Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

search
Category

Podcast

Jul 01
Love0

What’s in the SOSS? Podcast #34 – S2E11 From Lockpicking to Leadership: Tabatha DiDomenico on Security, Open Source, and Building Community

By Podcast

Summary

In this episode of What’s in the SOSS?, host Yesenia Yser sits down with open source security engineer and community leader Tabatha DiDomenico for an inspiring conversation about her unexpected path into open source, the vibrant communities behind security, and her role as president of BSides Orlando.

From discovering Netscape in the early days to shaping security strategy at G-Research and OpenSSF, Tabatha shares how her career evolved from necessity to purpose. She talks about the power of DevRel, the invisible work behind sustainable open source, and the magic of volunteering – pro-tip: working the registration table is great for networking.

Whether you’re new to the ecosystem or a seasoned contributor, this episode is packed with insight, warmth, and practical advice on getting involved and staying connected.

Topics Covered:

  • The accidental beginnings of an open source career
  • How DevRel supports healthy OSS ecosystems
  • Building internal open source culture through innersource
  • The impact of local security communities like BSides
  • Advice for contributing, volunteering, and thriving in open source

Conversation Highlights

00:00 The Journey into Open Source
06:10 Current Projects and Roles in Open Source
11:57 Involvement with B-Sides Orlando
18:07 Understanding Developer Relations in Open Source
27:08 Rapid Fire Questions and Final Thoughts

Transcript

Intro music (00:00)

Tabatha (00:04)
I immediately felt at ease. And I was like, oh gosh, people think, just like me, they, you know, they are curious. They want to break things, they want to put things back together again, and they’re just so generous with their time.

Yesenia (00:18)
Hello and welcome to What’s in the SOSS? OpenSSF’s podcast where we are talking to interesting people through the open source ecosystem. My name is Yesenia Yser. I’m one of your hosts and today we have an incredible treat. I’m talking to a close colleague and an open source extraordinaire, Tabatha DiDomenico, a security engineer that works on our open source. Welcome Tabatha. Welcome to introduce yourself to the audience.

Tabatha (00:47)
So thank you so much for having me today. My name is Tabitha DiDomenico. I am an open source security engineer at G-Research. And it’s been exciting to be a part of OpenSSF in various working groups and capacities over the past couple of years.

Yesenia (01:04)
Welcome. So glad to have you and we’ll start off with one of my favorite questions. Can you tell us about your journey in open source? What sparked your interest and just how has it grown over time?

Tabatha (01:14)
So this is an interesting question. feel like when I reflect on my journey in open source, it doesn’t quite look like a journey because it was not an intentional thing. When I first began using open source, it was out of necessity. It’s what was available, probably thinking back to Netscape days. And that’s probably my first actual awareness that something was an open source project. A lot of the work that I did at the time, the organizations that I was with, the products that we used internally to power various organizations, we selected them because they were free and happened to be open source. when I think back to how has it been a journey over time, it’s become more intentional. My interest in open source has definitely become an intentional direction that I have set for my career.

You know, when I think back to those early days and using open source out of necessity rather than a desire to be, give back or to be part of something larger than myself or, and there was none of those sort of in intrinsic, lovely motivators that we had. was really just out of necessity. and over time I was fortunate enough to, to be in a position to work with WordPress. and that was sort of the next evolution of, of my engagement in open source. I had built a small agency for myself during WordPress development, website development, and also maintenance, and just getting familiar with the community and the resources that were available. It was not something that I had ever seen from any commercial software that I had been a part of. The large corporations don’t necessarily build these beautiful communities around their paid products. Some do.

But it’s incredibly rare, right? And so when I’d seen this, you know, that there was these word camps and that there was these hyper local conferences and events that people came together because of love for the product, love for the community, that was really compelling to me. From there, I had the incredible opportunity to actually get paid to work on open source through a product called the Dradis Framework, which pen testers in the security community may be familiar with, because it’s an open source penetration test writing tool – where it kind of got at start. The founder of the company is originally a pen tester, wrote this tool in-house. All of the other pen testers began using it. it was one of those products that once he open sourced it, the community thought, wow, this is really great. You’ve got something incredible here. Other people begin using it. It sort of became the case of, you know, if you build it, they will come, your users will come, but then the problem began of, how can you support this product in your spare time and still have a life? know, so that’s when, when he began to look into, you know, releasing it as a commercial product as well. and so that, you know, seeing the, that how community can build around open source and having a hand and starting to shape a community around a product and build a community around a paid version of a product, it further expanded my understanding of how open source can work and how open source can work in business. And then, and now I’m here with G-Research and working with organizations like the Linux Foundation and OpenSSF, going to events like FOSDEM and seeing the scale of open source and, you know, in our world and, and knowing that I I’ve involved somehow, it feels really cool. So, you know, now it’s definitely intentional. get paid to work in open source. it doesn’t necessarily look like me just, you know, writing PRs and pushing them all day long. Cause my work looks different. and that’s great. Cause it’s needed. Yeah. I’m not sure what else to add to that except for it’s been an incredible opportunity to witness the scale of open source and to get an understanding of the breadth of it. It’s fascinating to me and a lot of the challenges that we face in security around open source are complex and not easily solved and I like those kind of problems.

Yesenia (05:53)
Yeah, and just like you said, the scale of it just from, I think my first open source conference to like the latest, like just the number of tendons and people that are aware of them. It’s really great to see in the community. you know, thank you for your contributions and impact to make that happen. With that, I know you just mentioned earlier that you’re starting, you know, a new role. So I’d love for you to share any projects you’re currently working on and just what excites you the most about it.

Tabatha (06:22)
So a lot of my role, a lot of the work in my organization is, I feel like more of like an ecologist than anything else, an open source ecologist. How do I, while my title is open source security engineer, a lot of the work that I do is to support and be good, help our organization be good stewards of the open source projects that are important to us or that we value in some way. And so how do I speak for an open source project in their community and ensure that how we’re interacting with that community is appropriate, that our vision aligns with the vision of the community itself and the direction of the product of the open source component and how do I, know, how can I best connect our internal resources with projects that I see could benefit by that support is sort of the crux of my work and to making it, how do we responsibly and securely contribute and participate in open source ecosystems? It is, it is. And especially if you have a culture and an organization that’s not necessarily

Yesenia (07:42)
It’s big challenge in scenarios today.

Tabatha (07:45)
the most familiar with working in an open source way. So some of our recent projects have been, you know, looking at, you know, perhaps an inner source initiative and getting our starts start there and, and encouraging folks that have never contributed to an open source project before a bit of confidence in working and collaborating with others in an open source way internally before they take that next step and start thinking about pushing things upstream.

Yesenia (08:20)
Yeah, because it’s interesting because it’s a whole different culture when you’re going from internal into an external phase. so building that culture inside to then take it out, I think is a smart way and approach to do it. Yeah.

Tabatha (08:34)
Yeah, yeah. So that’s been, that’s been one of the very fun project to work on and just like I said, connecting folks with projects and solutions that I believe will solve the challenges they’re having or can help point them in a better direction to solve the challenges that they’re having.

Yesenia (08:53)
Yeah, and outside of that, it just sounds like you do a lot for open source, but you know folks like us we just add more hats to ourselves. You are the president of BSides Orlando. It was a great conference. Definitely attended last last year’s and I’m sure you are preparing for this year. How did you get it? You have to your head. How did you get involved with the organization and what’s next on your agenda for that like?

Tabatha (09:21)
So this is a fun story and speaks to more how I really embraced that I was working in security already without it being so much of a title as I was invited to attend Security BSides Orlando 2014. And just to back up for our audience here, that may not be familiar with the Security BSides framework. It was born, I believe, in 2011. And it comes from the desire to elevate additional voices, to get folks involved in participating in information security, and to create space for newcomers and to bring smaller, have smaller events that are more local to a community, to bring speakers in to that community. I’m not explaining it well. I’d like to probably try that again. So the BSides security BSides framework started in around 2011 and it was a group of individuals that recognized that there was a number of speakers that kept returning to the stages of the larger security conferences. And so they looked to have a BSides version of those larger security conferences that was organized by the community that brought people in and speakers and information in that the local community wanted to hear or needed to hear by the, by the judgment of the organizers, and has grown from there. It is not an official organization that’s like run globally. There’s no, you know, contract that we have to sign. don’t pay dues up to any sort of umbrella organization. It’s a, while there is an organization in, know, that’s registered as Security BSides each Security BSides event. And I believe the last count or last look.

I looked at it was over 200 events annually around the world is organized by the community in that area. So it’s, it makes it it’s a community’s conference is how I think about it and how I discuss it when we’re, when we’re talking about planning security besides Orlando. So as I was, I was getting back to wanting to share was my story is how I got involved.

I was invited to attend. A friend of mine had been telling me for a while that I was doing security, that I should consider looking into security as a career change for myself and to maybe go that direction. And if nothing else, that I would enjoy the community. So I attended BSides Orlando 2014. And I’ve shared this story on stage a couple of times. I picked my first lock at that conference and it’s like the lockpicking village to information security job pipeline just took hold. But it was more than that. It was more than just picking lock. It was the willingness of the other attendees and the organizers to share information. It was, I’m getting chills now thinking about it.

Yesenia (12:01)
You got me chills. like, I’m gonna, I am like,

Tabatha (12:03)
That’s how I felt as I walked in and I was greeted by John Singer Who who I don’t know if you know John Singer But he it feels like everybody knows him at least yeah, especially if you’re in the Florida cyber security world It’s hard not to know John Singer but either he was just so welcoming and here’s this guy who was organized this this huge conference in this area and and my first interaction with him was nothing but just welcoming and it’s so, it can be so scary when you’re walking into a new environment like that, a new space, even if you have somebody encouraging you to be there and with you. but I immediately felt that ease and I was like, my gosh, these people think just like me, they, know, they, they are curious. They want to break things. They want to things back together again. And they’re just so generous with their time with the goal of.

Yesenia (12:57)
Mm-hmm. helping others.

Tabatha (12:58)
Helping others, yeah. mean, there’s no, yeah, hacking is, you know, that’s cool and it’s a cool thing to be involved in, but it’s more than that. know, for the folks that I’m drawn to and for the communities that I’m drawn to, there is this sense of, yes, I need to do this work and also I’m doing this work because it is meaningful to me and I recognize that this meaningful work, despite our differences, is bettering your life too. And I think that’s great.

Yesenia (13:31)
Yeah, it’s one of my favorite things about the security communities. You one of the first communities I got involved in was security and everyone was so welcoming that I was just, I was always applauded when they’re like, you know, they knew all the negatives in the space. And I was like, really? Everyone’s been so welcoming and nice and the tech community and open source like that. So I definitely resonate with that. And lockpicking was one of the first things when I started security, they’re like, you can’t start.

You can’t start your first ticket until you lockpick this. So they gave me like a kit and like three different locks and levels and they’re like, all right, we’ll start you off though. So if anyone’s interested in security, you you got to pick your first lock. You got it.

Tabatha (14:20)
Yeah, I think that’s the, that’s, that’s the direct route I took all the time, but I, I’m sure that there’s others out there that have gotten their start in cybersecurity after, after picking their first lock at a BSides event, just like I did. but yeah, it’s, it’s, I know that, that it exists. know that toxic behavior exists in information security and obviously, know, in my time, you know, in the years that I have been involved, in, this industry I have seen the numbers improve with regards to diversity and folks being accountable for their actions and holding others in the community accountable for their actions. So I don’t want to discount that it can be a difficult place sometimes, both working in security and working in the open source world. But by and large, that has not been my experience. My experience has been more similar to yours, where most of the folks that I have engaged with have been more than happy to sit with me and explain a difficult concept or a new approach or most of the time they’re just excited to share whatever thing they’re nerding out about and yeah.

Yesenia (15:27)
That’s it, we just wanna geek out with one now. Like, my god, did you see this new cool thing? Let’s play with it.

Tabatha (15:33)
Yeah. Yeah. We figured out this new way of doing things. can enumerate blah, blah, blah faster. Like, let me show you to do. Okay, great. You know, um, or if I’ve got questions, they’re, they’re always more than, more than willing to, to jump in and help. Um, and from, yeah. So from there, uh, I, I think that was, like I said, it was 2014 later that year. went to my first DEF CON, which is a whole, uh, a whole thing. It’s a, and I found much the same thing. You know, I found, I found that.

The community was very welcoming and here’s all these people that, you know, have lived very different lives and have very different experiences from my own. And still we’re, we’re aiming to solve similar problems and working together seems like the best way to do that. that year, funnily enough, I had worked with others that had been working. So I went to hacker summer camp that year, that first time.

with others that were paid to do security. That was their job, right? I was still there on my own dime. And there’s a conference, there’s a couple of conferences earlier in the week. One of them is Black Hat, and Black Hat is, you know, the more corporate version of the security week, other security conferences out there. And I couldn’t afford to go. So I looked around and I was like, well, surely there has to be a BSides or something. So I looked at the BSides Las Vegas and they were still receiving volunteer applications. I applied and I volunteered that first year at BSides Las Vegas and I was hooked. That was all it took for me to just fall in love even further with the security community. And from there, it was a couple years before I could come back and get engaged. it was 29 BSides Orlando 2019. I came on as staff and I ran registration desk for the event that day. And night.

If you want to meet everybody at the conference that you are attending, I recommend volunteering to work at the registration desk, because that is a fast track networking opportunity. And from there, I became on board in 2020. And then I was nominated and elected to take over as the president of BSides Orlando. I think it was the next year. We were still not quite cleared from COVID to be able to have an on-site event.

But 2022, we returned on site and have been organizing an event annually since then. this year will be my fourth BSides Orlando event as the president. Yeah.

Yesenia (18:09)
Nice. Yeah, it was a great event. I had so much fun there. I did the badge soldering. I went to everything. Thank you for sharing that. was such a… And for those that… I know you had mentioned Hackers Summer Camp, just for those that aren’t aware, Hackers Summer Camp is a week long in Vegas where there’s multiple security conferences. You have Black Hat, BSides, Def Con, Squid Con.

Tabatha (18:33)
Dianna Initiative.

Yesenia (18:35)
And Diana initiative there, there might be others that pop up. I know hacker in heels. They have their own salon that kind of runs there too, for like women networking events in cybersecurity. So if you’re a security professional, those are. Yeah. Worth the money.

Tabatha (18:48)
So definitely check it out. There’s a lot of ways to get out there too if you don’t have the funds to attend and maybe we can share some of those resources at some point.

Yesenia (19:00)
Yeah, maybe in the description, we’ll figure that out. I know you just transitioned over to security engineer, but before that you were doing dev rel developer relationships. And this is kind of like a new space just over on the industry with the last couple of years. What role does dev rel play in open source ecosystem? just someone new that’s coming in, if this is something that interests them, how could they get started and start contributing meaningfully?

Tabatha (19:22)
That’s a great question. DevRel is a bit challenging to sort of define, because each organization does Developer Relations a little bit differently. I know for our organization it, it really, like I said before, it’s sort of acting as the ecologist between the open source ecosystems that we’re involved in, our internal communities and engineers and, you know, acting as sort of the steward between the two, for what that actually looks like in practice, it’s for my job. Up it was it is to be good stewards of the projects that we publish and to ensure that the work that we’re putting out in the world is as high quality as possible, that it makes it that, that the project is ready to receive users, contributors, even would be lovely for many of these projects, and those sorts of the sort of work that needs to be done to in court, encourage new adoption of a project, or to encourage new contributors, or to encourage an existing contributor, to consider Thinking about becoming maintainer and taking on additional responsibility. It requires somebody who’s not necessarily bogged down in doing triaging PRs and doing code reviews. It takes time away. It takes time to sit down and be thoughtful about how do we want to encourage contributions? Do we have a solid contributing guide? Do we have it? Do we make it clear how to get started with even an issue? Do we make it clear on how to be involved in this project? Advocacy for a project, if you recognize that there’s a project that needs just more awareness, like I said before, not all projects are like greatest where you build it, they will come oftentimes, projects you know, that are either a hobby project or something that’s new. It needs that, that awareness building you need. It’s difficult to stumble across a new project, sometimes, just because of the there’s so much out there, you know, how do you make heads or tails of it. So doing work for advocacy, doing work where I’m advocating for various frameworks, perhaps that like open SSF has established through something like s 2c 2f to understand how to best consume open source into your into your organization, advocating internally for using additional things like salsa, you know, and understanding the different different paths to Sally and how that could interplay in your organization. Or even, you know, going out and talking about Sally so other or people at that work at other organizations have knowledge of these various tools, frameworks and projects that are to are there to enable folks to do the work of building open source and being secure while doing while working in open source.

Yesenia (22:36)
Yeah, it’s awesome. I know OpenSSF has the DevRel community meeting that happens once a month. I think it’s a great call for folks that are interested to come in and see what the group is working on.

Tabatha (22:49)
Yeah. And there’s lots of opportunities. know, each of the, each of the working groups that OpenSSF has, there’s brilliant people working on solving really challenging problems. Once those problems are solved, technically there’s still is this, this bit of advocacy that needs to happen there. You you have to take that project and then promote it a bit to get more adopters because without feedback on how this actually works in practice, it’s, you know, it’s not always, you’re not getting the best product project or outcomes because the diversity of opinion is so low. And there’s many different ways to solve all of these problems. So the more of us that come together to share how this works in practice, the better we can make it for all of us.

Yesenia (23:31)
And test it too, I think you just got into a good point. Sometimes we just need people to use it and see, does the guide make sense? Like that was one of the things that hurt me the most when I would pull a new open source tool was the user guide. And I’m just like, they had all these dependencies installed and I had to figure out which ones to install. And I’m like, can we just add this? Like, what do I need installed before? If I got a brand new computer, what do I need? know, just to start. cool.

Tabatha (24:00)
Yeah, that’s one of those things. We work with major league hacking, MLH, and I have a Developer Relations fellow each semester. Yeah, great Org If your organization has the ability to get involved with MLH, I encourage you to do so. And if you’re listening to this and you’re a candidate to become an MLH fellow, I encourage you to do it. It’s been, every single one of the fellows that has come through our doors has been just top notch.

So that aside, it can be a challenge to introduce DevRel to somebody who’s young and excited about working in open source and they’re chomping at the bit to solve their first technical issue and get to coding, right? And then you have to break it to them. That’s not what we’re doing. We’re doing all of the other stuff, the in-between stuff that has to get done in order for people to actually use this.

Uh, and then, you know, they’re just kind of like, Oh, well that, that doesn’t sound nearly as interesting. And then I, I’ve, then I, you know, I kind of do this thing where I’m like, well, do you use any open source in your, know, in your own time and your hobby projects? Have you ever released anything? Do you, you know, have you ever gone and tried to play like an open source game? Is there anything that you’ve seen before? And sometimes they’ll come in and we’ll have, you know, definitely a very clear opinion about open source.

And sometimes they’ll come back and look at it, you it just kind of is the thing. But inevitably I always hear back that they have a greater appreciation for good documentation after having worked with us to do DevRel because they see the value in it now. They understand that it doesn’t just happen. There’s no just like running AI on it to generate, you know, quality documentation. Maybe somebody out there has a tool that does it brilliantly now.

But it’s unlikely. There’s always nuance to these things. So I think that exposure to DevRel creates a different sort of appreciation for the invisible work, the labor that has to go into open source in order for it to flourish and thrive and to give open source projects the best chance at success in the environments that they’re in.

Yesenia (26:16)
There’s so much behind it people just think it’s coding. I’m like no we can use so much more help Great let’s move on to the rapid-fire part of the interview I’m gonna shoot the questions first comes mine and we’ll keep flowing. So first question Star Wars or Star Trek?

Tabatha (26:21)
Star Wars.

Yesenia (26:30)
Early bird or night owl.

Tabatha (26:42)
Ooh, both, depends on the day.

Yesenia (26:45)
Okay, I’ll take it. get that. get that books or podcasts.

Tabatha (26:51)
I would say, see, I finished a master’s program a couple years ago and I’m still recovering from having to read all of that. That’s happened to every time I’ve gotten a degree. So I’m going to go podcasts, but normally in better, not, not graduate level brain still, it would be books. Yeah. Yes.

Yesenia (27:10)
Yeah, your brain burns out. I get that. Like, it’s just recent where I’ve been able to like pick up a book and like, pretty much become addicted to it. Like, I can’t do anything else until I’m done with the book. It’s great.

Tabatha (27:21)
That’s great. I miss being at that level with a new book. So hopefully soon.

Yesenia (27:27)
Took me years. I couldn’t pick up books, but I have a huge library. Last one, spicy or mild food.

Tabatha (27:33)
spicy, absolutely spicy. Yeah. Yeah. I grew up between, I grew up between Texas and South Florida. So it’s spicy all the way.

Yesenia (27:44)
You got it, best of both worlds. Well, thank you for your time. I want to give you space to leave any last minute advice, thoughts for the audience.

Tabatha (27:54)
I’d say any last minute advice or thoughts. I would say get involved. Don’t be afraid. It’s not as scary as it seems and show up in person if there’s an event near you. Excuse me. Let me try that again. So I think that.

Tabatha (28:39)
I think my final thoughts on this would be to get involved in the community because that’s really where I have found the most benefit for myself personally. Reach out, get an understanding of the project. If you’re curious about getting involved and you’re a little nervous to get started and are unsure, even if those good first issues look too scary to you, hop on a community call. If there’s a contributing call, just go and lurk. Attend something where you are engaging in other people engaging with other people and not only the code base because that’s really where you’re going to get more insights on how everything gets put together, how everything works, how the project works and how the community works together and whether or not you actually want to be a part of that community before you get involved. So I say jump in.

Yesenia (28:39)
Totally jump in and volunteer for events too. think that’s another great volunteer. Well, thank you for your leadership and contributions to our communities. You know, many thanks to our listeners and our open source contributors and the community of folks that help drive all of our projects forward. Tabatha, I appreciate your time today and I look forward to seeing all your impact in 2025. Thank you.

Tabatha (28:44)
Volunteer friends. Yeah, absolutely.

Tabatha (28:47)
Thank you, Yesenia, It was great chatting with you today.

Jun 17
Love0

What’s in the SOSS? Podcast #33 – S2E10 Bridging DevOps and Security: Tracy Ragan on the Future of Open Source

By Podcast

Summary

In this episode of What’s in the SOSS, we sit down with longtime open source leader and DevOps champion Tracy Ragan. From her early days with the Eclipse Foundation to her current work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF, Tracy shares her journey through the ever-evolving world of open source security.

We dig into the importance of configuration management, what DevSecOps really means, and how projects like the OpenSSF Scorecard and Ortelius help make our software supply chains more transparent and secure. Plus, we tackle the education gap between security pros and DevOps engineers — and how we can bridge it.

If you’re curious about building more secure pipelines or just want to geek out about SBOMs and OpenSSF Scorecard, this episode is for you.

Conversation Highlights

00:25 – Welcome + Tracy’s Open Source Origin Story
02:00 – Early Days at the Eclipse Foundation
03:10 – DevOps + DevSecOps: Why It Matters
04:20 – Explaining the DevOps “Factory Floor”
06:00 – DevOps Pipelines as Security Data Engines
07:50 – What Is the OpenSSF Scorecard?
09:30 – Ortelius: Aggregating DevOps + Security Insights
11:20 – The DevOps Budget Problem + Exposing Insecure Packages
13:00 – Why DevRel Is Critical for DevOps Security Education
15:40 – Crossing the Divide Between DevOps and Security Teams
16:10 – Rapid Fire: Editors, Mascots & Spicy Food
17:30 – Final Call to Action + How to Get Involved

Transcript

CRob (00:25.07)
Welcome, welcome, welcome to What’s in the SOSS. The OpenSSF podcast where we talk to the amazing people that help make this open source ecosystem for the benefit of everybody. Today we have a real treat: friend of the show Tracy Ragan is here to talk with us about several topics near and dear to her heart. But Tracy before we dive into the exciting technology, can you maybe give us a little bit of information about your open source origin story?

Tracy Ragan
man, which one? When I first started getting involved in open source was the Eclipse Foundation. The Eclipse Foundation was my first foundation in open source and was really the beginning of me understanding what open source was and why it’s important. This was during my Open Mac software days and I think IBM was looking for a woman to be in the room.

To be honest. one of them reached out to me and said, hey, we need somebody technical to add to this board. Would you be interested? And I said, sure. So I went on an honesty of, I always think I was number five or six on the original Eclipse board. I actually even did the help doing the interview and chose Mike as our fearless leader. So I’ve been doing open source for some time, really, and been on these boards for a good part of my career.

CRob
That’s awesome. And it’s like super helpful being able to steer a significant part of the ecosystem through that board membership.

Tracy Ragan (02:07.234)
Yeah, and open source boards are a beast of their own to be quiet on. Because they get so big, and that’s good, but sometimes it can be bad and it can be hard to navigate, but it seems to always work out.

Right.

CRob (02:21.038)
That’s great. So you’ve been doing open source for quite some time and what types of projects are you engaged with more frequently this time right now?

Tracy Ragan
So, you know, I keep my foot in two realms. One foot is in the open source security foundation and the other is in the continuous delivery foundation. I’m a DevOps person. That’s who I am. I have been doing configuration management and whatever you want to call it over the years has gone through so many ridiculous acronyms. But when we really boil it down, it’s still configuration management and getting code from Code to Cloud, let’s just call it that. So I lead an open source project at the Continuous Delivery Foundation called Ortelius, and we’re going to talk a little bit about that. But I also try to keep involved in the open source of the OpenSSF as much as I can. And of course, I get involved in things like the Security Tooling Working Group.

I’m working with Ryan Ware over there too, because that really falls into my area of expertise, right? If it has the word tooling, I’m interested. Because I’m a DevOps person, you know? Is there something I should be adding to my DevOps practice? And then I’ve been involved in DevRel and I’m on the marketing committee and I help lead some of the initiatives at the OpenSSF is working on. But really where my heart is is in between, it sits in between DevOps and open source security. And we can call that DevSecOps if you want, we could all call it DevOSSOps. So that’s what I’ve been working on for the last four years.

CRob (04:21.805)
To go a little bit off script since you opened the door for our audience. Could you maybe explain a little bit more about DevOps and kind of why it’s important for open source communities to have this capability?

Tracy Ragan
So we all have a factory floor that we run. moving code from, if we talk about the software supply chain, let’s just talk about it from that perspective. We are pulling in packages, whether it be an enterprise piece of enterprise code or open source code or something the government’s writing, we pull in these packages, these transitive dependencies that we don’t necessarily understand. We just know we have to have them.

And that’s the way life is. We’ve built this ginormous, I like to call it a Death Star of open source packages and dependencies that we use. We’ve done that over the course of the last 15 years, and we’re not going back. So DevOps, the idea of continuously integrating and continuously deploying code out to end user consumers. We won’t identify what that consumer is. It could be a developer consuming your code, or you could be delivering software to an end user that’s running a mortgage application. When we do that, we have traditionally focused on just being able to execute build and deploy scripts, which is really important.

Gathering the information from the build and deploy scripts is really critical right now in where we are right now in tracking vulnerabilities. Because it shows two things. The build scripts, if we’re doing an SBOM, and please do, shows us the packages we’re consuming. And the deploy script shows where we’re deploying them. So the DevOps, you know, the DevOps pipeline is important, but the data that it generates is critical right now, absolutely critical. So we should all be doing some level of DevOps, but in my mind, we should all be gathering the DevOps information and making it actionable. So we have a lot to do in terms of evolving where we are in the CI, CD world and the continuous delivery foundation and where we believe this kind of technology, how it should evolve.

In my mind right now, we have so many things that we’re working on. AI is chasing us. We have vulnerabilities we’re worrying about. And right now, we haven’t done a whole lot to evolve the DevOps pipeline. So that’s why I talk about it as much as I can. Because that’s where we’re going to find vulnerabilities and fix them. Otherwise, we’re not going to do that.

CRob
Absolutely. And to bridge these two worlds, you recently helped write a blog about our OpenSSF Scorecard, which is a tool that consumers can use to kind of understand the security qualities of software. Could you maybe talk a little bit about your blog and what you were trying to educate folks about?

Tracy Ragan
So we have several really awesome tools at the OpenSSF, one of which is one of the first ones that we came out with. Jamie Thomas kind of spearheaded this called the OpenSSF Scorecard. And what it does is it goes through and it evaluates your repo on certain characteristics.

if I can think about them, dependency management, security configuration, your quality of your code, access control, documentation, if you’re using a CI-CD tool, if you have actions, security practices. And it gives a score for each of those areas to try to define what the… This is the closest we’ll have to compliance in the open source community. Compliance is critical.

Tracy Ragan (08:26.754)
but how do you enforce compliance? But one way is we can evaluate it. So OpenSS Scorecard, I have found to be a very interesting project and as I have pointed out, one of the first of the OpenSSF, which doesn’t mean it was new and it needed extra work. It is about as complete as you can get for doing compliance around open source repos. So…

We at Ortelius, so Ortelius is an open source project incubating at the Continuous Delivery Foundation. We started incubating there before the OpenSSF was formed. And what we do is we gather all that critical DevOps data from the pipeline. Okay, so we like to call us an evidence store. And part of what we gather is the OpenSSF Scorecard.

So if you’re a consumer and you want to know the score of the packages that your application is consuming, Ortelius can provide that information to you. And not only that, what it does is it aggregates. So if you’re working in a decoupled architecture, you’ve got 100 containers that you’re building, and each one of those containers has code, and each one of those containers have an OpenSSF Scorecard, and the packages within them have a scorecard.

We’re aggregating that data up to the logical application level so that you begin seeing what you’re consuming at the time that you consume it. Now there are a lot of tools out there that help manage open source packages. The secure software development framework tells us we should have a repo of the packages that we want to make sure that people are not using and people are the ones that we are approved to be using, but they still need their scorecard. We still need to understand that. And to be quite honest, not every organization out there is using a repo that tracks your open source that you’re using. What can we, you know, the way we looked at the problem was what can we do to, you know, most DevOps engineers don’t have budget.

They have no budget authority. In fact, I’ve seen a t-shirt that says that, no budget authority, right? So what can we do to make open source more secure through open source? Well, OpenSSF scorecard is one of those ways. And one way to see it, because it’s hard to aggregate this information unless you try to dig down to every package and look at their scorecard, is to expose it.

And by exposing it, we are showing people that the packages that they’re consuming, are they trying to be compliant or not? And unfortunately, CRob, most of them are not trying to be compliant yet. And I don’t want to be like, you know, I go to hockey a lot. And one of the things you do at hockey, if you get a penalty, you do shame, shame, shame. But in a way, you know, if you’re looking at Ortelius and you’re seeing all these packages with a zero scorecard value,

We’re kind of exposing it. And I would like to be able to, you know, we could evolve a scorecard to say, you know, let’s highlight the packages that have a seven or a six and above. Because to be quite honest, it’s a test to be able to achieve it. But every single one of those in that test, except for maybe, I think fuzzing can be really, really hard, is totally doable.

And I would encourage any open source community or if you have a package that you’re managing, know, give it a scorecard, go through it. It’s not hard to install. It’s going to start tracking things. But then when you go to have to do all the things that it’s tracking, it’s much more difficult to comply. But we need you to do that at this point in time.

CRob (12:27.64)
So you touched a little bit about your involvement with our DevRel community and it kind of touches into DevOps. Why is DevRel important and how does it help us encourage things like scorecard use?

Well, to be quite honest, I think the person who’s doing the best DevRel right now is Mr. Wheeler with all of his education, right? Education is what we need to do right now. David has done an amazing job of getting his education out on cybersecurity. DevRel has been in OpenSSF for me. It’s been really hard. And one of the reasons is because the tools, this is where I see the disconnect.

The tools that the OpenSSF is creating, and we have created a bunch. There’s SBOM tools. There’s a ton of new open source projects. They need to be consumed by the DevOps professional, because many of them are command line driven. They have to be executed for every workflow, like an SBOM, for example.

But on the flip side, to be quite honest, I talk to DevOps engineers all the time and they haven’t even thought about what it would look like to add a SBOM to the pipeline. We don’t have that big of an adoption of many of the security tools that’s coming out of the OpenSSF and it’s hard to keep track. It’s hard to know what they do. And it’s hard to update DevOps. Jenkins workflows or a CircleCI workflow, whatever tool you’re using, it’s hard to update those workflow files.

Tracy Ragan (14:11.884)
And there’s a lot of them. There’s thousands of them.

So if you’re in a monolithic environment and you want to add an S-bomb to your workflow, that’s fairly easy. But if you’re in a decoupled Kubernetes microservice container environment, you’ve got a lot of work to do to do some simple things like an S-bomb, much less scorecard. So these conversations are really important to the DevOps. We need to educate the DevOps engineer. It’s not necessarily just educating the developer.

We push so much stuff on the developers lap, even though the education that’s coming out of OpenSSF is great. However, we’ve got to do the same thing now for DevOps engineers.

CRob
Absolutely. initiatives like DevRel can help provide that education and give a forum where folks can talk through some of these issues, correct?

Tracy Ragan
Yes, but oftentimes what I have found that in our, in security dev rel, we’re almost, we’re in an echo chamber. So when we talk about security, we get people who are interested in security and they like to talk about SBOMs. It’s probably our favorite thing to do. But the one thing that we’re not doing is getting DevOps engineers to talk about SBOMs and why they’re important.

Tracy Ragan (15:40.524)
So somehow we have to cross the divide and we have to get a handshake between these two organizations. And you know what? It’s not just within the Linux Foundation with the CDF and the OpenSSF. It’s in every single company I have ever spoken to, there is a divide between these two teams.

Tracy Ragan
Well, I look forward to collaborating with you to try to see how we can help adjust that. Let’s move on to the rapid fire part of our interview. Are you ready for rapid rapid fire? Got a couple of wacky questions for you. First off, very contentious. Vi or Emacs.

Yes.

Tracy Ragan (16:12.642)
WRAP

Tracy Ragan (16:24.94)
V.I.

CRob
Excellent. And to be clear, there are no wrong answers. Just some answers are better than others. Like VI.

Tracy Ragan
Yeah, I mean, I wouldn’t even know what to do with anything else except for brief. Remember brief? I used to love brief. wow. Yes.

CRob
Yeah, that’s a blast from the past. Tabs or spaces?

Tracy Ragan
spaces.

CRob (16:51.022)
Very popular answer. What’s your favorite open source mascot?

Tracy Ragan
Well, you know, how could you not love the goose?

CRob
Excellent, and our last question, mild or spicy food?

Tracy Ragan (17:11.937)
You know, when I first moved to New Mexico, I only ate mild food. And now I love spicy. It took me 20 years, but I finally started eating spicy food. So spicy now. That red chili taught me better.

CRob (17:31.49)
Nice. I love green chili. Thank you. And as we wind up for the interview here, do you have a call to action to our audience where they might be able to pick up some of these ideas or participate and collaborate to help move these wonderful projects forward?

Tracy Ragan
You know, I would say if you’re a security professional, to go sit down and talk to a DevOps engineer and really understand how they see the world. And take the time to say, could you show me what it would take to add an SBOM to a single pipeline? And if you’re a DevOps engineer, start taking a look at some of the tooling that’s coming out of the OpenSSF.

The Continuous Delivery Foundation did start a SIG recently called the CI/CD Cybersecurity. And what we’re doing is we’re going through every single, we’re starting with a secure software development framework and we’re going through all the tasks and we’re identifying the task by number that needs to be added to the DevOps workflow. And we’re adding open source tools that you can use to achieve that task. So.

If you’d like to get involved in that as a DevOps engineer and learn more about these things, look up the CD Foundation’s CI/CD Cybersecurity SIG, because it’s becoming an education for all of us to go through that process.

CRob
That sounds amazing. I look forward to checking that out. Tracy, thank you for your time today and thank you for everything you do for developers and DevOps folks and cyber people. We really appreciate all of your contributions to open source and thank you for joining us today.

Tracy Ragan (19:17.08)
Thank you, it’s my pleasure.

CRob
Well, happy open sourcing everybody. That’s a wrap.

Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Cast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it. Check out the newsletter for open source news, upcoming events, and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

Jun 03
Love0

What’s in the SOSS? Podcast #32 – S2E09 Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes

By Podcast

Summary

In this enlightening and entertaining episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes. From her academic roots to her entrepreneurial journey, Dr. Hayes shares how diversity, equity, inclusion, and accessibility (DEIA) drive sustainable growth—and how she found inspiration for her TED Talk in the wisdom of Yoda. The two discuss the myths around DEIA, how the Jedi Council reflects ideal collaboration, and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Conversation Highlights

00:00 – Introduction
01:30 – Career Journey
03:10 – Navigating DEIA in Today’s Landscape
07:49 – TED Talk Inspiration: Star Wars & DEI
11:31 – The TED Experience
13:12 – The TED Talk Message
14:38 – Favorite Yoda Quote
16:34 – Rapid Fire Round
18:37 – Final Thoughts
19:10 – Outro

Transcript

00:18 Yesenia Yser:
Hello and welcome to this podcast where we talk to interesting people throughout the open source ecosystem. My name is Yesenia Yser, I’m one of your hosts, and today we have an amazing treat. I’m talking to a very, very dear friend of mine and someone that comes from a galaxy far, far away, Dr. Eden-Renee Hayes. Eden-Renee, please introduce yourself to the audience and tell us a little bit about yourself.

00:45 Dr. Eden-Reneé Hayes:
I just have to say how fun it is to be announced as an amazing treat and from a galaxy far, far away. Not taken from your TED Talk, was it? So again, I’m Eden-Renee, or Dr. E is also totally fine. But basically, I’m in that dirty little acronym, DEI, diversity, equity, and inclusion. But I basically help companies to drive sustainable growth through inclusive strategies, aligning people, purpose, and performance, which basically leads to them keeping their employees longer.

01:20 Yesenia Yser:
Nice. And then we’ll start with the first question. I’ll continue on from that. For those who may not be familiar with the background, can you share your career journey with us?

01:30 Dr. Eden-Reneé Hayes:
Sure. I have been in academia for a really long time, but now I am an entrepreneur, so I’ll fill in the gaps. So I was a tenured professor. My area within psychology is social psychology. So I’m not a clinician. I’m more studying the research. I’m working in research and understandings around what happens with people in different situations. And with that, I always focused on the ideas related to diversity, equity, and inclusion. So from academia, I moved into administration, but still in colleges. And I liked doing that because I had a much greater impact on what was going on at each school. I was also the director of a multicultural center, but then I decided to branch out and become a solo. entrepreneur, where I have that opportunity to help companies to be able to use my vast knowledge within social psychology to be able to figure out what they need to do in order to have more equitable hiring practices that are fair for everybody, to be able to keep their employees with inclusive practices and lots of other things in between. 

02:38 Yesenia Yser:
Nice. And that brings you here to today. I believe you own your own, you run your own consulting business, if that’s what I understood. That’s right. Nice. Given that, and with the recent shifts in the U.S., I’m sure that’s kind of taken a little change in the way you approach now, especially with the U.S. administration stance on DEIA, diversity, equity, inclusion, accessibility. What challenges have you observed in the industry?

03:10 Dr. Eden-Reneé Hayes:
And if you want to speak more on that. course. Yeah, no, it feels like a lot of people are worried. Yeah, absolutely. I mean, I think it’s important to think about all of the things that they were doing previously, and is that consistent with the legal landscape? And actually, it is. DEIA is not illegal. As stated by 16 different attorney generals, and to make it very, very clear that all of those best practices are still 100% legal because they’re consistent with the things that have been placed into law that are much harder to overturn than with just an executive order. What’s also very interesting to me is the executive order’s focus on merit and fairness, and so does DEIA. So that is one of the wonderful things is just really reiterating to people, this is what’s going on. We were always about fairness. We were always about ensuring that the person that has the greatest merit gets the position. But DEIA is not just about hiring and just about, like, talent acquisition. There’s more to it, because DEIA also focuses on those external things, like the way that we present our companies to the masses. So how is it that we can do that in a way that is inclusive, that is reaching all of our potential clients? Because we have a very, very diverse world, and it’s getting more and more diverse by the minute. Literally, each, you know, like, there’s a new baby born every minute. A lot of those babies, they’re all people of color. And what we see now is, what is it? I think something like 46, 49% of Generation Z are people of color. So Generation Alpha, who are currently in elementary school, are even more diverse ethnically. But that’s not the only diversity we can have. DEIA is also not just about what’s going on with ethnic groups. It’s also gender. It’s gender identity and expression. So that’s a big part of it. And so I think that’s a big part of it. And I think that’s thinking about our trans and non-binary friends. It’s also disability. What about neurodiversity in the workplace? What about well-being in the workplace? It’s also about different people and their needs regarding the different languages that we speak, the different passports that we may hold. It’s so many different, of course, sexualities, so LGBTQ. And there’s so many different demographics to be thinking about. If you were actually to try to put everybody in a demographic, it’d be a minority of people that basically don’t fit within one of those, what we call underprivileged or minoritized or basically what tends to be undervalued groups. So it’s a lot more likely that we are going to be thinking a lot about the full human being in all the demographics that we inhabit and what that great benefit is. So I think that’s a big part of it. And I think that’s a big part of it. is to our various workplaces. So the changes that I’m seeing is really more helping people to understand that to be the truth instead of those myths that people believe about DEI not being about fairness and about having quotas, which aren’t actually legal and weren’t before, about trying to hire people because of their demographics instead of their skills and experience. So it’s a lot more likely that we’re going to be thinking about that. So a lot of the changes that I’m seeing is really just making DEI more clear so that people know that this is what it is. And that’s one of the reasons why I did my TED Talk.

06:59 Yesenia Yser:
Oh, there you go. You’re ready for the next one. I wonder why. But yeah, it just sounds like for DEI, I’m used to saying DEI. So just like my brain’s like, there’s an A. It’s just an umbrella of things because you said it very nicely. It’s the human aspect. And as a human, we identify in different aspects from our gender, from where we live, from the culture’s experiences. But moving on to the next question, you and I actually met at a TED Talk cohort that has continued into this fabulous group. And you recently delivered your TED Talk. Congratulations. It’s one of my favorites. Share with the audience what inspired you to speak on that particular idea. Share what the idea is. And what was the overall experience like?

07:49 Dr. Eden-Reneé Hayes:
Okay, so this is an unexpected answer about what inspired me. What inspired me was actually the failure of my partner to watch Star Wars as a child.

08:04 Yesenia Yser:
Tell us more. I still remember in like college, my first, I’m going to sidetrack real quick. My first job, I was there for like a couple months. They found out that I didn’t watch Star Wars. So they’re like, you cannot work until you watch Star Wars. I spent literally a whole week at work. They paid me just to watch Star Wars. And they’re like, okay, now we’ll give you IT tickets. And I was like, sure. I’m educated now.

08:25 Dr. Eden-Reneé Hayes:
I love that they paid you to do it. And yes, you are educated now. So by the time I, it’s pretty funny. I’m such a Star Wars geek that immediately when my friends found out that he didn’t watch Star Wars, they’re like, oh my gosh, are you going to break up with him now? And it’s like, no, they’re just movies. You just have to sit down and watch them. So we finally did like sit down and start watching. And for the Star Wars geeks out there, we watched in episode order, not chronological release order. That’s a general question that many people will ask. So we start with episode one. So not when they were released, but basically when you’re starting with Baby Anakin. So just watching the movies again in the, the climate that we’re in, in, uh, in being an entrepreneur and trying to help people to understand what DEI is and how it’s valuable. And just being in that space, like while watching it next to someone who’s never seen these before and only has like cursory idea of what might happen. And I just starting putting two and two together. It’s just like, oh my goodness. I knew that I’m in DEI because like, and I start my, Ted talk this way. My mom sat me down and like Yoda was my babysitter. So that, that is how I learned in the first place. And of course I get the education. I literally have a PhD in DEI. I, I really do have the, like both the lived experience, the, um, the sci-fi knowledge as, as well as the, the educational academic background that comes all together in one, but watching it with him, like I had to go grab my phone and pull up the notes app. And start like really typing in that. There’s all of these different ideas and quotes that just like, of course, this is where I am now because this seed in star Wars, all the diversity that we see. I mean, even look at the Jedi high council. It’s like, everybody’s from a completely different species and what are they doing? They are working together. Think about a boardrooms look like that. You know, if everyone’s coming in from a different angle of their upbringing and of their educational experience, and then, like they’re in the same space, trying to reach the same goals, you’re able to attack that problem with those angles that you need in order to figure out, okay, how can we get to the best place? And most efficiently in with as few hiccups as possible, because you don’t want something to be unrolled. And then it’s like, oh my goodness, we forgot this. And we didn’t think about the impact on this group. And now we’re getting a lot of negative press that you want to think about all those things and ensure that that’s not like, oh, we’re not going to be able to do this. That’s not likely to be the problem. And that you’re not likely to waste time, like trying to go and fix something that shouldn’t have been an issue in the first place. If you had more voices in the room. 

11:31 Yesenia Yser:
Yeah, it’s really great. And then what was your experience like with the TED talk? 

11:35 Dr. Eden-Reneé Hayes:
Oh my gosh, it was so much fun. For me, it was the epitome of that thing people say about enjoying the journey just as much as the destination. I enjoyed every minute of sitting and writing down, like practicing it and talking about ideas with our TED cohort, with practicing –  because one of the things about TED that’s less likely known is that it’s not like, oh, I write down what I want to say. And I get up on the stage and I say it’s like, no, there’s, there’s training, there’s editing, there’s, there’s time, there’s a pretty long runway from you’re going to have a TED to actually being on the stage. It’s not like three days and you’re on the stage. It’s people helping you to figure out how to really, like kind of, act it out a little bit. So that, that was one of the wonderful things. Like I had like a speech coach to help me to make sure that I’m bringing my best self out there. And that’s the great thing, because it’s like, of course, being a professor, I was on plenty of stages, but TED stage is a completely different place than a classroom. So it, there’s a different way to impart information. And it’s still also about kind of like, how you find your writer’s voice. Like you find your, it’s your voice on the stage as well. So that’s totally fun.

12:58 Yesenia Yser:
It’s, it’s a big journey. I can’t wait for mine. I’m so excited, but I’m so glad yours was one of the first, would you like to share with the audience for those that haven’t seen it yet a little bit about what your TED, your TED talk idea was?

13:12 Dr. Eden-Reneé Hayes:
Sure. Of course. So if you haven’t placed two and two together, I talked about Star Wars and DEI at the same time. So what I did was, I specifically focused on quotes from Yoda, because there’s a lot of things you can draw from, but TED, technically you’re allowed to go 18 minutes, but we all know what attention spans look like. So the best case scenario, yeah, best case scenario is your TED talk is in the neighborhood of 10 minutes. So I organized it using Yoda’s quotes, but basically I highlighted, this is what DEI really is, dispel all those myths. I didn’t spend time on like, this is how you define each letter of DEI. Instead, I just, I decided to be a little bit more like fun and animated and like make it not like, no, it’s, it’s TED. It’s, it’s not my class. I’m not going to give you a, like a paper that I’m grading or quiz afterwards. I’m trying to give you all the information that is really applicable in a way that’s also entertaining so that you can see it all there. And, and know that, no, this is really about respect and fairness and being the human being that I know that you want to be too.

14:31 Yesenia Yser:
That’s great. I love your TED talk. And with our last question, what’s your favorite Yoda quote and why did it resonate with you?

14:38 Dr. Eden-Reneé Hayes:
Oh my gosh. There are so many great ones to choose from. I feel like I should refuse to answer. Um, but basically, um, no, my favorite one is, uh, Yoda is training Luke. And and Yoda says to Luke, he’s like, Luke kind of gets really frustrated. And Yoda says like, no, like “only different in your mind, you must unlearn what you have learned.” And that’s one of the most fundamental things that we all really need to be doing a better job of is in an unlearning and trying to figure out, okay, what are these messages that I keep receiving that are not satisfying? And I think that’s one of the most fundamental things that I keep receiving. And are not helping me to be the human being that I want to be. And instead are moving us into a place where we have greater division.

15:31 Yesenia Yser:
Nice. I’m going to butcher this one, but you can, you can fix it. You can fix it. “Luminous, luminous beings, are we” that one is one of my favorites, especially the way you delivered it. Um, and then I forgot what the ending of that was. 

15:47 Dr. Eden-Reneé Hayes:
Not this crude matter. 

15:48 Yesenia Yser:
Not this crude matter. That was one of my favorites.

15:50 Dr. Eden-Reneé Hayes:
Yes. “Luminous beings are we. Not this crude matter.” And yeah, that’s, I use that one to help us to think about how we are, we’re focused on, on ourselves and we’re focused on someone else fitting into a box unless we already know that person and not focused even on ourselves being luminous. And that’s part of DEI too, is stopping and thinking like, no, you are amazing. You are worthy. You are valuable. And you bring value to this space. And so does everybody else that you are encountering. So luminous beings, are we not this crude matter.

16:34 Yesenia Yser:
Love it. I got goosebumps all over again. And with that, we’re going to move over to our rapid fire interview part. So hold your breaks. Don’t get off on your millennium Falcon just yet. All right. First question. This one, this one might be an easy one. Marvel. Marvel or DC?

16:53 Dr. Eden-Reneé Hayes:
Marvel, but no, no, I’m just going to double down on Marvel, but I, but I do love them both. We go to all, all the movies, except for Venom.

17:05 Yesenia Yser:
All right. For you Venom fans. I’m sorry. Sorry. Next question. Coke or Pepsi? 

17:13 Dr. Eden-Reneé Hayes:
Pepsi. 

17:15 Yesenia Yser:
Okay. 

17: 16 Dr. Eden-Reneé Hayes:
More delicious. 

17:18 Yesenia Yser:
Okay. We’re a little different there. 

17:22 Dr. Eden-Reneé Hayes:
Specifically cherry. 

17:23 Yesenia Yser:
I do love the cherry. I’ll give you that one. Books or podcasts?

17:30 Dr. Eden-Reneé Hayes:
Books. I’m an audio book lover.

17:32 Yesenia Yser:
Yeah. I like the physical. I’ll have to listen to like audio books, like self-development audio books, but I just, there’s something about physically holding it and the smell. I don’t know.

17:42 Dr. Eden-Reneé Hayes:
No, I’ll never get through a book if it’s physically there, unless. No, I need audio because I need to read it while I’m like driving and I’m totally destroying the rapid fire-ness of this. You know, while I’m like cutting vegetables or anything, oh, that’s, that’s mindless. So I need the audio books.

18:02 Yesenia Yser:
That’s fine. We’re making this rapid the way we are. Spicy or mild food? 

18:06 Dr. Eden-Reneé Hayes:
Oh my gosh. Spicy. Who would go with mild? I mean, like. 

18:11 Yesenia Yser:
<Laughs> You didn’t listen to mine then. I said neither, just seasoned. 

18:17 Dr. Eden-Reneé Hayes:
No, it needs to be spicy. Yes. No.

18:21 Yesenia Yser:
Must be spicy. Well, thank you for giving us a lovely rapid conversational fire interview. This is, you know, towards the end. Do you want to leave the audience with any last minute words before we close out?

18:37 Dr. Eden-Reneé Hayes:
Oh, just that we really do all need to foster that wonder and curiosity. Instead of believing the things that we already believe, we need to do a better job of venturing outside of our comfort zone and venturing into that learning zone instead.

18:58 Yesenia Yser:
Beautifully said. Well, thank you, Eden-Reneé, for joining us. Thank you for those listening. We’ll catch you on the next episode.

19:10
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Cast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it. Check out the newsletter for open source news, upcoming events, and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

May 20
Love0

What’s in the SOSS? Podcast #31 – S2E08 Cybersecurity Framework Launch

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde’s journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

Conversation Highlights

00:00 Introduction to Open Source and LF Education
02:59 Clyde’s Journey into Open Source
05:54 The Role of LF Education in Open Source
09:00 Cybersecurity and the Global IT Cyber Skills Framework
11:59 Framework Development and Industry Collaboration
15:13 Continuous Learning and Community Engagement

Transcript

Intro Music (00:00)

Clyde Seepersad (00:02)
Five years ago, eight years ago it was “What are these container things and how are they going to make a difference?” Fifteen years ago it was “What is this hypervisor and how’s it going to make a difference?” We’re having a moment now where there’s this combination of security’s super important in every single aspect.

CRob (00:20)
Welcome back to What’s in the Sauce, the OpenSSF’s podcast where we talk to interesting people that are involved in open source development and standards and supporting our amazing communities. And this is the season two we’re quite excited to have graduated on to the next level. I’m CRob, I’m one of your hosts here at the OpenSSF.

I’ve had the pleasure to be involved with this community for just under five years and I get this amazing chance to interview some amazing, interesting luminaries. And today we have a real treat. We have Clyde from the LF Education Department and they specialize in helping people understand.

open source tools and methodologies and techniques. So, Clyde, can you give us maybe a few minutes of your open source origin story and kind of explain a little bit about what LF Education does?

Clyde Seepersad (01:19)
Thanks, CRob. I’m excited to be here. I’m excited to have education be talked of as a luminary because often when we do materials, people start looking very intently at their toes and hoping that somebody else will do it. Always happy to get a platform to encourage more folks to come on in. The water is fine. I am sort of a latecomer to open source. I’ve been involved for the past 10 years or so and was off on the dark side doing my thing.

And one day a headhunter called up and said, we have this interesting opportunity. We think you’d be good for it. And at the time I was in Austin, Texas. And I thought, well, know, Austin is not that big a town. It was great to meet extra people. We’ve scheduled a 20 minute coffee and no harm, foul. And it took two and a half hours to wrap up the conversation because we just kept going and I kept thinking, I had no idea that dot, dot, dot.

And so I left that meeting, went home, told my wife that the coffee I had told her about ended up being a two and a half hour conversation and I was going to leave my job and go do this non-profit thing that she had never heard about and that I had only barely heard about several hours earlier. And it just…

CRob (02:35)
must have been some great coffee.

Clyde Seepersad (02:37)
It was good coffee. I think it got cold several times. So the refresh cycle on the coffee was good, which, you know, is important. And, It’s just been such a phenomenal ride, right? Obviously, we’re recording this, whatever, 10 days after the deep seek drop, and cool things just keep happening in collaboratively developed spaces, which is, maybe not ever was thus, but certainly ever will be thus. I think that is the new way that stuff gets done. And of course, one of our big priorities along with everybody else on planet Earth in the last few years has been the security space and trying to think about what more could and should we all be doing.

CRob (03:18)
Mm hm. So a lot of people might not be aware that the Linux Foundation has a whole group dedicated towards training and education. So maybe could you talk a little bit about your group and kind of the things that you all do for the community and our members?

Clyde Seepersad (03:33)
Technical folks like to work on technical problems, right? They like to spin up new projects. They like to work on road maps and get from beta versions to release candidates to GA to one to two to X. Some of them like to go to meetups and connect with other folks. Not terribly many like to step back and think about how will I onboard the next person who isn’t currently super excited about this. And I think that’s where this team shows up as we say, as we show up and we say, listen, we can help you with the instructional design. We can help you with the development of quizzes, with the multimedia, with the video, with the, you know, the multilingual stuff, with the production value, with the sort of mapping out of the process, with the handling of the tools that author the content.

If we, if you can work with us, because the one thing we’re not as experts in, fill in the blank, right? There’s a thousand projects at the LF. A lot of what seems scary in terms of putting education together and not just putting it together, but importantly, getting it into the hands of the right people quickly is what we can do. And so that’s what I like to brag on this team is we’re doing a lot of things that aren’t central to any one open source project or initiative, but we’re bringing a set of skills and capabilities that you typically don’t find in kind of the core maintainer community, but they’re very complimentary and we can say, we’ve got all the folks and the tools and the processes to do all the stuff that makes your, know, makes your hair hurt. Let’s work with you. Let’s work with you to get the story out. And importantly, let’s get the story out not just to the people who are already excited and way down the weeds in the GitHub repo.

Let’s get the story out to the next folks out there who, if you ask the question, and I always say to the team, the most important question we can help folks answer is what is that tech and why do I care? And that is very much about, you know, what are these technologies? What did they do that were impossible yesterday, was much easier to do, was able to do in a way that is more cost effective because it’s a shared license. Because that’s where we help, but that’s where we can really help is to bring new people into these ecosystems.

CRob (05:53)
So thinking back of your journey with the LF Education crew, what are some of the timely topics? Like what are some of the most requested things or what are you all working on? What’s your priority lately?

Clyde Seepersad (06:06)
Well, you’ll be shocked to hear that AI is on the list.

CRob (06:13)
You’re right I am shocked.

Clyde Seepersad (06:14)
Pretty much the only two topics I hear currently are security and AI. Five years ago, eight years ago, it was what are these container things and how are they going to make a difference? 15 years ago,it was what is this hypervisor and how is it going to make a difference?
And then you get the most specialized conversations and things like networking. But I think it is definitely true that we’re having a moment now where there’s this combination of security is super important in every single aspect and trying to figure out what exactly the Gen.ai future is going to look like and where we never ever have a junior software developer ever again because, quote, GitHub is pretty good at first pass stuff. You know, I think there’s a series of really active conversations around trying to envision what our future is going to look like. And both those components are front and center.

CRob (07:09)
Very nice. Well, one of the things that you and I have been collaborating on most recently is the global IT cyber skills framework. Could you maybe talk a little about where this idea came from and kind of what you’re intending to do with this project?

Clyde Seepersad (07:25)
Sure, and really appreciate all the support you’ve provided on this. It really started with a very simple observation, which is, as I listen to folks talking about cybersecurity, a lot of what the pattern we kept hearing was there are specific job functions and areas of responsibility related to cybersecurity that everybody wants to be very focused on. So whether that is intrusion detection, pen testing, there’s a lot of specialized focus on cyber. And it’s a little bit like the Sherlock Holmes story where the key clue was the dog that didn’t bark. What about all the people who aren’t cyber security specialists? They’re app developers, they’re network people, they’re database admins, getting up every morning thinking about where the latest vulnerability is going to come from. But they have not been part of the conversation.

And so I think that’s really what we’re trying to do here is to say, we have to find a way to make everybody who touches these systems part of the conversation on cybersecurity and make it easy for them to figure out what their part in the broader strategy is. security is not something you can inspect in at the end, right? It has to be there from the get-go. And that has not been…a big part of the conversation, which is not surprising when the fire is hot as you put in the water on the most immediate source of the flames, but you’re not paying as much attention yet as to where the fuel load is building up. And so think that’s really what we’re trying to, hoping to catalyze is a broader conversation around just how extensive the concept of cybersecurity is when you think about all these different roles in technology. And so it’s great that we’ve started with the specific folks that are in a CISO’s office, but we have to make sure we don’t stop there.

CRob (09:32)
Yeah, I love that kind of looking at the framework, the fact that we looked at many different job types and kind of thought about it from somebody’s career at the beginning of their career, they needed to have certain experiences. And as you evolve and kind of get more, you level up, so to speak, there’s more increasingly complex tasks that you’re asked to do with. you talk a little bit about – just give us kind of a sneak peek into the framework and kind of what went into some of this thinking.

Clyde Seepersad (10:01)
Yeah, think we, there were two things we were trying to make sure that we use as our North Star. The first was it had to be easy to use. We have to make it easy for people to have this conversation. So how can we develop something that is not intimidating, easy to use, people can see their way to the end goal where they’re using it. And the second is, can we make something that is not a special snowflake, that is industry agnostic, that’s geography agnostic? Because what you, and to have those two things be true, and you know, we worked with hundreds of folks who volunteered their time and expertise on this. Where we ended up was saying, to make it easy, we have to have it be, simple for folks to figure out where different people in their organization might slot in. So how can we group like with like? And so we went through this exercise with a group of experts and then validated it through a large form field study survey in the field. And we ended up with 14 or 15 job categories or job families.

Clyde Seepersad (11:23)
That’s not to say that there aren’t people out there who straddle lines, and there will always be, but we felt pretty good about having these categories as sort of people who are grouped together. So things like network specialists, things like database administrators, things like software developers as distinct from app developers, so smartphones. And then from a career perspective, as you alluded to, CRob, there’s this concept that there are things you need to know when you’re just starting out.

And there’s more things you need to know when you start taking more individual responsibility and yet there are more things you need to know, especially as you take on managerial responsibility and start supervising the works of others. And so what we ended up with, if you envision sort of a two by two framework, a set of job families where we have examples, we can help people visualize, oh yeah, I’ve got folks in that box. And then this continuum of experience where newer folks, there’s topics and we’re very, you the topics are quite specific and so they’re somewhat opinionated, but we wanted it to not be a hand wavy feel good.

We wanted people to be able to look into that framework, see things they violently agreed with, maybe see some things they violently disagree with because maybe it’s not relevant and that’s okay, right? It’s very much meant to be a alaqaat, Kanban style. I like this, I want to use it. I don’t like that, I want to take it out. I think this is missing because I’m in industry X and I want to add it in. But I think we’re hoping that the concept of it’s a simple framework. You can print it on one page. It’s a way to start and then make it your own. Make it relevant to your department. Make it relevant to your industry. Move stuff left, move stuff right, blend stuff between buckets, but use it as a accelerant, right? Instead of staring at the blank white board. This is the collective wisdom of hundreds of folks who spent decades in this space – stand on their shoulders, right? Use it as a jumping off point.

CRob (13:20)
I loved the kind of practitioner perspective that the framework brought. Could you maybe talk about, I know we’ve had some conversations with other folks within the ecosystem. How does this work alongside or complement other similar efforts?

Clyde Seepersad (13:37)
Yeah, I think our view is that this is meant to be a entry point for people to think about cybersecurity for their broad audiences and not to replace. There are some very good, more specialized frameworks that already exist out there, right? So you have things like SOFIA, you have things like the NICE framework. And our take was we look around and we listen.

And those are not being as used, used as much and implemented as much as you might have thought. I think part of the reason is they’re so sophisticated and there’s so much detail that they’re a little maybe intimidating if you’re starting kind of at the, at the, at the starters pistol. And so we’re envisioning this really as a gateway exercise to say, here’s a way that you could start. It’s not saying that it’s fully comprehensive of everything you’d ever think of, but it’s saying these are the lowest common denominator pieces, right?

And so it’s a discrete, easy to wrap your head around, printed on a page starting point. And hopefully what we see is that once people start their journey, they gravitate towards some of these bigger frameworks that already exist according to what makes sense for their organization, for their industry, for their geography. And so we’re very much seeing this as complimentary of frameworks that are more specialized that exist, really as a way to get more folks far enough down the path that they start using those frameworks with confidence.

CRob (15:14)
I love the effort. I’m really looking forward to kind of unleashing this and sharing it with the broader ecosystem and then starting to the devils in the details. I want to start building my own little Kanban board and kind of mapping out my journey and seeing what I and others might want to start exploring education wise next.

Clyde Seepersad (15:33)
Yeah, and that’s exactly what we’re hoping to happen, right? This is going to be a publicly available royalty free resource sponsored by OpenSSF and the LF. We want everybody to use it. We want companies, we want education providers to use it. And importantly, we want this to be an ongoing effort. So, you we’ve had a ton of people volunteer their time and expertise to get to V1. We’re very much intending to have this be an ongoing effort where we’re constantly reviewing this, you know.

At least twice a year stepping back and saying, is this still right? Because the one thing that we know is true is yesterday’s threats are not tomorrow’s threats, right? So we cannot have these be static. We have to constantly be asking ourselves, is this still relevant? Is there something else that we need to add? Because that’s the only way that you can really, if we’re trying to get people to think holistically about the security implications up and down the food chain, we have to help them keep track of stuff as it evolves. And so I think one of the beauties of doing this collaboratively is we do have the ability and the intention to continue revving, right? Just like any release schedule, right? That the 2026 version is gonna go look different and the second half of 2025 version might look different.

CRob (16:50)
Excellent. Well, let’s move on to the rapid fire part of the conversation. All right. I got a couple of wacky questions. I just want your first answer right out of the gate. What’s your favorite open source mascot?

Clyde Seepersad (17:06)
You know, it’s still Tux. It’s just, you know, I’ve got a dozen of them on my desk and it’s an oldie but a goodie.

CRob (17:19)
Excellent. Good, good, Spicier mild food.

Clyde Seepersad (17:23)
I grew up in the Caribbean, so definitely spicy.

CRob (17:30)
Ooh, that’s spicy. Excellent. What’s your favorite adult beverage?

Clyde Seepersad (17:34)
Rum and Coke.

CRob (17:35)
Classic. I love that as well. So as we wrap up here, what advice might you offer someone that’s just getting into, whether it’s open source development or cybersecurity, how can you help them start their journeys?

Clyde Seepersad (17:50)
You know, the key thing I say to folks anymore is that the world has really changed. Even when I started my career, you could pick a spot and say, I wanted to be an X. I wanted to be a database person. I wanted to be a Cisco switch person. I wanted to be an Oracle person. Because we used to have these long runways of technology staying pretty stable.

And that’s just not true anymore. I think everybody should be coming into tech and even those of us who’ve been in it should be thinking about it as an ongoing journey of lifelong learning. You’ve got to stay on your toes. The thing that made you successful three years ago probably is not going to be the thing that makes you successful this year. And so committing to this idea that it’s your responsibility to figure out the things you’re passionate about and learn them and implement them and stay on this sort of continuous journey.

That’s going to be what the foreseeable future looks like, is all of us just cross-skilling, up-skilling, feeling like we’re always slightly behind, but making that commitment to our own learning and development.

CRob (18:58)
I like to learn something new every day. And finally, what call to action do you want to give the community right now? What actions can people take to help make the world a little bit better place?

Clyde Seepersad (19:09)
Yeah, I would say for everybody who touches a tech stack, step back and start inventorying where do you think in your day-to-day job you could do one thing better that would narrow or close a security gap. We all have goals and the targets we’re trying to meet and we’re on the treadmill. Take a moment to step back.

Get off the goals treadmill. Try to find one thing, one thing that you can do better that helps narrow the surface, the attack surface, and find a way to make that happen.

CRob (19:52)
Excellent. Well, thank you. Sage advice learned over your journey. Thank you, Clyde, for coming today and sharing about the IT skills matrix and about LF education.

Clyde Seepersad (20:03)
Thanks so much for having me, CRob

CRob (20: 05)
Cheers

Outro Music (20:05)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

May 13
Love0

What’s in the SOSS? Podcast #30 – S2E07 Scaling Security: Inside the GitHub Securing Open Source Software Fund

By Podcast

Summary

In this episode of What’s in the SOSS?, CRob sits down with Kevin Crosby and Xavier René-Corail from GitHub to unpack the GitHub Secure Open Source (SOS) Fund – an innovative program that combines funding, education, and community to strengthen open source security. Learn how this unique initiative connects maintainers with training, resources, and a $10K stipend to scale security best practices. The trio also shares the origins of the fund, surprising takeaways from the first cohort, and what’s next for this rapidly growing initiative.

Conversation Highlights

00:00 – Introduction
00:58 – Meet the Guests
02:26 – Open Source Origin Stories
06:10 – The Spark Behind the SOS Fund
10:19 – What Participating in the Fund Looks Like
12:39 – Inside the Curriculum
14:50 – Unique Program Design & Outcomes
16:23 – Key Learnings from the First Cohort
19:09 – Feedback & Areas to Improve
21:50 – What’s Next for the Fund
23:00 – Rapid Fire Round
24:23 – Call to Action

Transcript

Intro Music (00:00)

Kevin Crosby (00:04)
I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (00:18)
Welcome to what’s in the sauce. The open SSF’s podcast where I talk to maintainers and developers, security researchers and experts all around the open source security ecosystem. It is my pleasure to be your host. My name is CRob. I’m the security architect for the open source security foundation and one of our co-hosts for this amazing little endeavor. And today I think we have a real treat. We have some people that have been deeply involved in upstream open source security for a very long time. And they have a pretty innovative idea that they’re going to be talking about this program we’re collaborating on together. So please let me welcome my friends, Kevin and Xavier from GitHub.

Kevin (01:04)
Thanks for having us today. It’s exciting to join the podcast and get to share this journey. And also very thankful for the partnership that you’ve brought through this program as well. Just quick background, Kevin here from GitHub. I lead our open source funding programs, specifically focused on things around GitHub sponsors that enable developers to get paid for their open source work. Think of things like hobbyists that are working on open source part-time to even full-time careers, or even folks that are starting to build companies around open source. And then programs beyond that through the secure open source fund as well as get up fund with with Microsoft’s venture fund as well

CRob (01:44)
and Xavier. Want to introduce yourself?

Xavier René-Corail (01:45)
Hey, Crob. Yes, I’m Xavier René-Corail from GitHub. I’m a Senior Director of Security Research and I lead the GitHub Security Lab. Our mission is to help secure open source. I’ve got a team of hackers who are doing security research. Another team who is in charge of creating the GitHub advisory database and managing our CNA. And, well, also, I’ve been with you, Crob, one of the…kind of initial members of the open source security foundation. We work together in the best practices working group and we are continuing to work together on securing open source.

CRob (02:26)
Yeah, I know Xavier, he and I used to be one of like 15 people that attended all the OG meetings five years ago when we got started off. I’m very glad to continue our partnership with this new evolution of kind of GitHub’s engagement with helping improve open source security.

Xavier René-Corail (02:34)
Haha right.

Xavier René-Corail (02:41)
Yes.

CRob (02:44)
So before we jump into the the SOS program, let’s talk a little bit and explore your open source origin stories. How did you get into open source and you cannot know why what drives you to keep participating here?

Kevin (02:57)
Xavier, you want to go first?

Xavier René-Corail (02:59)
Yeah, I can. So my first step in open source, let me check. So first of all, I started programming in the 80s. I think I started with Tron and I think, yes, my two first games were a snake and a pong. But then, after, you know, during high school, teenage years, I forgot a bit about that then got back to…to coding during college. And then after that, started my career as a developer. And then very quickly, I came into being in charge of development practices. And as part of that, I created the open source policy for the company I was in. And this is how I discovered open source by…um empowering the developers of my company to take advantage of open source and also of course to give back to open source and to contribute to open source. So this is how I came to work in open source.

CRob (04:11)
Awesome. What about you, Kevin?

Kevin (04:13)
Mine’s kind of an interesting story. So I’m non-technical background. Originally, I was in economics, almost did a PhD and freaked out right at the housing bust and decided to go into corporate finance. So a little bit different of an experience. But during that journey, I started working with some early stage startups and venture firms and they were building open source tools coming out of university labs and innovation. And so I got the first flavor through that and really understanding how do you leverage this technology to build innovative products, sometimes even companies around it. And then fast forward a couple of years when I was at Amazon, my next touch point was we were building products that leverage things like OpenFire and Hazelcast to build messaging applications.

One of the coolest things was because we were building with it, I wanted to make sure our engineering team was able to contribute back to that open source project. And so we were actually shipping alongside the community and making sure that they were getting some of the innovations, which was super, super cool to see. And then fast forwarding a little bit further is kind of staying within tech and venture. I was in the Alexa fund. We got to work with early stage startups investing in early stage open source AI companies got to evaluate and meet folks like Hugging Face, for example, and just kind of understanding where this ecosystem was going. And all that kind of brought this view of when I came to GitHub of how do you bolt on funding for open source, make it sustainable, drive innovation, and also create new pathways of funding for these maintainers through their journey. And so that’s what I came here to do. And it’s been super exciting over the past almost two years to think about how we can build new funding models for open source maintainers and projects. So excited for this new addition to that as well being kind of a next iteration of all of the career touch points I’ve had with open source.

CRob (06:10)
Totally didn’t arrange it, but that is an amazing transition. So let’s talk about GitHub Securing Open Source Software Fund. You know, why have you all decided to kind of organize and run this program?

Kevin (06:25)
Yeah, maybe kicking it off with an interesting insight that we had from the GitHub accelerator last year. One of the key modules that I was thinking about, and this was a brainstorm with Xavier, was do we actually know how much security education and training do people have for these emerging, fast growing projects? And even some of the ones that are becoming vital to the ecosystem.

And so I just literally threw it out to Xavier as an experiment. Like, can we try to run this content and engagement with these projects and see what the results would be? And so we did it. And maybe Xavier, if you want to talk about that initial experience, it’d be great to just kind of get your point of view from it as well.

Xavier René-Corail (07:08)
Yeah, well, it was exactly as you said, it was an experiment at first, right? And part of the accelerator and it came a bit last minute, right? But we, but I mean, at GitHub, we are ready to pivot fast and to try to think fast. And so we did some, we did some office hours, we did some one-on-one audits of this project and we did some basic training about security posture. And yes, and the results were great. mean, the engagement of the maintainers and the result, the impact that it had on them was great. So, so Kevin came again.

Kevin (07:58)
I came asking again, like, can we make this bigger? you know, I think the learning that we had is when you connect funding with time training and expertise, you’re able to maximize the impact of the training and education. so, and it also kind of dovetailed with a lot of the needs around security within the open source supply chain. So you kind of had this serendipitous moment of

high need, both in terms of like a macro level, but also high need from a developer level to make this work. And also lining that up with the incentive structure of funding and education that make it really special for these maintainers. so that actually is what kind of seeded this idea of let’s build a programmatic open source fund targeting security that links the funding to the outcomes of security specifically. And so we tested that hypothesis.

Honestly, I’ll say it took us, I think, 30 days round trip from like the seed to actually getting the program previewed at GitHub universe, bringing folks along, getting funders to commit to the program, lining up what a scaffolding curriculum might look like. And so we had that in like 27 days to preview it at GitHub universe. And I actually think that was the first time you and I spoke about it too, because we were like, hey, what do you think?

CRob (09:26)
Great, that was exactly.

Xavier René-Corail (09:27)
Yeah. I mean, it was great because so my team, the security lab, you know, we’re already doing these trainings, these free training, these additional content, this office hours. It was already part of what we do for open source. But with this program, we had the opportunity, you know, to have the, yeah, the programmatic power, know, and the marketing and the partnership and the funding, et cetera. So when Kevin came to me with that, said, yes, please, yes, let’s do that. And I must say that, yes, the turnaround was impressive. And in particular, thanks to partners like OpenSSF, who, I mean, CoreView, immediately said, yes, let’s do it. And yes, it went pretty fast indeed.

CRob (10:19)
So for our audience that may not be familiar, could you just broadly describe if a project is participating in the fund? How does that? What does that look like? What do they do?

Kevin (10:30)
Yeah, that’s a great question. Maybe I’ll tee this up really quickly by saying the overall architecture of the fund brings together funders, organizations, community partners like OpenSSF and some others that actually bring resource expertise and kind of shape the program and then GitHub as well as our maintainers. And so we kind of have this ecosystem surrounding this. And so what we’ve done as a program, as a maintainer that gets brought in,

You go through a standard application process, highlighting things around what your project is, what you do with your project, what your project does for the ecosystem, level of security awareness and education, the benefit of the funding specifically, what it can do to unlock resourcing, et cetera. And that’s kind of the process to bring them in. And once we’ve done that, we architected what I would consider a really unique structure. And I’m excited to talk about it for variety of reasons, but…

It’s effectively a three-week boot camp focused on security fundamentals, thinking about things that you need to have at day zero of building a project, all the way up to the lifespan of your project, thinking about implementing some of these techniques within the project itself, and then also some of the frontier stuff around AI. And so this three-week boot camp is around security fundamentals, best practices, but then we bolt on things like six months check-ins, 12 months check-ins.

community engagement with experts throughout the program to make sure that we actually line up all the resources that a maintainer would need, not just to learn it, but to actually embed it and embody it in their culture, make it scale out to their contributors, their communities, and even their consumers of their software. So I’m really excited about how the program’s been shaped. And a big kudos to Xavi, and I want him to talk about this in depth.

the security lab team is what bolts this together. And so I want to make sure like the impact of like how this all comes together is really focused on the security lab and the work they do. So Xavier, I would love you to kind of like jump in on the curriculum and education.

Xavier René-Corail (12:39)
Yeah, thank you, Kevin. Well, again, I mean, this is things that we were doing, but this program really brought the opportunity to amplify it. So it’s not only, it’s really together that we that we are, that we managed to put that up. So, so in terms of curriculum, yes, we, are trying during this free week bootcamp to, to, to, to have a mix of, you know, basic security posture and some advanced training on, for example, on fuzzing, on static analysis, things like that.

So you really have to mix because you have a mixed audience first. you need to, I mean, not everyone is at the same moment of their security journey, right? So you have to mix of that. We are trying to address all aspects from coding to incident response to vulnerability management.

So again, a mix of that. And of course, the important thing is that we are in continuous improvement mode. from the feedback from the first cohort, we will get to add more content. We have some people who are coming to us and proposing new content. And we’re like, yes, please come in.

So yeah, that’s in a nutshell, yes, that’s how we built this program. We are trying to get experts giving these training. So from us, but also from our partners, from the great David Wheeler, for example, from OpenSSF. So this is adding…

This is adding something to the learners, to maintainers, to have these great presenters who know what they’re talking about, giving them these presentations and answering the questions. So yes, that’s it.

Kevin (14:53)
I was gonna say, and just to double click on that a little bit, I mean, I think the uniqueness of it, to Xavier’s point, is how we framed and packaged it. So if we zoom out and say, what does a maintainer get? It’s three weeks security bootcamp with all of the education and expertise with these topics really focused on the programming. They get access to the security lab. They get access to the maintainer community.

They get access to the ecosystem partners that we’ve brought in and the funding partners as well. And then on top of that, they get embedded with like the data of like, how are we progressing in our own security journey? Like, we making progress? Are we embedding it in our community? How are we collaborating with other projects and maintainers through that as well? And so that’s kind of what the maintainers get. And the last thing that I think, you we didn’t really touch on, but the funding is really, you know, aligning the maintainers to spend the time commitment on it. So we provide a $10,000 stipend to the projects.

CRob (15:52)
Wow.

Kevin (15:52)
Most of that comes upfront, you know, the $6,000 upfront of the program to really solidify the three week boot camp. And then the others are to align onto the reporting and kind of the touch points and making sure they’re continuing on their security journey. so by aligning the funding and linking it to the outcomes that we’re trying to get with security, it becomes a really great model that is helpful for maintainers and for the projects that are being improved with security throughout the program.

CRob (16:20)
That’s awesome. So Xavier touched on it. We are just coming towards the end of the first cohort. Could maybe you share what’s been some of the most surprising things you’ve learned so far in interacting with both the funders and the maintainers and projects?

Kevin (16:41)
Maybe Xavier, do you want to go first?

Xavier René-Corail (16:44)
Well, yeah, my big surprise was the enthusiasm of everyone. I mean, I know this is something that is a passion for me, but I was, I mean, I don’t know, I wasn’t expecting that level of enthusiasm and of engagement from everyone. Really, you know, I was expecting some of the projects to be already quite advanced on the…you know, in their journey and then to be, to react a bit like, okay, there is content that is interesting for me, but some of the content is too basic. I was expecting that, right? No, everyone was really, really super engaged and super enthusiastic. So that was the big positive surprise for me. What about you, Kevin?

Kevin (17:41)
Yeah, I echo that. I kind of bucket them in three different functions. One is I think there was a very strong level of trust from the outset because they were all shared alignment on security within their project. And so I think everyone walked in and this kind of drove the enthusiasm of like, we’re all here for the same thing and having the same impact. So that was great. Two, I think the community lens was very fascinating to me just to see folks across different sizes of projects, stages of their growth or in kind of like distribution, as well as their own maturity journey within security, and like just seeing that community fuse really well together to cut across different frameworks, languages, et cetera, was really powerful. And I think the last thing that I’d say on this is the outcomes that we see is meaningful. Like not just from like, did the…things go red to green or anything like that, but really like you see them embody this change of what it means to be a steward of security with an open source. And that’s really unique. don’t think, and we kind of saw glimmers of that within the accelerator, but I didn’t think we’d, I didn’t know if we’d see it at this scope and scale. And I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (19:09)
Awesome. So on top of this, sounds like you’ve gotten a lot of great feedback. Is there anything that kind of stands out that you’ve got a maintainer or project kind of shared something really valuable to you all back from this experience?

Kevin (19:23)
I have a lot. I think one of the things that stands out in feedback is kind of going to the point of maturity curve is that it’s a very meaty subject. And so being able to scale content and education appropriately to meet maintainers where they are in their own journey is like one of the most critical things. And I think we’re we’re, you know, adjusting to that is like one one thing to think about. And then to Being able to touch upstream and downstream projects within their own Ecosystems is another area where I think that that’s a big opportunity for us to engage and kind of think about securing through the program as well. So those are just two immediate ones that I’m pretty excited about Xavi, what about you?

Xavier René-Corail (20:17)
Yeah, will double down on what you said Kevin: scaling to more projects, this will be the big challenge. And one other thing that I will add that I want to focus on also, because that was a positive feedback from participants, is adding some fun to the training. All of the training that were interactive and fun and with quizzes, et cetera. worked very well. so, yeah, you know, I used to say that boring is the arch enemy of learning. And so, yeah, I, I think that I want to add a bit more fun to the to the curriculum. So..

CRob (20:58)
I for one, totally agree with that. I think security is a lot of fun.

Xavier René-Corail (21:02)
It is.

Kevin (21:02)
The security is a lot of fun. You know, it was super interesting to see the modules I’d say that had interactive coding engagement. Like people really love just diving into it. And the other thing that was kind of unique that I don’t think it’s super surprising, but this concept of like see one, do one, teach one. Like it’s people coming through this journey and like, as you emerge, the first time you see it, like, my gosh, like this is overwhelming. The next time you do it, like I can actually do a coding exercise on this and actually implement some changes.

And then you see people a day later that are teaching like, this is how I did it, or this is how I’m thinking about it. It’s really cool to see that like, transpire throughout the program. And people loved it. Like to your point on fun, that made it fun, you know, to be able to teach people and engage is really unique.

CRob (21:50)
So let’s gaze out over the horizon, kind of what’s coming down the pipe for the GitHub Securing Open Source Software Fund. What do you have in your bag of tricks next?

Kevin (22:00)
Bag of tricks, that’s always a great question. As Xavier said, I mean, we have to scale. So we did the first session. Our objective is to do 125 projects this year. So we have multiple sessions that will be going on throughout the back half of the year. Session two will be kicking up in the next couple of months. And so we’re rapidly preparing for that. Yeah, I think that that’s where we’re looking forward to just in the back half of the year.

CRob (22:28)
Mm-hmm.

Xavier René-Corail (22:30)
Yeah. And in terms of curriculum, as I said, I’m receiving a lot of proposals to add content. going through that, going to add this content, I’m in particular interested if I have some ecosystem partners who are listening, I’m interested in language specific training for security. So if anyone has them, please reach out.

CRob (22:56)
Patches welcome, right?

Xavier René-Corail (22:58)
Yes, always.

CRob (23:00)
Nice. Well, let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I have some wacky questions I’m going to ask you. Just give me the first thing that comes out of your on top of mind. First question and potentially controversial, VI or Emacs.

Xavier René-Corail (23:04)
Ha

Kevin (23:04)
Love it.

Xavier René-Corail (23:24)
Emacs.

Kevin (23:25)
I’m going to go the opposite just to say VI

CRob (23:29)
There are no wrong answers. Some are better than others, though. Also equally contentious, tabs or spaces.

Xavier René-Corail (23:30)
spaces.

Kevin (23:31)
I like tabs.

CRob (23:45)
You guys are balancing each other out very well.

Xavier René-Corail (23:45)
Right?

Kevin (23:45)
Yeah.

CRob (23:47)
Ice or neat?

Xavier René-Corail (23:50)
Neat.

Kevin (23:51)
Neat.

CRob (23:52)
excellent, excellent answer. Who’s your favorite open source mascot?

Xavier René-Corail (23:58)
Mona, of course.

Kevin (24:00)
Yeah, you can’t go wrong with Mona.

CRob (24:04)
That is perfectly fine. And finally, the most important question, mild or spicy food?

Kevin (24:12)
I’m all about spicy food.

Xavier René-Corail (24:12)
Spicy for me. Yeah, good, spicy. I’m from the Caribbean and yeah.

CRob (24:22)
Ohhhhhh….that’s spicy. Nice. Excellent. Well, thank you all for playing along. And as we wrap up, do you have any call to action or anything you want to ask our audience to potentially think about in regards to your program?

Kevin (24:33)
Certainly, I mean, right now, any maintainers that are interested in joining to up level their security, we’re welcoming applications. They’re rolling on going throughout the year. As you know, we have a robust pipeline of projects to go through in multiple sessions. So always feel free to apply. And then for funders, if they’re interested in helping secure their own dependencies, welcome those conversations. I think it allows us to unlock more opportunities and projects with with funders. They also bring unique insights and resources from their own ecosystems and Xavier said it too, and ecosystem partners that are ready for the journey to provide education, curriculum, engagement with maintainers. Some of them are even unlocking referrals for their maintainers that are coming through the program, things like that. So we would certainly welcome those opportunities throughout the year. It’s not just today, it’s not just tomorrow, but it’s an ongoing journey.

CRob (25:18)
Very nice.

CRob (25:27)
Xavi any advice for the audience to have or a call to action?

Xavier René-Corail (25:30)
No, honestly, nothing to add. I already made my cultivation. I need some language specific training for security. So if you want to help open source projects, please reach out to me.

CRob (25:48)
love it. Thank you gentlemen for helping shepherd this amazing project program together to help the ecosystem. And I really am excited to see the results as you are engaging directly with these maintainers. So thank you all for coming and I will wish everybody a happy open source and out there. Thanks all.

Xavier René-Corail (26:08)
Thank you, Crob.

Kevin (26:08)
Thanks for having us.

Outro (26:10)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

May 06
Love0

What’s in the SOSS? Podcast #29 – S2E06 Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter

By Podcast

Summary

In this special episode of What’s in the SOSS?, we welcome Stacey Potter, the new Community Manager at the Open Source Security Foundation (OpenSSF). Stacey shares her winding journey from managing operations at a vitamin company to becoming a powerful advocate and connector in the open source world. We explore her community-first mindset, her work with CNCF and Platform Engineering Day, and her passion for inclusion and authenticity. Whether you’re curious about how to get started in open source or want insight into how community shapes security, this episode is for you.

Conversation Highlights

00:00 – Welcome + Introduction
01:34 – Stacey’s Origin Story in Open Source
03:18 – Discovering Community Management at Weaveworks
04:19 – Projects and Evolution Across CNCF and Beyond
06:13 – Co-Chairing Platform Engineering Day
10:15 – Being Openly Queer in Open Source
13:38 – What Stacey Hopes to Bring to OpenSSF
16:23 – Rapid Fire Round
17:53 – Final Thoughts

Transcript

Intro music (00:00)

Stacey (00:02): “It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community – I have always felt embraced here, these spaces have empowered me to show up fully as myself”

Yesenia (00:021)
Hello and welcome to What’s in the SoSS? Open SSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. So Yessenia, I’m one of our hosts and today we have a special announcement and introduction. I am talking to OpenSSF’s Community Manager, Stacey Potter. Welcome to the open source community. Stacey, please introduce yourself to the audience.

Stacey Potter (00:48)
Hey, everyone. Thanks, Yesenia. So I’m super happy to be here. I just joined and think this is week four that we’re recording this right now. So by the time this gets posted, I might have been here for a little bit longer. But I am the new community manager here at OpenSSF. So I am here to facilitate events. I’ll be managing budgets in the background. And in general, just promoting the foundation and all of our technical initiatives. So super stoked to be here. Can’t wait to meet everybody either in person, online, in Slack, et cetera. So super happy.

Yesenia (01:25)
Super, super happy to have you and we’ll kick it off with our first question. Tell us about your journey in the open source world and just what sparked your curiosity.

Stacey Potter (01:34)
Yeah, so honestly, my path into software was more a result of circumstance than intention. I transitioned into the industry a little bit later in my career. Before that, I was working as an operations manager at a small family-run vitamin company based out of Oakland, California. And after I left that role, I applied for an office manager position at a San Francisco startup focused on what we now call Software Composition Analysis or SCA. Though I don’t even know if it was called that back then in 2009. And at the time, our tagline was something like open source software security for enterprises or something like that. I think a lot of people will know our main competitor, which was Black Duck Software. But we were just a tiny little startup having fun in San Francisco.

And that role was really like my first exposure to the world of open source, but not in a really direct way because I wasn’t working with it. And I almost felt like we were kind of pulling open source out of enterprises or making it more restrictive in certain ways. Cause it was like we were bringing to light all the open source licenses and if you should or shouldn’t use them in an enterprise, right? So it felt a little ambiguous, right?

But I spent seven years there working with the CEO and gradually kind of moved through different roles at that company. I was great about working at a startup. I was the sales operations manager. And then later I transitioned into marketing. And then that company got acquired and I stayed on for a couple more years doing marketing things. And then I transitioned out of there in 2019 and went to Weaveworks where I feel like my true journey with open source really began. I started working at Weaveworks and as a community manager at that point, transition from marketing went into community management. Thanks to general good faith in my boss at the time, which was Tama Nakahara. She’s amazing and an amazing mentor. And she was like, I have marketing, you’re fine. You’re personable. You’ll be great as a community manager and really took me under her wing and taught me everything I needed to know. And learning all about Flux and Flagger in that CNCF ecosystem and really being embraced within those communities was where I feel like it really truly began.

Yesenia (04:09)
Nice. It’s nice little journey to start and then just what brought you here now to OpenSSF? Did you come from there or have you explored other open source projects that you would like to mention?

Stacey Potter (04:19)
Yeah. So Flux and Flyer were my true introduction. Been in and around the CNCF for a while. After Weaveworks, I went to Dynatrace and worked on the Open Feature project and the Kept project, which are both CNCF projects as well. Super great communities there as well. And then after Dynatrace, I went to Stacklok, which is another startup. And they had a project called Minder, which we donated to the OpenSSF. And I had kind of heard musings of the OpenSSF when I was kind of in that CNCF ecosystem before, but didn’t really know a whole lot about it. And when I worked at StackLock, kind of became more familiar with the community. We donated that project. I went through the entire process of like what donating a project looks like within the OpenSSF ecosystem. So that was fun and interesting.

Yesenia (05:11)
Interesting.

Stacey Potter (05:18)
And yeah, that’s StackLock like switched positions. It kind of is going a different route now. And so I came to OpenSSF just almost a month ago, not quite a month ago, so three weeks ago now. And yeah, that’s how I got here.

Yesenia (05:31)
That’s amazing. Here you are. Perfect. Yeah, it sounds like a good experience exposure with community building and open source projects for CNCF and OpenSSF, which are big, big organizations when it comes to open source. So very interesting, very interesting indeed. So we’ll move on to the next question. This is during my online recon, we’ll say, consented recon. I discovered you are the co-chair of Platform Engineering Day. Can you share with the audience what this is, what the event is, and what excites you the most about working with this community?

Stacey Potter (06:13)
Yeah, absolutely. So Platform Engineering Day, mean, well, as internal developer platforms, IDPs, really help dev teams move faster by giving them tools and frameworks that they need, right? So Platform Engineering Day is all about sharing real world tips on building great internal platforms, not just the tech, but the people and the processes as well, right? So it’s a chance for platform folks from all different job titles and job roles to trade stories, lessons, and ideas on making the dev experience awesome. So what excites me about working in this community? I think there’s just so many passionate people involved in this space. I know Platform Engineering Day has become kind of this buzzy word of late, right?

Yesenia (07:11)
Marketing.

Stacey (07:13)
Exactly. But I mean, to the people who are in it, they, from my perspective, as I’ve gotten involved in it, they’re super passionate folks, right? And they really want to make this experience, you know, as good as they can. But after chatting with Paula Kennedy, who is my co chair, and Abby Bangser, whom I got to know through an old Weavework’s colleague, we felt the need for not just a bunch of tech talks on the topic. But really, we wanted to provide, as I said before, a place where platform engineers, product managers, solutions architects, and other folks could come together and share lessons learned in building and managing internal platforms, measuring platform maturity and improving these golden paths and the developer experience as a whole.

Yesenia (08:04)
Nice, do you want to do a quick plug on when the next platform engineering day is?

Stacey Potter (08:08)
Well, it’s a colo with KubeCons. So if you’re going to the next KubeCon, which I believe is North America in Atlanta, Georgia, for all those folks who are outside of the States, I’m sorry, that you may or may not be able to come here based on a number of different things. But we’re trying to do it co-located in general with KubeCons, because it kind of fits there and makes sense. And we’ve had a great response so far, right? The first one, we got more CFPs than any other co-located event had ever gotten at any KubeCon, colo event before. And I think we had hundreds and hundreds of folks in the seats listening to all these great talks. And I’ll also just highlight the platform’s working group within the CNCF too. This is a great team of people working on all things platform related. And if you’re interested in learning more about platform engineering in general, the platforms working group within the CNC app is really a great place to go.

Yesenia (09:15)
Yeah, I didn’t know that it was in KubeCon. I’m hoping to go my first year this year in Atlanta.

Stacey Potter (09:21)
Yeah. Yeah. I think Paris was our debut. Yeah. Yeah. Right. Not bad. And we just had our last one in London. Yeah.

Yesenia (09:24)
Hmm, that’s a good debut. Fashion debuted there. there you go.

Stacey Potter (9:31)
We’re so fashionable. Who knew?

Yesenia (09:36)
Talking about fashionable. During my cyber roots, I found your GitHub profile, which I loved and made me giggle and smile in several locations. But you noted you’re queer and for recording purposes, AF. I’d love to hear your perspective on how this has transformed your journey and influenced you being involved in these open source communities and anything you want to share with the audience.

Stacey Potter (10:15)
Sure. So being openly queer in tech and the open source space has been a pretty powerful part of my journey, I guess, in retrospect. It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community, regardless of what the, I guess, we’re going to call it difference is for whomever is coming into your community.

I think something I’ve been lucky to experience in the Kubernetes and cloud native and broader open source ecosystems is that welcomeness, that feeling of belonging. I’ve never felt like I didn’t belong here, right?

Yesenia (10:45)
Yeah.

Stacey Potter (10:48)
Which I think is pretty special. I mean, it’s a privileged place to be, I think in certain ways too, right? Like I am a cis white woman, right? But I present as butch and I’m you know, that’s my that’s what I call myself, right? That’s how I identify. And some people could be put off by that. But I have always felt embraced here. And, you know, like these spaces have empowered me to show up fully as myself, which has not only boosted my confidence, but also allowed me to connect with and, you know, mentor, I guess, others navigating similar paths, whether that’s being queer or being a woman or whatever.

I think visibility matters and I found that authenticity can be a bridge, right? Whether it’s in a code review, which I don’t do by the way, community calls or just, you know, contributing to projects that reflect shared values that you have, right?

Yesenia (11:48)
Yeah, it’s great because that’s the underlying foundation of open source. It’s just a community of anyone that can come in and contribute and make a project, move a project and make it successful and gave me a little bit of goosebumps there as you were speaking on that one. But because I feel the same when it comes to like the open source space is just they’re very welcoming. Every time folks are like, I’m just so scared. I’m like, trust me, don’t just go ask the questions. Like this is the place to ask the technical quote unquote “this is a dumb question…”

Stacey Potter (12:15)
Yeah, and I mean, they’re just so happy. What I have found is everyone in these communities is just so happy for people to notice them to want to get involved in the first place, right? Like they’re so stoked that you’re there. Like whatever your skill set is, they’re willing to bring you into the fold, right? They’ll make it work.

Yesenia (12:22)
Yeah.

Yesenia (12:41)
We’ll figure it out.

Stacey Potter (12:41)
You don’t need to know how to code, right? Work on docs, work on…community management, promote our events, like make us a poster or a cool logo or I mean, there’s so many different ways you can contribute if you don’t write code. I don’t write code and this is my job now. I would have never thought, right? Yeah.

Yesenia (13:00)
Yeah. Who would have thunk it? Yeah, I haven’t written code in such a long time. I write for my own like fun, so I don’t lose the skill. You know, it’s like riding a bike. I’m hoping it’s like riding a bike that you never forget, but I forgot because once again, short term memory issues.

Stacey Potter (13:12)
Yeah, right, right.

Yesenia (13:17)
Ah, this is great. Moving on to the next. You are the newest member of OpenSSF. I’m sure other folks have been hired, so I’m sorry if there’s anybody that’s newer, but as far as his recording, this is what I know. And now the Community Manager, what would you like to see in the upcoming months with the impact you plan to ripple through this ecosystem?

Stacey Potter (13:38)
Wow, that’s a big question. So as the newest member of the OpenSSF team and like you said, the community manager here, I’m really excited to help grow and connect this vibrant ecosystem. In the coming months, I think I want to focus on making it easier and more inviting for people to get involved. Whether you’re seasoned security pro or just a curious first timer, I think a lot of people don’t even know that we exist maybe – the OpenSSF. So I think just awareness in general is also something that I’d like to help promote. But know, like smoothing out the onboarding journey, launching programs like the Ambassador Initiative. I think there’s been a lot of talk internally about trying to ramp that up and get that going and supporting mentorships that help contributors thrive. I’d love to see more stories, more collaboration across projects within the OpenSSF and externally within other communities like maybe CNCF, since that’s where my prior history is, right? And more representation from folks who may not traditionally see themselves in the security space. OpenSSF already has amazing technical initiatives. My goal is to amplify the voices behind them, create inclusive pathways into our work and build bridges to other communities who share our mission. So whether it’s through meetups, events, or even just a warm welcome in Slack, I want everyone to feel like there’s a place for them here.

Yesenia (15:15)
I love it. You’re full of the goose bumps today. I love that warm welcome on Slack. You had mentioned the ambassador program. I personally haven’t heard of it. Is there any, I know you guys are just, it’s in the works. Anything you want to share about it.

Stacey Potter (15:29)
Well, it’s gonna be a top priority for me as soon as I sort of get my feet, find my feet here, right? It’s only week four. But it’s definitely a priority that we want to get this out as soon as possible. And there’s already been so much work done before I came. So it’s getting me up to speed and then, yeah, I’m just super excited. think it encourages more people to join sort of.

Yesenia (15:37)
Yeah

Stacey Potter (15:56)
Also celebrating those who have made us who we are so far as well. But then, you know, lots of people would love to become an ambassador that don’t know how to get started or things like that, right? And bringing more people into the fold.

Yesenia (16:09)
Love it, love it. Well, I look forward to seeing the announcement news and learning more about that. So for those folks listening, hopefully it’s released. Hopefully it’s in the works by the time you listen to this. All right, cool. We’re going to move over to the rapid fire. I just make noises because I don’t get, Krobe’s a fancy noise maker. So we’ll go with the flow with whatever my ADHD brain decides to do. And our first question, Disney or Pixar?

Stacey Potter (16:40)
Pixar for sure. I used to live like around the corner from Pixar, so, and I’ve always been a huge Pixar fan, but this is an acquired Pixar, so they’re one and the same now,

Yesenia (16:52)
In my heart, are they really?

Stacey Potter (16:55)
Yeah, no, in our hearts we know the truth, but Pixar, yeah.

Yesenia (17:02)
Dark or light mode?

Stacey Potter (17:05)
Dark.

Yesenia (17:06)
Dark as my soul.

Stacey Potter (17:09)
Black is the night.

Yesenia (17:11)
Cats or dogs? as she takes a sip of coffee.

Stacey Potter (17:15)
Both. I have two cats and a dog, and they’re all amazing. I love them both for very different reasons.

Yesenia (17:22)
Yeah, I can’t choose between my five, so.

Stacey Potter (17:26)
Oh wow. That’s a lot.

Yesenia (17:29)
Alright, this next question and it may cause chaos to our listeners, alright? Linux Mac or Windows?

Stacey Potter (17:38)
Well, I’m a non-coder, so, and I’m a Mac gal.

Yesenia (17:44)
Mac, there it is. Well, there you have it folks. It’s another rapid fire. Any last minute advice or thoughts for the audience you’d like to share?

Stacey Potter (17:53)
Well, I’ll do some shameless plugging of our upcoming events because I’d love to connect with you all in real life and these events are great places for our community to get together and share ideas and progress on the capabilities that make it easier to sustainably secure the open source software on which we all depend. You can find all of these listed on our website at openssf.org/events

So, we’re going to be hosting some upcoming events:

  • We’ve got Community Day Japan (in Tokyo) on June 18 – which is a colo event after KubeCon’s main event
  • CD North America will be in Denver on June 26 (as a colo event after Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • CD India is August 4 in Hyderabad Co-located with KubeCon + CloudNativeCon India
  • CD Europe will be in Amsterdam on August 28 (Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • And Open Source SecurityCon is November 10 (colo event pre-KubeCon NA) which is a new event that fosters collaboration and shares innovation in cloud native security and open source software security. The Call for Proposals for this one opens mid May – so be on the lookout for that.

We’ll also be attending & sponsoring events for the remainder of the year as well:

  • We’re sponsoring, and thus have a booth at Open Source Summit North America in June (Colorado) Europe August 25-27
  • Blackhat & DefCon in Vegas in early August
  • We’re sponsoring, and thus have a booth at Open Source Summit Europe August 25-27
  • Sponsoring Open Source in Finance Forum in NYC October 21-22

I can’t wait to meet you all. I’m super excited to be here. And if you join us in Slack, please say hi. If you have any interest in any of our projects, I just encourage you to just jump in, right? Say hello. And usually that’s all it takes to get a really warm welcome from anyone in this community. And I look forward to working with all of you.

Yesenia (20:16)
There you have it from Stacey Potter. Thank you for your impact and contributions to our open source communities. I’m looking forward to the impact that you’ll have and how your ripple effects the open SSF being a part of it. Stacey, I appreciate your time and thank you.

Apr 22
Love0

What’s in the SOSS? Podcast #28 – S2E05 Secure Software Starts with Awareness: Education & Open Source with the Council of Daves

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob is joined by the “Council of Daves” – Dr. David A. Wheeler of the OpenSSF and Dave Russo from Red Hat – for a deep dive into the intersection of secure software development and education. From their open source origin stories to the challenges of educating developers and managers alike, this conversation covers key initiatives like the LFD121 course, upcoming resources on the EU Cyber Resilience Act, and how AI is shifting the landscape.

Whether you’re a developer, manager, or just open source curious, this is your crash course in why security training matters more than ever.

Conversation Highlights

Intro & Meet the Council of Daves (0:16)
Open Source Origin Stories (1:22)
The Role of the Education SIG (4:05)
Why Secure Software Education Is Critical (6:30)
Inside the LFD121 Secure Development Course (8:01)
Training Managers on Secure SDLC Practices (12:24)
Why AI Makes Education More Important, Not Less (13:53)
What’s Next in Security Education: CRA 101 and More (16:04)
Rapid Fire Round: VI vs. EMACS, Tabs or Spaces & Mascots (20:20)
Final Thoughts & Call to Action (22:04)

Transcript

[Dave Russo] (0:00 – 0:16)
If you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know.

[CRob] (0:16 – 0:46)
Hello and welcome to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people from around the amazing open source ecosystem. I’m Krobe, your host. Today we have a real treat.

I’m joined by the Council of Daves and we’re going to talk about a topic that is near and dear to both our hearts, but let’s start off with some introductions. I’ll go with David Wheeler first, and then we’ll go to Dave Rousseau. So David, why don’t you introduce yourself real quick?

[David Wheeler] (0:47 – 1:03)
Okay, sure. David Wheeler. I work at the Open Source Security Foundation, OpenSSF, which is part of the Linux Foundation, and I’ve been involved in how do you develop secure software or developing open source software for literally decades.

[Dave Russo] (1:03 – 1:20)
My name is Dave Russo. I work at Red Hat on the product security team. I’m the governance portfolio manager.

I don’t have quite as long a history with open source as Dr. Wheeler does, but I’ve been working on SDLC related activities for quite some time.

[CRob] (1:22 – 1:33)
Awesome. I think we’re gonna have a great chat today about secure software development and education, but let’s get your open source origin stories. Dave Rousseau, how did you get involved in upstream open source?

[Dave Russo] (1:34 – 2:18)
So I was not directly involved in open source for very long in my previous arrangement. I did do some work in the software industry, then I was working in an industry that was not around development. So around 2016, when I joined Red Hat, my good friend Krobe introduced me to a lot of the awesome open source stuff that was going on in and around Red Hat and the upstreams a little bit prior to that.

And a lot of the conversation was aligned with SDLC activities, specifically secure development practices, which is an interest of mine. And then after joining Red Hat, obviously I became much more involved in a lot of different areas of open source, primarily around, again, secure development.

[CRob] (2:19 – 2:24)
Cool.

David Wheeler, how did you get involved? What’s your origin story?

[David Wheeler] (2:24 – 3:46)
That one’s a little challenging because I’ve been involved in it for such a long time, I don’t even remember the first time I gave, you know, I just just contributed to release some, well, what wasn’t called open source software, because the term hadn’t been invented yet.

People were occasionally sharing around source code. Since before I was born, frankly, they just didn’t use these terms. And, you know, necessarily have figured out some of the legal stuff.

So I think the big change to me, though, was the first time I held a very, very early version of Red Hat Linux in my hand. This is back when it was being distributed on CDs. Because at the time, there was a general agreement that yes, of course, people can share source code on, you know, on bulletin boards, and maybe this internet thing, but you couldn’t build something big with it.

And all of a sudden, an entire operating system was open source, and useful. And I think this is where instead of the, oh, sure, we can sometimes share with this, oh, this can be used for building large scale systems. And that was kind of the, and I later on did analysis of this and been doing things involving open source for quite well, since before the name was created.

[CRob] (3:46 – 4:04)
Cool. Well, thanks for sharing, gentlemen. So let’s dive into it.

Dave Russo, you are the current chair of the OpenSSF’s Education SIG, which is part of the BEST working group. Could you maybe talk a little bit about what the Education SIG is and what you all get into?

[Dave Russo] (4:05 – 4:27)
Sure. So the Education SIG is obviously around educating our open source developers to do a better job of incorporating security practices in the development and delivery of these projects. Now, a lot of my previous life experience was in development, so I’ve got a fairly good amount of experience in this area.

[David Wheeler] (4:28 – 4:39)
It is very obvious to a lot of people who’ve been doing this for a while that education has not been a focus area when it comes to developers, especially around security.

[Dave Russo] (4:40 – 6:17)
Developers are mostly interested in creating cool new stuff, which I completely agree with. That is the primary purpose is to put new features and functionality in their software to make it do more cool things, better, faster, stronger, etc. However, security for the longest time was not even a consideration for a lot of software development and delivery.

And over the past 10, maybe 15 years, there’s been a little bit more attention paid to it. But there’s been a movement to try and provide good education courses that talk about secure development practices to the development communities themselves. So at the Education SIG, what we are trying to do is help address that need.

We’re trying to help understand what kind of information and materials we can provide to our upstream communities to help the developers understand what it means when we talk about developing and delivering software more securely and specific techniques and ways that they can incorporate this into their projects, such as hardening guides, delivery guides, compiler rules, general awareness of some of the reasons behind having security, not only from a risk based perspective, just making the project a little bit more robust, but now also because of a lot of international regulations and expectations by different industries and geos that are compelling developers of various types to provide very specific attestations or statements of conformity when it comes to doing things in a certain way while they’re doing their development delivery.

[CRob] (6:17 – 6:30)
Awesome. So it sounds like, Dave, you touched on it a little bit. But David, could you maybe expand a little bit about you know, why do you feel it’s important to get this type of content in the hands of developers?

[David Wheeler] (6:30 – 8:01)
Well, I think the short answer is that if developers don’t know how to develop secure software, they won’t develop secure software. It really is that simple. I often tell people that we get software that’s more secure than we deserve.

Because why should we expect that software be secure when for the most part, developers aren’t told how to do that? It’s it’s it’s not a magic trick, but it does require some knowledge. By the way, we actually did a survey of developers about the state of secure software development education last year.

And I mean, we found that overall, you know, 28% of the professionals weren’t familiar with secure software development. It jumped up to 75% for those who had less than a year of experience because the colleges and universities for the most part, are not requiring it. And so yes, they they increasingly get it over on the job.

But the on the job is often spotty, it has holes. And by the time they become more knowledgeable, there’s more that have come in, again, with that lack of knowledge. And so we’re just constantly on this treadmill of people who don’t know how to do it.

And lack of training was the was one of the primary reasons that people gave for why don’t you know how to do this.

[CRob] (8:01 – 8:17)
So I’m aware that the SIG has a couple artifacts that they work on. The first thing we’ll talk about is the LFD 121 course. So maybe Dr. Wheeler, if you could give a little taste about what that is all about.

[David Wheeler] (8:18 – 8:30)
Absolutely. I’ll quickly note, by the way, both of my participants have used my title doctor, I do have a PhD. But my experience is when people use my title, they’re just yanking my chain.

[CRob] (8:30 – 8:32)
So we love you, sir.

[David Wheeler] (8:33 – 10:14)
Well, thank you. Yeah, so the so we’ve got a course called LFD 121, developing secure software.

Now, we’re here talking about open source. But I want to make sure everybody knows that this is absolutely for open source software. It’s also for closed source software.

It’s for anybody who develops software, because the frank reality is attackers don’t care what your license is. They just don’t. They just want to take over things and do bad stuff and make everyone stay miserable.

So we’re here to help developers deal with that. I just looked at the numbers and we have including, you know, up to now, for both our Japanese and English through edX and through TI, all these are, we’ve had over 30,000 in [Crob: Wow], in that course, which is, you know, fantastic. That’s a lot of people.

That’s a lot of people. So we’ve got a course, we very much focus on the practical, how do you do stuff. And we have optional hands on labs, they’re not required.

But we do encourage people at least do a few. Because doing things hands on is really, really helpful. I’ll do a quick note.

Some people have gotten the wrong impression that security is always expensive. Generally, that’s not true. It’s retrofitting security.

That’s expensive. And so what we should be doing is stopping the retrofit. It’s not hard to do most of the stuff if you just know ahead of time what you’re supposed to do.

But once you once you’ve dug the hole deep, it’s very hard to get out.

[CRob] (10:15 – 10:21)
Speaking of security, not being expensive. This sounds like an amazing class. How much does it cost to take?

[David Wheeler] (10:23 – 10:48)
Oh, what a pitch. Of course, as you know, it’s completely free. The course is free, the labs are free, whole thing’s free.

So, you know, please don’t please don’t make costs a limiting factor for this. You know, it’s basically important for us all around the world that anybody who develops software knows the basics. And that’s what this this particular course covers.

[CRob] (10:49 – 11:08)
So a big part of your world, Dave Russo, is, you know, secure software development and SDLC, secure development lifecycle. From your perspective, you’ve looked at the LFD 121 class. What do you find that to be a useful artifact as you’re sharing it with your engineers?

It is.

[Dave Russo] (11:08 – 12:23)
The content in the course does a very good job at talking about what the different activities that should take place along the different times of the software lifecycle should be. And again, to kind of repeat from what we said earlier, awareness is a big problem that we have. A lot of developers don’t understand what it means when we say we should develop things securely.

And then you start using words like risk assessment, penetration testing, threat modeling, attack surface analysis, and people’s eyes just kind of glaze over because they have no idea what you’re talking about. The course is able to go into these topics and provide a good amount of information, provide an understanding to a developer what we mean when we talk about these sorts of things. And additionally, to David’s point earlier, making the developers aware of this early so they can build it into the plan instead of trying to go back and do it after certain things have been done, makes adopting and implementing these things much, much easier.

So the combination of knowing what these activities actually are, the amount of effort that is needed to complete them, and when to insert them into the lifecycle make the course absolutely invaluable for people who are doing software development.

[CRob] (12:24 – 12:38)
That was one of the OG projects that David Wheeler brought into the foundation. Let’s talk about some of the more current work. Who would like to talk about the security for developer manager class we’ve all been working on?

[Dave Russo] (12:38 – 13:52)
So I’ll go and I’ll start off from a general level. And then I’ll let David go into some things a little bit more in depth. So the intent of the secure software development for managers course is to again, inform.

Awareness is a problem. If I’m a development manager, and someone says to me, you need to do your stuff securely, what does that mean? There’s a lot of different factors involved.

From a risk perspective, if we don’t do these activities, what does that mean? What does it mean for the actual software itself? What does it mean for the organization or company that I work for?

What kind of risk may be exposing the company to? More importantly, if you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know. You need to understand when to put these things into roadmaps and timelines, how much time to allocate for them.

And does anybody on your team actually know what it means to do, for example, a penetration test? If not, you’re going to need to find some additional resources to help you with that. So again, not necessarily diving down into the deep weeds on a lot of these topics.

This is meant to provide additional awareness and understanding to someone who’s in a development manager position.

[David Wheeler] (13:53 – 16:04)
And if I can jump in with some additions. Fundamentally, if management’s not on board, it’s probably not going to happen.

And unfortunately, some managers are kind of assuming things like, well, the the IT security department will somehow take care of it. Well, no, they won’t. They certainly do have an important role to play.

There are things that they that they will do that will be very, very helpful. But if you’re managing the development of software, there are things that you as a manager need to know need to do need to make possible. We spend more than a little time in the course helping you understand some terminology, understanding what needs to happen, and frankly, making sure one of the key things a manager needs to do is making sure that the developers know what they need to know.

In many organizations, managers aren’t necessarily writing the code, but they need to make sure that the people they’re bringing in know what they need to know. And if they don’t, fixing that with what is fundamentally a training problem, an education problem. Because just like any other field, if you don’t know what you’re doing, you’re not likely to do a good job.

And it doesn’t mean that they’re stupid. It just means that they lack some important information. I will quickly note, just because I’m thinking of it.

Lots of people talking about AI. AI is awesome. The majority of developers nowadays are using AI to develop code, according to some surveys.

And here’s the problem. Just because some AI generated code does not make it secure code. What do you think that that system was trained on?

Right. So this actually AI is actually increasing the need for education by developers and by their managers. Because if you’re using an AI system, who is going to be reviewing it?

Not just the AI, I hope. You’re going to need people to know what they’re doing. Which brings us back to the need for more education.

The increased need for education, not the decreased need because of AI.

[CRob] (16:04 – 16:15)
Excellent point. Broadly, what other things are on the horizon from an education perspective? What do you got in the hopper in the back? It’s going to come down the road.

[David Wheeler] (16:18 – 16:20)
Well, Dave, you want to go ahead?

[Dave Russo] (16:20 – 18:23)
Sure. So the USSF is putting a lot of attention on education.

There’s some expectations as to what our SIG can help contribute moving forward in 2025. And again, I’ll hit this from an awareness perspective, I think, and I’ll let David dive in to a couple things a little bit deeper. We need to get the message out.

We need to get information out there into the upstream communities and the projects and let them know what it is we’re trying to accomplish and what materials we already have that they could leverage and use right now, as well as understanding how to bring more people into the group, into the USSF in general, and provide their subject matter expertise to help us generate even more materials on top of that.

So we’re going to be making some additions to the information we’ve got on our GitHub page and such. We’re going to try and socialize some of the things that we’ve already put together as a group, some of the hardening guides we’ve done, we already talked about some of the education courses that are being worked on. We’re taking a little bit of a look right now, something that’s in progress, a little bit of behind the curtain for everybody.

We’re working on a CRA 101 course. Again, the EU Cyber Resiliency Act has been passed by their parliament, and everyone is trying to understand exactly what that means to them. So we’re trying to put, again, a general information course together that makes it digestible for people with a couple different types of roles to understand what the CRA means and what the expectations are going to be moving forward as it begins to come into effect.

So these regulations are becoming more common. There’s a couple other ones that are in progress at various geographies around the world, so we expect we’re probably going to do this for a couple other ones as they become available. Hopefully, we’ll have some representatives speaking at certain conferences, talking about the OSSF mission in general, some of the education information in particular, and again, trying to make sure that we are looking at the right ways to bring the right information to our constituency.

David?

[David Wheeler] (18:24 – 20:18)
Yeah, so let me jump in specifically on the Cyber Resilience Act, which is kind of a big thing that’s coming up. Strictly speaking, it only applies to software, and so on, that is released to the EU market.

I guess more accurately, I should say products with digital elements, which is the term of art that they use within the regulation. But the reality is, Europe’s a big place. Most organizations, especially in the software world, are global.

So this is going to affect many, many, many. Indeed, it’ll affect many who have never really needed to look at this kind of thing before. And so we’ve been trying to develop this, what we’ve been calling a CRA 101.

We actually even have an official number for it, it’s LFEL 1001, when it’ll get released. But basically, it’s a little introduction, explanation, what does this say? What does it require?

And it’s going to be a big change, I think, to industry, to the market. It even has some requirements specifically on what’s called open source software stewards. It’s a relatively light touch, but it does impose some requirements.

It does talk about open source software developers. I think in many cases, it will be much less of a touch, but it’s not completely none. And so this is going to affect, and of course, people who develop open source software, that software usually gets pulled into larger systems in many cases.

So this is going to affect a lot of folks. And so it’s gonna be important for us all to be prepared. So we’ve been working very hard to get that introduction developed, and we’re hoping to get that out the door as soon as we can.

[CRob] (20:20 – 20:43)
Excellent. Well, I’m looking forward to taking it, so I can become smart about the CRA. Thank you, gentlemen.

Let’s move on to the rapid fire part of the interview. All right. I got a couple wacky questions, and I would like you both to answer the first thing that comes to your mind.

First, most important question. VI or EMACS?

[Dave Russo] (20:43 – 20:44)
VI.

[David Wheeler] (20:44 – 20:45)
VIM.

[CRob] (20:46 – 20:54)
Excellent answer. Now, the next one, potentially even more controversial.

Tabs or spaces?

[David Wheeler] (20:55 – 20:56)
Spaces.

[Dave Russo] (20:56 – 20:56)
Spaces.

[David Wheeler] (20:58 – 20:59)
Always spaces.

[CRob] (20:59 – 21:09)
I can go back and count, but that is a very contentious, verging on religion for many people. What’s your favorite open source mascot?

[Dave Russo] (21:11 – 21:11)
Tux the Penguin.

[David Wheeler] (21:12 – 21:14)
Oh, it’s it’s hard to beat Tux.

[CRob] (21:16 – 21:17)
Classic.

[David Wheeler] (21:18 – 21:27)
Classic.

I’m planning to print up one on a 3D printer soon, because Tux is fun. But I will say that Honk the Goose. Honk the Goose?

[CRob] (21:28 – 21:28)
Honk the Goose.

[David Wheeler] (21:28 – 21:29)
He is a kind of fun goose.

[CRob] (21:29 – 21:36)
I am personally a fan of the goose. And last question. What’s your favorite vegetable?

[Dave Russo] (21:37 – 21:38)
None of the above.

[David Wheeler] (21:39 – 21:43)
I’ll count corn as a vegetable. Corn on the cob.

[CRob] (21:43 – 22:04)
There you go. Thank you, gentlemen.

Now, as we wrap up, do you have a call to action or some advice you’d like to share with our listeners who are where they have a lot of people across the industry that listen to this newcomers or people that aren’t familiar with open source or cyber security? So what kind of advice or what call to action do you have for our listeners?

[Dave Russo] (22:04 – 22:31)
Get involved.

Get involved. Understand what’s out there. The OpenSSF has a lot of really good information, a lot of different working groups that are going through things that affect all the open source communities, trying to, you know, make our security better, reach farther, make us more proficient in those areas. So if there’s something you think you contribute or if it’s something you want to learn or just want to listen and see what’s going on, join a couple of the working group calls and see what’s happening.

[CRob] (22:32 – 22:34)
Excellent. David?

[David Wheeler] (22:34 – 23:41)
I’ve got a couple.

So for get involved, if you’re interested in security, open source and security, obviously OpenSSF, if you are the happy user of an open source project where it’s starting to become important to you, get involved in that project. If you are a developer of software, please, please learn how to develop secure software. I think our course is great.

I don’t really care if you take that course per se. If you take another course, that’s great. Because what’s more important is all of society now depends on software.

We need that software to be more secure. And the vast, vast, vast majority of the problems we’re seeing today are the same problems we’ve been having for decades. It’s well understood how to systemically counter them.

But people need to know how to do it first. And I, I don’t, as I said earlier, AI is not going to change that. AI will simply mean that we can write bad code faster.

It means we can write good code faster. But to write the good code, the humans have to know what good code looks like.

[CRob] (23:43 – 24:05)
Well, what a difference some Daves make. Gentlemen, some of my favorite people to collaborate with. I appreciate your time and all of your contributions to help trying to improve the quality of life for open source developers and ultimately the users that use all that amazing software.

So that’s a wrap. Thank you all for joining What’s in the SOSS and happy security, everybody.

(24:09 – 24:46)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, Antenapod, Pocketcast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all.

Check out the newsletter for open source news, upcoming events and other happenings. Go to OpenSSF.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up to date OpenSSF news and insight and be a part of the OpenSSF community at OpenSSF.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

Apr 15
Love0

What’s in the SOSS? Podcast #27 – S2E04 Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF

By Podcast

Summary

In this episode of What’s in the SOSS, we sit down with the OpenSSF’s new General Manager, Steve Fernandez — a seasoned enterprise tech leader whose resumé spans giants like L’Oréal, Coca-Cola, AIG, and Ford. Steve shares his “origin story,” what drew him into the world of open source, and how his decades of experience as a consumer of open source software are shaping his vision for the Foundation.

Conversation Highlights

00:21 Welcome & Introductions
00:57 Steve’s Tech Journey
03:13 Why OpenSSF?
05:02 The Role of Security & Strategic Vision
08:17 Rapid Fire & Final Thoughts

Transcript

CRob (00:21)
Welcome, welcome, welcome. This is What’s in the SOSS, the OpenSSF’s podcast where we talk to developers, industry experts, and assorted amazing people within our open source ecosystem. I’m CRob, one of your co-hosts for this little event. I do security stuff on the internet, and today we have a new friend to introduce the world to, Steve Fernandez, who just recently joined the foundation.

And Steve, maybe you could talk a little bit about, introduce yourself and maybe talk about your technology origin story.

Steve Fernandez (00:57)
Thanks a lot and great introduction, by the way. So pleasure to meet everybody. My name is Steve Fernandez and as CRob mentioned, I’m the new general manager for the OpenSSF. And I come to this place through a long IT journey. For the last 30 years, I’ve been mainly on the enterprise side of the IT game.

I’ve done various roles as CIO and CTO in many different industries as well as many different companies. Most recently, before I came to the OpenSSF, I was the CIO for NCR Voyix, and previous to that, I was Chief Technology Officer for L’Oreal in Paris, Chief Technology Officer for AIG in the insurance industry.

I was chief technology officer at Coca-Cola and then I worked many years inside of GE and Ford Motor Company in different technology roles. So I really come to this job, I think, with a different and unique perspective than many who’ve been in the open source world for forever. I’m coming as a user of the open source and it’s been a user of the software and the technology inside of all the platforms that I’ve run and managed over the last 30 years. So I’m very excited to take a little different view of technology in this role and hoping a lot of my experience from running enterprise and running large scale platforms and running things day to day is going to translate into growth for the organization and further stability as we move forward.

CRob (02:43)
And, we’ve cited here and at other events, just the penetration of open source in normal operations and just how critical open source is to a lot of enterprises. So I’m very excited to kind of benefit from the experiences you’ve had in your long and successful career and trying to help bring that more business focus to us. But I’m curious, what drew you to the OpenSSF? Was it the goose?

Steve Fernandez (03:13)
I think it could have been the goose, which is quite the great icon. You know, it was a, it’s really interesting for me personally. I was getting to a point in my life where I’ve done many, many operational roles throughout my life and my career. And I was taking a little break and trying to figure out what I wanted to do when I grow up and what I wanted to do next on the journey. And, you know, it’s one of those small things, a friend of a friend talked to me about this position and I said, hmm being general manager of a foundation. Well, I can at least take a look and see what it’s about. And, and, uh, I don’t know, it’s something I’ve never done before, but I think it might make sense. So I sat down with, uh, Jim Zemlin, uh, head of the Linux foundation. And we just had a great conversation and being an open source user throughout my career and knowing the importance of open source and security you know, to every company’s platform, to every company’s install base. It really was a job that I was looking for where I thought I could do some good for the community. I thought I could, like I said earlier, take a different perspective on things, add a little bit of my corporate background to the organization and merge the two together.

Steve Fernandez (04:31)
So for me, it was really about trying something new, experimenting – bring a little bit of your old experience into a new environment. And I have to say, in just the last month that I’ve been here, it’s been an exceptional experience and working with absolutely great people, working with a great community. So, so far it’s been a really, really positive experience and a bit different from my enterprise days, but at the same time, very exciting and it’s great to be involved in real technology.

CRob (05:02)
So it’s interesting you have a long history of kind of helping lead technology organizations. From your perspective, how have you seen security kind of help the business and how does security help developers and other consumers?

Steve Fernandez (05:18)
Yeah, so I’ve always called security kind of the hidden greatness. It’s one of those things that you don’t know you need security until you know you need security.

CRob (05:30) Yeah.

Steve Fernandez (05:31)
And on the enterprise side of the game, it’s your constant worry about security and risk. And you’re always worrying about your platforms. You’re always worried about your products. You’re always worried about making sure that things that you’re presenting to the consumer or to the employee or to, you know, the different install bases, you have an inherent need to make sure your products and your technology are secure. So I’ve always had a love hate with it because you hate to spend incredible amounts of time and investment in security, but you absolutely love it because it keeps you safe and, and, and makes sure that your products and your technology are going to…with it – you know, there are bad actors out there and people do want to get into your products. They do want to find out, you know, personal information. So security is that thing that makes us feel a little bit better. And it lowers your risk profile. And, you know, it’s really the glue that’s needed inside of a technology base.

CRob (06:37)
Mm-hmm.

And thinking about your experiences in your past roles, what do you see, kind of, the additional value and capabilities you’re going to bring to the foundation to help us further our mission?

Steve Fernandez (06:51)
Well, I’m thinking, you what I found in the foundation last month and working with people is we have an incredible set of people and we have an incredible set of technical sales and also have like a really unique community that works together in, you know, in a matrix like organization, but it really works and people are all, you know, moving forward to do what they think is the right thing.

I think what I’m going to try to bring to the foundation from my past is a little bit of strategic vision, a little bit of process, a little bit of thought process at a methodical level so that we best utilize the people that we have and the capabilities that we have. One of the great things I felt as I came into the organization and I’ve been doing my original first month assessment is, you know, we don’t have to reinvent the wheel. We just got to get efficient. We got to make sure our priorities are in line. We need to make sure we work with our enterprise partners. We need to make sure we work with our development community. And I think my job is going to be bringing those different pieces together and working a little bit more seamlessly.

So, that’s really, think, where I’ll add value and a little bit of my past will help out the organization.

CRob (08:17)
Excellent. Well, I can say personally, I’m very excited to be collaborating with you on this mission. And I know our community is very excited to be working with you. But let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I got a couple of wacky questions I’m going to ask you just off the cuff answers. What’s your favorite vegetable?

Steve Fernandez (08:40)
Broccoli

CRob (08:42)
Okay, that is a perfectly fine vegetable. Thinking about the amazing open source ecosystem, what’s your favorite open source mascot?

Steve Fernandez (08:51)
The Goose.

CRob (08:53)
The goose, that’s an excellent answer. And mild or spicy food?

Steve Fernandez (08:59)
Spicy as it can get.

CRob (09:00)
Ohhhh, that’s spicy. Nice. And final and probably most important question. Star Trek or Star Wars?

Steve Fernandez (09:11)
Gotta go Trek.

CRob (09:12)
Excellent. Both answers are great, but that’s a fine, fine answer. Thank you, thank you. Well, Steve, as we wind down, do you have any kind of parting thoughts, any words of wisdom that you want to share with our community?

Steve Fernandez (09:29)
You know, I just say to the community, mostly keep the passion alive that you have for the work you’re doing. It’s very apparent when somebody new to the community sees it, you know, especially like myself. I see the passion. I see the intelligence. I see the hard work. And I think you should all feel very proud about that work that you’re doing. It really shows and it’s really transparent to everybody.

So, you know, I’m here to work with you. I’m here to collaborate. I’m here to help drive whatever I can do to better the community. So in that spirit, just please be open with everybody. Feel free to contact me at any time if you have ideas or thoughts about how we can improve the community or how we can move forward. That’s very important to me and I want to work in this know, great environment and, you know, and really help it grow and really foster that security community that we built and continue to do so. So I just say keep working hard and it’s going great.

CRob (10:35)
Thank you very much Steve Fernandez. Thank you for joining us and thank you for spending your time today with what’s in the SOSS and to our audience Happy open sourcing. We’ll talk to you soon

(10:47)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Apr 08
Love0

What’s in the SOSS? Podcast #26 – S2E03 JavaScript’s Big Footprint: Robin Bender Ginn on Leading OpenJS and Open Source at Scale

By Podcast

Summary

Robin Bender Ginn, Executive Director of the OpenJS Foundation, joins us to talk about JavaScript’s massive footprint, the challenges of sustaining critical open source projects, and the importance of security in the web ecosystem. She shares her journey, insights on community-led development, and how OpenJS is building a healthier future for the JavaScript ecosystem.

Learn more and register for JSConf North America: https://events.linuxfoundation.org/jsconf-north-america/register/

Conversation Highlights

0:00 JavaScript’s Critical Web Presence
0:51 Robin Bender Ginn Introduces OpenJS Foundation
2:01 Core Challenges Facing JavaScript Ecosystem
4:12 Managing Older Projects and Outdated Software
8:23 Solutions and Security Improvements
12:12 Individual Impact and Community Involvement
14:35 Wrap-Up and Call to Action

Transcript

Robin Bender Ginn: 0:02
Anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do.

CRob: 0:17
Welcome, welcome, welcome to What’s in the SOSS, the OpenSSS podcast where we talk to amazing people and technologists within the space of open source, open source supply chain and software security. We have a real treat today. We have a friend of the foundation, Robin Ginn, and we are going to hear some amazing stuff about her little corner of this amazing world called open source. So, Robin, why don’t you introduce yourself and maybe share what’s your open source origin story for our audience?

Robin Bender Ginn: 0:51
Super cool. Well, hey, thanks for having me. I’m just super psyched to be here. We kind of have a little I would say we have a little corner for JavaScript. We have a big sort of footprint in the world. If you think about the web, JavaScript’s in 98% of the world’s websites. And I have the honor of being the executive director of the OpenJS Foundation. I’ve been there since the beginning and OpenJS was the merger of the Node.js Foundation with the JS, the JavaScript Foundation, a little over five years ago. So, I came on after a long career at Microsoft doing open source to lead up this wonderful organization. So super psyched to be here.

CRob: 1:39
That’s cool and we’re very glad for all the amazing work that comes out of your community super used around the web. From your perspective, having done this for a while, what do you see are some of the core challenges facing the world of JavaScript and the web ecosystem that impacts security?

Robin Bender Ginn: 2:01
Well, you know, I think we have the coolest developers around. Again, anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do. But unfortunately, one of the key challenges is the world of tech suffers from this shiny penny we call it the shiny penny syndrome.

Robin Bender Ginn: 2:26
People love the latest and greatest things and, you know, sometimes JavaScript and the web may not be seen as strategic as it truly is. That sort of creates a kind of a ripple effect on some other challenges we face. So whether that is raising money, you know, sustainability is very important. We have a lot of volunteers running our open source projects. As opposed to some company led projects, we have a lot of community led projects. So if you think about Node.js, it was downloaded 2 billion times last year, wow, wow. And that’s a lot of volunteers and, unfortunately, a lot of companies who all rely on, for example, Node.js, treat our really hardworking, passionate volunteers like they are their paid support staff and create a lot of demands on these folks. So those, you know, leads to burnout and all these other things.

CRob: 3:33
And that’s something that many of the communities we talk with and interact with feel similarly. They have similar challenges.

Robin Bender Ginn: 3:39
Yeah.

CRob: 3:42
Yeah, I think you probably touched on this a bit with your statement of being kind of a seminal foundation for the web. It’s hard to be a little older speaking as someone that has a little more gray in their hair than they used to, and OpenJS holds some really interesting kind of oldies but goodie type projects like Node.js and jQuery. You know how that impacts your maintainers and end users, where it seems like there are so many people that are using outdated or unsupported open source software?

Robin Bender Ginn: 4:22
Yeah, I mean, it does you know? Sometimes it sucks to be old, but in our case I would say that we have broad adoption. So Node.js, again 15 years old, it’s basically everywhere. Node is everywhere. Express.js, you know, 30 plus million. You know weekly downloads. Jquery, 18 years old. It’s in 92% of the world’s websites. So you know, what’s great is the adoption, the stability. The maintainers, many of them have been with the project for 10 plus years. It’s awesome.

Robin Bender Ginn: 4:59
And yeah, so we have this beautiful culture around these projects. You know, some of the challenges are a couple of things that we fixed. One is that our infrastructure got to be a little messy.

Robin Bender Ginn: 5:17
Let’s just put it that way, not quite like wobbly servers in people’s closets, but you know we had to do like an archaeological dig over the last couple of years to find out who in the years past, you know, had a handshake deal with this IT infrastructure company, who had access. So we’ve, you know we’ve done a lot on the infrastructure front to kind of clean that up. But, as you mentioned, a core challenge with older projects is that a lot of people are still using old versions that are unsupported and outdated.

Robin Bender Ginn: 5:55
We did some research with IDC Research Al Gillen, a pretty prominent open source developer analyst, and found that three quarters of a billion websites are using out of date jQuery, and of those people we surveyed which is pretty consistent with some other data we’ve seen a third of those reported having security and privacy incidents in the last two years. Yes, the Node project has done some other research to find that three quarters of users on Node.js are using old and outdated versions. Again, with 2 billion downloads, that’s pretty significant too. So we have created a couple of tools for people to see if they’re using current versions, and for us, it may not be our projects that could create a vulnerability, but it’s really a canary in the coal mine. So, for example, if you’re using old jQuery, if you’re using old Node, probably everything else under the hood is old too.

CRob: 7:03
It’s a really good guess.

Robin Bender Ginn: 7:05
Yeah, so if you want to kind of check your website, you can go to healthyweb.org to see if your jQuery is out of date and then the Node project. If you go on GitHub on Node.js, it’s /is-my-node-vulnerable and you can find out if you’re using an outdated version or not.

CRob: 7:29
This is a really kind of a systemic problem. I’ve talked a lot about this with Brian Fox from Sonotype and others in the ecosystem, and this is something that is again another very common problem. We have a lot of different language ecosystems, and, while the nuances of how to work in that particular space is a little different, a lot of the core challenges are identical.

Robin Bender Ginn: 7:52
Yeah, that’s why we wanted to sort of create this sort of idea of a health check. Like you know, you get your health check once a year, make sure you know everything’s spot on with your physical. We want people to like, maybe yearly, like you change your batteries and your smoke alarm, why don’t you take a look at what versions you’re using?

CRob: 8:13
That’s awesome advice. Yeah, so, but it can’t be all doom and gloom. What do you see as some kind of pathways to move us forward to a better future on the web?

Robin Bender Ginn: 8:23
Yeah, we have had a lot of industry support, government support and support from folks like you at OpenSSF and our friends Alpha Omega. So if you think about, you know, the IT infrastructure, we really solved that problem through funding from the Sovereign Tech Agency oh, excellent, which was wonderful. They provided funding for us to do, you know, kind of that archaeological dig, so to speak, and we essentially modernized all of our OpenJS hosted projects onto just a few handful of software companies, whether it’s CDNs or clouds, and that has all been consolidated, migrated, and now we have some great partnerships in place for people who are sponsoring that work. So, for example, like CloudFlare, DigitalOcean, fastly, Microsoft Azure and others. So we know that six months from now, two years from now, that they’re going to be supporting our infrastructure. And what else was your other question? Oh, on how you know.

CRob: 9:37
What else do we do to move it forward? What do you do to move it forward?

Robin Bender Ginn: 9:39
Yeah, I mean really, I think one of the inherent problems with relying on volunteers is the one missing component to our maintainers is having people with security expertise. That is kind of a secret sauce for talking, you know.

CRob: 9:57
Yeah, it is so.

Robin Bender Ginn: 10:00
Through grants, through Alpha-Omega, we’ve been able to fund security engineers.

CRob: 10:05
Yes, oh, that’s awesome.

Robin Bender Ginn: 10:06
Which we couldn’t have done it otherwise. I mean, I think this is maybe the fourth year we’ve had a Node grant from Alpha-Omega. Four years ago the Node project did not have an active security working group. Today it’s a very robust working group. Back in the day four years ago it was very difficult to put out security releases for Node. It was 26 steps for every release.

Robin Bender Ginn: 10:33
Imagine with someone without expertise who wants to sign up for that in their free time nobody right, yeah, so, um, as part of the work um, that security working group now has fully automated their security uh releases, so it’s been like a game changer for the Node project.

CRob: 10:51
I bet Well. It also relieves a lot of the burden from the regular maintainers as well, right?

Robin Bender Ginn: 11:02
Absolutely. They’ve also put out some permissions, guides and policies on what defines a vulnerability and what doesn’t. Our OpenJS Foundation Security Working Group, which we call it LabSpace security working group, which we call it Lab Space. We’re opening up our own CNA, which is pretty cool, so we’ll be communicating more about that. The thing about JavaScript is that I think security vulnerability reports, probably like others, have become like car alarms Ignore, ignore, ignore. So hopefully, with some new policies and kind of having a little more control with this with our own CNA, we’ll kind of alleviate some burden for our folks.

CRob: 11:40
Oh, that’s excellent. That’s so exciting to hear about those amazing changes. I’m so happy for you all.

Robin Bender Ginn: 11:47
Yes, I know, honestly, we couldn’t have done it without the grants that we’ve received from you all and the membership support and the government grants, which we hopefully will go after some more Excellent.

CRob: 12:02
And thinking about can an individual make a difference in the space of web security or are they totally at the mercy of big tech in the space of web security.

Robin Bender Ginn: 12:12
Are they totally at the mercy of big tech? No, I think one of the flip sides of having these community-led projects is that if you want something, if you want to influence an open source project, we kind of have a doers, not a talkers policy. Excellent. So if you’re a doer, if you want a feature, if you want to help, all you have to do is show up. I think, again, we have the most warm and welcoming and fun group of community members. So, as you know, with open source, you can just come to any of our meetings. We have a radical transparency policy at OpenJS in our projects. So our meetings are almost all streamed live on YouTube and on our YouTube channel. So if you want to just lurk, if you want to participate, if there’s something especially you want, you can just be a doer, just show up and do the work. Also, there’s so many ways that you can make a difference. If coding is not your thing, but you want to make a difference, I like to say content is queen.

CRob: 13:17
I love that I’m going to open source that.

Robin Bender Ginn: 13:20
Absolutely so. You know we do a lot with training, documentation, uh, community organizing, um, and so that’s again brought new, brought new community members to our projects that’s amazing.

CRob: 13:35
Well, let’s move on to the rapid fire part of our session here. Right on, let’s do it fire, rapid fire. A couple quick and crazy questions for you. We’ll start off with a controversial one vi or emacs, neither. Oh, what’s your editor of choice?

Robin Bender Ginn: 13:57
I am a writer, I write about code the same.

CRob: 14:03
That’s awesome, cool cool, we’re neutral.

Robin Bender Ginn: 14:05
I’m neutral at Open.js well said, there you go.

CRob: 14:11
Who’s your favorite open source mascot?

Robin Bender Ginn: 14:15
Well, the rocket turtle probably. We had a mascot contest for the Node project 15 years ago. When it was created. We had a turtle icon and a rocket icon and you can see the rocket turtle is our new mascot, that’s awesome. Yeah.

CRob: 14:34
What’s your favorite adult beverage? Water, water flavored water, water, water flavored water, water flavored water well, that is a responsible choice, yes, adult beverage, so I don’t know I had a person just tell me coffee, which I was like you know, you’re right, I love coffee. That is my favorite adult beverage too.

Robin Bender Ginn: 14:55
Yeah, I, yeah, I don’t know.

CRob: 14:58
And then uh kind of uh as we wrap up here thinking about, uh, what call to action would you have for our audience or what advice would you like to share to a newcomer trying to break into this amazing space?

Robin Bender Ginn: 15:13
Um, yeah, I think the one thing I would say is you know, if we had one, I would encourage folks to join our Slack channel. That might be kind of an easy entry way, maybe even a little easier than trying to figure out what’s going on in GitHub. We have so many different channels. We have an icon right on the homepage of our website, so whether you’re interested in security or package metadata, interoperability or standards, we’ve got like an all-star group working on TC39 and some W3C projects. An easy way to get to know folks perhaps is our Slack channel and then you can see what’s going on. We also have a book club and events and other fun things, so you can get to know us. But yeah, it’s a very friendly group. You can always reach out to me too if you’re just not sure where to go, and I’m happy to introduce you to folks in each of these areas.

CRob: 16:08
Well, excellent. Thank you so much for showing up and sharing a little bit about this amazing space that, as you shared, runs a lot of our world today, and especially how we interact with software and services and applications. So thank you for all the work that your foundation does and thank you for the amazing things you do for the community.

Robin Bender Ginn: 16:28
And thanks, CRob, and for all of your folks. You provide a lot of guidance. I know we sometimes bend the rules a little bit to customize things for JavaScript, but you know You’ve got to make things for JavaScript, but you know You’ve got to make it work for the environment you live in. We do. We take all of what the OpenSSF creates and then we maybe tweak it a little bit for what works for our maintainers and end users. And we’ve been working on and we’ll be publishing on our website some new guidelines as well.

CRob: 16:56
Well, I look forward to reading it. Thank you for joining us. Have a great day.

CRob: 17:09
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Mar 25
Love0

What’s in the SOSS? Podcast #25 – S2E02 Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding

By Podcast

Summary

In this inspiring episode of “What’s in the SOSS?”, we welcome our new Co-Host, cybersecurity expert and open source advocate Yesenia Yser. Join hosts CRob and Yesenia as they delve into her compelling journey from discovering open source at Red Hat to pioneering AI security at Microsoft. Learn how Yesenia blends her passion for cybersecurity, Brazilian jiu-jitsu, and empowering communities—especially women—to shape her personal brand and advocacy efforts. Don’t miss this lively conversation full of actionable insights for anyone interested in cybersecurity, open source communities, and personal growth.

Conversation Highlights

00:18 – Introduction to Yesenia Yser
00:55 – Yesenia’s open source origin story
03:30 – From cybersecurity professional to jiu-jitsu practitioner
05:56 – Building a personal brand in tech and beyond
09:04 – Advocating diversity in tech through the BEAR group
12:40 – Fun rapid-fire round (VI or Emacs, Coke or Pepsi, favorite open source mascot, spicy vs. mild food, and more)
13:52 – Yesenia joins as new co-host of “What’s in the SOSS?”
15:39 – Advice for breaking into open source and cybersecurity

Transcript

Soundbite – Yesenia Yser
One thing that you’ll hear me advocate over and over again is to find an open source project that will support your career growth. Whether you’re looking to go into program management, business analyst, management, or your technical skills, find a project that aligns with you. You can jump on the open source Slack and hit up in general, just say, I’m interested in doing this, this, this. This is how many hours I have. And I bet you someone’s going to be.

Hey, come over to our group, join us. We’ll teach you along the way. That’s the best thing I know about open source and the tech is that folks are very open to teach.

Intro – CRob (00:18)
Hello and Welcome to “What’s in the SOSS?” OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem. My name is CRob, one of your hosts, and today we have an incredible treat. I’m talking to a very dear friend of mine and amazing open source contributor, Yesenia. We have some amazing news to share at the end of the podcast today.

CRob (00:49):
Yesi, please introduce yourself to the audience and tell us about your open source origin story.

Yesenia Yser (00:54):
Hey everyone! Thank you for those listening. I’m Yesenia, born and raised in Miami, South Florida. I’m Cuban American, I’ve been in the cyber tech industry for over 12 years, a bachelor’s in computer science, and a master’s in digital forensics. I usually like to joke that I “social engineered” my way into my first security role. It was always interesting because in school I used a bunch of tools that were online and free.
My first couple of jobs, we used a bunch of libraries and things of that nature. It wasn’t until my time at Red Hat, which was like six years into my career that I realized what I was actually using and that it was open source and there was a huge community of great and amazing folks behind it that are part of it. So from there, I started exploring open source more exploring OpenSSF, a community that I do a lot of, advocacy work and contribution to. But it was just, it was very interesting that for someone that uses it, this is just, you know, everyday person that’s like learning how to code. You bring in Python, you import your libraries and you got to keep them up to date every now and then. And you don’t really know where they come from, but they come from a little black hole that’s called the open source space. Then, my journey took me from Red Hat. worked at the Linux foundation on the Alpha-Omega project. So I was helping with the Omega piece of it and we, in which we were automating, security vulnerability identification and open source software. Then my career took me to Microsoft where right now I’m working on artificial intelligence and open source security research. In that space, I get to explore both AI from the large tech industry and all the threats and yumminess that is in this emerging new technology. And then I get to share my love and passion for open source.

CRob (02:48):
That’s awesome. And as we mentioned, you and I both work together at Red Hat, where you were the very first supply chain security engineer. So I am a little bit more up to speed with your background than other folks may be. But, I think what I find very fascinating about you is that you not only are an amazing technologist and super smart, but you also have a lot of outside of work activities that I find very fascinating. Could you maybe talk about how things like your passion for jiu-jitsu and outside activities kind of inform your practice around open source security and AI security?

Yesenia (03:30):
Yeah. So starting at Red Hat was pretty, pretty cool. I was there as the first supply chain security engineer. A very big breach happened called SolarWinds, in which it blew up the supply chain security space for the industry. So, it was really great to be in the forefront of that in such a big company that is big and open source and be able to see all the plethora of things that happened in the wild wild west that is the development industry.

So outside of work is usually what I like to say about my day job. So by the day, I’m a security professional. By night, I’m a jiujiteira, which means a jiu-jitsu practitioner. I’ve been working, I’ve been training and teaching jiu-jitsu for almost seven years now. Started with the kids and working with them. And it was just lovely to see their faces bright light up when they learned a new technique. And over the years I’ve seen parallels between jiu-jitsu and my own cyber career, in which I became a mirror of things that I was seen as myself in a leader in the cyberspace that was holding me back. And then that was being mirrored into my jiu-jitsu. A year or so ago, I started a nonprofit called the Lioness Instincts, in which our mission is to empower women to protect themselves both physically and digitally, because as a security professional and a presented to jiu-jitsu instructor, which we would teach women’s self-defense classes and teach kids. I saw a huge boost in just their self-confidence and being able to work through some of the traumas that does happen through some of the crazy things that happen throughout the world. So we started the nonprofit. And if I’m not in the cyber world, I’m on the mat teaching and training. I also have two dogs that I teach and you’ll see me with them as well.

They’re their own plethora of tricks and cuteness.

CRob (05:25):
That’s awesome. And I know how much this kind of outside advocacy and your jiu-jitsu kind of affects, know, it colors your thinking and how you conduct yourself. Let’s think about this. I know you’ve kind of taken this and kind of started to develop a personal brand around these types of things. Can you maybe say why it’s important for people to find these opportunities and these passions and kind of try to do this for themselves? How does this personal branding help you?

Yesenia (05:56):
Yes. So for me, it’s my personal brand. And for those that follow, I’m called cyber jiujiteira online because of the mixture of, me, gives me a purpose and an avenue. And usually when I make a decision of something that I’m going to do, I ask myself, does it match or fit my brand? And my brand has its own pillars of advocacy as it has its five, has its five pillars, which is, cybersecurity and promoting advocacy, education and guidance to get more folks into the industry. There’s just the empowerment, self-defense, digital privacy piece that involves digital and the physical side, teaching and lessons, motivation, and then lifestyles. Because I normally talk to folks and they’re like, you have a very interesting lifestyle of just working in training, working in training, and then running a nonprofit. So I feel like a brand helps you not only keep because I have ADHD, so I’m all over the place, but it helps me keep aligned with what I’m doing and then ensuring that I can go back to it when it comes to social media platforms, it helps people know who I am and what I stand for. So I’ve been in conferences, both physical, like for jiu-jitsu things, and then for cybersecurity things or open source. And they’re like, you’re the jiu-jitsu girl. You’re the cyber girl. So it’s great. I’m like, yeah, you know me.

It becomes a cool way for folks to connect with you on a more personal level, and understand who you are. And in that, once you hear that you understand that I’m a martial artist and any thoughts around martial artists, you relate it to me in a, in a way. So martial artists tend to be disciplined. They tend to be focused. They tend to have patience. So as an individual that’s applying to cybersecurity roles that are fast pacing, working with executives. Things are constantly moving. You have to adapt quickly. The mindset of a martial artist, I think, falls very well into that, which helps with interviewing. And somebody said it the other day, which I think is great for branding, is your brand should be getting you the interviews. So instead of you searching out for these interviews, your brand should be helping you acquire what’s right for you.

And it’s just very important when you’re networking and connecting with folks that your brand speaks on who you are, whether or not you’re in the room.

CRob (08:29):
Excellent. Yeah. And thank you for all you do for especially, you know, late getting ladies into cyber and talking about self-defense. I think that’s amazing contribution back given back. We get to work together in the open SSF as part of a group that also has a lot of very strong advocacy bent to it. So maybe could you talk a little bit about the bear group that we participate in and you know, why is it so important to kind of bring awareness and kind of reach out to people that may not be currently in this career path of this world.

Yesenia (09:03):
Yes. So the BEAR, I think what we’re doing in the group is great. So bear stands for belonging.The E is empowerment, is for allyship and R is for representation. And I, I strongly feel very passionate about this because in the open source space, let’s just start with the challenges. A lot of the times are open source maintainers. They created this when they were younger. It was a college project. It was just a fun idea that they had and somehow it went very mainstream. It went viral, blew up, and now is in 80 to 90 % of software that’s out there, right? So we have this one tool that’s maintained by one person who probably has a family, who probably works two or three jobs. And it’s crucial to everything from US government infrastructure to maybe you know, outside sources to big tech company, industries. So the idea of Bayer is to be able to make that bridge a little bit easier for folks. Cause I know myself when I was starting, as I mentioned earlier, I didn’t know what open source was. was just like, okay, some cool thing that I can pull from online, but having these like community office hours, which we do once a month, we get to highlight different areas of like how to get started into space, how to look for mentorships.

We talk about your branding and how to get that. And we just highlight a lot of amazing voices in the community and that we are associated with to bring out different representations and ideas that will help folks understand how to get into the industry. This is also for folks already in the industry, because if you want to give back or you have knowledge that’s very important, you can set up your own mentorship. You can join our community and plan different events.

We’re looking to also host conversations at different OpenSSF and open source community conferences. And this advocacy is important because it’s going to give maintainers and open source contributors a little bit of extra break room to bring more folks in. One of the biggest issues you hear is that people just don’t have time. But if they have an individual…it’s willing to take on a task, right? And it doesn’t have to be a coding task. It can be writing documentation to make it easier for other people to use it. It could be updating the website. It could be a plethora of different skills that doesn’t require coding that can assist the maintainer in coming on. And we can just improve our open source software and tools usage.

CRob (11:43):
Yeah, it’s an, love the mission of the bear group and I love kind of the, how we’re moving forward with the community office hours. I think it’s been really impactful to kind of give these different perspectives and try to help have a very broad contributor base and help people break into something that sometimes there’s a lot of obstacles to, right?

Yesenia (12:04):
There’s a lot. And if you’ve missed any of the previous ones, they’re on YouTube. You can check them out and join us on Slack and ask, know, questions. We’ll be willing to either make a community office hours specific for that or just answer your questions right there on Slack. Even if you’re looking for a project.

CRob (12:23):
Cool. Well, let’s move on to the rapid fire part of the interview. All right. I have a couple of wacky questions. You probably don’t want to be drinking a drink when I ask you this. We don’t need any spit takes, but first question, VI or Emacs.

Yesenia (12:42):
VI or Emacs, we’re going to go with VI.

CRob (12:45):
Nice. Excellent, excellent. There are no wrong answers.

Yesenia (12:49):
Here. Haha.

CRob (12:52):
Next question, Coke or Pepsi? Yes, there was a right answer for that one and you’ve got it. Who’s your favorite open source mascot?

Yesenia (12:54):
CRob with the goose hat.

CRob (13:05):
CRob the goose hat?! Haha.

I don’t think you have a tattoo of that one yet though.

Yesenia (13:11):
Yet, but the one I do have a tattoo is Tux

CRob (13:15):
Very nice. What’s your favorite adult beverage?

Yesenia (13:19):
Coffee. This place is coffee.

CRob (13:23):
Yum yum yum. Love me some coffee. And last rapid fire question, spicy or mild food?

Yesenia (13:31):
None of the above. I’m Cuban. We don’t do spicy. It all hurts. haha.

CRob (13:39):
Fair enough.

Yesenia (13:40):
Seasoned, seasoned with a dull.

CRob (13:43):
Okay, excellent.

Well, thank you for playing rapid fire. So before I move on to our last question, I wanted to let the audience know that Yacinia is going to be joining us as a featured co-host of What’s in the SOSS. So you’re going to see her talking to some other amazing, interesting people. Do you want to give us kind of a little taste of what you, kind of the types of topics or people you’re interested in exploring as you’re going through and doing interviews?

Yesenia (14:11):
Yeah, I’m just interested in getting folks in the open source community and then external that may not even be aware that they’re using open source or how they can get involved. Our upcoming community office hours is going to bring in some amazing voices. But really just anybody that’s interested in speaking, speaking in the open source, talking about their journey in any shape or form or bringing in some technical coolness that, you know, like to spice up the SOSS, right?

So if you are interested… Was that the play if I said spicy? Yeah, I had feeling that was going be the audio.

Yeah, just looking at my list, but, once I post, this episode or just a general call for action, I’ll keep the community up to date, but if anyone listening to this is interested or has an awesome voice that they would love to share the space with, let me know.

CRob (15:11):
Yeah, I think this is going to be really amazing. Kind of reaching out to new voices and perspectives and just kind of broadening the awareness of the things the foundation does and the importance of open source security. So thank you for joining us. Yeah. And to that end, as we launch you off on your new endeavor, what’s your call to action or what advice do you have for people trying to get into this crazy field of cyber and open source security?

Yesenia (15:24):
Thank you for having me.

One thing that you’ll hear me advocate over and over again is to find an open source project that will support your career growth. Whether you’re looking to go into program management, business analyst, management, or your technical skills, find a project that aligns with you. You can jump on the open source Slack and hit up in general, just say, I’m interested in doing this, this, this. This is how many hours I have. And I bet you someone’s going to be.

Hey, come over to our group, join us. We’ll teach you along the way. That’s the best thing I know about open source and the tech is folks are very open to teach.

CRob (16:18):
Well, again, thank you for joining us today and thank you for volunteering to help us co-host the podcast. And we look forward with eager anticipation to the amazing interviews you’re going to do for us. And with that, it’s a wrap. Thank you all for joining us today.

Yesenia (16:29):
It’s going to be amazing. Thank you.

CRob (16:38):
Thank you.

Outro (18:40):
Enjoyed the podcast? Subscribe to “What’s in the SOSS?” on Spotify, Apple Podcasts, Pocket Casts, or your favorite platform. Stay updated with OpenSSF news and events by subscribing to our newsletter at openssf.org/newsletter. Join the OpenSSF community at openssf.org/get-involved, and connect with us on LinkedIn.

Thanks for listening, and we’ll catch you next time on “What’s in the SOSS?”

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved