, and Roadmap. It helps us define where we want the organization to go. The mission is high-level, perhaps on a 10-year timeline. The roadmap outlines immediate actions, spanning months or a year.

In late 2024, the OpenSSF TAC, Governance Committee, and Governing Board revised the MVVSR, focusing on strategy. We defined three key categories:

  1. Catalyst for Change – Building tools for open source developers to meet security goals.
  2. Educate & Empower the Modern Developer – Providing guides, courses, and best practices.
  3. Ecosystem Leader – Developing standards and frameworks like Salsa for supply chain security.

CRob (13:13.505)
Awesome. Arun, you’re involved in various foundations. How important is having a roadmap for OpenSSF’s strategy?

Arun Gupta (13:41.486)
It’s critical. Success depends not just on creating guidelines but on their adoption by other foundations. OpenSSF’s mission is to improve open source security, but much of the work happens in other foundations like CNCF, Apache, and Eclipse. Our success is defined by how widely our recommendations are adopted.

For example, Kubernetes adopting OpenSSF recommendations is a big win. At Intel, we ran the OpenSSF Scorecard across all public GitHub repos, tracking incremental security improvements. These efforts align back to OpenSSF’s mission.

CRob (26:18.849)
We’ve accomplished a lot in 2024 and have exciting plans for 2025. Thank you both for your leadership, and thanks to our community of contributors for driving these projects forward. It’s amazing to see initiatives like Salsa and sigstore, which started over four years ago, continue to grow. Gentlemen, I appreciate your time today, and I look forward to working together in 2025. Thank you.

Arun Gupta (27:05.486)
Thank you so much.

Zach Steindler (27:05.72)
Thanks, CRob, pleasure to be here.

What’s in the SOSS? Podcast #23 – Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain

By Podcast

Summary

CRob is joined by Michael Lieberman, CTO and co-founder of Kusari, about the importance of supply chain security in the open source ecosystem. They discuss Michael’s journey in open source, his contributions to projects like SLSA and GUAC and the future of supply chain security.

Conversation Highlights

  • 01:56 – Michael explains how he got into open source
  • 04:10 – The challenges of being a startup within the open source ecosystem
  • 05:38 – Michael digs into his participation with SLSA and GUAC
  • 09:13 – How maintainers can address SBOMs with GUAC
  • 10:56 – Michael’s predictions for supply chain security and dependency management
  • 14:26 – Michael answers CRob’s rapid-fire questions
  • 15:32 – Advice for those entering the cybersecurity or open source development spaces
  • 17:50 – Michael’s call to action

Transcript

Michael Lieberman soundbite (00:01)
I think for the downstream consumers, it’s one thing to do the security. It’s another thing to have folks who are consuming the software know, yes, I feel confident that they’re actually doing the right things because I’m getting signed in an atttested documentation that I can tie back to the maintainers.

CRob (00:18)
Hello, everybody. I’m CRob. I do security stuff on the internet, amongst other things, and I also am a community member and chief security architect for the Open Source Security Foundation. And one of the amazing things I get to do is host “What’s in the SOSS?” podcast, where I talk to interesting people, whether they’re developers or leaders, policy people in and around the open source software ecosystem.

And today we have a pretty cool treat, my friend Michael Lieberman from Kusari. I’ve had the chance to work with Michael for a couple of years within the OpenSSF, and we’re going to talk today about supply chain security and other topics. But before we do that, Michael, why don’t you introduce yourself to the audience?

Michael Lieberman (01:07)
Sure. Yeah. So I’m Michael Lieberman, and I’m CTO and co-founder of a startup called Kusari, focused in supply chain security, but also very much focused in building and using open source.

And in addition to that, I also wear multiple hats in the community as a CNCF TAG security lead, which is the technical advisory group for security for the CNCF as the name sort of suggests.

And then in addition to that in the OpenSSF, I’m a maintainer of some projects like GUAC and SLSA. And in addition to that, I’m also a TAC member and a governing board member.

CRob (01:47)
Now that we’ve got the today story for Michael told, could you maybe share with us, what’s your open source origin story?

Michael Lieberman (01:56)
Sure, so I’ve been using open source obviously, like, since college, you maybe even before that, actually, I remember learning my first programming language, was a very early version of Python. And you know, that was kind of my first introduction, I think, to open source. But as far as, like, my career is gone, using open source for a really long time, occasionally opening up an issue on whether it was prior to GitHub, you know, into some mailing list or that sort of thing.

More recently, when I was…got into the banking world, I was working at a big hedge fund called Bridgewater for a while where we were doing a lot in open source, but we were starting to become more open and contributing back, especially given that we were so security focused. We wanted to make sure that certain things we had seen would get addressed upstream.

And so that involved a lot of stuff on that end. And then as time sort of progressed, would say around the time of the pandemic started getting a lot more involved in, in open source, where I first was a regular member of the financial services end user working group, which is part of the CNCF or at least for the CNCF, I should say. And then eventually I became one of the chairs of that.

Folks in that group are very interested in security. And that’s how I got introduced to TAG Security, where I started working on the Supply Chain Integrity white paper that they had sort of best practices paper, I should say, that they wrote up and I contributed to. And then eventually the Secure Software Factory Reference Architecture, which I helped lead. But as part of this whole thing, there was a relatively new group called the OpenSSF, or Open Source Security Foundation.

And that’s kind of…how I got introduced there, because obviously CNCF, TAGv Security, security, that’s very much focused purely on cloud native, but then you had OpenSSF, which was focused more broadly just on open source security, and that’s kind of how I got introduced there.

CRob (03:54)
That’s pretty cool. And you’re unique in regards to some of our other guests in that you are leader of a startup. Can you maybe describe a little bit for the audience, what’s it like being a startup within this amazing open source ecosystem?

Michael Lieberman (04:10)
It can be very challenging to kind of get some signal above the noise, especially when you don’t have like…when I worked at the big banks, it was very easy to say, “Hey, I work at Big Bank X, you should listen to me,” compared to when you work at a startup and you’re like, “Well, I’m a founder of a startup. You should listen to me.” But I think the thing there is you sort of live and die by your contributions.

So when folks see that you are a good contributor to the community, that you are coming in with your expertise, but also trying to understand other things, and also just trying to do the chopping wood sort of work. It’s not just about, yes, I’ve worked on that for years and this is how it should be done. It should be also, hey, this is how it should be done. And let me show you, let me sit down and actually write down some of the documentation or let me work on a tool or open up a PR to show you how that sort of thing would work.

So it’s a little bit of everything and I will say it’s kind of hard to not get drowned out sometimes by just how much is going on. But with that said, I will say if you put in the time and effort, it can be very rewarding.

CRob (05:18)
But let’s talk about some of your contributions that I know you still, in addition to running your company and being involved in all these different organizations, you’re an active developer and participant in a couple of our biggest initiatives within the foundation, SLSA and GUAC. Could you maybe talk a little bit about SLSA first, and then let’s dive into dependencies with GUAC.

Michael Lieberman (05:38)
Sure. So my introduction to SLSA was kind of a funny one where I saw an article about this new set of practices that had been contributed to the OpenSSF by Google. And I immediately asked the question of like, what’s going on here? What is this thing? And everybody else said, “We just released it today. Like, give us a second!” But I got involved very early on because it seemed like, wow, this is actually hitting something that was not being hit prior, right?

A lot of other best practices that are out there were hitting like how to secure a thing, but not how do you prove that the data that says you are securing the thing is actually accurate? That’s really what SLSA is hitting, especially in the build process right now. So I got involved very, very early on. I became part of the steering committee.

And then as sort of things evolved, I became sort of an actual maintainer of the spec itself, where I contribute both to the content of the spec, as well as reviewing stuff and making sure that things line up with other pieces of the spec. So that’s kind of how I got involved with SLSA.

And then as part of some of that work, right, that was back when I was still working at the banks. And as I kind of continued on, it was very clear that when we look at software bill of materials or SBOMs and a lot of this other data like SLSA that’s like the information that’s coming out of SLSA there is not a lot to make sense of it. And what things do make sense of it often look at each of those things as a in a vacuum? So it looks at a SLSA attestation in a vacuum or an SBOM in a vacuum and so there was something that was missing there.

And after myself and my co-founders decided to create a startup, we quickly realized that maybe we should start working on a tool to start addressing stuff in that space. And a few of the other folks in the space — like Professor Santiago Torres from Purdue University, as well as some folks from Google, like Brandon Lum and Mihai, who also is a big contributor in OpenSSF — we all sort of kind of came together and we realized like, oh, we all want to build this thing.

And so why, given that we were all working together in some capacity in the open source already, we said, as opposed to all of us creating different tools and yada, yada, why don’t we all come together and build something? And so that’s kind of was the genesis of GUAC and GUAC became this tool and it’s now part of the OpenSSF. At the time, we had sort of created it outside of the OpenSSF, but once it kind of reached that critical mass, we decided to contribute it to the OpenSSF.

And for folks who are not super familiar, it’s essentially a way to analyze lots of SBOMs, lots of SLSA attestations, other supply chain metadata, enrich it with information like vulnerability data from open source databases like OSV, or to figure out license risk information from APIs like Clearly Defined, and all sorts of other stuff. And so it’s trying to help answer the questions of what is in your supply chain? What should you be worried about? Where’s the next Log4j? Where does that live? And what does it impact? Is it impacting one of my applications or all of my applications? So it’s really a graph of understanding everything that’s in your software.

CRob (09:03)
So this sounds really valuable to downstream consumers. How would like an open source maintainer or developer leverage an SBOM or GUAC? Would that be useful to them?

Michael Lieberman (09:13)
Sure, yeah. So it depends. So the way that we currently have it set up, and it’s evolving, is

GUAC right now has a good answer for when you have lots of SBOM. So for the end stream consumer, but also in addition to that, we’re having conversations, for example, with the Kubernetes ecosystem and some other ecosystems that their project actually consists of lots and lots of lots of different pieces.

And for them, one SBOM is not enough because they have hundreds potentially of sub-projects that they need to keep track of. And some of the questions they ask are, did I update this logging library in one Go project or did I update in all of them? And do I have a situation where this sub-project is using a completely different framework than this other one and that’s introducing just general risks to the project.

So that’s kind of where some maintainers are kind of coming at it from as well. But there are plans actually as of recently, we had some discussions to actually start working on some additional tools and integrating with additional tools like Protobom, like bomctl, that are also OpenSSF projects to also help answer the question of what happens when I have one or five SBOMs as opposed to when I have 500 or 5,000 SBOMs. And there’s a big gap right now between I have one and I have 5,000 and we’re looking to try and help bridge that gap with some of the upcoming work in the new year.

CRob (10:44)
Very nice. Speaking of upcoming work, you’ve been in this space for a while. What do you see coming down the road in the next few years around supply chain security or dependency management?

Michael Lieberman (10:56)
Sure. What I see is a lot more of the open source distributors, so like your Pi PI, your Maven Central’s, integrating a lot more of this stuff like SBOMs and SLSA into the ecosystem and I know a lot of them are already in the works for doing this. But I think for the downstream consumers, right, but it’s one thing to do the security, it’s another thing to have folks who are consuming the software know, yes, I feel confident that they were that they’re actually doing the right things because I’m getting signed in attested documentation that I can tie back to the maintainers and You know unless the maintainers are completely lying to me, in which case, well, now they can’t be trusted and yada, yada, there’s potentially public repercussions or whatever for those individuals, like there’s clearly incentive to do this.

And so what I see is finally folks looking at not just how to produce all of this stuff, but how to consume it to answer questions and address risk, which then I think will introduce what is really needed right now, which is a feedback loop of people are producing SBOMs, some of them are gonna be more accurate than others. But I think through analysis tools, whether it is GUAC or any other thing that’s out there, right, Like there’s OSV scanner and there’s a bunch of other, things, we’ll start to see that folks will find gaps in those SBOMs, in those SLSA statements, in the supply chain metadata and realize that it needs to be updated. That data will be updated or enriched and will be generating better SLSA and SBOMs in the future. That’s, I think, one big thing.

The second big thing I think we’ll see, which is maybe, maybe a bit more, I don’t want to sound myopic or anything like that, but I do think especially in the AI space in the next, whether it’s next year or the next couple of years, we will see something akin to a Log4j in that space where a lot of folks will be relying maybe either on a data set that everybody thought was good, but it turns out it’s been polluted in some way, poisoned in some way. Or a model itself that a lot of things rely on that has some critical vulnerability, whether it’s purposefully injected with some sort of malicious behavior, or if it’s just, hey, we realize that the way we train this led it to be potentially exploited in a particular way to get it to make certain decisions that we don’t want to allow.

I think we’ll see that in the future because it’s hard enough to track dependencies and understand your supply chain when you’re talking about software and software consists of code. But when you’re talking about AI models that are trained on terabytes or more of data here, it can be very difficult to know like, where does that needle live of this thing has somehow polluted the overall model?

CRob (14:02)
That’s really interesting food for thought. We’ll keep an eye on that as we go into the future.

But let’s move on to the rapid fire part of our talk. So I got a couple quick and easy questions. I just want the first thought that comes into your head. First question, mild or spicy food?

Michael Lieberman (14:26)
Spicy.

CRob (14:30)
Nice. I also love me some spicy food. Text editor, Vi or Emacs?

Michael Lieberman (14:38)
Vi, Vi.

CRob (14:41)
(Laughter) All right, well that’s not the most contentious question we’re going to have. But Vi, I also love me some Vi. What’s your favorite adult beverage?

Michael Lieberman (14:51)
Ooh, whiskey.

CRob (14:53)
Whiskey, very good. Very safe answer. Now the most controversial question. Tabs or spaces?

Michael Lieberman (15:01)
(Sighs) Spaces.

CRob (15:06)
Awesome. And then finally, what’s your favorite open source mascot?

Michael Lieberman (15:11)
You know, for as much as I love the goose, I will say I’m a big fan of Tag Security’s TrashPanda raccoon mascot.

CRob (15:20)
Very nice. That’s a good one. So as we close out, do you have any kind of words of advice for someone that’s getting into the cybersecurity or open source development space?

Michael Lieberman (15:32)
Sure, yeah. The advice I always give is just get involved, right? Just get started. And it doesn’t matter where you get started. And to be clear, I was the same way where I’d be scared to, you know, I’d be like, I think I found a bug in a potential piece of software. Should I bother them with this? I could be wrong. It’s like, obviously do your due diligence. Like don’t just come in and immediately start saying, hey, I found this thing.

And obviously, everybody is, everybody’s wrong and I’m right. It’s more like, well, I look through the documentation, I look to see if there was any open issues about a thing, I didn’t see it, I opened up an issue, right? And then when it comes to the open source community generally, or just cybersecurity community in general, just, I think the big thing is ask questions, introduce yourself. Folks wanna help, right? Because even if we were all like, I wanna say like, most of us are pretty nice in the community. You know, yes, we can get a little annoyed at things and yada yada, but most of us are pretty nice.

And what I say is even if we weren’t nice, it’s in our best interest to get help here because it’s…there’s so much stuff that needs to get done. And so just come in, introduce yourself and so on. There’s also like, you know, for folks who are, who think that they need lots of expensive training on a lot of this, you know, you don’t, at least especially when you’re starting.

There is a lot of free stuff out there. There’s, for example, the Linux Foundation has a ton of great free resources, like from a training perspective for cybersecurity. But in addition to that there’s also all sorts of other like, you know, charities as well. Like if you’re somebody who is from an underrepresented group or, or struggles financially that, you know, can help get you a leg up as well.

But, in addition to that, think the big thing is it just keeps going back to introduce yourself to the community because we can help point you in the right direction. There’s a lot of folks who will help mentor and help you out in whatever way you need, whether it’s pointing you in the direction of a great training course or helping mentor directly or even just pointing you to here’s a good book you should read that I think helped me out.

CRob (17:42)
That’s awesome advice. Thank you. And finally, do you have a call to action for our listeners, something you’d like to see them do?

Michael Lieberman (17:50)
Sure. First, I’ll talk a little bit more broadly and then I’ll go more specific. But I think more broadly again, especially for folks who are end users who work at end users, like, you know, your, your big banks, I know having worked at big banks for years and years and years, you can feel disincentivized to participate in the open source community. Push for this because as folks who will be listening to this will are inevitably aware, right, banks are using tons of open source.

A lot of the challenges they have is not being able to contribute back, not being able to work with the community to address issues. Push on your organizations to be more involved while highlighting the actual risks there of if we don’t get involved, this costs us more money because there’s a whole community that’s looking to help and help fix this. And so we need to need to be involved to kind of get our voices heard.

And then in addition to that, just generally, right? Like, be more involved in the open source community, be more involved in the security community, especially if you’re a security engineer, it’s much easier to be involved in open source just from like, hey, I created this really cool tool that has this new feature and this new feature could make us all lots of money. You know, security is not often seen as the thing that makes everybody a ton of money. So it can sometimes be like, yeah, yeah, yeah, yeah, we’ll work on that later. No, no. If you don’t take care of security, could potentially lose a lot of money. You could lose customer data. You could ruin your reputation, the reputation of others and cause serious damage. So more involved in the cybersecurity community is super important.

And then a bit more specific, a bit more self-serving, come join the GUAC community. We’re always looking for more contributors. We’re trying to find more end users, you know, one of our big challenges has been, turns out, you know, a lot of enterprises actually do use GUAC or have been making POCs of GUAC, but a lot of those large enterprises don’t come to the community, for example. And we’ll hear through the grapevine, such and such as using GUAC and they’re running into a bug. It’s like, well, we can’t fix it if we don’t know about it. So, so come join, come participate.

And again, as I mentioned earlier, contributions are not purely, like, I wrote, you know, a thousand lines of code for this new feature. It can just be open up an issue, fix a typo in our documentation. It can be helping write notes in the community meetings, right? Anything is helpful and appreciated.

CRob (20:19)
That’s awesome. Thank you very much, Michael. Appreciate your contributions to the community and thank you for joining us today.

Michael Lieberman (20:26)
Yep! Thank you for having me.

Announcer (20:28)
Like what you’re hearing? Be sure to subscribe to “What’s in the SOSS?” on Spotify, Apple Podcasts, AntennaPod, Pocket Casts, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all.

Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up to date OpenSSF news and insight. And be a part of the OpenSSF community at openssf.org slash get involved. Thanks for listening, and we’ll talk to you next time on “What’s in the SOSS?”

What’s in the SOSS? Podcast #22 – Sovereign Tech Agency’s Tara Tarakiyee and Funding Important Open Source Projects

By Podcast

Summary

In this episode, CRob talks to Tara Tarakiyee, FOSS technologist at the Sovereign Tech Agency, which supports the development, improvement and maintenance of open digital infrastructure. The Sovereign Tech Agency’s goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity and the people behind the code.

Conversation Highlights

  • 01:42 – Why the Sovereign Tech Fund became the Sovereign Tech Agency
  • 03:59 – The ways the Sovereign Tech Agency supports open source infrastructure initiatives
  • 04:42 – The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest
  • 06:51 – Sovereign Tech Agency success stories
  • 09:09 Plans for the Sovereign Tech Agency in 2025
  • 11:54 – Tara answers CRob’s rapid-fire questions
  • 13:54 – Advice to those entering open source development or security field
  • 14:55 – Tara’s call to action for listeners

Transcript

Tara Tarakiyee soundbite (00:01)
You can actually hear the relief when we’re talking to maintainers about how can we sort of get this kickstarted? How can we get the ball rolling? Hopefully those maintainers can also show the benefits of investing in security, investing in resilience to people that depend on their software and get them to invest in it as well.

CRob (00:17)
Hello everybody, I’m CRob. I do security stuff on the internet. I’m a community leader and I’m also the chief architect within the Open Source Security Foundation. One of the coolest things I get to do as part of this role is to host “What’s in the SOSS?” podcast, where I talk to interesting people, maintainers, leaders and folks involved with upstream open source security and open source supply chain security.

Today, we have a real treat. We have Tara from the Sovereign Tech Agency, and they are here to talk about the amazing work within the upstream community for the last several years. So maybe could you introduce yourself and explain a little bit about the organization you’re working with?

Tara Tarakiyee (01:00)
Thank you. I work with the Sovereign Tech Agency. We are a GC that’s funded by the German government, specifically through the Ministry of Economy and Climate to essentially strengthen the open source ecosystem, which is our mission. And we do that by investing in the components of our open digital infrastructure that are, I’m sure as you know, like maintained by very few people, but relied upon by millions and millions, what we call the roads and bridges of our digital world.

CRob (01:33)
I like that. That’s nice phrasing. As I mentioned, you all went through a little bit of a rebranding recently. Could you maybe talk about the change for us?

Tara Tarakiyee (01:42)
Yeah. So we had the whole concept that was developed by our co-founders, Fiona Krakenbürger and Adriana Groh to provide like an investment fund to support this critical infrastructure. And that was sort of like our first, let’s say, vehicle of support for projects. But essentially, what we’re trying to do is meet the community where they are, providing what they need. And we know that, sure, investments are good, but support for something as complex as our post-request instruction needs to come in different forms and factors.

So since then, we’ve also introduced two other programs, what was called the Bug Resilience Program, which is now called the Sovereign Tech Resilience, as part of the rebrand, and also our Sovereign Tech Fellowship. We provide services. We work with the vendors in this space who have experience with vulnerability management, with reducing technical debt, with doing code reviews and providing audits, and also with setting up and running bug bounty programs. And we provide those vulnerability management services. to open source projects indirectly. So we pay for it, but the services go to the open source project.

And with the fellowships, we are looking for maintainers who are key people in their communities who support several projects that for them, like, it wouldn’t make sense to apply it through something like the Sovereign Tech Fund. Usually what we do with the Sovereign Tech Fund is these service agreements that are sort of like deliverable based.

With the fellowship, we’re providing like a different way of providing support for maintainers through our fellowship where we support maintainers who are key in their communities by providing either with a board contract or with a six-month fellowship, three-month fellowship.

Those are sort of the sort of a bundle of services that we’re providing and under the banner of the Sovereign Tech Agency. We all have the same mission. We’re still doing the same things. It’s just the name, name change was just to reflect that there’s like a big house now where all these different programs live in.

CRob (03:47)
Makes a lot of sense. Could you maybe just share a little about how the agency kind of executes on this mission? How does someone become aware of these programs and how does someone take advantage of them to participate?

Tara Tarakiyee (03:59)
For the fellowship, we issued a call on our website. Currently, the call is closed for this year as we sort of review through the application that came in. For the Sovereign Tech Fund, we are still accepting ongoing applications on our website. So if you go to sovereign dot tech, you will find our website, and there you can navigate to the apply section where you can learn about our criteria, what we look for in critical infrastructure, open source, and from there it will take you to our application platform.

CRob (04:32)
If one of the programs is open, are there any kind of limits on who can qualify to participate? Does it have to be an EU citizen or can it be anywhere from around the world?

Tara Tarakiyee (04:42)
Anyone in the world can apply as long as you’re maintaining open source critical infrastructure. The way we, it’s hard to define something as open source critical infrastructure, you know? So for us, we take four criteria. So we look at sort of the relevance of your open source project. Is it used in different places, in many places, by many people?

We also look at…sorry, that was prevalence…then relevance, is it used in particular sectors that are particularly important? Like it could be not be used by many people, but if it’s using like the energy sector or aviation or something that’s, like, highly critical, then that’s another factor that of balances that out.

And then we look at vulnerability. So, I mean, it’s not a nice question, but like what would happen if your software component would disappear tomorrow? Would like people panic? Like that’s probably a good sign that it’s infrastructure. But also we balanced the question out also by looking at different aspects of like, why is this not receiving funding?

Because I think that’s a fundamental thing for us. Like we exist to support infrastructure because in general, like those are things that are hard to fund. It’s something, it’s a resource that everyone depends upon, but very few people contribute to. And that’s, that’s sort of like our niche. So that’s also something we look at in vulnerability.

And finally, we do an evaluation, like, is this a software that’s in the public interest? So is it being used in applications where it’s generally good for society? So, based on our evaluation of these four criteria and also look at the activities, like is it more maintenance activities or generally like you want to develop new features? Would you occasionally fund or invest in new features? But that’s only when there’s like a strong sort of public interest argument for it and no one else would fund it. In general, we mostly focus on improving the maintainability and security of those critical software components.

CRob (06:35)
Thinking back, you all have been operating, whether it’s the fund or the agency, for a little over two years. And thinking back over that, are there any particularly interesting success stories or where you felt that the fund or the agency made a real difference?

Tara Tarakiyee (06:51)
I mean, it’s generally nice just to hear the feedback from the different projects. It’s hard for me to name, like, one particular example or pick a favorite. In general, think like, when I look back and see like projects where they struggled for a long time to get the people that depend on them interested in security. Even though, like, it’s a critical dependency for, like, many companies and stuff, but nobody wants to fund like a security team.

People would rather fund new features and, which just like sort of exacerbates the problem. Like it just creates more pressure on the maintainer and creates more technical debt and more potential for things to go wrong. You can actually hear the relief when we’re talking to maintainers about, yeah, like we’re interested in your security plans. Like how can you sort of get this kickstarted? How can we get maybe those other people also interested? Cause again, like it’s such a big lift sometimes and with some software that we can’t do it all on our own.

So we try getting the ball rolling and then hopefully those maintainers can also show the benefits of investing in security, investing in resilience to the people that depend on their software and get them to invest in it as well. I’m also very proud of our investments in, for example, Fortran, where it’s a technology that’s still very important. Like people hear about it and think like, remember it like maybe from their university days or reading about it on Wikipedia, but it’s still there. It’s still lots of code written in it.

I think Fortran developers deserve the ammenities that modern day developers have, like a good package manager having the developer tooling. So I was very proud of our investment there because, again, like, also considering the state of the world right now, Fortran is very vital in climate modeling and us understanding the world around us. So it’s a very critical time for investment in such technology.

CRob (08:50)
Excellent. Yeah, the older languages deserve the same love that the newer ones do. I totally agree. Getting out your crystal ball, it’s towards the end of 2024 here. What’s in the future for the Sovereign Tech Agency in your programs for next year? Any big plans or anything you’re very excited about to get to work on next year?

Tara Tarakiyee (09:09)
So for work, we learned a lot from the past two years. So I think now it’s time for us to also start exploring ways of bringing in more people into the field of open source. I think, like, a common concern is looking at open source technology, like, there are very few maintainers and not so many are able to come in. Like there’s a high barrier for entry. So maybe I think looking at ways of opening up the field and getting more people, because I mean, the door is open, but that doesn’t mean that people automatically come in. Like, people need help to be able to get into open source.

And also we work with some very complicated projects because their infrastructure, because they’re written in sometimes like high-performance languages that are harder to get into. So I don’t want to compare, but like it’s not maybe as easy as, like, web development where sometimes the languages are a bit more accessible and there are already like a plethora of resources existing to help people get into them.

So I think just getting more people through the door, getting more, let’s say communities that don’t have access to the resources to become open source developers, helping get to the door, get them to becoming the maintainers of the future, I would say, is, would be something I would be very interested in working on or a problem to tackle.

With open source, it’s important to consider that interoperability needs standards because that’s how you create sort of like a healthy technology ecosystem. Because you don’t want like sort of a monoculture where like one software becomes a dominant thing and then that just creates lots of issues. So you want to have a variety of implementations around the standard to solve a particular problem. That just creates healthier software.

I think exploring how maintainers interact with standards bodies that exist. Also, you have increasing regulation and standardization coming from governments. And finally, I think there are some not official standard bodies, but bodies that help certain technologies communities or programming languages sort of improve their work that the maintainers know about these, but most people don’t. And I think getting more involved in sort of supporting the work that happens there to create better specifications, move technologies forward and get more maintainers involved in the conversations about the technologies that they’re developing at standard bodies will be another area of interest for us.

CRob (11:42)
Very nice. Yeah, that’s an interesting vision. A docket of things that I think we’ll probably be working on together next year. Well, let’s move on to the rapid-fire part of the interview.

(Musical sound effect: Rapid fire, rapid fire!)

All right, I have a couple quick questions. I want you to just answer right off the top of your head. Spicy or mild food?

Tara Tarakiyee: (12:06)
Spicy, but I have a limit.

(Sound effect: Ooh, that’s spicy!)

CRob (12:12)
Excellent. From your perspective, what’s your favorite open source mascot?

Tara Tarakiyee (12:17)
Oh, I mean, have to give it to Penguin, like Linux Penguin.

CRob (12:22)
Tux! Very nice!

Tara Tarakiyee (12:24)
I do sometimes get jealous of the FreeBSD devil, because it’s slightly cooler.

CRob (12:28)
Absolutely! Thinking back on your career with interacting with open source, what was your first open source project you remember using?

Tara Tarakiyee (12:37)
I mean, the first one I actively used knowing it was open source was Firefox. I wa a big part of the Firefox community early on in university. So I think how I got my start into open source advocacy was by organizing. I think, back then we were throwing these Firefox launch parties in Jordan. And from there, I got into Linux.

CRob (13:02)
That’s awesome. Well, thank you for sharing. As we wind down, do you have any advice that you would want to share to either someone entering the open source development or security field or is currently a maintainer?

Tara Tarakiyee (13:15)
I think it’s important for people to start listening more to maintainers. From my experience, like for the past two years working with maintainers, they know what they want, know where the problems are. There are people who really care about all these critical pieces of infrastructure that we depend upon, and they do have a good sense of what the problems are.

It’s just that I think not that many people listen to them that someone who really cares about software development in a way that’s… I compare it a bit to being an artisan where it’s more about the craft of the software and you just want to create the best software ever and sometimes occasionally they create things that are very important and used in many places. Sometimes not accidentally, sometimes intentionally as well and then, yeah, when it gets to that scale.

I think my advice is also don’t be afraid to say you need help. I think many maintainers feel like they need to do it on their own or think that people don’t care about their issues, but there are people out there who care about giving the adequate support to maintainers and creating communities of care for them. Definitely don’t be afraid. My advice for maintainers is don’t be afraid to ask for help and people do care about the work that you do. And my advice for others is please listen to maintainers. They know what they’re doing.

CRob (14:42)
Excellent. That’s excellent advice. Thank you. And finally, do you have a call to action, whether it’s kind of personal, like you just mentioned about for maintainers or contributors, or kind of around the Sovereign Tech Agency?

Tara Tarakiyee (14:55)
We do see the significant need or the significant under supply of what level of resources we need to put into our digital infrastructure. And there’s a huge gap between how many resources we’re putting in right now compared to what’s actually needed to create like a healthy, vibrant system.

Like, we’re still far off at the moment that, and I don’t think that many people realize that. So my call to action would be, let’s take this problem more seriously. Let’s invest like real resources, solving, like, the very real problems. We can’t wait til the next Log4j to happen and then say, oh my God, this could have been avoided.

I’m sort of also…maybe because like I’ve been working, doing this work for like 15 years now, tired of like that cyclical nature of like something big happens, people start caring. And then two years later, things revert back. Yeah, let’s, let’s try to break that cycle a little and put, like, significant investment that’s more long-term into creating maintainable, like sustainable support systems for our open source infrastructure.

CRob (16:00)
Excellent. Thank you. I appreciate you coming in to share your wisdom and your experiences through the Sovereign Tech Agency. I wish you a great day.

Announcer (16:09)
Like what you’re hearing? Be sure to subscribe to “What’s in the SOSS?” on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #21 – Alpha-Omega’s Michael Winser and Catalyzing Sustainable Improvements in Open Source Security

By Podcast

Summary

In this episode, CRob talks to Michael Winser, Technical Strategist for Alpha-Omega, an associated project of the OpenSSF that with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.

Conversation Highlights

  • 01:00 – Michael shares his origin story into open source
  • 02:09 – How Alpha-Omega came to be
  • 03:48 Alpha-Omega’s mission is catalyzing sustainable security improvements
  • 05:16 – The four types of investments Alpha-Omega makes to catalyze change
  • 11:33 – Michael expands on his “clean the beach” approach to impacting open source security
  • 16:41 – The 3F framework helps manage upstream dependencies effectively
  • 21:13 – Michael answers CRob’s rapid-fire questions
  • 23:06 – Michael’s advice to aspiring development and cybersecurity professionals
  • 24:44 – Michael’s call to action for listeners

Transcript

Michael Winser soundbite (00:01)
When some nice, well-meaning person shows up from a project that you can trust, it becomes a more interesting conversation. With that mindset, fascinating things happen. And if you imagine that playing itself out again and again and again, it becomes cultural.

CRob (00:18)
Hello, everybody, I’m CRob. I do security stuff on the internet. I’m also a community leader and the chief architect for the Open Source Security Foundation. One of the coolest things I get to do with the foundation is to host the OpenSSF’s “What’s in the SOSS?” podcast. In the podcast, we talk to leaders, maintainers and interesting people within the open source security ecosystem. This week we have a real treat. We’re talking with my pal, Michael Winser, AKA “one of the Michaels” from the Alpha-Omega project. Michael, welcome sir.

Michael Winser (00:52)
It’s great to be with you, CRob.

CRob (00:53)
So for those of us that may not be aware of you, sir, could you maybe give us your open source origin story?

Michael Winser (01:00)
I have to think about that because there’s so many different sort of forays, but I think that the origin-origin story is in 1985, I was at my first job. You know, I got the Minix book and it came with floppy disks of source code to an entire operating system and all the tools. And I’m like, wait, I get to do this? And I started compiling stuff and then I started porting it to different things and using the code and then just seeing how it worked. That was like a life-changing sort of beginning.

And then I think then at Google working in open source, you know Google has a tremendous history of open source and a community and culture of it and embracing it. And I got to my last part of my work at Google was working on open source supply chain security for Google’s vast supply chain, both in terms of producing and consuming. And so that’s really been another phase of the journey for me.

CRob (01:53)
So I bet things have changed quite a lot back from 1985. And that’s not quite the beginning of everything. But speaking about beginnings and endings, you’re one of the leaders of a project called Alpha-Omega. Could you maybe tell us a little bit about that and kind of what AO is trying to do?

Michael Winser (02:09)
Sure. So Alpha-Omega, it started out in, sort of, two almost distinct things. One was at the sort of, that moment of crisis when OpenSSF was created and various companies like Microsoft and Google were like, we got to do something about this. And both Microsoft and Google sort of never let a good crisis go to waste, put a chunk of money aside to say, whatever we do, how do we figure this stuff out? It’s going to take some money to fix things. Let’s put some money in and figure out what we’ll do with it later.

Separately, Michael Scovetta had been thinking about the problem, had written a paper titled, surprisingly enough, Alpha-Omega, and thinking about how one might, the how one might was looking at the Alpha, which is sort of like the most significant, most critical projects that we can imagine. And then the Omega is, what about all the hundreds of thousands of other projects?

And so that confluence of those two thoughts sat unrealized, unfulfilled, until I…I joined the ghost team at Google and someone said, you should talk to this guy, Michael Scovetta. And that’s really how Alpha-Omega was started was two guys named Michael sitting in a room talking about what we might do. And there’s been a lot of evolution of the thinking and how to do it and lessons learned. And that’s what we’re here to talk about today, I think.

CRob (03:31)
I remember that paper quite well in the beginnings of the foundation. Thinking more broadly, how does one try to solve a problem with the open source software supply chain? From an AO perspective, how do you approach this problem?

Michael Winser (03:48)
There’s so many ways to this question, but I’m actually just going to start with summarizing our mission, because I think it really, we spend a lot of time, as you know, I’m a bit of a zealot on the mission, vision, strategy and roadmap thinking. And so our mission is to protect society by, critical word here, catalyzing sustainable security improvements to the most critical open source projects and ecosystems.

The words here are super important. Catalyzing. With whatever money we have on tap, it’s still completely inadequate to the scale of the problem we have, right? Like I jokingly like to sort of describe the software supply chain problem as sort of like Y2K, but without the same clarity of problem, solution or date.

It’s big, it’s deep, it’s poorly understood. So our goal is not to be sort of this magical, huge and permanent endowment to fix all the problems of the open source. And we’ll talk more about how it’s not about just putting money in there, right? But to catalyze change and to catalyze change towards sustainable security. And so the word sustainable shows up in all the conversations and it is really two sides of the same coin. when we talk about security and sustainability, they’re almost really the same thing.

CRob (05:03)
You mentioned money is a potential solution sometimes, but maybe could you talk about some of the techniques to try to achieve some better security outcomes with the projects you’ve worked with?

Michael Winser (05:16)
Some of it was sort of historically tripping over things and trying them out, right? And I think that was a key thing for us. But where we’ve arrived, I think I’ll sort of rather than trying to tell all the origin stories of all the different strategies that we’ve evolved. Actually, I’ll summarize by, so Alpha-Omega has now come to mean, not the most critical projects and then the rest, but the highest points of leverage and then scalable solutions. And so I use those two words, Alpha effectively means leverage and Omega means scale. And in that context, we’ve developed essentially a four pronged strategy, four kinds of investment that we make to create change, to catalyze change.

And in no particular order, Category A is essentially staffing engagements at organizations that are able to apply that kind of leverage and to where adding somebody whose job it is to worry about security can have that kind of impact. It’s kind of crazy how when you make it someone’s job to worry about security, you elevate something from a tragedy to the commons where it’s everybody’s job and nobody’s job, nobody’s the expert, nobody can decide anything to something where, well, that person said we should do X, I guess we’re gonna do X, whatever X was.

And then having somebody whose job it is to say, okay, with all the thousands of security problems we have, we’re gonna tackle these two this year, and developing that kind of theme, and then working with all those humans to create a culture around that change. Again, if it’s someone’s job to do so, it’s more likely to happen than if there’s nobody’s job it is to do it. Category A, staffing engagements at significant open source organizations that have the both the resources to hire somebody and the leverage to have that person become effective. Right? And so there’s a lot of like packaged up in that resources to hire someone like, you know, they, like, humans are humans. They want to have, you know, jobs, benefits, promotions, other crazy stuff. Right? I’ve given up on all those things, but you know, that’s the world that people live in.

And we, we don’t want to be an employer, we want to be a catalyst, right? And so we’re not here to sort of create a giant organization of open source security. We’re here to cause other people to get there and ultimately to wean themselves from us and to have a sustainable model around that. And in fact, so for those grants, we encourage, we discuss, we ask, how are you diversifying your funding so that you can start supporting this as a line item on your normal budget as opposed to our sort of operational thing? And that’s, it’s a journey. So that’s category A.

Category B has some interesting overlap, but it really speaks to what I think of as the app stores of software development, the package ecosystems, right? There is no greater force on the internet than a developer working at some company with their boss is breathing down their neck and they’ve got a thing to get done. They got to get tab A into slot B. They can’t figure it out. They Google something, and it says do not use this code, it is terrible, you should not use it, but if you were to use it, npm install foo will get you tab A into slot B, right?

At this point, you can’t give them enough warnings, it doesn’t matter, they’re under pressure, they need to get something done, they’re installing foo, right? How can we elevate these package ecosystems so that organizations, individuals, publishers, consumers can all have better metadata, better security practices, and trust the statements that these packages are making about themselves and that other entities are making about these packages to start making informed decisions or even policy-based decisions about what is allowed or not allowed into a developer environment in some organization, right?

And then that’s just a tiny part of it. So like the whole package app store concept where you essentially, I am installing this thing and I expect some truths about that name to be not a name name-squatted thing. I expect the versions to be reasonably accurate about not being changed underneath me. And a thousand little things that we just want to take for granted, even without worrying about them somehow making it all be secure, is such a point of leverage and criticality that we find investing in that worthwhile. And so that’s a category for us.

Category C is actually where most of our conversations start. And perhaps I’m getting ahead of our conversation, but it’s with audits. And we love paying for audits into an organization that essentially is ready to have an audit done. And there’s so much that gets wrapped up in is an organization ready to have an audit? Do they want to have the audit? What are they going to do with the audits results? How do they handle?

And so as an early engagement, it’s remarkably cost-effective to like find out whether that organization is an entire giant, complicated ecosystem of thousands of projects and things like that, or three to five amazing hackers who work nights and weekends on some really important library. That audit tells everybody an awful lot about where that project is on their journey of security. And one of our underlying principles about doing grants is make us want to do it again. And how an organization responds to that audit is a very key indicator, whether they’re ready for more, could they handle it, what are they going to do with it, et cetera.

And then category D, you could name it almost anything you want. This is us embracing the deep truth that we have no idea what we are doing. Collectively as an industry, nobody knows what we’re doing in this space. It’s hard, right? And so this is an area where we think of it as experimentation and innovation. And it’s a grab bucket for things that we try to do. And one of our stakeholders pointed out that we weren’t failing often enough early on in our life cycle. And it was like, if you’re not trying enough things, you’re taking the easy money, easy bets and not learning important lessons. Like, okay, we’re gonna screw some things up, get ready!

Again, the journey of learning every step along the way. And it’s not like we are like, recklessy throwing money to see if you can just burn it into security that doesn’t work — we tried But we’re seeing you know, see what we can do and those lessons are fun, too.

CRob (11:16)
Excellent. So in parallel with your kind of your four strategies you’ve used you you and I have talked a lot about your concept of the “clean the beach.” Could you maybe talk a little bit more about your idea of cleaning the beach?

Michael Winser (11:33)
Absolutely. So one of our early engagements on the Omega side was to work with an organization called OpenRefactory that had developed some better than generic static analysis techniques. And I don’t even know how it works, and there’s probably some human that know there’s some humans in the loop to help manage the false positives and false negatives and things like that. They felt that they could scale this up to handle thousands of projects to go off and scan the source code to look for vulnerabilities previously not found in that source code. And then also to generate patches, pull requests for fixes to those things as well.

And this is, sort of, the of the holy grail dream of like, we’ve got all this problem, if only we just, we can just turn literally oil into energy into compute, into fixing all this stuff, right? And there’s a lot of interesting things along the way there. So the first time they did, they went and did a scan, 3,000 projects, and came back and said, look at us, we scanned 3,000 projects, we found I don’t know how many vulnerabilities, we reported this many, this many were accepted. There’s a conversation there that we should get back to about the humans in the loop. And after it, I’m like, okay, if I try to tell anybody about this work, I don’t know what difference it makes to anybody’s lives.

And I realized that it was the moral equivalent of taking a…some kind of boat, maybe a rowboat, maybe a giant barge, out to the Pacific garbage patch and picking up a lot of plastic and coming back and saying, look at all this plastic I brought back. And I’m like, that’s good. And maybe you’ve developed a technique for getting plastic at scale, but thousands of orders of magnitude off, like literally it’s gigatons, teratons of stuff out there. And you brought back a little bit. I’m like, I need to be more short-term in terms of getting work and impact. And we care about continuous results and learnings as opposed to like, great, we found a way to turn the next trillion dollars into like a lot of scans and things like that. And so we thought about this a lot.

And it was sort of around the same time as the somewhat terrifying XZ situation, right? And I realized that XZ showed us a lot about the frailty of projects because of the humanness of people involved. But it also showed us that, and I’m going to be kind of stern about this, open source projects that use upstream dependencies like XZ are treating those dependencies exactly the way that we complain about corporations using open source for free.

They assume that this source code is being taken care of by somebody else and that it comes down from the sky on a platter with unicorns and rainbows and whatever other…like how many people in these organizations that use XZ, whether they were for-profit entities or whatever we’re paying attention upstream and saying, hey, I wonder if any of our projects needs our help? I wonder if we should spend some more time working on our upstream. Said nobody ever.

And so coincidentally, we wanted to do some work with someone we met at PyCon, this gentleman named Jarek Potiuk who’s on the PMC for Apache Airflow. And he wanted us to talk about our security work at the Airflow conference. And I’m like, well, we’ve got to talk about something. And so we start talking about Airflow. And he was already down that road of looking at his dependencies and trying to analyze them a little bit. And we said, what can we do here?

And so bring this back to Pacific garbage patch, right? We’d all love for the Pacific garbage patch to go away, right? But day to day, we go to the beach. And wouldn’t it be nice if we could talk about a section of the beach as being not perfectly okay, but free of a common set of risks, right? So we thought about, so can we do that? And he’s like, well, I know exactly how many dependencies total Airflow has. It has 719 dependencies.

And we asked ourselves the question, has anybody ever done a complete audit across those dependencies? Where complete is across all 719, not a complete code analysis of every single piece of those projects. And the answer was no. And we said, well, we’re going to make the answer yes. And so we started a project to go and bring automatic scanning to that so that OpenRefactory instead of trying to scan 3,000 arbitrary projects or the top 3,000 or the top 3,000 dependencies, they pick 718 and scan those. And Jarek and his team put together some scripts to go off and pull key facts about projects that can be used to assess risk on an ongoing basis in terms of whether we need to get involved or should we do something or should we worry about this or not, right?

And it’s everything from understanding the governance to the size of the contribution pool to the project, to its vulnerability history, right? And just building up a picture where the goal is not to sort of audit the source code of each of these projects, because that’s actually not Airflow’s job, right? And they wouldn’t do a good job of it per se. But to understand across their dependencies where there is risk and where they might need to do something about it.

From that came another concept that is what I really like. Going back to the, let’s not pretend that this code came down from the sky on a silver platter with unicorns. What are we supposed to do about it if we see risk in one of our upstream dependencies? And from that, the framework that came out was essentially the three F’s. You either need to fix, fork or forego those dependencies. There’s another way of saying forego, but we’ll stick with forego. There’s a fourth one which is fund, and we’ll talk about why that is not actually something at the disposal of most projects.

The fixed part is kind of interesting. The fork part is an expensive decision. It’s saying, you know, they’re not doing it, but we need this and we can’t get something else. We can’t forego it because it’s whatever. So I guess it’s ours now, right? And taking responsibility for the code that you use, because every dependency you use, right, unless you’re using some very sophisticated sandboxing, every dependency you use has basically total access to your build environment and total access to your production environment. So it’s your code, it’s your responsibility.

So with that mindset, fascinating things happened. When an automated scan from OpenRefactory found a new vulnerability in one of the dependencies, they would report it through their private vulnerability reporting, or we had some editing that noticed that these people don’t have private vulnerability reporting.

And so one of the fixes was helping them turn on PBR, right? But let’s say they had PBR, they would file the fix or file the vulnerability. And because it looked like it came from a machine, right? Unfortunately, open source maintainers have been overwhelmed by well-meaning people with bots and a desire to become a security researcher with a lot of like, let’s just say, not the most important vulnerabilities on the planet.

And that’s a lot of signal-to-noise for them to deal with. So some of these reports were getting ignored, but then when an Apache Airflow maintainer would show up on the report and say, hey, my name is “Blah,” I’m from Apache, we depend upon you, would you be open to fixing this vulnerability, we would really greatly appreciate it. In other words, a human shows up and behave like a human. You’d be amazed at what happened. People are like, my God, you know I exist? You’re from Apache Airflow, I heard it, you guys. How can I help? I’ll put it right on like that, right? Like, the response changed dramatically. And that’s a key lesson, right?

And if I were to describe one of my goals for this sort of continued effort, right, is that within the Airflow community, there’s an adopt a dependency mindset where there’s somebody, at least one person for every dependency. And I mean, transitively, it’s not the top level. It’s the whole graph, because you can’t assume that your transitive people are behaving the same way as you and that. It’s easy when it’s like not a crisis, but when it’s a crisis, right?

Having somebody you know, talk to you about the situation, offer to help is very different than, oh my God, you’ve shown up on somebody’s radar as having a critical vulnerability and now everybody is dog is asking you about this. Lawyer-grams are coming. We’ve seen that pattern, right? But then Jarek from Apache Airflow shows up and says, hey, Mary, sorry you’re under the stress. We’re actually keen to help you as well. You know, who’s going to say no to that kind of help when it’s somebody they already know? Whereas the XZ situation has effectively taught people to say, I don’t know you, why am I letting you into my project? How do I know you’re not some hacker from some bad actor, right?

That mindset of let’s pick some beaches to focus on, understand the scope of that, and then take that 3F mindset, right? And so Airflow has changed their security roadmap for 2025 and that includes doing work with, on behalf for, towards their dependencies. They’ve taken some dependencies out, so they’ve done it forego. And some of the things they’re asking them to do is just turn on PDR or maybe do some branch protection, some of the things that you might describe in the open SSF space line for security, right?

That people don’t think they know they’re competent to do or haven’t worried about it yet or whatever. But when some nice, well-meaning person shows up from a project that you can trust, it becomes a more interesting conversation. And if you imagine that playing itself out again and again and again, it becomes cultural.

CRob (21:01)
Yeah, that’s amazing. Thank you for sharing. That’s some amazing insights. Well, let’s move on to the rapid fire section of podcast! First hard question. Spicy or mild food?

Michael Winser (21:13)
Oh, I think both. Like I don’t want to have spicy every single day, but I do enjoy a nice spicy pad Thai or something like that or whatever. I’m, you know, variety is the spice of life. So there you go.

CRob (21:25)
Excellent. Fair enough. Very contentious question: Vi or Emacs?

Michael Winser (21:32)
I confess to Vi as my default console editor. Along back in that 1985 time, did port Jove — Jonathan’s Own Version of Emacs. Still alive today. I used that. And then, in my Microsoft days, I used this tool called Epsilon that was an OS2 and DOS Emacs-derived editor. And the key bindings are all locked in my brain and worked really well. But then full-grown Emacs became available to me, and the key bindings were actually nuancedly different, and my brain skid off the tracks. And then as I became a product manager, the need became more casual, and so Vi has become just convenient enough. I still use the index key bindings on the Mac OS command line to move around.

CRob (21:19)
Oh, very nice. What’s your favorite adult beverage?

Michael Winser (22:23)
I think it’s beer. It really is.

CRob (22:25)
Beer’s great. A lot of variety, a lot of choices.

Michael Winser (22:28)
I think a good hefeweizen, a wheat beer, would be very nice.

CRob (22:23)
Okay, and our last most controversial question: tabs or spaces?

Michael Winser (22:39)
Oh, spaces. (Laughter) I’m not even like, like I am a pretty tolerant person, but there’s just no way it ends well with tabs.

CRob (22:50)
(Laughter) Fair enough, sir. Well, thank you for playing rapid fire. And as we close down, what advice do you have for someone that’s new or trying to get into this field today of development or cybersecurity?

Michael Winser (23:06)
The first piece of advice I would have is it’s about human connections, right? Like so much of what we do is about transparency and trust, right? Transparency happens, things that happen in the open and trust is about behaving in ways that cause people to want to do things with you again, right? There’s a predictability to trust too, in terms of like not doing randomly weird things and things like that.

And so, and then there’s also, you know, trust is built through shared positive experiences or non-fatal outcomes of challenges. So I think that anybody wanting to get into this space, showing up as a human being, being open about who you are and what you’re trying to do, and getting to know the people, and that sort of journey of humility of listening to people who you might think you know more than they do and you might even be right, but it’s their work as well. And so listening to them along the way, that’s personally one of my constant challenges. I’m an opinionated person with a lot of things to say. Really, it’s true.

It’s very generic guidance. I think that if you want to just get started, it’s pretty easy. Pick something you know anything about, show up there in some project and listen, learn, ask questions and then find some way to help. Taking notes in a working group meeting, it’s a pretty powerful way to build trust in terms of, this person seems to take notes that accurately represent what we tried to say in this conversation. In fact, better than what we said. We trust this person to represent our thoughts is a pretty powerful first step.

CRob (24:32)
Excellent. I really appreciate you sharing that. And to close, what call to action do you have for our listeners? What would you like them to take away or do after they listen to this podcast?

Michael Winser (24:44)
I would like them to apply the 3F framework to their upstream dependencies. I would like them to look at their dependencies as if they were a giant pile of poorly understood risk and not just through the lens of how many vulnerabilities do I have unpatched in my current application because of some, you know SBOM analyzing tool telling me. But from a longer-term organizational and human risk perspective, go look at your dependencies and their dependencies and their dependencies and build up just a heat map of where you think you should go off and apply that 3F framework.

And if you truly feel like you can’t do any one of those things, right, because you’re not competent to go fix or fork and you have no choice but to use the thing so you can’t forego it, right, then think about funding somebody who can.

CRob (25:34)
Excellent words of wisdom. Michael, thank you for your time and all of your contributions through your history and now through the Alpha and Omega projects. So we really appreciate you stopping by today.

Michael Winser (25:45)
It was my pleasure and thank you for having me. I’ve enjoyed this tremendously. It would be a foolish thing for me to let this conversation end without mentioning the three people at Alpha-Omega who really, without whom we’d be nowhere, right? And so, you know, Bob Callaway, Michael Scovetta, and Henri Yandell. And then there’s a support crew of other people as well, without whom we wouldn’t get anything done, right?

I get to be, in many ways, the sort of first point of contact and the loud point of contact. We also have Mila from Amazon, and we have Michelle Martineau and Tracy Li, who are our LF people. And again, this is what makes it work for us, is that we can get things done. I get to be the sort of loud face of it, but there’s a really great team of people whose wisdom is critical to how we make decisions.

CRob (26:32)
That’s amazing. We have a community helping the community. Thank you.

Michael Winser (26:35)
Thank you.

Announcer (26:37)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS? on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s lots going on with the OpenSSF and many ways to stay on top of it all! Check out the newsletter for open source news, upcoming events and other happenings. Go to OpenSSF dot org slash newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight. And be a part of the OpenSSF community at OpenSSF dot org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #20 – Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

By Podcast

Summary

CRob discusses package repository security with two people who know a lot about the topic. Zach Steindler is a principal engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group. Jack Cable is a senior technical advisor at CISA. Earlier this year, Zach and Jack published a helpful guide of best practices entitled “Principles for Package Repository Security.”

Conversation Highlights

  • 00:48 – Jack and Zach share their backgrounds
  • 02:59 – What package repositories are and why they’re important to open source users
  • 04:17 – The positive impact package security has on downstream users
  • 07:06 – Jack and Zach offer insight into the Prinicples for Package Repository Security
  • 11:18 – Future endeavors of the Securing Software Repositories Working Group
  • 17:32 – Jack and Zach answer CRob’s rapid-fire questions
  • 19:31 – Advice for those entering the industry
  • 21:28 – Jack and Zach share their calls to action

Transcript

Zach Steindler soundbite (00:01)
We absolutely are not looking to go in and say, OK all ecosystems must do X. But what we are is sort of this forum where these conversations can take place. People who operate these package repositories can say here’s what’s working for us, here’s what’s not working for us. Share those ideas, share those experiences and learn from each other.

CRob (00:017)
Hello everybody, I’m CRob. I do security stuff on the internet and I’m also a community leader within the OpenSSF. And one of the fun things I get to do is talk to amazing people that have input and are developing and working within upstream open source.

And today we have a real treat. I have two amazing people. I have Zach and Jack, and they’re here to talk to us a little bit about package repository security. So before we start, could I ask each of you to maybe give us a brief introduction?

Jack Cable (00:48)
Great. Thank you so much for having us on here, CRob. I am Jack Cable. I’m a senior technical advisor at CISA, where I help lead our agency’s work around open source software security and secure by design. For those unfamiliar with CISA, the Cybersecurity and Infrastructure Security Agency, is the nation’s cyber defense agency. So we help to protect both the federal civilian government and critical infrastructure, of which there’s 16 sectors ranging from everything like water to power, financial services, healthcare, and so on. And probably as no surprise to anyone here, all of these sectors are heavily dependent on open source software, which is why we’re so eager about seeing how we can really be proactive in protecting the open source ecosystem.

I come from a background in security research, software development, spent some time doing bug bounty programs, finding vulnerabilities in companies. Gradually went over to the policy side of things, spent some time, for instance, in the Senate where I worked on legislation related to open source software security and then joined CISA about a year and a half ago.

CRob (02:04)
Awesome. Zach?

Zach Steindler (02:13.869)
Yeah, CRob, thanks so much for having us. My name is Zach Steindler. I’m a principal engineer at GitHub. I have a really amazing job that lets me work on open source supply chain security, both for GitHub’s enterprise customers, but also for the open source ecosystem. CRob, you and I are both on the OpenSSF TAC. And in addition to that, I co-chair the Securing Software Repositories Working Group, where we had a recent chance to collaborate with us on the Principles for Package Repository Security document.

CRob (02:40)
Excellent, which we will talk about in just a few moments. And, you know, thank you both for your past, current and future contributions to open source. We really appreciate it. So our first question. Would you tell us what a package repository is and why that’s something that’s important to open source users?

Zach Steindler (02:59)
Yeah, this is something that comes up a lot in the working group, and what we’ve discovered is that everyone has slightly different terminology that they prefer to use. Here when we’re talking about package repositories, we’re talking about systems like NPM, like PyPI, like RubyGems or Homebrew — places that people are going to download software that they then run on their machine. And that’s a little bit in contrast to other terminology you might hear around repositories.

So here we aren’t talking about, like, where you store your source code like in a Git repository or a Mercurial repository, that sort of thing. These patch repositories are widely used. Many of them serve hundreds of millions to billions of downloads per day, and those downloads are being run on developer’s machines that are being run on build servers, and they’re being run on people’s computers who, know, whatever you’re doing on your mobile phone or your desktop device. And so the software that’s stored in these package repositories are really used globally by almost everyone daily.

CRob (04:07)
Thinking about kind of this critical space within critical software here, how does improving a package repository security affect all the downstream folks from that?

Jack Cable (04:17)
Great. And really to what Zach was saying, that’s in part why we picked this as a priority area at CISA, recognizing that regardless, really, of what, say, critical infrastructure sector, regardless of whether you’re a small business, whether you’re a large company, whether you’re a government agency, you’re heavily dependent on open source software. And in all likelihood, that software is being integrated into the products you’re using through a package repository.

So we wanted to see, where are the places where we can have the biggest potential impact when it comes to security and package repositories really stood out as central points where virtually everyone who consumes open source software goes to download, to integrate that software. So it is very central to essentially all of the software that our world relies on today. And we also recognize that many of these package repositories themselves are resource constrained, often nonprofits who operate these really critical essential services, surveying millions of developers, billions of users across the world.

So what kind of can be done to help strengthen their security? Because we’ve seen attacks both on package repositories themselves, whether it’s compromising developers’ accounts or kind of some of these underlying pervasive flaws in open source packages. How can package repositories really bolster their security to make the entire open source ecosystem more resilient? And that’s what we set out, which I know we’ll get much more into the principles of package repository security framework we created. But the goal is to really aggregate some of the best practices that perhaps one or two package repositories are doing today, but we’re not seeing across the board.

Things that can be as basic, for instance, as requiring multifactor authentication for developers of really critical projects to make sure that that developer’s account is much harder to compromise. So some of these actions that we know take time and resources to implement and we want to see how we can help package repositories prioritize these actions, advocate for them, get funding to do them so that we can all benefit.

CRob (06:52)
Well, we’ve touched on it a few times already. Let’s talk about the Principles of the Package Repository Security. Could maybe you share a little bit about what this document’s about, how it came to be, and maybe a little bit about who helped collaborate to do it?

Jack Cable (07:06)
I’ll kick it off, and then Zach can jump in. So really, as I was saying, we wanted to create kind of a common set of best practices that any package repository could look to to kind of guide their future actions, Because, kind of, what we’ve been seeing, and I’m sure Zach can get much more into it with the work he’s led through the Securing Software Repositories Working Group, is that there’s many software repositories that do care significantly about security that really are taking a number of steps that, like we’ve seen for instance, both Python and PM requiring multi-factor authentication for their maintainers, Python even, shipping security tokens to their developers. Some of these actions that really have the potential to strengthen security.

So what the Principles for Package Repository Security Framework is, is really an aggregation of these security practices that we developed over the course of a few months collaboratively, both between CISA, Securing Software Repositories Working Group, and then many package repositories, and landed on a set of four buckets really around security best practices, including areas like authentication, authorization.

How are these package repositories, for instance, enforcing multi-factor authentication? What tiers of maturity might go into this to then, for instance, if they have a command line interface utility, how can that make security really seamless for developers who are integrating packages?

Say, if there is no vulnerabilities in those packages, is that at least flagged to the developer so they can make an informed decision around whether or not to integrate the version of the open source package they’re looking at? So maybe I’ll pass it over to Zach to cover what I missed

Zach Steindler (09:08)
Yeah, the beauty of open source is that no one’s in charge. And people sometimes misunderstand the Securing Software Repositories Working Group, and they’re like, can I come to that and, sort of like, mandate all the package repositories implement MFA? And the answer is no, you can’t, first because it’s against the purpose of the group to like tell people what to do. But also, it’s not a policy-making group. It’s not a mandate-creating group, right? Participation is voluntary.

Even if we were to, you know, issue a mandate, each of these ecosystems has like a rich history of why they’ve developed certain capabilities, things they can and cannot do, things that are easy for them, things that are hard. So we absolutely are not looking to go in and say, OK, you know, all ecosystems must do X. But what we are is sort of this forum where these conversations take place.

People who operate these package repositories can say, here’s what’s working for us, here’s what’s not working for us. Share those ideas, share those experiences and learn from each other. And so when it came to writing the Principles for Package Repository Security document, the goal was not to say, here’s what you must do, but these different ecosystems are all very busy, very resource constrained. And one of the items often on their backlog is to create a security road map or to put together a request for funding for like a full time security in residence position. But to do that, they need to have some idea of what that person is going to work on.

And that’s really where the principles document comes in, is where we’re creating this maturity model, this roadmap, whatever you want to call it, more as a menu that you can order off of and not a mandate that everyone must follow.

CRob (10:50)
That sounds like a really smart approach. I applaud your group for taking that tactic. The artifact itself is available today. You can go out and review it and maybe start adopting a thing or two in there if you manage repository, but also it took you a lot of time and effort to get there. But describe to us what’s next on your roadmap. Where does what does the future hold around your group and the idea around trying to institute some better security practices across repos?

Zach Steindler (11:18)
Yeah, I could start out to talk about the Securing Software Repositories Working Group. I’m not sure I would have had this grand plan at the time, but overtime it sort of crystallized that the purpose of the working group is to put together roadmaps like the principles document that we published. I gotta plug that all the work that we do is on repos.openssf.org. So it’s a great place to review all these documents.

The second thing that the working group is focused on, other than just being this venue where people can have these conversations, is to take the individual security capabilities and publish specific guidance on how an ecosystem implemented it, and then give sort of a design and security overview to make it easier for other ecosystems to also implement that capability. We have a huge success story here with a capability called Trusted Publishing.

So to take a step back, the point of Trusted Publishing is that when you are building your software on a build server and you need to get it to the package registry, you have to authenticate that you have the permission to publish that package namespace. Usually in the past, this has been done by taking someone’s user account and taking their password and storing it in the build pipeline. Maybe you could use an API key instead, but these are really juicy targets for hackers.

So Trusted Publishing is a way to use the workload identity of the build system to authorize the publish. And then you don’t have a API key that can be exfiltrated and broadly used to upload a lot of malicious content. And so this capability was first implemented in PyPI, shortly thereafter in RubyGems.

And then we asked Seth Larson, who’s a member of the working group and the Python Software Foundation security residents to write up implementation guidance based on what his team at the PSF learned and also based on what the RubyGems team learned. And it so happened that NuGet, the package manager for the dot net Microsoft ecosystem, was also interested in this capability, and the timing just just happened to work out perfectly where they started coming to the working group meetings.

We already had this drafted guidance on implementation, and they were able to take that and kind of accelerate their RFC process, adapt it so that it was relevant to the different concerns in their ecosystem. But they’re much further along on this track of implementing this capability than they would have otherwise been if they had to start a square one. So in addition to roadmaps, I think we’re going to be focusing more in the near future on finding more of these security capabilities to publish guidance on to help the package repositories learn from each other.

Jack Cable (14:08)
Yep, and just to add on to that, I think it’s super great to see some of the work that is coming out of the working group. We at CISA held a summit on open source software security in March, whereas part of that we announced actions that five of the major package repositories, including for Python, JavaScript, Rust, Java and PHP are taking in line with the principles for package repository security framework. And we know that this is going to be an ongoing journey for really all of the package repositories, but we’re encouraged to see alignment behind that. And we hope that can be a helpful resource for these package repositories to put together their roadmaps to make funding requests and so on.

But I do want to talk about kind of one of the broader outcomes that we want to help achieve at CISA, and this is in line with our secure design initiative, really where we want technology manufacturers to start taking ownership of, for instance, the security outcomes of their customers, because we know that they’re the ones who are best positioned to help drive down the constant stream of cyber attacks that we seem to be seeing.

As part of that, it’s essential that every technology manufacturer who is a consumer of open source software who integrates that into their products, who profits from that open source software is a responsible steward of the open source software that they depend upon. That means both having processes to responsibly consume that. It also means contributing back to those open source packages, whether financially or through developer time.

But what this also entails is making sure that there’s kind of a healthy ecosystem of the infrastructure supporting the open source communities of which package repositories are really a core part. So I encourage every software manufacturer to think about how they are helping to sustain these package repositories, helping to foster security improvements, because again, we know that many of these are nonprofits. They really do rely on their consumers to help sustain them, not just for security, but for operations more generally. So really we want to see how both we can help spur some of these developments directly, but then also how every company can help contribute to sustain this.

Zach Steindler (16:50)
Jack, I just wanted to say that we are sort of like maybe dancing around the elephant in the room, which is that a lot of this work is done by volunteers. Occasionally it is funded. I wanted to give a special shout out to Alpha-Omega, which is an associated project of the OpenSSF that has funded some of this work in individual package repositories. There’s also the Sovereign Tech Fund, which is funded by, I think, two different elements in the German government.

But, you know, this work doesn’t happen by itself. And part of the reason why we’re putting together this guidance, why we’re putting together these roadmaps is so that when funding is available, we’re making sure that we are conscious of where we can get the most results from that investment.

CRob (17:32)
Thank you both for your efforts in trying to help lead this, help make this large change across our whole ecosystem. Huge amount of downstream impact these types of efforts are going to have. But let’s move on to the rapid fire section of our interview. (Sound effect: Rapid fire!) I have a couple of fun questions. We’re going to start off easy, spicy or mild food?

Jack Cable (17:55)
Spicy.

Zach Steindler (17:57)
In the area that I live, there’s quite a scale of what spicy to mild means, depending on what kind of restaurant that you’re at. I’d say I tend towards spicy, though.

CRob (18:05)
(Sound effect: Oh, that’s spicy!) That’s awesome. All right. A harder question. Vi or Emacs?

Jack Cable (18:16)
I’m going to say nano — option number three.

CRob (18:20)
(Laughter) Also acceptable.

Zach Steindler (18:24)
CRob, always joking about college football rivalries, and I don’t feel a strong personal investment in my text editor. I do happen to use Vi most of the time.

CRob (18:37)
It is a religion in some parts of the community. So, that was a very diplomatic answer. Thank you, Another equally contentious issue, tabs or spaces?

Jack Cable (18:48)
Spaces all the way, two spaces.

Zach Steindler (18:52)
I’m also on team spaces, but I’ve had to set up my Go formatter and linter to make sure that it gets things just right for the agreed-upon ecosystem answer. That’s the real answer, right? It’s good tools, and everyone can be equally upset at the choices that the linter makes

CRob (19:09)
That’s phenomenal. (Sound effect: The sauce is the boss!) I want to thank you two for playing along real quickly there. And as we close out, let’s think about, again, continuing on my last question about the future. What advice do either of you have for folks entering the industry today, whether they’re going to be an open source developer maintainer, they’re into cybersecurity, they’re just trying to help out what advice do you have for them?

Jack Cable (19:31)
I can kick that off. I’d say first of all, I think there’s lots of great areas and community projects to get involved with, particularly in the open source space. The beauty of that, of course, is that everything is out there and you can read up on it, you can use it, you can start contributing to it. And specifically from the security perspective, And there is a real ability to make a difference because as Zach was saying, this is primarily volunteers who are doing this, not because they’re going to make a lot of money from it or because they’re going to get a ton of recognition for it necessarily, but because they can make an actual difference.

And we know that this is sorely needed. We know that the security of open source software is only going to become more and more important. And it’s up to all of us really to step in and take matters into our own hands and drive these necessary improvements. So I think you’ll find that people are quite welcoming, that there’s a lot of great areas to get involved and encourage reading up on what’s going on and seeing what areas appeal to you most and start contributing.

Zach Steindler (20:51)
I have two pieces of maybe contradicting advice, because the two failure modes that I see are people being too afraid to start participating or being like, I have to be an expert before I start participating, which is absolutely not the case. And then the other failure mode I see is people joining a 10-year old project and being like, I have all the answers. I know what’s going on. So I think my contradictory advice would be to show up. And when you do show up, listen.

CRob (21:19)
Excellent advice. I think it’s not that big a contradiction. As we close out, do you gentlemen have a call to action? I think I might know part of it.

Zach Steindler (21:28)
Yeah, my call to action would be please go to repos.openssf.org. That is where we publish all of our content. That also links to our GitHub repository where you can then find our past meeting minutes, upcoming meeting information, our Slack channel in the OpenSSF Slack. Do be aware, I guess, that we’re very much the blue hats defenders here. So sometimes people like, do you need me to, you know, report more script kiddies uploading, you malware to NPM? It’s like.

The folks who are sort of like operating these systems, and so we recognize it’s a small audience. That’s not to say that we don’t want input from the broader public. We absolutely do, but to my point earlier, you know a lot of these folks have been running these systems for a decade plus. And so do come, but do be do be cognizant that there’s probably a lot of context that these operators have that that you may not have as a user systems.

Jack Cable (22:17)
And please do check out the principles for package repository security framework. It’s on GitHub as well as the website Zach mentioned. We have an open ticket where you can leave feedback, comments, suggestions, changes. We’re very much open to new ideas, hearing how we can make this better, how we can continue iterating and how we can start to foster more adoption.

CRob (22:43)
Excellent. I want to thank Zach and Jack for joining us today, helping secure kind of the engine that most people interact with open source with. So thank you all. I appreciate your time and thanks for joining us on What’s in the SOSS? (Sound effect: That’s saucy!)

Zach Steindler (23:00)
Thanks for having us, CRob. I’m a frequent listener, and it’s an honor to be here.

Jack Cable (23:04 )
Thank you, CRob.

Announcer (23:05)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS? on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s lots going on with the OpenSSF and many ways to stay on top of it all! Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS?

What’s in the SOSS? Podcast #19 – Red Hat’s Rodrigo Freire and the Impact of High-Profile Security Incidents

By Podcast

Summary

In this episode, CRob talks to Rodrigo Freire, Red Hat’s chief architect. They discuss high-profile incidents and vulnerability management in the open source community. Rodrigo has a distinguished track record of success and experience in several industries, especially high-performance and mission-critical environments in financial services.

Conversation Highlights

  • 01:08 – Rodrigo shares his entry into open source
  • 02:42 – Diving into the specifics of a high-profile incident
  • 06:22 – How security researchers coordinate a response to a high-profile incident
  • 10:33 – The benefits of a vulnerability disclosure program
  • 11:57 – Rodgiro answers CRob’s rapid-fire questions
  • 13:43 – Advice for anyone getting into the industry
  • 14:26 – Rodrigo’s call to action for listeners
  • 15:53 – The importance of the security community working together

Transcript

Rodgrigo Freire soundbite (00:01)
Who do I ask and to grab by the arm? Man, I need you to, right now, please assess this vulnerability! It’s very important asset to have that Rolodex of contacts and to know the ones to ask for help. You don’t have to the information — have to know who knows.

CRob (00:18)
Hello everybody. Welcome to What’s in the SOSS? The OpenSSF’s podcast where I and Omkhar get to talk to some amazing people in the open source community. Today, I’ve got a really amazing treat for you. Very special guest. My friend Rodrigo from Red Hat. I’ve known Rodrigo for awhile, and we’re here to talk to about a really important topic, kind of, both of us have worked a lot with.

Rodrigo Freire (00:44)
Thanks Chris. Hello. Yes, I had the pleasure to work with CRob for a good number of years and I was in charge of the vulnerability management team at Red Hat. Yes, it was five definitely fun and character-molding years.

CRob (01:01)
So maybe you could share with our audience a little bit about your open source origin story. How did you get into this amazing space?

Rodrigo Freire (01:08)
It’s funny. When you say that I worked with a Linux version 1 dot something, well that pretty much disclosed the age, right? It was back in the 90s. I was working on an internet service provider and there was that multi-port serial adapters for moldings, and that was pretty much the backbone of the ISP. And then sendmail, ISC buying DNS server. And back in the day there was not radios for authentication — it was Cisco stack hacks, so yeah. (Laughter)

I started on the classic ISP admin back in the 90s. That’s when I got involved and then worked in the Brazilian government promoting the open source, and it was interesting time. When the government was shifting from mainframes and going to the to the low platform. And then the Linux as a security thing, and then the Linux was more focused on performance and the security. So this is where I started to wetting my toes in open source software.

CRob (02:22)
So let’s dive into the meat of our conversation today, my friend. We’ve all seen them, and maybe you could share with the audience from your perspective — what is a high profile incident? You know, sometimes it’s called celebrity vulnerability or a branded flaw. Could you maybe share like what is that?

Rodrigo Freire (10:33)
Yeah, definitely. I don’t know how does that translate to English actually. So I live all the way down here in Brazil, but I like to perceive them as like creating commotion. So that’s going to attract media audience and Twitter clicks and engagement and, h my God, look what I found! And in the end, that might be somewhat another Brazilian saying for you guys: trimming the pig.
A lot of cries for very few actual hair.

So you create all that commotion, all that need and so that comes escalating from CEOs, whatsoever, security teams for something that in the end might be some moderate impact or sometimes even something that does not affect some customer systems. So it’s a lot of brouhaha, I would say. However, on the other hand, there are some security events that are definitely something that you should pay close attention to.

So for example, we had the Heartbleed and then there was Shellshock and ghosts. I’ve been over the course of the years, a number of GLIBC vulnerabilities that can elevate you to root, even to the extent that it was even used as a tool to get a root on the system that someone forgot the password. Yes, that happened once, to a customer that shall be renamed unnamed.

And then finally, I think the mother of all incidents that I worked with, it would be the XZ security incident that happened a couple of months ago. More often than not this is something that just created distress with the security people with the good people managing the data center without something that’s really putting the customer at risk. However, on the other hand sometimes, some less often there, will be definitely something that’s really of concern and because the customer should pay close attention for that.

CRob (04:52)
So what do you think the motivation is that last year there were like 25,000 vulnerabilities? What’s your perception of why some of these get a celebrity treatment and others don’t that may be more severe?

Rodrigo Freire (05:08)
I have read somewhere on the internet, over the internet, something more like in the lines that over promoting something for personal gain. That resonated very well with me. On the community industry, there’s a lot of effort that’s put for you to render your portfolio, your reputation across the industry. And so, someone shows on the resume, hey, I was a guy who found the Heartbleed or the Ghost vulnerability.

A lot of people are going to recognize you, oh my God, you found that vulnerability, So yeah, it might be something like that. Sometimes it might not be that intent, but in the end, Chris, I really don’t think that’s not something that’s changed the tide on the security landscape for a good impact, I would say.

CRob (06:00)
Yeah, I would agree. Thinking about you managing some of these high-profile incidents, for our audience, maybe you could shed some light on what goes on behind the scenes when a security researcher comes to an open source project or a vendor like Red Hat. How do you get all the stakeholders together? How do you run these types of things? How do you keep the team focused?

Rodrigo Freire (06:22)
Internally at Red Hat we have some internal prioritization of the CV based on the scale. We use a four point scale. We are not attached to the CVSS score or the ranking. We focus on the product rank for the security issue. Say for example, I use HTTP server, for example, Apache HTTP my system. Alright, so there’s a vulnerability affecting CVSS score in 10, a perfect 10 on CVSS for that.

However, this functionality it’s not exposed on my system or is not use it is not enabled is not supported. Why would I score that as a 10 since it’s not a valid usage on my product? So yes, I would just lump something as not a factor or even a factor, but the impact is low. Putting the customers at a heightened risk, we take that, so this is a Red Hat score as a product. I strongly believe that the the way we rank these vulnerabilities on our product is how the customers should actually be paying attention instead of taking the worst -case scenario in whatever possible use of the component.

I’m not saying that this is not important. It is, it is key. However, we do have people, we have a human operator that’s taking into account how that vulnerability is actually exposed on the product. So I think that’s something very important for the vendors to do. So they take a general vulnerability and then you issue a score for your product. How is that actually exposed on our product? So that said, this is how we select how and went to fix something.

And then, let’s say for example, in the case of a high-profile event, oh man, there was a very ugly vulnerability that showed at the eve of 2022 to 2023. It was December the 21, something like that. It was on the 20s. So we had the company at a freeze and I was working. So the…sorry, this still has to be taken, right? And then there was a KSMDB, it was a kernel SMB server vulnerability. Actually, it was a stream of them that was disclosed by Zero Day Initiative.

That was an uphill battle because in the end it was not affecting RAN because we don’t enable KSMDB on our kernels. So it was not affecting us. However, I needed to get all the techies, all the specialists to assure and ensure because customers questions were starting to pile up. It’s not only RAN had that runs 24-7, our customers as well were surprised. So we have to provide the answers. And then finding the right resources. This is one of the key abilities for everyone managing any security program. So it’s this vast network of contacts and who to ask and who to grab by the arms. Man, I need you to right now to please assess this vulnerability.

It’s a very important asset to have that disclosing the age again that Rolodex of context and to know the ones who ask for help to get information. You don’t have to know the information, you have to know who knows.

CRob (09:55)
Right, and I think it’s really important that some people in the supply chain, like a commercial Linux vendor, are able to contextualize that. Vulnerability may be abstract or not applicable, and I love that, that a lot of folks do that within the supply chain. Thinking about a vulnerability disclosure program, what we colloquially refer to as VDP, it’s important for large projects, and it’s required for a large commercial enterprise.

Could you maybe talk to some of our listeners about what the benefits to their downstreams would be to put the pieces in place to get some type of vulnerability disclosure program together?

Rodrigo Freire (10:33)
So Red Hat has a VDP in progress, so we credit for every finder that comes to us disclosing a vulnerability, we’re going to acknowledge, we’re going to point towards the person who finds this CVE. This is an integral part of our workflow for giving credit to the finder. Of course, we ask the finder, would you like to be credited? How would you like to see that credit get credited?

And also, that’s not only for the CVEs, however, for findings on our infrastructures as well. So for example, on the customer portal or on some catalog or webpage or whatever else they find something at Red Hat, we give credit to every finder. We don’t do bug bounties. However, we have this VDP, so someone is working their way to have a portfolio as a finder, as a pen tester, as a CVE finder. That’s 100% fine. We will give credit.

And then, this is getting adjusted, we will negotiate with the finder how much of time would you want to have that under embargo? So we have all this negotiation with the finder to make something that can accommodate everyone’s need.

CRob (11:48)
So it’s some good points. Well, let’s move on to the rapid-fire part of the interview. (Sound effect: Rapid fire!) Yeah!

Rodrigo Freire (11:56)
Here we go!

CRob (11:57)
First question. Here we go! Are you ready? Spicy or mild food?

Rodrigo Freire (12:03)
Definitely spicy, man. I’ve been to India in November on the end of last year, man. It was the time of my life eating any spicy food to the point of sweating in my head, man! That was a trip!

CRob (12:20)
Nice! (Sound effect: Oh, that’s spicy!) What’s your favorite whiskey?

Rodrigo Freire (12:26)
It’s Talisker. And I tell you what, if you’re having a Talisker and then you drink Blue Label, I’m sorry, Blue Label, that’s going to fade. Blue Label is just going to fade away. Talisker for the win.

CRob (12:42)
Very nice. Next question, Vi or Emacs?

Rodrigo Freire (12:46)
Vi, come on man!

CRob (12:48)
(Laughter) Nice! Rodrigo, what’s your favorite type of hat?

Rodrigo Freire (12:55)
Type of hat? Man, I actually found that, well, my favorite one is actually a Red Hat, right? But after I got a decision to become a bald person, I actually liked being bald and I seldom use any kind of hat, right? So I’m a proud bald, I’d say. On the other hand, it would be just a baseball cap.

CRob (13:17)
OK, fair enough. And last question, tabs or spaces?

Rodrigo Freire (13:22)
Tabs! Show some finesse!

CRob (13:26)
Nice, excellent, excellent. Well, now. (Sound effect: That’s saucy!) As we wind up, do you have any advice for someone that’s looking to get into the field, whether it’s cybersecurity incident response or open source development? What advice do you have for these newcomers?

Rodrigo Freire (13:43)
First of all, play nice. Show respect and make your due diligence. I think everyone is going to embrace you wholeheartedly because no one likes vulnerability. So if you’re going to find new stuff or even help to fix this stuff, show the attitude. So be positive, make your relationship network. That’s important because without it you’re not going to succeed or you’re going to earn some bad reputation as well. Everyone’s already fighting a hard battle, so play nice.

CRob (14:15)
Nice. That’s excellent, fantastic advice. And our last question, do you have a call to action that you want to inspire our listeners to go do as soon as they listen to this?

Rodrigo Freire (14:26)
Yeah, definitely. So, take into account your environment. So, no one likes emergencies. Emergencies are expensive. No one likes emergency maintenance windows. So, get to understand your environment. So, is this CVE, is this vulnerability really affecting? So, can you be that trusted advisor on your organization so you actually can be the person who sets the expectation, the needs of the company?

There’s some pressure from these high profile events from the upper floor asking hard questions. So get to understand your real need so you can actually schedule something that will not hurt your team or your availability or even the stability of your environment. And finally, I would say ask questions. So ask your vendor or your account reps or your consultants. So yeah, if you’re in doubt, go ask your questions. And I think I am positive that they are going to ensure you that you have a secure and stable environment.

CRob (15:38)
Excellent. That’s, I think, some great advice from someone that’s been there on the front lines helping fight the good fight for downstream and representing its customers. Rodrigo, thank you for joining us today on What’s in the SOSS? Really appreciate you coming and talking to us.

Rodrigo Freire (15:53)
Thank you, Chris. And one last word I would like to stress here. So on the security discussion, there’s no Red Hat. There’s no Canonical. There’s not Oracle. No. We all collaborate very closely when it gives regard to security issues. We are in close touch to everyone. Everyone knows each other. So there’s no, Red Hat’s only playing ball alone. No such a thing. I got to tell you guys, the XZ security incident was first disclosed to Debian and then Debian got in touch with us and then we started the coordination. So, yeah.

CRob (16:32)
I love that about our community, the fact that we all come together and able to put our colored hats to the side and come together and collaborate.

Rodrigo Freire (16:37)
Exactly, mister!

CRob (16:39)
Excellent. Well, thank you, Rodrigo. Have a great day.

Rodrigo Freire (16:42)
Thanks, Chris.

Announcer (16:43)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at openssf.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?