🎙️ Submit your talk for: OpenSSF Community Day Europe by July 12

Tag

Cybersecurity

May 19
Love0

What’s in the SOSS? Podcast #61 – S3E13 Beginner to Builder: Shaping the Conversation in Open Source Security

By Podcast

Summary

In this episode of What’s in the SOSS, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public “100 Days of Cybersecurity” challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners. She discusses how connecting with the OpenSSF community led her to the BEAR Working Group, where her authorship of the “Beginner to Builder” blog series has allowed her to move from consuming content to actively shaping the open source security conversation. Ejiro also offers advice to the next generation, emphasizing that open source contribution is not just about coding but is a welcoming space for anyone to learn and grow, regardless of their current expertise.

Conversation Highlights

00:00 – Music, Promo clip, & Welcome
01:11 – Ejiro details her transition from UI/UX design to cybersecurity and connecting with OpenSSF.
03:39 – Ejiro explains her motivation for starting the 100-day challenge, including receiving advice to learn publicly and a previous rejection from an internship.
06:49 – Ejiro shares that she is currently on day 44 and expects to complete the challenge around April.
07:50 – Ejiro discusses her biggest personal lesson: understanding consistency and discipline, and learning from the community.
10:45 – Ejiro describes her authorship of the “Beginner to Builder” blog series, which shifted her from consuming content to shaping the open source conversation.
15:47 – Ejiro shares the impact of her work, noting that it has made cybersecurity feel less intimidating for beginners and helped her grow in confidence.
18:22 – Rapid Fire Questions: Ejiro shares her preferences on books, cooking, social media, and more.
21:13 – Ejiro offers advice to the next generation, emphasizing that open source is welcoming, not just about coding, and provides great opportunities for learning and growth.
24:46 – Yesenia concludes the interview, thanking Ejiro for her time and contributions

Transcript

Intro Music (00:00:00)

Ejiro Oghenekome (00:01.366)
So I have embarked on a 100-day cybersecurity challenge where I post whatever I learn about cybersecurity in the open. I posted both on LinkedIn and on Twitter, currently known as X. I was told to learn publicly. It has really helped me to stay consistent and it has also helped me to stay disciplined.

Yesenia Yser (00:23.662)
Hello and welcome to What’s in the SOSS, OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experience, and wisdom. So Yesenia, one of your hosts, and today I have the utmost pleasure of interviewing Jiro, who has been such a great part of the open source community and has done a lot for us already from part of the FAIR program.

writing a few blogs that we have seen out in the wild, and much more. don’t want to share details of the upcoming podcasts, but welcome, Ejiro. Please, you know, let’s start with you for listeners that are meeting you for the first time. Can you introduce yourself and share your journey into open source cybersecurity? Like what really pulled you into this space?

Ejiro Oghenekome (01:11.822)
Thank you very much for having me here. Hello everyone. My name is Ejiro Oghenekome. I’m a cybersecurity analyst. Currently I am contributing to the OpenSSA. So for how I got into this space and where I am at right now, I’d like to give a little backstory on myself so that I would better understand how I got to this particular phase of my career. I used to be a UI UX designer a couple of years.

But I think about 2024, I started to like not see myself doing UI UX in a long time. And as at that point, I was already interested in security. I was already curious to know how data is secured and a lot of other things about security. So I decided to dive in and take it as a career to learn about security. And the first course I took was the Google Cyber Security Certification course on

Coursera and it was a very interesting course. I took that. had other little courses that I took some on YouTube and other very, very not so prominent courses that I took that helped my career helped shape my career going forward. And something I didn’t have, I didn’t mention was the fact that I’ve always known about open source, even during my UI UX design time, but I really did not partake in open source contribution as at that point.

But I really, did not want my cybersecurity journey to be that way. So I was looking for every means to get into this space, to try to contribute to open source with my cybersecurity career. So fortunately for me during that time, I think about 2025, met a friend, told me, or I saw a post from a friend where she had an interview with someone that was talking about open source and open source security. I found that very interesting and I reached out to her.

I like to connect to the person so that they would share more light on contributing to open source, especially with my focus, which is cyber security. And she actually did that to me. She actually did that for me. And I connected with the person. The person was Sal. I a couple of meetings with Sal and she got to know where I was in my career, which led her to introduce me to the OpenSSF. And yeah, I am today trying to contribute to the OpenSSF in whichever way I can.

Yesenia Yser (03:39.854)
That’s such a great story how one friend, one webinar connected you to one individual that opened up the space of open source and it’s brought you to where you’re at today. Such a great story to hear. And one of the little birdies in the open source told me that they gave you a hundred days of cybersecurity challenge that you’ve been publicly documenting on LinkedIn. Like what inspired you to start that journey and

What do you hope would come from it?

Ejiro Oghenekome (04:10.67)
So I have embarked on a 100-day cybersecurity challenge where I post whatever I learn about cybersecurity in the open. I posted both on LinkedIn and on X. Twitter, currently known as X. So my journey can be documented. What’s made me do this was the advice I got from friends and loved ones. I was told to learn publicly. And that really has shaped me over time coming out.

because looking back, it has really helped me to stay consistent and it has also helped me to stay disciplined in terms that I feel so indebted to the cause of posting because I’ve seen a lot of people grow interest in what I have posted about my career, everything I do about cyber security. It has really been an interesting journey for me. Also, another reason why I embarked on the 100 day of cyber security challenge was because

I would say I got a rejection from an internship. I really did not get a feedback from them. So I would know, I don’t know if I should say that’s a rejection, but technically it is because I didn’t get the feedback. I really wanted to get a practical knowledge of what I was already learning. I’ve learned for a while and I wanted to get into the practical space. I wanted to get into the real world space to practice what I have been learning. Applied for the internship. Unfortunately.

I did not get it, so I had to take some step back and make a curriculum for myself where maybe I would be able to create something that feels really practical. The internship I applied for was a three-month internship, which is 90 days, if I would say technically. So I just had to do it, 90 days for an internship that I did not get. So I had to make it a 100-day for myself. Looking at all I have done, what I hope

to come out from this, which I am already saying is for people to know me for what I do. For people to know me for open source, for people to know me for open source security, for people to know me for cybersecurity, and for people to know me for preaching and being an enthusiast of open source. People should come into the open source space to contribute to open source and see the opportunity it comes with. And people to also know that

Ejiro Oghenekome (06:34.734)
I’m a cyber security analyst and I also give best practices. I also give basic knowledge of what cyber security is and all of that. Yeah, that is what I hope to get my 100 day challenge. And it has really been turning out well for me.

Yesenia Yser (06:49.836)
I love that because getting online and really just sharing what you’re learning, you know, on a cadence, whatever cadence that is for you is such an important way just for your own accountability and for others to connect to you, connect with you and learn what you’re learning, especially if you’re looking for jobs. I’m just curious right now it’s, you know, mid February. What day are you in for this challenge?

Ejiro Oghenekome (07:13.774)
Yeah, I think I’m in day 44. Nice. Yeah, day 44. It’s been a great journey. Yeah.

Yesenia Yser (07:22.574)
24 days. So when do you envision, it’s 100 days, so when do you envision this challenge ending?

Ejiro Oghenekome (07:29.39)
Let me try to do a rough calculation right now in my head. So we have a couple of these. So let’s see the beginning of around April. I’m not sure the dates for April. I’m not going to give an exact estimate, but yeah, by April I should be done with the 100 day cybersecurity challenge.

Yesenia Yser (07:50.85)
Very nice. Okay, so we’ll keep watching. you’re deep into this challenge. 44 days is a great time because that’s built in that habit to get it done and share out what you’ve learned. But I’m curious, what’s your biggest lesson that you’ve learned so far? And not just like technically, but like personally, like how have you changed how you see your learning, your discipline, or just like your community growth?

Ejiro Oghenekome (08:17.614)
Okay, that’s a very interesting question. I would really say if I’m going to put it short, I’ll say it has not been an easy journey. It’s not been easy because it’s not easy to stay consistent and trying to like, remodel my expectations of what I have to post, what I have to do. It is not easy. I’ve come to see that everything cannot go on the same pace every day.

I’ve had to stay consistent. I’ve had to understand what consistency and discipline means. I’ve come to get that. Consistency does not mean I have to be in the same place every day. I do not do the same thing every day. Some days I might not even feel motivated to want to partake in that particular challenge for that day. But have to stay disciplined. I have to stay consistent, which might make me cover less than what I covered the previous day.

Other days I might feel so motivated that I might cover more every other thing I’ve covered in the past. It just happens. One thing I’ve learned is staying consistent, what consistent really mean, being very disciplined in the space. Also it has given me a very good routine. In terms of community, I’ve come to understand that community is where I learn.

This learning can come by interacting with projects and interacting with people in the community that have more experience than I do. During my 100-day challenge, I’ve been able to have the opportunity to be part of the OpenSSF. This has gone hand in hand with the 100-day challenge that I’m doing. For the fact that I’m part of the OpenSSF and doing my 100-day challenge, I’ve seen the impact that the OpenSSF community has had on me. I’ll give a very simple example.

We had a blog post or we had a blog post that talks about a lot of things that we might go over eventually. Because of one research I did for one part of one series of the blog post, I a course on the OpenSSF and the Linux Foundation Education that I took in and I benefited from. That is the LFD121, that is developing secure software.

Ejiro Oghenekome (10:34.274)
want to understand from this journey that I’ve taken that I could learn from community, I could learn from interacting with people, want to understand what consistency and discipline mean.

Yesenia Yser (10:45.678)
That’s awesome. Yeah, I when you started being involved in the Bear Working Group, you and Saul were working on a blog series and I you just lightly mentioned it. It’s beginner to builder. What has that experience been like moving from learning to actually contributing publicly? And you know, this blog, it’s a big deal. It’s a three series blog. Like what does this authorship mean to you in the aspect of open source?

Ejiro Oghenekome (11:13.208)
Again, I would try to give an example to put what I have learned and how contributing to open source has been to me. During my design career, I’ve always known about open source, but I was not involved in open source contributions because as I did, I would say I did not know where to start. I did not know what to do. I did not know how to get into the space. I also felt most of the times that I did not know enough to be able to partake in open source contributions.

all of that and that’s feeling of mine is something I feel like a lot of other persons also do have. It was a problem for me and that problem I felt that a part of the blog post was able to solve it. One thing about me is if I experience a particular challenge or problem going forward in my career I try my best to solve it so that when people come behind me and they experience such problems they would not find it difficult to solve because they are

cases or maybe they are documentations that will help them go through this problem. That is one thing that I’ve been able to do with the blog posts and that is how, that is why the blog post publication was made public. And for me, Autorship in open source is more than just putting my name on the blog post or making contribution. It represents ownership of my learning and my voice. When I started my cyber security,

I was mostly consuming content. was reading documentations, watching tutorials and following experts. questions, I did all of that. But authorship changed the dynamics of everything for me. It shifted me from being just someone that consumed information to someone that is actively shaping the conversation, even if it was in small ways. Authorship made me feel responsible. I know that something I am going to write

is going to be published and the knowledge I share is going to be put out in the ecosystem. It would make me more focused. It would make me more thoughtful. It would make me more intentional about what I’m going to post. And this led me to call back, questions, ask people from the community to give me feedback on the blog post I wrote. I think you must have experienced that because

Ejiro Oghenekome (13:35.916)
During the first part, the second part and the third part, we were always very intentional to make sure that we got feedback from the community so that the best resources can be put out there to solve the actual problem we saw that we wanted to solve. And also, Authorship for me means visibility. As someone from Nigeria and someone who transitioned from design to cyber security, Autorship allows me to exist in a public space where people like me

are not highly represented. It shows that contributions does not have to fit a specific style or character. Also, it also makes me confident. It means that I am no longer waiting until I know everything before I can speak and before I can contribute in the open source space. Comfortable contributing while I am learning.

This is very powerful in the open source space because the open source space does not work with one person’s perfection, but it works with individuals putting together their efforts and their knowledge to try to make things work. The bear walking group and generally the OpenSSF community has really been helpful in this part. I’ve been encouraging, they’ve been friendly and they have pushed me to understand things. They have guided me each step of the way.

to understand what I am doing so that whatever resources we put out there will be the best quality for people that are going to have that.

Yesenia Yser (15:08.448)
It reminds me a lot of when I started, like just grabbing whatever kind of resources I could find and just learning. And when I realized that I was able to use my voice or my penmanship, so to speak, to share out information, I realized the power and the impact that I can have, you know, just not for my own credibility, but also you never know who’s going to read it down the line. Like I have articles that I wrote years ago or that I published that people still reference.

Nowadays that they’re like, this was an amazing article that you wrote. learned so much. So big kudos to you for that.

Ejiro Oghenekome (15:45.55)
Thank you.

Yesenia Yser (15:47.17)
Before we get into the rapid fire, I would love to know what impact you’ve seen in the community, either from your 100 day posts or your bear working group, like the work you’ve done with the blog. I know you mentioned a bit in this session, but I would love to learn, know a little bit more of looking at your journey so far. Like what impact have you seen?

Ejiro Oghenekome (16:08.634)
Genuinely speaking, I really did not think about impact when I started all of this. When I started my 100-day challenge, I was not thinking about the impact it was going to have on anyone. I just wanted to learn. When I started contributing to open source, I just wanted to learn. But over time, I started to notice little impact on people. I saw that for my 100-day challenge, people would message me saying things like, they started learning because they were following my post.

Some people asked me questions on the tools that I use and if I will be able to share resources with them. Other people said that made cyber security feel less intimidating because of course, a lot of cyber security posts we see online are from experts that would tell us in cyber security knowledge and try to express things in very technical terms for us, which could be very intimidating for beginners.

for people that are beginners that could relate to what I was saying, that could relate to very basic things in cyber security. It really felt nice. It really felt welcoming. It gave them confidence to say, okay, I could learn this. I could start somewhere. I could get some of this knowledge and get to that point of expertise where I would be able to have this opposed, intimidating knowledge also to myself. Also talking about the community.

The impact has been slightly different. I’ve been able to be part of so many decision-making. I’ve connected with experts that are very kind and friendly, and they want to see me grow. From publishing the blog series, this has made me more aware of my words, that my words could guide people that are just starting up, and this makes me feel so happy. I’m growing in the community in terms of

confidence and experience and also in transferable skills, in terms of receiving feedbacks and all of that growing. And I see that when resources are put out there, it’s really encouraging to me.

Yesenia Yser (18:22.126)
That’s awesome to hear the impacts from, I think he started maybe like a year or so ago into the organization. So it’s great to see and hear what has happened within a year.

So let’s go ahead and move on to the rapid part of the interviews. You gotta have fun with some of these parts. So I’m gonna ask you a series of this or that kind of questions or what’s your favorite X and then you just go ahead and respond. So first question, books or podcasts?

Ejiro Oghenekome (18:38.776)
FIRE!

Ejiro Oghenekome (19:02.117)
I don’t really like reading. I just have to read because I need to get those informations in my head.

Yesenia Yser (19:08.258)
Yeah, I get that. A favorite off-computer activity.

Ejiro Oghenekome (19:18.51)
enjoy cooking a lot. Yeah, enjoy cooking a lot.

Yesenia Yser (19:22.158)
What’s that one meal you cook often that you enjoy?

Ejiro Oghenekome (19:27.926)
I know if you would know, but I cook fried rice. I like seafood a lot. So I cook fried rice, prawns, salad.

That’s my favorite meal. That’s my favorite. Maybe one will see one of these days, I’ll make it and you will definitely testify to its greatness.

Yesenia Yser (19:48.086)
am ready for that. Next question. Best way to grow a project. it social media, conferences, or contributors?

Ejiro Oghenekome (19:57.44)
is social media yeah if I’m going to be very honest social media can do that

Yesenia Yser (20:03.726)
I feel like social media drives the other two. Next question, sweet or sour?

Ejiro Oghenekome (20:12.014)
No, sir, I don’t like sweets like that.

Yesenia Yser (20:16.366)
We had a quick, quick, quick change there.

Ejiro Oghenekome (20:19.575)
I just had to think about suits, so I really didn’t like suits.

Yesenia Yser (20:25.166)
I know we’re meeting early morning for you, so are you an early bird or a night owl?

Ejiro Oghenekome (20:32.386)
I I’m an early bird. I really do think I’m an early bird because I wake up very early and do things. I’m an early bird and I try to sleep very early.

Yesenia Yser (20:41.77)
I’m the opposite. just, at night I’m like a week. It’s so strange.

Ejiro Oghenekome (20:46.894)
I’m really not sleeping lot. So I just try to sleep at night. I stay awake very early in the morning. I get up very early in the morning and try to go on my day.

Yesenia Yser (20:57.464)
Yeah, I’ve adapted myself to it, but naturally I could stay up all night and sleep all day. Last question is your favorite treat or dessert?

Ejiro Oghenekome (21:10.702)
I’d say cakes.

Yesenia Yser (21:13.422)
That’s a good answer. There you had it. The rapid fire interview questions focused on food. So as we wrap things up, any advice for the next generation entering tech or security? What advice would you give them about using open source as a way to launch pad their career?

Ejiro Oghenekome (21:36.494)
Okay, well, I’ll give a disclaimer. would say I’m still part of the next generation. So whatever advice I’m going to say, I’m giving that to myself also. This is something I would have told myself earlier on in my career during design. Try to understand open source and the opportunity it provides. Also, open source is not just about coding. There are different things that someone can do in the open source space.

As a designer, could contribute to the open source space. As a writer, you could contribute to the open source space. As a community manager, you could contribute to the open source space. Obviously, very obvious ones. You could write codes. You could review codes. And you could do a whole lot of other things. Even joining calls, giving your suggestions on calls and decision making during the call is also a way to be part of the open source space.

get involved in the open source space. has a lot of opportunities for people. It’s a very welcoming space. I can testify to that from the community I am part of. It’s a very lovely community with lovely people. The OpenSSF has been a great space for me to learn and grow. And I strongly believe that this is how most, if not all of the open source communities are.

It’s a place where you can learn. It’s a place where you can build your confidence. It’s a place where you can grow. also open source is not about you being an expert. are with the knowledge you have. You could be part of an open source space. You could be part of, you could contribute into the open source. So commonly try to understand open source. is not as difficult as it might look from the outside. Trust me. in, learn.

be part of it and contribute. And I promise you it’s a very welcoming space to be part of. And talking about open source and advice I’ll give to people, have an article coming up that will be talking about contributing into the open source space generally. How to work for communities that you could contribute to, how to understand the communities, and maybe how to make it a first time contribution in a community.

Ejiro Oghenekome (23:54.668)
that you’re contributing to. This is not going to just be specifically about the open access, but open up source generally, how to be part of the space, how to try to understand the space and get into the space. Something else I would have, I would love to talk about is the opportunity for open source for us in Africa. I really don’t know that we, the idea of open source is not so widespread in Africa. That is why it has to be preached. It has to be introduced to a lot of people.

And I would love us to consider that, to try to make sure we introduce people in Africa to open source and the benefits it has on us, what it can do to us and the privileges it can give to us. Yes, that is the advice I would give to the next generation, also myself, the open source space.

Yesenia Yser (24:46.478)
Thank you so much for your time today, your impact, your contributions. I love that you have another article coming out to help those, know, explore the different open source communities and how to search. Thank you so much for everything you do within our community and all the hard work you’re putting together. I really appreciate your time and to our listeners, reach out to Jiro. She’s doing great work. Find her on LinkedIn and keep tracking on that 100 day challenge. Thank you so much everyone and we’ll catch you on the episode.

Apr 06
Love0

What’s in the SOSS? Podcast #58 – S3E10 Big Thoughts, Open Sources: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source

By Podcast

Summary

In this inaugural episode of Big Thoughts, Open Sources, host CRob sits down with Brian Fox, Co-founder and CTO of Sonatype, to discuss the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of “slop squatting” and the high frequency of AI models recommending non-existent or vulnerable dependencies. The conversation explores how the Model Context Protocol (MCP) could revolutionize developer compliance and why the industry must fund the critical infrastructure supporting our trillion-dollar open source ecosystem.

Conversation Highlights

00:23 – Welcome: Big Thoughts, Open Sources inaugural episode.
01:01 – Brian Fox’s journey: Apache Maven, Sonatype, and OpenSSF.
02:53 – The critical role of Maven Central in the software supply chain.
03:26 – Decades of security trends: The persistent “Log4Shell” pattern.
05:34 – The “Tribal Knowledge” problem for AI agents.
07:06 – State of the Software Supply Chain Report: AI recommending made-up code versions.
08:09 – Explaining “Slop Squatting” and AI hallucinations.
10:03 – Model Context Protocol (MCP): Turning security tools into AI expert systems.
13:42 – Do not ignore 60 years of software engineering “physics”.
15:11 – The “Vulcan Mind Meld”: Injecting governance data into AI agents.
17:19 – Risks, rewards, and the need for ML SecOps discipline.
19:30 – “Inefficient code is still inefficient code”: Lessons from cloud migrations.
21:01 – Building an “AI-native SDLC” with upfront security.
24:18 – The sustainability crisis: Secure open source builds are not free.
27:17 – Conclusion: Funding open source infrastructure (8 trillion dollars of value).

Transcript

Crob (00:23)
Welcome, welcome, welcome to Big Thoughts, Open Sources, the OpenSSF’s new podcast. We’re gonna dive a little more deeply in with some of the amazing community members, subject matter experts, and thought leaders within open source, cybersecurity, and high technology. Today in our inaugural episode, I’m very pleased to welcome a friend of the show, Brian Fox from Sonotype. How you doing, Brian?

Brian Fox (00:47)
I’m doing well, how are you?

Crob (00:48)
Excellent, we’re super glad to have you today. So maybe just for our audience members that are unfamiliar with your work, could you maybe talk a little bit about how you got into open source and kind of what you specialize in in this amazing ecosystem?

Brian Fox (01:01)
How I got an open source, that’s a long conversation. geez, all the way back in 2002, 2003, I suppose, is when I really, really got involved. I had done some dabbling and some other things before that, but I got involved around that time in Apache Maven. I started writing some plugins.

They’re pretty popular plugins, people still use them these days. And those ultimately got pulled into the Apache project, the official project. I kind stowawayed and came in as a committer. A few years later, I joined up with some other folks that were also working on Maven and we co-founded Sonatype. It’s been 19 years now.

CRob (1:45)
Wow, that’s awesome.

Brian Fox (1:46)
Yeah, and so then I was ultimately the…the chair of the Apache Maven project for a long time. still an Apache member of the foundation. And then more recently, even though it’s been a while, what, four or five years now, we joined the OpenSSF. I’ve been on the Governing Board with you for a while. I’m also on the Governing Board of FINOS, which is the financial open source.

And for the last couple years, also been on the Singapore Monetary Authority’s Cyber
Experts Group. Yeah, that’s fun And so, you know, I’ve spent a lot of time focused on those things. One of the things that Sonatype does for the community we run Maven Central, right? Which for people that don’t know that’s where all the world’s open source Java components come from.

CRob

Yeah, it’s kind of sounds like a big job It is a big job running critical infrastructure for all that kind of stuff And so, you know over the years that’s given us really interesting insights into what’s going on with the supply chain so, you know, that’s kind of that’s sort of what led us to the path that brought me to OpenSSF and all those other things.

CRob (2:53)
Yeah, you and your team have been amazing participants and contributors to our community and just kind of even putting aside all the work with Maven. Just your kind of participation in our working groups and our efforts has been amazing. Yeah, thank you. So today I think you wanted to talk about a topic a lot of people probably haven’t heard about. This little thing called AI. I have a hard time spelling that.

Brian Fox (3:16)
Right?

CRob (3:20)
Let’s just set the stage. What are you thinking about? What do we want to have a conversation around AI about?

Brian Fox (3:26)
Yeah, I think so if we back up a little bit, right? So it was probably around 2011, 2012, I suppose. We started looking at some of the trends that we were seeing within the Maven central downloads. We were seeing things like the most popular version of a crypto library was the one that had a level 10 vulnerability.

fixed and patched years before, but that everybody was still using the vulnerable version. The log for J, log for shell pattern has existed basically forever. It’s not actually new. And so that led us down the path to start doing different things to help our customers A, understand what open source they were using. Way back then, nobody knew. They were like, we’re not using open source. What they really meant was, I don’t think I’m using Linux in open office. They didn’t understand.

that their developers were pulling in all these components. And so the problem space back then was helping them have visibility and then providing data and controls to help them better govern their choices. So we’ve always been trying to help expedite and make it more efficient for developers to make better choices. And so it’s interesting to see this development of AI and all of the kind of things that have come along with it. So that got me thinking, you know, what?

When we started out to build some of the stuff that we built for our customers, my focus at that time was to make it possible to do the analysis in real time so that it wasn’t the case that, we’re just going to do all our stuff and then we’re going to run a compliance scan at the end of the week or end of the month or something. So we were very focused on, it needs to be able to be run every single bill all the time. We need to be able to provide guidelines so that they don’t have to ask the legal team and wait six weeks for an answer, or the security team, right?

We were trying to capture those roles, or those rules, into the system so that they could make better choices in real time. And that was a big thing that organizations needed to be able to scale and become efficient. When you start dealing with thousands of developers, tens of thousands or millions of applications, the tribal knowledge problem kind of falls apart.

CRob (5:33)
Absolutely.

Brian (5:34)
Right? And so you start thinking about what happens with AI, and if you don’t have that stuff in an automated, you know, coded kind of way, how do you feed that to an agent? The agent’s not hanging out with you at lunch. It doesn’t get an onboarding session where we say things like, you know what, we never use an LGPL dependency because we ship our code. Or, you know, we only fix vulnerabilities five and above. Or, you know, whatever the policy may be, those things sometimes can be shared among developers.

CRob (6:02)
Right. and it plays into kind of the classic problem with engineering – is most engineers I’ve met don’t like doing documentation. And with AI entering the chat room becoming this accelerant, it’s making decisions based off of knowledge or lack thereof. if you don’t have your security policy documented, it even goes back to thinking about the early days of Kubernetes.

Where it was a big mental shift for people to have that software defined network inside. And that helped, I think, a lot of organizations get better discipline and rigor where you had less mysterious outages. Because the firewall guy in the back end said, I didn’t do anything, but try test it again.

Brian Fox (6:46)
Right, right. Yeah, for sure. And that’s kind of what we’re seeing now. We’re seeing a lot of that with the, not just with agents. mean, agents are sort of like the next big step and not everybody’s
fully there yet. Some people are dabbling with it. But even just AI assisted coding, you’re seeing the same problem that you come in and you say, hey, I want a new feature. And it just grabs whatever statistically likely thing dependency is going to be in there. We’ve done some studies. We recently released the state of the software supply chain report. It’s a great report. Yeah, thank you. This was our 11th year. We just published it last month. And we did a deep dive on AI recommendations, you know, and we found that 30 % of the time the models were recommending made up versions.

CRob (7:35)
What?

Brian Fox (7:36)
Yeah, just making them up. You know, so it’s kind of shocking. In the real world, you know, if you’ve got a tool, that’s one of those things that fails fast, right? Like it picks a version that doesn’t exist, the thing goes and it immediately blows up and then, you know, Claude or whatever you’re using will go, whoops, and it’ll fix it. So it’s kind of funny, burns some tokens, but the downsides aren’t huge.

If the agent randomly picks a terrible dependency or a very old one that does in fact exist, I would argue that’s worse because there’s no fail fast in that scenario.

CRob (8:09)
Well, you also have the whole problem with slop squatting. Where the models seem to, regardless of what vendor provider you’re getting it from, they seem to fairly consistently suggest the wrong dependencies, kind of like typo squatting.

And so now the bad guys have recognized this kind of fairly consistent behavior and they’re uploading malicious packages with those bad names so that you don’t break the build because it can find what needs.

Brian Fox (8:33)
So instead of it failing fast, it fails fast by grabbing a back door or something. Exactly, that’s exactly right. That’s what slop squatting is what they call it now. Yeah, and so those are some of the challenges that we observe and you kind of take it to the extreme where now you potentially have less sophisticated developers, not classically trained developers using these tools, and they don’t know what they don’t know.

They wouldn’t necessarily stop to say, hey, I want you to now be a security expert and do an assessment of the code you just created. Like somebody who knows better will do that. But if you’ve not lived through the pain that you and I have lived, you wouldn’t think about that. And so on average, these things are going to potentially toss away a lot of the learnings that we’ve known for so many years.

CRob (09:21)
And that’s been a chronic challenge, trying to get the tribal knowledge instantiated, trying to help people make those right decisions. And the AI tools are amazing productivity and efficiency savers, but they are bringing in, as you said, classically untrained professionals that they are not a software engineer. They don’t understand how a system should be architected, or they don’t understand kind of the app sec best practices that help secure the foundation of everything and not let the world fall apart.

Brian Fox (9:59)
The interesting thing is I think they can be if prompted correctly.

CRob (10:02)
Yes.

Brian Fox (10:03)
Right? And that’s where some of the knowledge gap comes in. And I think, what was it last summer, Anthropic released the MCP model control protocol, right? Which is, I’ve spent a lot of time thinking about that pretty deeply and looking at all the tools. And I wrote about this. I think that there’s a high likelihood that we see a lot of the tools we use in software, in the SDLC today, moving more towards providing their capabilities as subject matter experts in “a thing” to an AI agent via MCP.

So I think that, for me, is pretty exciting for a number of reasons. It means, as a tool vendor, I don’t have to create a plug-in for IntelliJ and one for Eclipse and one for VS Code. As an example, MCP can be the same thing for I don’t care what tool you’re using, because it’s interacting with me via this standard API. And I’m kind of talking to it in more or less English prompts. So my ability to deliver the value that we have into whatever tool you feel like using today, and they change every week, is pretty cool.

And I would also argue that the ability to insert that information and to potentially roll out the root prompting that all of the developers are using in these capabilities is better. You’re going to get potentially better compliance than you do today. One of the things I struggled with forever was we created an IDE plugin for our capabilities that it demoed amazingly well. It showed, hey, this dependency has vulnerabilities, or license, or would make recommendations. It was great. But developers just didn’t want to install more plugins. They just weren’t using it, right?

So while it demoed well, the actual usage of it was very low for compliance reasons. That’s a thing we struggle with. Every tool vendor struggles with that. But if you were able to insert that same information into an MCP capability and the company rolls out a root prompt that says something like, hey, every time you’re choosing a new project or a new dependency or trying to assess a dependency, use this MCP server to get up-to-date real-time information, it’s more or less going to do that every time. Right.

CRob (12:13)
Yeah, and I think back to like when I was a baby cyber person going studying for my CISSP, there was a lot of talk in the exam materials about expert systems, which is exactly what I think a best case scenario with these tools can be. It’s you’re expert. I don’t have to necessarily have this expertise. That’s right. But thinking about it takes a lot of knowledge to craft these expert systems. Let’s talk about how some of these models have been trained on potentially less than expert data.

Brian Fox (12:43)
Right, and that’s just, think, the inevitable nature that the frontier models have been trained on, you know, all the stuff that they can find.

CRob (12:49)
The internet.

Brian Fox (12:49)
On the internet, good information, bad information, people talking about terrible dependencies a lot might statistically make that more of recommendation, right? And I think that can be okay as long as you’re plugging in the models that have real data. The things that we’ve seen, you know, when we assess the models is that like I said, they make up versions, they pick old versions arbitrarily, they don’t know about anything newer than when they were last trained, which means both new versions and also vulnerabilities that might be an older version.

So they’re inadvertently recommending, and it’s not even a recommendation really, it’s just using it, right? It’s putting it in there and writing the code around it. Imagine picking Spring, right? It’s just going to go, I’m going to write a Spring app and I’m going to use all Spring 5.

And then when you probe it, then it’s like, oh, sorry, I have to do two major framework updates. You almost have to throw it away and start over. And so if you’re able to plug the right data in up front, you don’t have all of that waste. And again, if you have people who don’t know to prompt it to ask about the latest versions, you can insert that underneath the hood. I think that’s what’s really cool.

Brian Fox (13:59)
But what we’re seeing currently, I kind of wrote about this a little bit too, that I feel like we’re throwing out all the lessons of the past. We’re talking about situations where whole tools, SAST is under fire right now, right? Because when all the code can be just completely generated, what’s the problem with SAST? But I do think that we’ve learned a lot of things over the years if we can figure out how to plug those capabilities into what’s being generated.

I think we can bring all of that forward with us. But the entire SDLC is going to have to adapt to that. It’s not going to be sufficient to say, I’ve got a bunch of developers over here. They’re doing AI assisted development. And then later, we’re going to run a bunch of SAS and produce legacy reports. That’s not going to work. The information has to be fed directly into the AI capabilities up front.

CRob (14:51)
And it’s the classic problem we’ve always had, where security historically is the the last thing done, addressed, it’s bolted on at the end in a lot of cases. And just this AI tooling and just the velocity it has is a huge accelerant for the sins of our past we’ve never actually addressed.

Brian Fox (15:11)
Absolutely, but it also provides the Vulcan mind meld if you want to think of it. You now have that opportunity to plug that right into what the agent is thinking about in the moment. You can’t do that with the humans, but you can do that with the agent. And that’s what I think is potentially exciting about this.

Where I described it recently at a summit, we’re sort of in a bootstrap situation, though, right? Like, we don’t have all of those capabilities. Organizations haven’t rolled them all out. And so we’re sort of in this weird situation, one foot on the boat, one foot on the dock, and it’s not going to end well as we’re going through it. And worse, there are people that are afraid of the MCP protocol. So I hear lots of organizations say, we just block it completely.

Yeah. It’s a little hard to argue that that’s not a reasonable place to start because of the nature of what’s happening. We saw just the other day the latest version of Shai-Hulud came out. Did you see this? And they used MCP capabilities as data exfiltration. And I’m like, come on, guys. There’s so much power in this, but now you’re making it like a bad thing. So I think the industry and the tools and all of that are going to have to work through governance of the MCP capabilities, sanitization inspection of the MCP capabilities just like we’ve seen. So it’s sort of one of these things like when you’ve been around long enough you can recognize the patterns. It’s new and exciting but also the pattern rhymes with a bunch of stuff we’ve done before and what frustrates me is that like everybody charges ahead so fast they just feel like it’s all new it’s all different it’s like yes but let’s not forget everything we’ve learned over the last 60 years of software engineering because the physics is still the same.

CRob (16:50)
Well, and that’s where so our AI / ML working group wrote a paper around ML SecOps. And the paper was really interesting. I recommend the audience check it out. But it was they talked about classic techniques that are assisted and are helpful with AI development. And then it talked about some gaps where we have things like are not documented policies that are kind of a hindrance and something that’s an opportunity in the future to try to get addressed.

Brian Fox (17:18)
Yeah.

CRob (17:19)
But…I’m of two minds about my friends, our new robot overlords, in that it can be extremely helpful, but I don’t see a lot of people reconsidering those lessons of the past of software engineering. To say this is all brand new and totally different, like, well, you’ve got different GPU accelerators and dedicated cores to do things.

And now with this like agentic and ADA architecture where things are more highly distributed, yeah, that’s new twists, but it’s not brand new. We’ve done networking. We’ve done composite applications for decades.

Brian Fox (18:01)
Right. It’s the same thing, you know, we saw when, you know, we were like, oh, everything should be serverless or let’s go to the micro architecture, micro architecture, micro service architecture is going to solve everything until it doesn’t. Right.

Or, you know, that’s no problem, we’ll just put it in the cloud because I can just infinitely scale my machines, right? So I see the same pattern all again, that we sort of say, yes, but this time is different because insert new technology, and then we realize, yes, but everything we know is still true. And that’s what I think we’re sort of grappling with right now as we go through this. What is absolutely true is that, you know, the AI capabilities, the agents, all these things are making everything happen so much faster. That can be good.

can also be bad. If you’ve forgotten all the lessons of the past, you’re just going to create a ton of crap much faster than you could before. And by the time you realize it, it might be too late.

CRob (18:57)
I’m familiar with a lot of enterprises that were going through a digital transformation journey, trying to update their heritage software to newer things and to the cloud to get that scalability and cost efficiency. But a lot of organizations didn’t take that journey, didn’t learn from lessons from the past.

they just crammed what they had out in the cloud, and then a month later they get this giant bill and they’re shocked and confused, or they didn’t understand that this thing wasn’t architected for zero trust, and they’re leaking data everywhere.

Brian Fox (19:30)
Right, right. Or that, or just even the performance reasons why you were excited to infinitely scale, sure, but somebody’s not excited to infinitely pay a bigger bill. Inefficient code is still inefficient code, right? And that’s what I think we’re gonna see with… with AI capabilities is just going to happen faster. And without humans in the loop, it provides less opportunities for us to course correct, which is why I’ve been taking a step back and thinking about how do we do that? How does it make sense? I think for some of the stuff that we’ve been doing as a business, it’s really exciting because we have built up really interesting, unique data sets based on being able to see everything going on with Maven Central. We’ve long had Nexus, the repository manager that’s out there.

We have hundreds of thousands of instances. Those things are proxying for enterprises, not just Maven, but NPM, Nougat, Python, all the things. And so that gives us visibility into other ecosystems so we can understand what’s going on, what’s commonly used in enterprises, these kinds of things. And so all of that data can be fed now directly, like I said, the Vulcan mind meld directly into these tools. And it makes it a lot easier.

So in some ways, when we sort this out, and people become less afraid of MCP capabilities, we can directly inject a stream of high quality data to make all of those things better. But, before businesses can really leverage that, they have to get out of the experimentation phase. They have to roll that out. And these things are kind of interrelated. What we see is that organizations are afraid to let developers just go with AI assisted development because it’s not governed, because they can’t govern it.

And those are echoes of what I saw firsthand during the early days of open source. Like I said in the beginning, people said, we’re not using it. And then I’d tell them, yes, you are. And then their reaction was like, well, just shut it all out. It’s like, right, you can’t do anything. So the reaction that some enterprises have right now of like, we’re just not going to do anything with AI, is just setting themselves up to be left behind.

The right answer is to do it thoughtfully and use tools to help them make better decisions.

CRob (21:43)
So reflecting back, mentioned in your report that you have some guidance for people around AI. What would the top two or three things, if somebody’s thinking about moving more aggressively in this AI direction, what can they take away and do immediately or start thinking about?

Brian Fox (21:01)
Yeah, I mean, think the biggest thing is humans like to…try to take the old patterns and just adopt it to the new new technologies like we were talking about take an inefficient architecture and throw it in a cloud It’s gonna fix everything. No, it’s not and I think that’s true of Let’s call it the AI SDLC right an AI native SDLC Might resemble a normal SDLC, but it should be designed differently, right?

You know trying to do the checks and balances after the fact is even worse than it was with humans You need to think about providing that information upfront so that you get the value in the creation of the code and not try to chase it out. You need to be able to think about how all of these things can be done in parallel with agents, breaking these things down. what I would say is, don’t just try to do what you’re doing today and use AI to do it. Take a step back and really assess how can you adopt this.

It’s sort of like the conversations we were having in the board today about developers, maintainers are getting overwhelmed with AI slop. It’s true. A reaction is to stop allowing that to be contributed, just dismiss everything AI. That’s not a good answer. A better answer is let’s figure out how to help them use AI tools to be able to keep up with that, right? Because that’s what it’s good for. It can review and assess the patches faster than the maintainers and then provide sort of a first pass filter, if you will, right?

But that requires thinking outside of the box. Don’t just try to keep doing what you’re doing and try to keep up with it. Think about how you judo move that into something that makes more sense for your organization.

CRob (23:42)
And this skirts along another kind of project you’re passionate about, sustainability and funding. It is one thing to try to admonish the developers, why aren’t you using AI? But there are real costs involved around this. And, just to say, well, you should use the tool that doesn’t help them when there’s no funding. They don’t have access to infrastructure to be able to do these things. And that’s like, think, it touches on your passion project around trying to help get the package repositories more sustainably funded.

Brian Fox (24:18)
That’s right. Yeah, I mean, if you take a step back and you think about open source when probably you started, certainly when I started, what that really meant was you were donating your time. And you were sharing your thoughts, and you were sharing your words via code. And that was in a time when it was perfectly acceptable. In fact, it was the only choice that you built things and you shipped them off of your laptop.

There was when the Apple MacBook Air launched, the first one. That launched with a version of Maven on it that was signed by my key, my personal key, that was built on my personal laptop. So everybody that bought the launch version of the MacBook Air had my signed code on it. That’s kind of cool.

But also kind of scary, right, when you think about it. Like, what if my laptop was compromised? And that’s the world we live in today. Fortunately, in 2009 or whatever it was, that was a little bit more remote of a chance. And so everybody thinks like, well, that’s crazy. You wouldn’t do that anymore. So what does it mean today? It means you have to have certified builds. Usually that means it’s running in the cloud, and it’s attested to, and all these kinds of things. And that’s not free.

Like I can’t donate that, I’m not a hyperscaler. Most open source gets that infrastructure donated by these big companies, but there’s a lot of opportunity for abuse, right? And these types of things. it’s just, at the end of the day, it’s not free. So the cost of producing open source is not free anymore. It’s not just donating my time with equipment and internet access I already have, right? That’s the big difference. And I think people don’t really recognize that and now fast forward to what we’re just talking about AI the obvious answer to deal with AI, you know Piled on PRS is to have AI assistance help.

Who’s gonna pay for that? It’s literally not free. It costs electricity, last time I checked we still pay for our electricity Regardless

CRob (26:12)
Electricity, water…

Brian Fox (26:14)
Right all of these things, right? These are very…they have very real implications. They’re just not free and so There’s no good answer to that. How does that get aligned? How do we…how do we continue to create open source software that can power all of these industries in a world where it’s not just somebody donating their time and thoughts? There are no good answers. But we’re working towards trying to align that. Because the bulk of open source software, certainly in our world, in these areas, is being consumed by organizations that are selling for-profit software, more or less.

There’s definitely a lot of hobbyists and stuff like that the biggest consumers from our repositories are all the giant companies. I’ve named the top 100. You would know every single one of them. And I’m sure that’s true for all the registries. So there has to be an answer in there. I don’t know the stat off the top of my head, but the Linux Foundation does the census, right? And it’s billions of dollars of economic value that open source creates. Eight billion? Nine billion?

CRob (27:16)
Trillion.

Brian Fox (27:17)
Oh, it’s a trillion now?

CRob (27:17)
It’s eight (8) trillion, I believe.

Brian Fox ()
Eight (8) Trillion dollars worth of economic value being produced by open source…1 % of that would pay for a lot of that infrastructure, and then a whole bunch more. And so I think that’s what ultimately we have to figure out how to balance. AI just makes that worse, because it moves the bar even further.

CRob (27:39)
Interesting conversation. Any final thoughts you want our listeners and viewers to take away?

Brian Fox (27:46)
Well, certainly go take a look at The State of the Software Supply Chain Report.

CRob (27:51)
Great report.

Brian Fox (27:52))
sonatype.com/SSCR Certainly, I’ve also written a number of blogs. You can find those at our website as well. That deep dive, kind of all these topics we touched on here. Yeah.

CRob (28:02)
Excellent. We’ll put some links as we do our summary. So Brian, thank you for our inaugural episode of Big thoughts, Open Sources. I think this was an amazing conversation that we’re gonna continue to be adding onto and reconsidering in the coming weeks and months.

Brian Fox (28:20)
Yeah, thanks for having me kick it off in Napa.

CRob (28:25)
Thank you. Well, I hope everybody stays cyber safe and sound. We’ll talk to you soon.

Mar 23
Love0

Kusari Partners with OpenSSF to Strengthen Open Source Software Supply Chain Security

By Blog, Guest Blog

Cross-post originally published on the Kusari Blog

Open source software powers the modern world; securing it remains a shared responsibility.

The software supply chain is becoming more complex and more exposed with every release. Modern applications rely on vast ecosystems of open source components, dependencies, and increasingly AI-generated code. While this accelerates innovation, it also expands the attack surface dramatically. Threat actors are taking advantage of this complexity with more frequent and sophisticated attacks, from dependency confusion and malicious package injections to license risks that consistently target open source communities.

At the same time, developers are asked to move faster while ensuring security and compliance across thousands of components. Traditional security reviews often happen too late in the development lifecycle, creating friction between development and security teams and leaving maintainers overwhelmed by reactive work.

Kusari is proud to partner with the Open Source Security Foundation (OpenSSF) to offer Kusari Inspector at no cost to OpenSSF projects. Together, we’re helping maintainers and security teams gain deeper visibility into their software supply chains and better understand the relationships between first-party code, third-party dependencies, and transitive components.  

Projects adopting Kusari Inspector include Gemara, GitTUF, GUAC, in-toto/Witness, OpenVEX, Protobom and Supply-chain Levels for Software Artifacts (SLSA). As AI coding tools become standard in open source development, Kusari Inspector serves as the safety net maintainers didn’t know they needed. 

“I used Claude to submit a pull request to go-witness,” said John Kjell, a maintainer of in-toto/Witness. “Kusari Inspector found an issue that Claude didn’t catch. When I asked Claude to fix what Kusari Inspector flagged, it did.”

Maintainers are under growing pressure. According to Kusari’s Application Security in Practice report, organizations continue to struggle with noise, fragmented tooling, and limited visibility into what’s actually running in production. The same challenges affect open source projects — often with fewer resources.

Kusari Inspector helps OpenSSF projects:

  • Map dependencies and transitive risk
  • Identify gaps in attestations and provenance
  • Understand how components relate across builds and releases
  • Reduce manual investigation and security guesswork

Kusari Inspector – Secure Contributions at the Pull Request

Kusari Inspector also helps strengthen the relationship between developers and security teams. Our Application Security in Practice research found that two-thirds of teams spend up to 20 hours per week responding to supply chain incidents — time diverted from building and innovating. 

For open source projects, the burden is often even heavier. From our experience in co-creating and maintaining GUAC, we know most projects are maintained by small teams of part-time contributors and already overextended maintainers who don’t have dedicated security staff. Every reactive investigation, dependency review, or license question pulls limited capacity away from priorities and community support — making proactive, workflow-integrated security even more critical.

By increasing automated checks directly in pull requests, projects reduce review latency and catch issues earlier, shifting from reactive firefighting to proactive prevention. Instead of maintainers “owning” reviews in isolation, Kusari Inspector brings them integrated, context-aware feedback — closer to development and accelerating secure delivery.

This partnership gives OpenSSF projects the clarity they need to make informed security decisions without disrupting developer workflows.

“The OpenSSF welcomes Kusari Inspector as a clear demonstration of community support. This helps our projects shift from reactive security measures to proactive, integrated prevention at scale,” said Steve Fernandez, General Manager, OpenSSF.

“Kusari’s journey has always been deeply connected to the open source security community. We’ve focused on closing knowledge gaps through better metadata, relationships, and insight,” said Tim Miller, Kusari Co-Founder and CEO. “Collaborating with OpenSSF reflects exactly why Kusari was founded: to turn transparency into actionable trust.”

If you’re an OpenSSF project maintainer or contributor interested in strengthening your supply chain posture, use Kusari Inspector for free — https://us.kusari.cloud/signup.

Author Bio

Michael LiebermanMichael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council along with CNCF TAG Security Lead and an SLSA steering committee member.

Mar 17
Love0

Linux Foundation Announces $12.5 Million in Grant Funding from Leading Organizations to Advance Open Source Security 

By Blog, Press Release

Anthropic, Amazon Web Services (AWS), GitHub, Google, Google DeepMind, Microsoft, and OpenAI Join Forces with the Foundation to Invest in Sustainable Security Solutions for the Open Source Ecosystem

SAN FRANCISCO – March 17, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced $12.5 million in total grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI to strengthen the security of the open source software ecosystem. The funding will be managed by Alpha-Omega and the Open Source Security Foundation (OpenSSF), trusted security initiatives within the Linux Foundation, to develop long-term, sustainable security solutions that support open source communities worldwide.

As the security landscape grows more complex, advances in AI are dramatically increasing the speed and scale of vulnerability discovery in open source software. Maintainers are now facing an unprecedented influx of security findings, many of which are generated by automated systems, without the resources or tooling needed to triage and remediate them effectively. Through this investment, Alpha-Omega and OpenSSF will work directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows. The effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open source ecosystem.

“Alpha-Omega was built on the idea that open source security should be both normal and achievable. By funding audits and embedding security experts directly into the ecosystem, we’ve proven that targeted investment works,” said Michael Winser, Co-Founder of Alpha-Omega. “Now, we’re scaling that expertise. We are excited to bring maintainer-centric AI security assistance to the hundreds of thousands of projects that power our world.”

“Grant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams,” said Greg Kroah-Hartman of the Linux kernel project. “OpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.”

“Our commitment remains focused: to sustainably secure the entire lifecycle of open source software,” said Steve Fernandez, General Manager of OpenSSF. “By directly empowering the maintainers, we have an extraordinary opportunity to ensure that those at the front lines of software security have the tools and standards to take preventative measures to stay ahead of issues and build a more resilient ecosystem for everyone.”

To learn more about open source security initiatives at the Linux Foundation, please visit openssf.org and alpha-omega.dev

Supporting Quotes

“The open source ecosystem underpins nearly every software system in the world, and its security can’t be taken for granted. This investment reflects our belief that the best way to improve security outcomes is to work directly with maintainers and give them the resources and tooling to address threats at scale. Ensuring the world safely navigates the transition to transformative AI means investing in the foundations it runs on.” 

– Vitaly Gudanets, CISO, Anthropic

“Over the past four years, our work with Alpha-Omega has proven it can deliver real results for the open source ecosystem at scale—from helping the Rust Foundation deploy Trusted Publishing to enabling critical vulnerability fixes across Node.js and PyPI. We are excited to increase our investment in Alpha-Omega and to work with our collaborators and directly with maintainers to provide not just funding, but the right tools and expertise that projects actually need to handle AI-generated security reports at scale.” 

— Mark Ryland, Director, AWS Security 

“Building on our initial commitment alongside Google and Microsoft four years ago, we’re now confronting new security challenges as AI transforms vulnerability discovery. That’s why AWS is investing an additional $2.5 million in Alpha-Omega. We believe the same advanced models creating these challenges can also solve them through better tooling and automation, but only through collaboration between industry leaders and the open source security community.” 

— Stormy Peters, Head of Open Source Strategy and Marketing, Amazon Web Services  

“As the home for open source, GitHub knows that code is only as strong as the community behind it. Supporting the Linux Foundation’s Alpha-Omega initiative extends our longstanding commitment to securing the global software supply chain. Through funding, training, and AI-powered tools, we’re empowering maintainers to identify risks faster and prevent burnout.”


— Kyle Daigle, COO, GitHub

“Securing the open source ecosystem is a shared responsibility that requires more than just capital, it also requires giving maintainers the right tools to stay ahead of evolving threats. By combining AI-driven innovation with the proven frameworks of Alpha-Omega and OpenSSF, we are empowering the community to not just react to threats, but build systemic resilience.” 


— Evan Kotsovinos, Vice President of Privacy, Safety and Security, Google

“Securing open source is a shared responsibility, and we have to move as fast as the technology does. We’re focused on turning AI’s ability to find and patch vulnerabilities into a massive defensive advantage. Supporting Alpha-Omega and OpenSSF is an important step for us, right alongside our work on OSS-Fuzz, Big Sleep and CodeMender. We’re going to keep building on this to put these capabilities into the hands of maintainers, leveraging AI to help scale society’s collective resistance to cyber attacks.” 

— Four Flynn, VP, Security and Privacy, Google DeepMind

“Open source software is a critical part of the modern technology landscape. As AI accelerates both software development and the discovery of vulnerabilities, the industry must step up to protect this shared infrastructure. This collaboration represents an important step in democratizing AI-powered defenses, and we’re proud to support Alpha-Omega and the OpenSSF in delivering scalable, maintainer-first solutions that secure the code powering our digital society.” 


— Mark Russinovich, CTO, Deputy CISO and Technical Fellow, Microsoft Azure

“This is a critical moment for global cybersecurity that requires unprecedented levels of collaboration across the industry, and sustained commitment. For artificial intelligence to benefit us all, we need to listen closely to maintainers and strengthen the open source foundations we all depend on. Maintainers make an extraordinary contribution, and this program is an important step in providing them the support they need.”

— Dane Stuckey, CISO, OpenAI

About Alpha-Omega

Alpha-Omega protects society by funding and catalyzing sustainable security across open source software. With over 70 grants totalling over $20M across major ecosystems, package registries, and individual projects, Alpha-Omega has an established track record of “turning money into security.” Backed by Anthropic, AWS, Citi, GitHub, Google, Google DeepMind, Microsoft, and OpenAI, Alpha-Omega partners with maintainers, security experts, and communities to invest where it can have the greatest impact. For more information, visit us at alpha-omega.dev.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects, including Linux, Kubernetes, Model Context Protocol (MCP), OpenChain, OpenSearch, OpenSSF, OpenStack, PyTorch, Ray, RISC-V, SPDX and Zephyr, provide the foundation for global infrastructure. The Linux Foundation is focused on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org

Media Contact
Grace Lucier
The Linux Foundation

pr@linuxfoundation.org