What’s in the SOSS? Podcast #31 – S2E08 Cybersecurity Framework Launch

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde’s journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

Conversation Highlights

00:00 Introduction to Open Source and LF Education
02:59 Clyde’s Journey into Open Source
05:54 The Role of LF Education in Open Source
09:00 Cybersecurity and the Global IT Cyber Skills Framework
11:59 Framework Development and Industry Collaboration
15:13 Continuous Learning and Community Engagement

Transcript

Intro Music (00:00)

Clyde Seepersad (00:02)
Five years ago, eight years ago it was “What are these container things and how are they going to make a difference?” Fifteen years ago it was “What is this hypervisor and how’s it going to make a difference?” We’re having a moment now where there’s this combination of security’s super important in every single aspect.

CRob (00:20)
Welcome back to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people that are involved in open source development and standards and supporting our amazing communities. And this is season two; we’re quite excited to have graduated on to the next level. I’m CRob, I’m one of your hosts here at the OpenSSF.

I’ve had the pleasure to be involved with this community for just under five years and I get this amazing chance to interview some amazing, interesting luminaries. And today we have a real treat. We have Clyde from the LF Education Department and they specialize in helping people understand open source tools and methodologies and techniques. So, Clyde, can you give us maybe a few minutes of your open source origin story and kind of explain a little bit about what LF Education does?

Clyde Seepersad (01:19)
Thanks, CRob. I’m excited to be here. I’m excited to have education be talked of as a luminary because often when we do materials, people start looking very intently at their toes and hoping that somebody else will do it. Always happy to get a platform to encourage more folks to come on in. The water is fine. I am sort of a latecomer to open source. I’ve been involved for the past 10 years or so and was off on the dark side doing my thing.

And one day a headhunter called up and said, we have this interesting opportunity. We think you’d be good for it. And at the time I was in Austin, Texas. And I thought, well, you know, Austin is not that big a town. It was great to meet extra people. We scheduled a 20 minute coffee and no harm, no foul. And it took two and a half hours to wrap up the conversation because we just kept going and I kept thinking, I had no idea that dot, dot, dot.

And so I left that meeting, went home, told my wife that the coffee I had told her about ended up being a two and a half hour conversation and I was going to leave my job and go do this non-profit thing that she had never heard about and that I had only barely heard about several hours earlier. And it just…

CRob (02:35)
must have been some great coffee.

Clyde Seepersad (02:37)
It was good coffee. I think it got cold several times. So the refresh cycle on the coffee was good, which, you know, is important. And it’s just been such a phenomenal ride, right? Obviously, we’re recording this, whatever, 10 days after the DeepSeek drop, and cool things just keep happening in collaboratively developed spaces, which is, maybe not ever was thus, but certainly ever will be thus. I think that is the new way that stuff gets done. And of course, one of our big priorities along with everybody else on planet Earth in the last few years has been the security space and trying to think about what more could and should we all be doing.

CRob (03:18)
Mm hm. So a lot of people might not be aware that the Linux Foundation has a whole group dedicated towards training and education. So maybe could you talk a little bit about your group and kind of the things that you all do for the community and our members?

Clyde Seepersad (03:33)
Technical folks like to work on technical problems, right? They like to spin up new projects. They like to work on road maps and get from beta versions to release candidates to GA to one to two to X. Some of them like to go to meetups and connect with other folks. Not terribly many like to step back and think about how will I onboard the next person who isn’t currently super excited about this. And I think that’s where this team shows up as we say, as we show up and we say, listen, we can help you with the instructional design. We can help you with the development of quizzes, with the multimedia, with the video, with the, you know, the multilingual stuff, with the production value, with the sort of mapping out of the process, with the handling of the tools that author the content.

If we, if you can work with us, because the one thing we’re not is experts in, fill in the blank, right? There’s a thousand projects at the LF. A lot of what seems scary in terms of putting education together and not just putting it together, but importantly, getting it into the hands of the right people quickly is what we can do. And so what I like to brag on this team is we’re doing a lot of things that aren’t central to any one open source project or initiative, but we’re bringing a set of skills and capabilities that you typically don’t find in kind of the core maintainer community, but they’re very complementary and we can say, we’ve got all the folks and the tools and the processes to do all the stuff that makes your, you know, makes your hair hurt. Let’s work with you. Let’s work with you to get the story out. And importantly, let’s get the story out not just to the people who are already excited and way down in the weeds in the GitHub repo.

Let’s get the story out to the next folks out there who, if you ask the question, and I always say to the team, the most important question we can help folks answer is what is that tech and why do I care? And that is very much about, you know, what are these technologies? What did they do that were impossible yesterday, was much easier to do, was able to do in a way that is more cost effective because it’s a shared license. Because that’s where we help, but that’s where we can really help is to bring new people into these ecosystems.

CRob (05:53)
So thinking back of your journey with the LF Education crew, what are some of the timely topics? Like what are some of the most requested things or what are you all working on? What’s your priority lately?

Clyde Seepersad (06:06)
Well, you’ll be shocked to hear that AI is on the list.

CRob (06:13)
You’re right I am shocked.

Clyde Seepersad (06:14)
Pretty much the only two topics I hear currently are security and AI. Five years ago, eight years ago, it was what are these container things and how are they going to make a difference? 15 years ago, it was what is this hypervisor and how is it going to make a difference?
And then you get the most specialized conversations and things like networking. But I think it is definitely true that we’re having a moment now where there’s this combination of security is super important in every single aspect and trying to figure out what exactly the GenAI future is going to look like and where we never ever have a junior software developer ever again because, quote, GitHub is pretty good at first pass stuff. You know, I think there’s a series of really active conversations around trying to envision what our future is going to look like. And both those components are front and center.

CRob (07:09)
Very nice. Well, one of the things that you and I have been collaborating on most recently is the global IT cyber skills framework. Could you maybe talk a little about where this idea came from and kind of what you’re intending to do with this project?

Clyde Seepersad (07:25)
Sure, and really appreciate all the support you’ve provided on this. It really started with a very simple observation, which is, as I listen to folks talking about cybersecurity, a lot of what the pattern we kept hearing was there are specific job functions and areas of responsibility related to cybersecurity that everybody wants to be very focused on. So whether that is intrusion detection, pen testing, there’s a lot of specialized focus on cyber. And it’s a little bit like the Sherlock Holmes story where the key clue was the dog that didn’t bark. What about all the people who aren’t cyber security specialists? They’re app developers, they’re network people, they’re database admins, getting up every morning thinking about where the latest vulnerability is going to come from. But they have not been part of the conversation.

And so I think that’s really what we’re trying to do here is to say, we have to find a way to make everybody who touches these systems part of the conversation on cybersecurity and make it easy for them to figure out what their part in the broader strategy is. Security is not something you can inspect in at the end, right? It has to be there from the get-go. And that has not been… a big part of the conversation, which is not surprising when the fire is hot: you put the water on the most immediate source of the flames, but you’re not paying as much attention yet as to where the fuel load is building up. And so I think that’s really what we’re trying to, hoping to catalyze is a broader conversation around just how extensive the concept of cybersecurity is when you think about all these different roles in technology. And so it’s great that we’ve started with the specific folks that are in a CISO’s office, but we have to make sure we don’t stop there.

CRob (09:32)
Yeah, I love that. Kind of looking at the framework, the fact that we looked at many different job types and kind of thought about it from somebody’s career: at the beginning of their career, they needed to have certain experiences. And as you evolve and kind of get more, you level up, so to speak, there are increasingly complex tasks that you’re asked to deal with. Could you talk a little bit about – just give us kind of a sneak peek into the framework and kind of what went into some of this thinking.

Clyde Seepersad (10:01)
Yeah, I think we, there were two things we were trying to make sure that we use as our North Star. The first was it had to be easy to use. We have to make it easy for people to have this conversation. So how can we develop something that is not intimidating, easy to use, people can see their way to the end goal where they’re using it. And the second is, can we make something that is not a special snowflake, that is industry agnostic, that’s geography agnostic? Because, and to have those two things be true, and you know, we worked with hundreds of folks who volunteered their time and expertise on this. Where we ended up was saying, to make it easy, we have to have it be simple for folks to figure out where different people in their organization might slot in. So how can we group like with like? And so we went through this exercise with a group of experts and then validated it through a large-form field study survey in the field. And we ended up with 14 or 15 job categories or job families.

Clyde Seepersad (11:23)
That’s not to say that there aren’t people out there who straddle lines, and there will always be, but we felt pretty good about having these categories as sort of people who are grouped together. So things like network specialists, things like database administrators, things like software developers as distinct from app developers, so smartphones. And then from a career perspective, as you alluded to, CRob, there’s this concept that there are things you need to know when you’re just starting out.

And there’s more things you need to know when you start taking more individual responsibility, and yet there are more things you need to know, especially as you take on managerial responsibility and start supervising the work of others. And so what we ended up with, if you envision sort of a two by two framework, a set of job families where we have examples, we can help people visualize, oh yeah, I’ve got folks in that box. And then this continuum of experience where newer folks, there’s topics and we’re very, you know, the topics are quite specific and so they’re somewhat opinionated, but we wanted it to not be a hand wavy feel good.

We wanted people to be able to look into that framework, see things they violently agreed with, maybe see some things they violently disagree with because maybe it’s not relevant and that’s okay, right? It’s very much meant to be à la carte, Kanban style. I like this, I want to use it. I don’t like that, I want to take it out. I think this is missing because I’m in industry X and I want to add it in. But I think we’re hoping that the concept of it’s a simple framework. You can print it on one page. It’s a way to start and then make it your own. Make it relevant to your department. Make it relevant to your industry. Move stuff left, move stuff right, blend stuff between buckets, but use it as an accelerant, right? Instead of staring at the blank whiteboard. This is the collective wisdom of hundreds of folks who spent decades in this space – stand on their shoulders, right? Use it as a jumping off point.

CRob (13:20)
I loved the kind of practitioner perspective that the framework brought. Could you maybe talk about, I know we’ve had some conversations with other folks within the ecosystem. How does this work alongside or complement other similar efforts?

Clyde Seepersad (13:37)
Yeah, I think our view is that this is meant to be an entry point for people to think about cybersecurity for their broad audiences and not to replace. There are some very good, more specialized frameworks that already exist out there, right? So you have things like SFIA, you have things like the NICE framework. And our take was we look around and we listen.

And those are not being as used, used as much and implemented as much as you might have thought. I think part of the reason is they’re so sophisticated and there’s so much detail that they’re a little maybe intimidating if you’re starting kind of at the, at the, at the starters pistol. And so we’re envisioning this really as a gateway exercise to say, here’s a way that you could start. It’s not saying that it’s fully comprehensive of everything you’d ever think of, but it’s saying these are the lowest common denominator pieces, right?

And so it’s a discrete, easy to wrap your head around, printed on a page starting point. And hopefully what we see is that once people start their journey, they gravitate towards some of these bigger frameworks that already exist according to what makes sense for their organization, for their industry, for their geography. And so we’re very much seeing this as complementary to the more specialized frameworks that exist, really as a way to get more folks far enough down the path that they start using those frameworks with confidence.

CRob (15:14)
I love the effort. I’m really looking forward to kind of unleashing this and sharing it with the broader ecosystem and then starting to get into the devil’s in the details. I want to start building my own little Kanban board and kind of mapping out my journey and seeing what I and others might want to start exploring education wise next.

Clyde Seepersad (15:33)
Yeah, and that’s exactly what we’re hoping to happen, right? This is going to be a publicly available royalty free resource sponsored by OpenSSF and the LF. We want everybody to use it. We want companies, we want education providers to use it. And importantly, we want this to be an ongoing effort. So, you know, we’ve had a ton of people volunteer their time and expertise to get to V1. We’re very much intending to have this be an ongoing effort where we’re constantly reviewing this, you know.

At least twice a year stepping back and saying, is this still right? Because the one thing that we know is true is yesterday’s threats are not tomorrow’s threats, right? So we cannot have these be static. We have to constantly be asking ourselves, is this still relevant? Is there something else that we need to add? Because that’s the only way that you can really, if we’re trying to get people to think holistically about the security implications up and down the food chain, we have to help them keep track of stuff as it evolves. And so I think one of the beauties of doing this collaboratively is we do have the ability and the intention to continue revving, right? Just like any release schedule, right? That the 2026 version is gonna go look different and the second half of 2025 version might look different.

CRob (16:50)
Excellent. Well, let’s move on to the rapid fire part of the conversation. All right. I got a couple of wacky questions. I just want your first answer right out of the gate. What’s your favorite open source mascot?

Clyde Seepersad (17:06)
You know, it’s still Tux. It’s just, you know, I’ve got a dozen of them on my desk and it’s an oldie but a goodie.

CRob (17:19)
Excellent. Good, good. Spicy or mild food?

Clyde Seepersad (17:23)
I grew up in the Caribbean, so definitely spicy.

CRob (17:30)
Ooh, that’s spicy. Excellent. What’s your favorite adult beverage?

Clyde Seepersad (17:34)
Rum and Coke.

CRob (17:35)
Classic. I love that as well. So as we wrap up here, what advice might you offer someone that’s just getting into, whether it’s open source development or cybersecurity, how can you help them start their journeys?

Clyde Seepersad (17:50)
You know, the key thing I say to folks anymore is that the world has really changed. Even when I started my career, you could pick a spot and say, I wanted to be an X. I wanted to be a database person. I wanted to be a Cisco switch person. I wanted to be an Oracle person. Because we used to have these long runways of technology staying pretty stable.

And that’s just not true anymore. I think everybody should be coming into tech and even those of us who’ve been in it should be thinking about it as an ongoing journey of lifelong learning. You’ve got to stay on your toes. The thing that made you successful three years ago probably is not going to be the thing that makes you successful this year. And so committing to this idea that it’s your responsibility to figure out the things you’re passionate about and learn them and implement them and stay on this sort of continuous journey.

That’s going to be what the foreseeable future looks like, is all of us just cross-skilling, up-skilling, feeling like we’re always slightly behind, but making that commitment to our own learning and development.

CRob (18:58)
I like to learn something new every day. And finally, what call to action do you want to give the community right now? What actions can people take to help make the world a little bit better place?

Clyde Seepersad (19:09)
Yeah, I would say for everybody who touches a tech stack, step back and start inventorying where do you think in your day-to-day job you could do one thing better that would narrow or close a security gap. We all have goals and the targets we’re trying to meet and we’re on the treadmill. Take a moment to step back.

Get off the goals treadmill. Try to find one thing, one thing that you can do better that helps narrow the surface, the attack surface, and find a way to make that happen.

CRob (19:52)
Excellent. Well, thank you. Sage advice learned over your journey. Thank you, Clyde, for coming today and sharing about the IT skills matrix and about LF education.

Clyde Seepersad (20:03)
Thanks so much for having me, CRob.

CRob (20:05)
Cheers.

Outro Music (20:05)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

By Blog, Press Release

New Customizable Global Framework Aligns IT Job Roles with Practical Cybersecurity Skills

SAN FRANCISCO, CA – May 14, 2025 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families, extending beyond cybersecurity specialists. Produced in collaboration with the Open Source Security Foundation (OpenSSF) and Linux Foundation Education, the framework delivers actionable guidance to enterprise leaders looking to systematically reduce cyber risk.

As cybersecurity threats grow in both scale and complexity, enterprise leaders are struggling to align job roles with the practical skills needed to mount an effective defense. Despite cybersecurity being one of the top three most in-demand tech roles for enterprises, major talent readiness gaps remain. According to the Linux Foundation’s 2024 State of Tech Talent Report, 64 percent of organizations report candidates lack essential skills and it now takes an average of 10.2 months to hire and onboard new technical staff. Additional research from the Linux Foundation found that 62 percent of open source project stewards lacked dedicated personnel for security incident response, despite 74 percent maintaining formal cybersecurity reporting mechanisms.

These trends reflect a broader industry dilemma—growing awareness of cybersecurity needs without the personnel to tackle them—driven by unclear role expectations and fragmented training pathways. The Cybersecurity Skills Framework addresses these issues with a practical, globally relevant onramp that organizations can use to assess and build internal security capabilities. The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles. By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists: from app developers to web developers, network engineers to database engineers, solutions architects to enterprise architects.

The framework defines practical cybersecurity expectations across foundational, intermediate, and advanced proficiency levels, while mapping those skills to recognized standards such as the DoD 8140, CISA NICE Framework, and the ICT e-CF. By aligning with widely adopted standards and allowing for customization, the framework can be easily adopted across industries, regions, and organizational sizes. The framework is available in a free, easy-to-use web interface which allows users to select relevant job families, move skills between categories, delete any that don’t apply and add custom items they require.

The framework was produced as a result of a global research effort, with contributions and feedback from cybersecurity educators, government advisors, framework stewards, and technical training experts, who together brought comprehensive expertise in workforce development, national defense, professional certification, and open source security.

“Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”

The Cybersecurity Skills Framework provides guidance for key roles, including web and software developers, DevOps engineers, IT project managers, platform architects, GRC managers and more. Each job role is defined by its primary cybersecurity responsibilities and aligned with practical skills in areas like secure design, compliance, vulnerability management, and incident response.

“This framework is a valuable tool for CIOs, CISOs, and enterprise learning teams,” said Clyde Seepersad, SVP and General Manager of Linux Foundation Education. “In an era of accelerating threats, leaders need clear pathways for strengthening security culture across technical teams. This resource helps organizations take a proactive approach to employee development and risk reduction.”

The Linux Foundation and OpenSSF will update the framework annually and welcome community feedback from adopters. Organizations are encouraged to adapt and extend the model to align with their specific needs, security posture, and product portfolios.

To access the full Cybersecurity Skills Framework and explore how your organization can adopt it, visit: http://cybersecurityframework.io

Join us on Wednesday, June 11 at 11:00 am EDT for a webinar discussing the Cybersecurity Skills Framework.

Supporting Quotes

“As cloud native adoption grows, so does the complexity of managing security across distributed systems. The Cybersecurity Skills Framework offers a clear, actionable resource for teams working in modern environments to assess skills, reduce risk, and embed security into every stage of the software lifecycle.”

– Chris Aniszczyk, CTO, CNCF

“As the cybersecurity landscape grows more complex, particularly with the rapid rise in AI technologies, security can no longer be siloed. Businesses must champion a culture of security awareness, education, and preparedness across functions. The new framework contributes to a stronger security posture by ensuring every team, from developers to IT leaders, understands the specific security skills they need.”

– Jamie Thomas, IBM Enterprise Security Executive

“Cybersecurity is a shared responsibility, and closing the skills gap is essential to building secure systems at scale. The OpenSSF Cybersecurity Skills Framework provides a clear, actionable roadmap for equipping technical teams with the right knowledge to protect our digital infrastructure, thus raising the bar for security readiness across the industry.”

– Arun Gupta, VP of Developer Programs, Intel / Governing Board Chair for CNCF & OpenSSF

“Cybersecurity today seems more complicated than ever. It can be difficult to keep up with the evolving cyber risk landscape and what skills internal teams need to approach and mitigate those risks. The Cybersecurity Skills Framework is a much needed blueprint for how developers should approach career development, teams plan for adapting to new risks, and organizations build training governance for the continuous evolution of their cybersecurity programs.”

– Michael Lieberman, CTO and Co-Founder, Kusari

“The Cybersecurity Skills Framework is grounded in extensive global research and community collaboration. By surfacing practical, role-specific insights, the framework helps enterprise leaders understand where their cybersecurity capabilities stand—and where they need to grow. It’s a meaningful step toward bridging the persistent skills gap we’ve seen across sectors.”

– Hilary Carter, SVP Research at the Linux Foundation

“Security is a shared responsibility across the open source ecosystem. This framework is a powerful tool to help developers, project leaders, and enterprise teams better understand how their roles contribute to a secure software supply chain. It supports the kind of continuous learning culture that is essential to sustainable open source development.”

– Robin Bender Ginn, Executive Director, OpenJS Foundation

“The need for experienced cybersecurity practitioners continues to increase, and a clear understanding of cybersecurity roles, responsibilities, and required skills is not just beneficial – it is the foundation for a resilient and secure organization. The Linux Foundation’s Cybersecurity Skills Framework provides guidance to help leaders and practitioners understand the baseline skills needed for various roles. It serves as an excellent starting point for cybersecurity practitioners looking to enter the field or plan their career progression. Additionally, it helps leaders identify the necessary roles and skills to meet their cybersecurity demands.”

– Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat

###

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

What’s in the SOSS? Podcast #28 – S2E05 Secure Software Starts with Awareness: Education & Open Source with the Council of Daves

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob is joined by the “Council of Daves” – Dr. David A. Wheeler of the OpenSSF and Dave Russo from Red Hat – for a deep dive into the intersection of secure software development and education. From their open source origin stories to the challenges of educating developers and managers alike, this conversation covers key initiatives like the LFD121 course, upcoming resources on the EU Cyber Resilience Act, and how AI is shifting the landscape.

Whether you’re a developer, manager, or just open source curious, this is your crash course in why security training matters more than ever.

Conversation Highlights

Intro & Meet the Council of Daves (0:16)
Open Source Origin Stories (1:22)
The Role of the Education SIG (4:05)
Why Secure Software Education Is Critical (6:30)
Inside the LFD121 Secure Development Course (8:01)
Training Managers on Secure SDLC Practices (12:24)
Why AI Makes Education More Important, Not Less (13:53)
What’s Next in Security Education: CRA 101 and More (16:04)
Rapid Fire Round: VI vs. EMACS, Tabs or Spaces & Mascots (20:20)
Final Thoughts & Call to Action (22:04)

Transcript

[Dave Russo] (0:00 – 0:16)
If you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know.

[CRob] (0:16 – 0:46)
Hello and welcome to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people from around the amazing open source ecosystem. I’m CRob, your host. Today we have a real treat.

I’m joined by the Council of Daves and we’re going to talk about a topic that is near and dear to both our hearts, but let’s start off with some introductions. I’ll go with David Wheeler first, and then we’ll go to Dave Russo. So David, why don’t you introduce yourself real quick?

[David Wheeler] (0:47 – 1:03)
Okay, sure. David Wheeler. I work at the Open Source Security Foundation, OpenSSF, which is part of the Linux Foundation, and I’ve been involved in how do you develop secure software or developing open source software for literally decades.

[Dave Russo] (1:03 – 1:20)
My name is Dave Russo. I work at Red Hat on the product security team. I’m the governance portfolio manager.

I don’t have quite as long a history with open source as Dr. Wheeler does, but I’ve been working on SDLC related activities for quite some time.

[CRob] (1:22 – 1:33)
Awesome. I think we’re gonna have a great chat today about secure software development and education, but let’s get your open source origin stories. Dave Russo, how did you get involved in upstream open source?

[Dave Russo] (1:34 – 2:18)
So I was not directly involved in open source for very long in my previous arrangement. I did do some work in the software industry, then I was working in an industry that was not around development. So around 2016, when I joined Red Hat, my good friend CRob introduced me to a lot of the awesome open source stuff that was going on in and around Red Hat and the upstreams a little bit prior to that.

And a lot of the conversation was aligned with SDLC activities, specifically secure development practices, which is an interest of mine. And then after joining Red Hat, obviously I became much more involved in a lot of different areas of open source, primarily around, again, secure development.

[CRob] (2:19 – 2:24)
Cool.

David Wheeler, how did you get involved? What’s your origin story?

[David Wheeler] (2:24 – 3:46)
That one’s a little challenging because I’ve been involved in it for such a long time, I don’t even remember the first time I gave, you know, I just contributed to release some, well, what wasn’t called open source software, because the term hadn’t been invented yet.

People were occasionally sharing around source code. Since before I was born, frankly, they just didn’t use these terms. And, you know, necessarily have figured out some of the legal stuff.

So I think the big change to me, though, was the first time I held a very, very early version of Red Hat Linux in my hand. This is back when it was being distributed on CDs. Because at the time, there was a general agreement that yes, of course, people can share source code on, you know, on bulletin boards, and maybe this internet thing, but you couldn’t build something big with it.

And all of a sudden, an entire operating system was open source, and useful. And I think this is where instead of the, oh, sure, we can sometimes share with this, oh, this can be used for building large scale systems. And that was kind of the, and I later on did analysis of this and been doing things involving open source for quite well, since before the name was created.

[CRob] (3:46 – 4:04)
Cool. Well, thanks for sharing, gentlemen. So let’s dive into it.

Dave Russo, you are the current chair of the OpenSSF’s Education SIG, which is part of the BEST working group. Could you maybe talk a little bit about what the Education SIG is and what you all get into?

[Dave Russo] (4:05 – 4:27)
Sure. So the Education SIG is obviously around educating our open source developers to do a better job of incorporating security practices in the development and delivery of these projects. Now, a lot of my previous life experience was in development, so I’ve got a fairly good amount of experience in this area.

[David Wheeler] (4:28 – 4:39)
It is very obvious to a lot of people who’ve been doing this for a while that education has not been a focus area when it comes to developers, especially around security.

[Dave Russo] (4:40 – 6:17)
Developers are mostly interested in creating cool new stuff, which I completely agree with. That is the primary purpose is to put new features and functionality in their software to make it do more cool things, better, faster, stronger, etc. However, security for the longest time was not even a consideration for a lot of software development and delivery.

And over the past 10, maybe 15 years, there’s been a little bit more attention paid to it. But there’s been a movement to try and provide good education courses that talk about secure development practices to the development communities themselves. So at the Education SIG, what we are trying to do is help address that need.

We’re trying to help understand what kind of information and materials we can provide to our upstream communities to help the developers understand what it means when we talk about developing and delivering software more securely and specific techniques and ways that they can incorporate this into their projects, such as hardening guides, delivery guides, compiler rules, general awareness of some of the reasons behind having security, not only from a risk based perspective, just making the project a little bit more robust, but now also because of a lot of international regulations and expectations by different industries and geos that are compelling developers of various types to provide very specific attestations or statements of conformity when it comes to doing things in a certain way while they’re doing their development delivery.

[CRob] (6:17 – 6:30)
Awesome. So it sounds like, Dave, you touched on it a little bit. But David, could you maybe expand a little bit about you know, why do you feel it’s important to get this type of content in the hands of developers?

[David Wheeler] (6:30 – 8:01)
Well, I think the short answer is that if developers don’t know how to develop secure software, they won’t develop secure software. It really is that simple. I often tell people that we get software that’s more secure than we deserve.

Because why should we expect that software be secure when for the most part, developers aren’t told how to do that? It’s not a magic trick, but it does require some knowledge. By the way, we actually did a survey of developers about the state of secure software development education last year.

And I mean, we found that overall, you know, 28% of the professionals weren’t familiar with secure software development. It jumped up to 75% for those who had less than a year of experience because the colleges and universities for the most part, are not requiring it. And so yes, they increasingly get it on the job.

But the on the job is often spotty, it has holes. And by the time they become more knowledgeable, there’s more that have come in, again, with that lack of knowledge. And so we’re just constantly on this treadmill of people who don’t know how to do it.

And lack of training was one of the primary reasons that people gave for why don’t you know how to do this.

[CRob] (8:01 – 8:17)
So I’m aware that the SIG has a couple artifacts that they work on. The first thing we’ll talk about is the LFD 121 course. So maybe Dr. Wheeler, if you could give a little taste about what that is all about.

[David Wheeler] (8:18 – 8:30)
Absolutely. I’ll quickly note, by the way, both of my participants have used my title doctor, I do have a PhD. But my experience is when people use my title, they’re just yanking my chain.

[CRob] (8:30 – 8:32)
So we love you, sir.

[David Wheeler] (8:33 – 10:14)
Well, thank you. Yeah, so the so we’ve got a course called LFD 121, developing secure software.

Now, we’re here talking about open source. But I want to make sure everybody knows that this is absolutely for open source software. It’s also for closed source software.

It’s for anybody who develops software, because the frank reality is attackers don’t care what your license is. They just don’t. They just want to take over things and do bad stuff and make everyone stay miserable.

So we’re here to help developers deal with that. I just looked at the numbers and we have including, you know, up to now, for both our Japanese and English through edX and through TI, all these are, we’ve had over 30,000 in [CRob: Wow], in that course, which is, you know, fantastic. That’s a lot of people.

That’s a lot of people. So we’ve got a course, we very much focus on the practical, how do you do stuff. And we have optional hands on labs, they’re not required.

But we do encourage people at least do a few. Because doing things hands on is really, really helpful. I’ll do a quick note.

Some people have gotten the wrong impression that security is always expensive. Generally, that’s not true. It’s retrofitting security.

That’s expensive. And so what we should be doing is stopping the retrofit. It’s not hard to do most of the stuff if you just know ahead of time what you’re supposed to do.

But once you’ve dug the hole deep, it’s very hard to get out.

[CRob] (10:15 – 10:21)
Speaking of security, not being expensive. This sounds like an amazing class. How much does it cost to take?

[David Wheeler] (10:23 – 10:48)
Oh, what a pitch. Of course, as you know, it’s completely free. The course is free, the labs are free, whole thing’s free.

So, you know, please don’t make cost a limiting factor for this. You know, it’s basically important for us all around the world that anybody who develops software knows the basics. And that’s what this particular course covers.

[CRob] (10:49 – 11:08)
So a big part of your world, Dave Russo, is, you know, secure software development and SDLC, secure development lifecycle. From your perspective, you’ve looked at the LFD 121 class. Do you find that to be a useful artifact as you’re sharing it with your engineers?

[Dave Russo] (11:08 – 12:23)
It is. The content in the course does a very good job at talking about what the different activities that should take place along the different times of the software lifecycle should be. And again, to kind of repeat from what we said earlier, awareness is a big problem that we have. A lot of developers don’t understand what it means when we say we should develop things securely.

And then you start using words like risk assessment, penetration testing, threat modeling, attack surface analysis, and people’s eyes just kind of glaze over because they have no idea what you’re talking about. The course is able to go into these topics and provide a good amount of information, provide an understanding to a developer what we mean when we talk about these sorts of things. And additionally, to David’s point earlier, making the developers aware of this early so they can build it into the plan instead of trying to go back and do it after certain things have been done, makes adopting and implementing these things much, much easier.

So the combination of knowing what these activities actually are, the amount of effort that is needed to complete them, and when to insert them into the lifecycle make the course absolutely invaluable for people who are doing software development.

[CRob] (12:24 – 12:38)
That was one of the OG projects that David Wheeler brought into the foundation. Let’s talk about some of the more current work. Who would like to talk about the security for developer manager class we’ve all been working on?

[Dave Russo] (12:38 – 13:52)
So I’ll go and I’ll start off from a general level. And then I’ll let David go into some things a little bit more in depth. So the intent of the secure software development for managers course is to again, inform.

Awareness is a problem. If I’m a development manager, and someone says to me, you need to do your stuff securely, what does that mean? There’s a lot of different factors involved.

From a risk perspective, if we don’t do these activities, what does that mean? What does it mean for the actual software itself? What does it mean for the organization or company that I work for?

What kind of risk may I be exposing the company to? More importantly, if you’re a people manager, understanding the amount of time and effort and skills that are needed to perform these different activities is vital to know. You need to understand when to put these things into roadmaps and timelines, how much time to allocate for them.

And does anybody on your team actually know what it means to do, for example, a penetration test? If not, you’re going to need to find some additional resources to help you with that. So again, not necessarily diving down into the deep weeds on a lot of these topics.

This is meant to provide additional awareness and understanding to someone who’s in a development manager position.

[David Wheeler] (13:53 – 16:04)
And if I can jump in with some additions. Fundamentally, if management’s not on board, it’s probably not going to happen.

And unfortunately, some managers are kind of assuming things like, well, the IT security department will somehow take care of it. Well, no, they won’t. They certainly do have an important role to play.

There are things that they will do that will be very, very helpful. But if you’re managing the development of software, there are things that you as a manager need to know, need to do, need to make possible. We spend more than a little time in the course helping you understand some terminology, understanding what needs to happen, and frankly, making sure one of the key things a manager needs to do is making sure that the developers know what they need to know.

In many organizations, managers aren’t necessarily writing the code, but they need to make sure that the people they’re bringing in know what they need to know. And if they don’t, fixing that is fundamentally a training problem, an education problem. Because just like any other field, if you don’t know what you’re doing, you’re not likely to do a good job.

And it doesn’t mean that they’re stupid. It just means that they lack some important information. I will quickly note, just because I’m thinking of it.

Lots of people talking about AI. AI is awesome. The majority of developers nowadays are using AI to develop code, according to some surveys.

And here’s the problem. Just because some AI generated code does not make it secure code. What do you think that that system was trained on?

Right. So this actually AI is actually increasing the need for education by developers and by their managers. Because if you’re using an AI system, who is going to be reviewing it?

Not just the AI, I hope. You’re going to need people to know what they’re doing. Which brings us back to the need for more education.

The increased need for education, not the decreased need because of AI.

[CRob] (16:04 – 16:15)
Excellent point. Broadly, what other things are on the horizon from an education perspective? What have you got in the hopper in the back that’s going to come down the road?

[David Wheeler] (16:18 – 16:20)
Well, Dave, you want to go ahead?

[Dave Russo] (16:20 – 18:23)
Sure. So the OpenSSF is putting a lot of attention on education.

There’s some expectations as to what our SIG can help contribute moving forward in 2025. And again, I’ll hit this from an awareness perspective, I think, and I’ll let David dive in to a couple things a little bit deeper. We need to get the message out.

We need to get information out there into the upstream communities and the projects and let them know what it is we’re trying to accomplish and what materials we already have that they could leverage and use right now, as well as understanding how to bring more people into the group, into the OpenSSF in general, and provide their subject matter expertise to help us generate even more materials on top of that.

So we’re going to be making some additions to the information we’ve got on our GitHub page and such. We’re going to try and socialize some of the things that we’ve already put together as a group, some of the hardening guides we’ve done, we already talked about some of the education courses that are being worked on. We’re taking a little bit of a look right now, something that’s in progress, a little bit of behind the curtain for everybody.

We’re working on a CRA 101 course. Again, the EU Cyber Resiliency Act has been passed by their parliament, and everyone is trying to understand exactly what that means to them. So we’re trying to put, again, a general information course together that makes it digestible for people with a couple different types of roles to understand what the CRA means and what the expectations are going to be moving forward as it begins to come into effect.

So these regulations are becoming more common. There’s a couple other ones that are in progress at various geographies around the world, so we expect we’re probably going to do this for a couple other ones as they become available. Hopefully, we’ll have some representatives speaking at certain conferences, talking about the OpenSSF mission in general, some of the education information in particular, and again, trying to make sure that we are looking at the right ways to bring the right information to our constituency.

David?

[David Wheeler] (18:24 – 20:18)
Yeah, so let me jump in specifically on the Cyber Resilience Act, which is kind of a big thing that’s coming up. Strictly speaking, it only applies to software, and so on, that is released to the EU market.

I guess more accurately, I should say products with digital elements, which is the term of art that they use within the regulation. But the reality is, Europe’s a big place. Most organizations, especially in the software world, are global.

So this is going to affect many, many, many. Indeed, it’ll affect many who have never really needed to look at this kind of thing before. And so we’ve been trying to develop this, what we’ve been calling a CRA 101.

We actually even have an official number for it, it’s LFEL 1001, when it’ll get released. But basically, it’s a little introduction, explanation, what does this say? What does it require?

And it’s going to be a big change, I think, to industry, to the market. It even has some requirements specifically on what’s called open source software stewards. It’s a relatively light touch, but it does impose some requirements.

It does talk about open source software developers. I think in many cases, it will be much less of a touch, but it’s not completely none. And so this is going to affect, and of course, people who develop open source software, that software usually gets pulled into larger systems in many cases.

So this is going to affect a lot of folks. And so it’s gonna be important for us all to be prepared. So we’ve been working very hard to get that introduction developed, and we’re hoping to get that out the door as soon as we can.

[CRob] (20:20 – 20:43)
Excellent. Well, I’m looking forward to taking it, so I can become smart about the CRA. Thank you, gentlemen.

Let’s move on to the rapid fire part of the interview. All right. I got a couple wacky questions, and I would like you both to answer the first thing that comes to your mind.

First, most important question. VI or EMACS?

[Dave Russo] (20:43 – 20:44)
VI.

[David Wheeler] (20:44 – 20:45)
VIM.

[CRob] (20:46 – 20:54)
Excellent answer. Now, the next one, potentially even more controversial.

Tabs or spaces?

[David Wheeler] (20:55 – 20:56)
Spaces.

[Dave Russo] (20:56 – 20:56)
Spaces.

[David Wheeler] (20:58 – 20:59)
Always spaces.

[CRob] (20:59 – 21:09)
I can go back and count, but that is a very contentious, verging on religion for many people. What’s your favorite open source mascot?

[Dave Russo] (21:11 – 21:11)
Tux the Penguin.

[David Wheeler] (21:12 – 21:14)
Oh, it’s hard to beat Tux.

[CRob] (21:16 – 21:17)
Classic.

[David Wheeler] (21:18 – 21:27)
Classic.

I’m planning to print up one on a 3D printer soon, because Tux is fun. But I will say that Honk the Goose. Honk the Goose?

[CRob] (21:28 – 21:28)
Honk the Goose.

[David Wheeler] (21:28 – 21:29)
He is a kind of fun goose.

[CRob] (21:29 – 21:36)
I am personally a fan of the goose. And last question. What’s your favorite vegetable?

[Dave Russo] (21:37 – 21:38)
None of the above.

[David Wheeler] (21:39 – 21:43)
I’ll count corn as a vegetable. Corn on the cob.

[CRob] (21:43 – 22:04)
There you go. Thank you, gentlemen.

Now, as we wrap up, do you have a call to action or some advice you’d like to share with our listeners? We have a lot of people across the industry who listen to this, newcomers or people who aren’t familiar with open source or cybersecurity. So what kind of advice or what call to action do you have for our listeners?

[Dave Russo] (22:04 – 22:31)
Get involved.

Get involved. Understand what’s out there. The OpenSSF has a lot of really good information, a lot of different working groups that are going through things that affect all the open source communities, trying to, you know, make our security better, reach farther, make us more proficient in those areas. So if there’s something you think you contribute or if it’s something you want to learn or just want to listen and see what’s going on, join a couple of the working group calls and see what’s happening.

[CRob] (22:32 – 22:34)
Excellent. David?

[David Wheeler] (22:34 – 23:41)
I’ve got a couple.

So for get involved, if you’re interested in security, open source and security, obviously OpenSSF, if you are the happy user of an open source project where it’s starting to become important to you, get involved in that project. If you are a developer of software, please, please learn how to develop secure software. I think our course is great.

I don’t really care if you take that course per se. If you take another course, that’s great. Because what’s more important is all of society now depends on software.

We need that software to be more secure. And the vast, vast, vast majority of the problems we’re seeing today are the same problems we’ve been having for decades. It’s well understood how to systemically counter them.

But people need to know how to do it first. And as I said earlier, AI is not going to change that. AI will simply mean that we can write bad code faster.

It means we can write good code faster. But to write the good code, the humans have to know what good code looks like.

[CRob] (23:43 – 24:05)
Well, what a difference some Daves make. Gentlemen, some of my favorite people to collaborate with. I appreciate your time and all of your contributions to help trying to improve the quality of life for open source developers and ultimately the users that use all that amazing software.

So that’s a wrap. Thank you all for joining What’s in the SOSS and happy security, everybody.

(24:09 – 24:46)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocketcast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all.

Check out the newsletter for open source news, upcoming events and other happenings. Go to OpenSSF.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up to date OpenSSF news and insight and be a part of the OpenSSF community at OpenSSF.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.