What’s in the SOSS? Podcast #63 – S3E15 Big Thoughts, Open Sources: Driving Enterprise Security and Career Growth Through Open Source with Jamie Thomas (IBM)

By Podcast

Summary

In this episode of Big Thoughts, Open Sources, host CRob sits down with Jamie Thomas, IBM Enterprise Security Executive and OpenSSF Governing Board Member (former Chair!), to tackle the vital shifting dynamics of enterprise open source engagement. From IBM’s historical “billion-dollar bet” on Linux to modern supply chain wake-up calls like SolarWinds and Log4j, Jamie pulls back the curtain on what it truly means to move from accidental consumption to intentional stewardship. Tune in to discover how active participation in neutral foundations like the OpenSSF acts as a fast track for engineering career trajectories, why soft skills like “the art of influence” are critical for upstream collaboration, and how organizations can protect their crown jewels while implementing a powerful “give-back strategy.”

Conversation Highlights

00:00 – Intro Music + Promo Clip
00:21 – Introduction & Welcoming Luminary Jamie Thomas
01:32 – Wearing the Enterprise Security Hat at IBM
02:10 – Supply Chain Wake-up Calls: From SolarWinds to Log4j
03:14 – Unlocking Open Ecosystems: IBM’s Early History with Java and Linux
05:21 – Mainframe Debates and Portability: The Evolution of Open Source Adoption
06:24 – The Red Hat Acquisition and Monetizing the Developer Ecosystem
08:20 – The Myth of “Free” Software: Securing Regulated Enterprise Deployment
10:15 – Why a Seat at the Table Matters: The Value of Neutral Foundations
11:29 – The Art of Influence: Upstream Contributions as a Career Catalyst
13:50 – Moving Innovation from Open Source Kernels to Commercial Value
16:12 – Storming, Norming, and Conversation: Lessons from the Kubernetes Era
17:38 – Pitching Upstream Time: Helping Developers Sell Open Source to Management
19:30 – Beyond Code: Bringing Domain Expertise and Soft Skills Upstream
21:40 – Conquering the Chasm: Automating CI/CD Pipelines and Testing at Scale
22:56 – Consuming with Intent: Active Stewardship and the OpenSSF Scorecard
25:21 – Rapid Fire Round: Mainframes, AI-Generated Code, and Star Trek nostalgia
27:53 – Call to Action: Crafting Your Organization’s “Give-Back Strategy”

Transcript

Music & Intro/Promo clip (00:00)
If you’re a direct consumer of open source, do it with intent. And intent means that you’re responsible for what that means to your organization, both from a productivity perspective, but also from a security perspective and what you can expect from an investment point as well. You have to be an active steward in the maintenance of your open source strategy, just like you would have to be a steward of the maintenance of your own home.

CRob (00:26)
Welcome, welcome, welcome to Big Thoughts Open Sources. My name’s CRob. I’m your host today. This is a special video series where we’re talking to some of the leaders within open source. And today we have an amazing treat. We have Jamie Thomas from IBM. It’s a little company you might’ve heard of. And she’s here today to kind of talk about maintaining a career and influence within open source. Welcome, Jamie.

Jamie Thomas (00:54)
Thanks, Crob. Thanks for having me.

CRob (00:56)
I think we’re going to have a pretty amazing conversation today. For those of you that might be unfamiliar with kind of the luminaries that exist within our little slice of open source security heaven, Jamie has been a longtime contributor to and member of the OpenSSF, predominantly through influence through our Governing Board. You actually were our Governing Board Chair for a period of time. So for those that may be unfamiliar with you, could you maybe talk about what your current role is at IBM and kind of what you do within the OpenSSF?

Jamie Thomas (01:32)
Absolutely, and thanks for having me again. I think this is a really interesting topic. At IBM, I have a couple of hats, but the main hat that is important to this discussion today is IBM Enterprise Security Executive. And I’m therefore responsible for the protection of the IBM company. It includes our CISO office, our Cybersecurity Operations, as well as our Product Security, which has to span a number of our units, including our software, hardware, our consulting unit. So it’s an interesting job.

CRob (02:05)
Really big job.

Jamie Thomas (02:10)
Yeah, and you know, as you know, CRob, I got involved in OpenSSF from the very beginning of the Governing Board. And I remember when I got involved in enterprise security, someone told me, by the way, it’s all quiet, there’s not much going on right now. And the first thing that I recall happening not long after that was SolarWinds, which was one of the first interesting supply chain attacks. And then of course, we had Log4j, which is another whole realm of fun.

But certainly I felt that joining OpenSSF has been important for us, the IBM company, to stay abreast of what’s happening in the industry and to be a participant in this open source security realm. It continues to be an ever changing landscape.

CRob (02:53)
Absolutely, a blink and it totally changes. It’s a pretty wild space we get to live in. Thinking back through your career here, was there a moment or something that really sparked your interest that kind of drew you towards more open source perspectives, participation?

Jamie Thomas (03:14)
Yeah, yeah, absolutely. I mean, when I started IBM, I did start as a programmer in the software organization. And at that time, of course, we worked on, like all of the industry, probably at that time, closed source systems. But at some point in IBM, we got very involved in something called Java. As part of…

CRob (03:32)
I’ve heard of it.

Jamie Thomas (03:34)
Haha, yeah you’ve heard of Java…As part of Java, we wanted to engender an open ecosystem around the Java programming model.
And to that end, we realize we’re not going to attract developers at scale without a different approach.

And so we made some concerted decisions at that time. One was that we would invest in Linux. There was something called Linux at that time. And we made a decision to put into the corporation Linux Technology Center to invest in Linux, be open source contributors to the Linux operating system. And the other big decision we made is that we would outsource some of our Java development tooling to something called the Eclipse Foundation.

CRob (04:16)
Mm-hmm, oh yeah.

Jamie Thomas (04:17)
So it seems like, you know, tribal knowledge at this point, but to say the least, embarking on some of these endeavors was quite unique for the IBM company at the time. And getting people to understand their role within an open source community as opposed to what we had always traditionally done in terms of how we provided software to clients was very different.

And I had the pleasure of being involved in both the Java effort and the Eclipse Foundation effort through our Rational Software Division. And at that time, I actually owned all of the folks that were contributing to Eclipse and got to see that evolve for a period of time. You know, that was very, very fascinating times for IBM and also, I think, important for the evolution of open source that we have today.

CRob (05:09)
Well, in thinking further downstream, the folks, the organizations that would be your customers, Java was probably one of their, also their entry points into the open source ecosystem.

Jamie Thomas (05:21)
Mm-hmm. It absolutely was because you found through the eyes of a lot of our enterprise clients as they adopted Java, they were naturally then adopting Eclipse. And over a period of time, they certainly became very strong supporters of the Linux operating system. And in fact, I remember one of the first meetings we had where we actually were in a room with all these clients and there became this huge argument, this huge argument about whether we should put on the IBM mainframe.

And you can imagine, there were a variety of opinions in that room. But what made sense, if you thought about it, is that Linux would give us portability. And if folks developed on Linux, of course, then ultimately portability to different hardware platforms, of course, would be gained through Linux. And that’s exactly what did happen.

But at that time it was a very, very novel concept that we should embrace this new operating system. And so it was fun, fun stories.

CRob (06:24)
Speaking of fun stories, several years back, IBM made the air quotes, billion dollar bet on Linux and kind of looking back at kind of IBM’s initial involvement with the ecosystem and Java, and then through the acquisition of Red Hat, kind of thinking about what was the most difficult part kind of moving these massive enterprises towards an open source first mindset.

Jamie Thomas (06:53)
Well, I think that by the time we made that multi billion dollar bet on something called Red Hat, our perspective of open source had matured quite a bit. We had then already discovered and learned that we did.

CRob (07:02)
Mm-hmm.

Jamie Thomas (07:03)
We had then already discovered and learned that we did monetize quite well the Java ecosystem and part and parcel to what we did around Eclipse and Linux. We’d also adopted Linux at scale on our platforms, on both the Z platform in particular and Power, and also we were stewards of Linux on x86 for our clients. So we had a different perspective. And I think at the time we acquired Red Hat though, we did understand the needle had moved quite a bit on the developer ecosystem in that period of time since we had first started some of these efforts, and that Red Hat would enable us to have a bigger stake in the open source community as well as the ability to reach developers at scale.

And that was part of the motivation for the acquisition and I think that it definitely served us well. I believe that what Red Hat does, curated open source, is something that’s really important for the industry: to have a competent enterprise level open source provider, but that once again, has their finger in the pie around the open source community because that’s where everything happens. It happens in the community and then it has to bubble upstream and be effective for the enterprises that are consuming it.

CRob (08:20)
I know we’ve talked many times that you get the opportunity to talk to a lot of business and cyber leaders at firms that you partner with. Kind of when you’re providing advice and counsel to these leaders, how do you kind of reassure them that contributing to open source isn’t going to be giving away their secret sauce or their crown jewels? How do you encourage them in engaging more and more effectively with open source?

Jamie Thomas (08:50)
Well, I think there’s two different perspectives. And when I talk to a lot of the client organizations, I think they have pretty much accepted that open source is a valuable asset to them. What they’re then looking for is who can help me ensure that I’ll have operational fidelity, security around this open source. And that’s when they then start to say, should I have a trusted vendor to work with on that point? Or am I going to consume it directly?

And certainly, I see that early on in the acquisition of technology that many enterprises just take the open source and try it out. I mean, that’s one of the benefits, right? You can try it out. You can test drive it, you can decide if it works for you. But then normally, if you go into enterprise deployment, you do want someone that’s going to be there. In many cases I’m going to provide the care and feeding for you, particularly if you’re in a regulated industry. And of course, we deal with a lot of regulated firms in our environment.

I also make sure that I remind everybody involved, including ourselves and our ecosystem, that open source is really not totally free. I mean, it’s something that we all have an obligation to support. So if we’re consuming it, we need to understand what that means and we need to be stewards of ensuring that the open source communities are successful going forward.

CRob (10:15)
That’s an interesting point that leads me to my next question. How vital is it for enterprises to participate in neutral bodies like the OpenSSF or Eclipse or CNCF, rather than just trying to take all these amazing tools and kind of assemble it themselves, how does that neutral collaboration help them?

Jamie Thomas (10:36)
Well, I think it’s very important for you, as an organization, to have a seat at the table, if you will, realizing that in today’s world, you know, software doesn’t stay in the boundaries of one company. I mean, there’s an extensive ecosystem out there, we’re all somewhat interconnected. And if you’re at the table, you have an ability to influence the direction of a lot of these projects, you have the ability to contribute uniquely, but most importantly, to make sure that the projects understand your unique point of view. Certainly there’s a point of view of technology organizations like IBM. There’s the point of view of the startups out there that are so critical to the ecosystem. And there’s the point of view of the consuming enterprises, the downstream enterprise. I think all of those play a critical role in having that seat at the table.

CRob (11:29)
I absolutely agree. So as we continue our conversation here and getting more to, I think, one of your true areas of passion.

From your perspective, you’ve seen a lot of engineers in your career and you’ve seen them become kind of strong speakers and potentially global influencers through this open source ecosystem. From your perspective, do you see active participation in like open source projects as some type of a fast track towards leadership for engineers?

Jamie Thomas (12:04)
I think it’s one of those many facets that can really improve your career trajectory. The reason I think this is that for any accomplished computer science engineer today, you really have to have the ability to influence others. You have to have the ability to influence networks. Maybe that’s outside of your organization or inside of your organization. You have to have the ability to influence your customers.

And so how do you build that kit bag of resources and skills that allow you to do that? And I think participation in an open source community gives you a lot of industry perspective.

You know, when I go to the OpenSSF, I don’t just go there and understand, of course, what my point of view is, I’m understanding the collective point of view. And that collective point of view is very interesting and fascinating. Learning from others and then having that ability to share your unique perspective with clients and even in your internal organization is a skill that many people often underestimate.

The skill of influence is something that’s really important in today’s world. And I think that you can build that. You can also strengthen your own personal presentation skills.

I’ve seen many people presenting in a lot of these forums, whether they’re presenting at one of the conferences or presenting in a governing board or presenting at one of the breakouts. And it really is, once again, an opportunity for you to build your own personal presentation skills, understand how you can represent your ideas more effectively to another organization or set of organizations. And that is something I think is critical for a lot of individuals that are pursuing a different career trajectory.

CRob (13:50)
Mm-hmm. I really appreciate that insight. If thinking about this, how important is it for an engineer to have kind of this open source pedigree, whether it’s like a recognition, like your IBM Open Innovation Awards or other types of awards? How does participating in those things help that individual stand out, especially in this age where organizations are rapidly changing and pivoting?

Jamie Thomas (14:19)
Well, thanks for bringing that up. IBM does have an open innovation award that we give to individuals every year who are standouts in the participation of open communities. And I think that’s really important. And we have both executive contributions as well as non-executive contributions, and I always recognize those individuals in my all hands meetings to make sure they get their name in lights a bit internally. But I think that this is particularly important for individuals who once again want to take the learning from these kind of communities and use that to more broadly influence the direction of organizations. In many cases, and I was just on one of these today in fact, a lot of the innovation does start in an open source format because once again it’s very easy to get your ideas out there, to start seeing them scale, understand what really appeals to clients and what does not. Then how do you take the open source kernel and then create something that is of commercial value, right?

You either have to have the concept like we did with Eclipse that it’s going to enable developers to use other products more effectively, or you have to take the kernel and then become an enterprise open class support organization like what Red Hat did eventually…

CRob (15:41)
Mm-hmm.

Jamie Thomas (15:42)
Very accomplished open source curation organization. So I think for individuals to help companies like IBM or to help their team to help their little asset that they created become more successful, then this participation is absolutely critical. And without a few individuals along the way that really understand how to do this, then I think many, many rewarding projects will not get from point A to point B and be as successful as they could have been.

CRob (16:12)
Right, Yeah, I definitely agree with that. So how…

Jamie Thomas (16:17)
I mean, look at things like probably, you know, Kubernetes or many of the things that we recognize today that we just take for granted. Without that kind of vested participation support, would they have become what they are today? I mean, Linux is the best example, of course.

CRob (16:36)
I absolutely agree. Kubernetes is another example of where we had an organization that had an idea and there were some competing ideas at the same time. And then that project was donated to a neutral foundation where all these fierce competitors could get together and work together in that space to help make the technology itself far more impactful than it ever would have been.

Jamie Thomas (17:00)
Yes. And I hear behind the scenes, even though I was not part of all of that directly, that there was a little bit of storming and norming and maybe a few disagreements along the way and everything.

CRob (17:10)
Yep.

Jamie Thomas (17:11)
But eventually, you know, some really good things came out of that. And, you know, it’s like anything: nothing really good is achieved in my mind without conversation, you know, without really having a human dialogue to understand what’s working and what’s not. Certainly big things are not achieved typically through subterfuge, and so I think that is the value of a lot of these communities.

CRob (17:38)
I agree. So when you’re thinking about, again, from the developer maintainer perspective, what advice would you give a developer to pitch to their manager about spending some part of their time working upstream, hopefully in security, but participating in an upstream project? How do you help them sell that to their management?

Jamie Thomas (18:01)
Well, I think in many cases, the individual needs to take a point of view of what’s in it for my manager, right? I mean, it’s kind of like when you’re trying to sell anything, right? There are certainly clear attributes that help you as an individual, right? Can improve your leadership skill, your ability to help the manager from that perspective, I think is quite valuable. Problem solving is something we often take for granted today, but it’s not always there, right? But then the other thing is what particular.

But will the participation aid from a business perspective? And I think there’s a lot of different aspects of that. If someone’s working in the security domain, I think there’s really clear outcomes.

where their participation will benefit the enterprise. You learn so much, right, in terms of what you need to do. If you’re working in a particular project that is going to have downstream impacts possibly to the organization, I think there’s a clear linkage there. But first of all, never take for granted that everyone does understand open source.

I find that even in today’s environment, there are a lot of upline managers or senior executives who perhaps don’t understand the importance of open source and open source participation. It’s kind of like the water that’s running in our house and we just think it’s gonna always be there. It’s always gonna be on, right? So building that sell package is important. It’s important.

CRob (19:30)
So from, again, your perspective, outside of having some coding skills or some other technical ability, what other types of specific things should people think about when they’re going to go engage upstream? Are there other abilities or skills they might be able to bring to bear to help upstream?

Jamie Thomas (19:52)
Well, I think that coding skills are one, but don’t underestimate just basic ability to influence, basic ability to bring technical perspectives together and drive a conclusion. I mean, we’ve certainly seen a lot of that in the OpenSSF, right, where the technical committees have really had to come together, and you’ve been a big part of that, to render a recommended outcome, right? That’s influence, and getting people to agreement is really important. Back to your Kubernetes point: somebody had – a group of people had to get some level of agreement to move forward. So influence is really important. Having domain knowledge of things like security, of secure CI/CD practices, sharing that with organizations I think is really important. That’s one of the things, you know, that we’re really focused on: not how do we just create best practices and tools, but how do we help other projects consume those tools at a faster rate and pace.

So individuals that have that passion, who have the ability to help teams be more successful, those are maybe some soft skills that I think a lot of projects really need.

CRob (21:04)
And I think that’s... I hear this a lot from non-developer folks that are interested in contributing is, you know, what could I possibly bring to the table? I’m not a coder. I don’t understand C or Rust or Go. And I tell them, you have value, you have domain expertise, you understand networking or like CI systems far better than most software engineers do because software engineers are studying the language or a particular community. They don’t necessarily have a lot of these additional skills like program management and communication.

Jamie Thomas (21:40)
Yeah, and one of the things I remember the most about, you know, one of the IBM projects I worked on, WebSphere, is one of the most fundamental investments we made was automating the CI/CD pipeline in a really cool way. And of course, this was 20 years ago. But I’ll remember that point, like it was yesterday, because our lives changed when we achieved this automation at scale. And so I think that that kind of thing can have a huge impact on the projects today. One of the things we’ve been talking about, as you know, with all the AI mania that’s out there these days is it’s one thing to find the defects, but how do you fix the defects and actually test them at scale?

So we all know the secret of many software projects is while we have a lot of software out there, testing them in an automated fashion even is quite a challenge for many organizations and many projects. So those people that are able to conquer those leaps across the chasm help with that CI/CD automation, help infuse security, or help create a different perspective of how to automate the test associated with not only remediating but making sure that we’re not breaking everything that’s out there that uses that particular asset. Small thing.

CRob (22:58)
Yeah, very small. So again, let’s pivot back to your conversations with enterprises and leaders broadly. How do we help move the industry from thinking about open source as something that’s consumed to something that you’re more of a steward of? A participant in this shared infrastructure?

Jamie Thomas (23:21)
Well, I think we have to continue what we’re doing here in this session. Really, we have to continue to provide a lot of education and perspective about what happens when you don’t do that. Right. This is, you know, it’s like, you know, my house, I do wake up every day and I expect the plumbing, the water and electricity to run. But on the other hand, if I’m not a good steward of the basic underpinnings of some of that capability, it might not always be that way. And I think the same can be said about open source.

So when you consume it, you have to consume it, I think, with a recognition that it’s a critical part of your infrastructure investment. You should understand what you’re consuming. Typically, I don’t think it should be accidental consumption unless you’re depending on perhaps a packaged app vendor to provide it to you. And then that could be something that you’re unaware of, right? SBOMs and things like that are particularly making that more apparent, of course.

But I think if you’re a direct consumer of open source, do it with intent. And intent means that you’re responsible for what that means to your organization, both from a productivity perspective, but also from a security perspective and what you can expect from an investment point as well. One of the things that we’ve learned through the OpenSSF is not every project maintains a healthy state over a period of time. And so that’s why we’ve created this scorecard that gives organizations a perspective of whether the project is healthy.

And I think today, if you’re consuming open source, you need to be using those kind of assets to understand, are you consuming healthy projects? If not, what do you want to do about that? Right? So you have to be an active steward in the maintenance of your open source strategy, just like you would have to be a steward of the maintenance of your own home.

CRob (25:21)
I love that. Participating with intent and having a strategy. That’s excellent advice.

Jamie Thomas (25:25)
Yeah, it shouldn’t be an accidental consumption approach. It should be with intent.

CRob (25:36)
Right. Well, let’s move on to the rapid fire part of our talk. I have a couple wacky questions. I would just like the first answer off the top of your head, please. Blue suits or blue jeans?

Jamie Thomas (25:53)
I think both. I have a blue jacket on today. What am I supposed to say?

CRob (25:55)
Both very nice. That was kind of a leading question. Next question, mainframe or microservice?

Jamie Thomas (26:10)
Oh, both. Oh, I’m cheating on this quiz. But you know, I do have the fondness for mainframes. Here’s my little mainframe chip, you know, the chip package here. It’s like a little paperweight, right? This one is z16. I don’t have z17. But anyway, and then microservices, I think the world does depend on microservices. Very, very important part of the architecture.

CRob (26:33)
And I heard you can run open source microservices on a mainframe.

Jamie Thomas (26:37)
That’s right, that is true.

CRob (26:40)
AI generated or hand coded?

Jamie Thomas (26:44)
Well, I think in today’s environment AI generated is becoming quite prevalent, but I do believe that developers who are standouts are gonna be those individuals that go back in there and use it to their advantage. So I think there will be humans in the loop or humans somewhere in many cases, and it’s up to the human to decide how do I use this cool innovation to my personal advantage.

CRob (27:12)
That’s amazing. And then finally, most importantly, Star Trek or Star Wars?

Jamie Thomas (27:19)
Now I have to confess that I was a Star Trek person growing up, right? I watched those cool Star Trek episodes and everything so I guess I’m more partial to Star Trek.

CRob (27:34)
There are no wrong answers, both are good, but it’s just kind of fun. I love both. I grew up on Star Wars and then Star Trek and then Star Wars changed my life in 77.

Jamie Thomas (27:43)
Well, I do like Princess Leia, of course. Being a woman, Princess Leia was a hero for all of the young ladies out there. Quite good. Good stuff.

CRob (27:53)
Absolutely. Well, and so as we wind down, Jamie, thank you for playing along. Your call to action. So if we have an enterprise that’s only consuming open source today, what’s one thing that you would suggest to them to get them to start participating?

Jamie Thomas (28:12)
I would ask everybody to think about what is your give back strategy?

Because if you’re consuming open source, but you’re not participating in open source projects, maybe with your developers, you’re not participating in an organization in terms of lending your unique perspective of your strategy and how the foundation or the open source project could help you with your strategy. You could do that even through maybe just the use of open source and beta testing, but be an active participant.

Think about consuming with intent. And what does consuming with intent mean for you as an organization?

CRob (28:54)
I love it. Thank you, Jamie Thomas, for participating in Big Thoughts Open Sources. This was a delight. Thank you very much.

Jamie Thomas (29:06)
And thank you very much, CRob. It’s always good to talk with you.

CRob (29:09)
Absolutely – and to those of you listening today, please check out the transcript, we’re gonna have some really great links and, you know, stay cyber safe and sound. Bye, everybody.

Jamie Thomas (29:20)
Bye.

OpenSSF Notes Quarter of Growth with New Members, Added AI Security Resources, and Growing Community

By Blog, Press Release

Foundation celebrates five additional members, new cyber reasoning sandbox project, and release of v1.0.0 Python Secure Coding Guide to support open source security globally

MINNEAPOLIS – OpenSSF Community Day North America – May 21, 2026 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation focused on sustainably securing open source software, today announced five new members have joined the foundation. The OpenSSF also notes additional technical resources for Python secure coding, the first cohort of OpenSSF Ambassadors, and new projects like OSS-CRS joining the foundation’s sandbox during OpenSSF Community Day North America in Minneapolis. OpenSSF’s efforts ensure that open source remains a trusted foundation for digital innovation by addressing the technical, legal, and human elements of modern cybersecurity.

These milestones address two main converging pressures in the software ecosystem: increasingly mandatory security standards and the need to unify organizations and countries behind those standards. By providing practical resources, the OpenSSF helps projects navigate complex requirements such as the CRA. The foundation continues to expand its global community as well, keeping all that benefit from open source software ahead of sophisticated risks and threats.

“As the threat landscape for software supply chains becomes more complex, the need for community driven security standards has never been more urgent,” said Steve Fernandez, General Manager of OpenSSF. “The growth we’re seeing in our membership and the arrival of projects like OSS-CRS show that security is an important priority for all. The OpenSSF is providing the practical tools and guidance developers need to build more resilient software.”

New OpenSSF members include ActiveState, Aikido, Minimus, and TuxCare, who join the Foundation as General Members. The FreeBSD Foundation also joins as an Associate Member. These organizations will contribute to working groups and technical initiatives to help drive the strategic direction of the OpenSSF. By collaborating within a neutral forum, these members support the long term sustainability of the open source ecosystem.

Foundation Updates and Milestones

In the second quarter of 2026, the OpenSSF achieved several milestones to secure and support more resilient software for all: 

  • Publication of the European Union Cyber Resilience Act (CRA) Guides and Resources for Maintainers and Stewards: The Global Cyber Policy Working Group created this technical roadmap to help foundations and projects navigate global regulations, including the EU Cyber Resilience Act (CRA).  
  • OSS-CRS Joins OpenSSF: Following its debut in the DARPA AI Cyber Challenge, the Open Source Cyber Reasoning System (OSS-CRS) has been formally accepted as an OpenSSF Sandbox project to advance AI-driven automated vulnerability finding and patching. 
  • First Release of the Python Secure Coding Guide: The BEST Working Group has announced the version 1.0.0 release of the Secure Coding Guide for Python, providing developers with high-confidence anti-patterns and compliant code examples to mitigate common vulnerabilities.
  • Security Slam 2026 Conclusion: OpenSSF celebrates the successful completion of Security Slam 2026, which resulted in dozens of open source projects reaching the Open Source Project Security (OSPS) Baseline and publishing their first formal threat models. 
  • New AI Security eBook: In collaboration with the Cloud Native Computing Foundation (CNCF), OpenSSF released Securing Open Source in the Age of AI: A Practical Guide for Maintainers, Security Engineers, and Researchers. The guide offers actionable advice for managing AI-generated contributions and using AI to improve security.
  • Mentorship Program Expansion: OpenSSF selected eight mentees for its Summer 2026 program. These contributors will provide dedicated support to Repository Service for TUF (RSTUF), GITTUF, SBOMit, and Minder.
  • Inaugural Ambassador Program Cohort: Today at OpenSSF Community Day, the Foundation announced the first cohort of the OpenSSF Ambassador Program, featuring 13 community leaders dedicated to spreading security best practices.

Supporting Quotes

“The Linux Foundation and OpenSSF are where the serious work on open source security gets done. No single organization secures the software supply chain alone. Thirty years of building secure open source infrastructure is what we bring to that work, and that work is better done together.”

– Abby Kearns, CEO, ActiveState  

“Open source software is the foundation of modern software development, and supporting that ecosystem has always been core to Aikido’s mission. Through projects like Safe Chain, Zen Firewall, OpenGrep, and BetterLeaks, we’re investing in practical, community-driven security tooling that helps developers build and ship software with speed, trust and confidence. We believe securing open source is a shared responsibility, and we’re proud to contribute technologies that make the broader ecosystem safer and more resilient for everyone.”

– Willem Delbare, Founder and CEO, Aikido Security

“As a critical component of the global digital infrastructure, we believe FreeBSD must be part of the security discussions shaping the future of open source. Joining the OpenSSF will enable us to collaborate with others to help protect the software the world depends on.” 

– Deb Goodkin, Executive Director, FreeBSD Foundation

“Minimus is proud to join OpenSSF and work alongside its other members to help secure the open source ecosystem that allows us all to thrive. Enabling developers to build on open source components while keeping security teams happy is central to our business, and we intimately understand the responsibility we all share in achieving that goal.”

– Kat Cosgrove, Head of Developer Advocacy, Minimus

“TuxCare is pleased to be joining OpenSSF and the cross-industry effort to strengthen open-source security. For more than a decade, we’ve worked to keep open source secure and reliable in enterprise production over the long term. We see that kind of sustained reliability as essential to the trusted, secure open-source ecosystem OpenSSF envisions.”

– Igor Seletskiy, CEO, TuxCare

Events and Gatherings

OpenSSF members are gathering this week in Minneapolis at OpenSSF Community Day North America. To get involved with the OpenSSF community, join us at the following upcoming events: OpenSSF Community Day Europe (Prague; October 6) and Open Source Summit Europe (Prague; October 7-9).

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org

About the Linux Foundation 

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. 

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Grace Lucier

The Linux Foundation
pr@linuxfoundation.org 

What’s in the SOSS? Podcast #61 – S3E13 Beginner to Builder: Shaping the Conversation in Open Source Security

By Podcast

Summary

In this episode of What’s in the SOSS, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public “100 Days of Cybersecurity” challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners. She discusses how connecting with the OpenSSF community led her to the BEAR Working Group, where her authorship of the “Beginner to Builder” blog series has allowed her to move from consuming content to actively shaping the open source security conversation. Ejiro also offers advice to the next generation, emphasizing that open source contribution is not just about coding but is a welcoming space for anyone to learn and grow, regardless of their current expertise.

Conversation Highlights

00:00 – Music, Promo clip, & Welcome
01:11 – Ejiro details her transition from UI/UX design to cybersecurity and connecting with OpenSSF.
03:39 – Ejiro explains her motivation for starting the 100-day challenge, including receiving advice to learn publicly and a previous rejection from an internship.
06:49 – Ejiro shares that she is currently on day 44 and expects to complete the challenge around April.
07:50 – Ejiro discusses her biggest personal lesson: understanding consistency and discipline, and learning from the community.
10:45 – Ejiro describes her authorship of the “Beginner to Builder” blog series, which shifted her from consuming content to shaping the open source conversation.
15:47 – Ejiro shares the impact of her work, noting that it has made cybersecurity feel less intimidating for beginners and helped her grow in confidence.
18:22 – Rapid Fire Questions: Ejiro shares her preferences on books, cooking, social media, and more.
21:13 – Ejiro offers advice to the next generation, emphasizing that open source is welcoming, not just about coding, and provides great opportunities for learning and growth.
24:46 – Yesenia concludes the interview, thanking Ejiro for her time and contributions.

Transcript

Intro Music (00:00:00)

Ejiro Oghenekome (00:01.366)
So I have embarked on a 100-day cybersecurity challenge where I post whatever I learn about cybersecurity in the open. I posted both on LinkedIn and on Twitter, currently known as X. I was told to learn publicly. It has really helped me to stay consistent and it has also helped me to stay disciplined.

Yesenia Yser (00:23.662)
Hello and welcome to What’s in the SOSS, OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experience, and wisdom. I’m Yesenia, one of your hosts, and today I have the utmost pleasure of interviewing Ejiro, who has been such a great part of the open source community and has done a lot for us already from part of the FAIR program,

writing a few blogs that we have seen out in the wild, and much more. I don’t want to share details of the upcoming podcasts, but welcome, Ejiro. Please, you know, let’s start with you for listeners that are meeting you for the first time. Can you introduce yourself and share your journey into open source cybersecurity? Like what really pulled you into this space?

Ejiro Oghenekome (01:11.822)
Thank you very much for having me here. Hello everyone. My name is Ejiro Oghenekome. I’m a cybersecurity analyst. Currently I am contributing to the OpenSSF. So for how I got into this space and where I am at right now, I’d like to give a little backstory on myself so that you would better understand how I got to this particular phase of my career. I used to be a UI/UX designer a couple of years ago.

But I think about 2024, I started to like not see myself doing UI UX in a long time. And as at that point, I was already interested in security. I was already curious to know how data is secured and a lot of other things about security. So I decided to dive in and take it as a career to learn about security. And the first course I took was the Google Cyber Security Certification course on

Coursera and it was a very interesting course. I took that. I had other little courses that I took, some on YouTube and other very, very not so prominent courses, that helped shape my career going forward. And something I didn’t mention was the fact that I’ve always known about open source, even during my UI/UX design time, but I really did not partake in open source contribution as at that point.

But I really did not want my cybersecurity journey to be that way. So I was looking for every means to get into this space, to try to contribute to open source with my cybersecurity career. So fortunately for me during that time, I think about 2025, I met a friend, who told me, or I saw a post from a friend where she had an interview with someone that was talking about open source and open source security. I found that very interesting and I reached out to her.

I’d like to connect to the person so that they would share more light on contributing to open source, especially with my focus, which is cyber security. And she actually did that for me. And I connected with the person. The person was Sal. I had a couple of meetings with Sal and she got to know where I was in my career, which led her to introduce me to the OpenSSF. And yeah, I am today trying to contribute to the OpenSSF in whichever way I can.

Yesenia Yser (03:39.854)
That’s such a great story how one friend, one webinar connected you to one individual that opened up the space of open source and it’s brought you to where you’re at today. Such a great story to hear. And one of the little birdies in the open source told me that they gave you a hundred days of cybersecurity challenge that you’ve been publicly documenting on LinkedIn. Like what inspired you to start that journey and

What do you hope would come from it?

Ejiro Oghenekome (04:10.67)
So I have embarked on a 100-day cybersecurity challenge where I post whatever I learn about cybersecurity in the open. I posted both on LinkedIn and on X, Twitter, currently known as X, so my journey can be documented. What made me do this was the advice I got from friends and loved ones. I was told to learn publicly. And that really has shaped me over time coming out.

because looking back, it has really helped me to stay consistent and it has also helped me to stay disciplined in terms that I feel so indebted to the cause of posting because I’ve seen a lot of people grow interest in what I have posted about my career, everything I do about cyber security. It has really been an interesting journey for me. Also, another reason why I embarked on the 100 day of cyber security challenge was because

I would say I got a rejection from an internship. I really did not get feedback from them. So I would know, I don’t know if I should say that’s a rejection, but technically it is because I didn’t get the feedback. I really wanted to get practical knowledge of what I was already learning. I’ve learned for a while and I wanted to get into the practical space. I wanted to get into the real world space to practice what I have been learning. I applied for the internship. Unfortunately,

I did not get it, so I had to take some step back and make a curriculum for myself where maybe I would be able to create something that feels really practical. The internship I applied for was a three-month internship, which is 90 days, if I would say technically. So I just had to do it, 90 days for an internship that I did not get. So I had to make it a 100-day for myself. Looking at all I have done, what I hope

to come out from this, which I am already saying is for people to know me for what I do. For people to know me for open source, for people to know me for open source security, for people to know me for cybersecurity, and for people to know me for preaching and being an enthusiast of open source. People should come into the open source space to contribute to open source and see the opportunity it comes with. And people to also know that

Ejiro Oghenekome (06:34.734)
I’m a cyber security analyst and I also give best practices. I also give basic knowledge of what cyber security is and all of that. Yeah, that is what I hope to get from my 100-day challenge. And it has really been turning out well for me.

Yesenia Yser (06:49.836)
I love that because getting online and really just sharing what you’re learning, you know, on a cadence, whatever cadence that is for you is such an important way just for your own accountability and for others to connect to you, connect with you and learn what you’re learning, especially if you’re looking for jobs. I’m just curious right now it’s, you know, mid February. What day are you in for this challenge?

Ejiro Oghenekome (07:13.774)
Yeah, I think I’m in day 44. Nice. Yeah, day 44. It’s been a great journey. Yeah.

Yesenia Yser (07:22.574)
24 days. So when do you envision, it’s 100 days, so when do you envision this challenge ending?

Ejiro Oghenekome (07:29.39)
Let me try to do a rough calculation right now in my head. So we have a couple of these. So let’s see the beginning of around April. I’m not sure the dates for April. I’m not going to give an exact estimate, but yeah, by April I should be done with the 100 day cybersecurity challenge.

Yesenia Yser (07:50.85)
Very nice. Okay, so we’ll keep watching. You’re deep into this challenge. 44 days is a great time because that’s built in that habit to get it done and share out what you’ve learned. But I’m curious, what’s your biggest lesson that you’ve learned so far? And not just like technically, but like personally, like how have you changed how you see your learning, your discipline, or just like your community growth?

Ejiro Oghenekome (08:17.614)
Okay, that’s a very interesting question. I would really say if I’m going to put it short, I’ll say it has not been an easy journey. It’s not been easy because it’s not easy to stay consistent and trying to like, remodel my expectations of what I have to post, what I have to do. It is not easy. I’ve come to see that everything cannot go on the same pace every day.

I’ve had to stay consistent. I’ve had to understand what consistency and discipline mean. I’ve come to get that. Consistency does not mean I have to be in the same place every day. I do not do the same thing every day. Some days I might not even feel motivated to want to partake in that particular challenge for that day. But I have to stay disciplined. I have to stay consistent, which might make me cover less than what I covered the previous day.

Other days I might feel so motivated that I might cover more than every other thing I’ve covered in the past. It just happens. One thing I’ve learned is staying consistent, what consistency really means, being very disciplined in the space. Also it has given me a very good routine. In terms of community, I’ve come to understand that community is where I learn.

This learning can come by interacting with projects and interacting with people in the community that have more experience than I do. During my 100-day challenge, I’ve been able to have the opportunity to be part of the OpenSSF. This has gone hand in hand with the 100-day challenge that I’m doing. For the fact that I’m part of the OpenSSF and doing my 100-day challenge, I’ve seen the impact that the OpenSSF community has had on me. I’ll give a very simple example.

We had a blog post that talks about a lot of things that we might go over eventually. Because of one research I did for one part of one series of the blog post, there was a course on the OpenSSF and the Linux Foundation Education that I took and benefited from. That is the LFD121, that is Developing Secure Software.

Ejiro Oghenekome (10:34.274)
I want to understand from this journey that I’ve taken that I could learn from community, I could learn from interacting with people, I want to understand what consistency and discipline mean.

Yesenia Yser (10:45.678)
That’s awesome. Yeah, when you started being involved in the BEAR Working Group, you and Saul were working on a blog series, and you just lightly mentioned it. It’s Beginner to Builder. What has that experience been like, moving from learning to actually contributing publicly? And you know, this blog, it’s a big deal. It’s a three-part blog series. Like what does this authorship mean to you in the aspect of open source?

Ejiro Oghenekome (11:13.208)
Again, I would try to give an example to put what I have learned and how contributing to open source has been to me. During my design career, I’ve always known about open source, but I was not involved in open source contributions because as I did, I would say I did not know where to start. I did not know what to do. I did not know how to get into the space. I also felt most of the times that I did not know enough to be able to partake in open source contributions.

All of that, and that feeling of mine is something I feel like a lot of other persons also do have. It was a problem for me and that problem I felt that a part of the blog post was able to solve. One thing about me is if I experience a particular challenge or problem going forward in my career, I try my best to solve it so that when people come behind me and they experience such problems they would not find it difficult to solve because there are

cases or maybe there is documentation that will help them go through this problem. That is one thing that I’ve been able to do with the blog posts and that is how, that is why the blog post publication was made public. And for me, authorship in open source is more than just putting my name on the blog post or making a contribution. It represents ownership of my learning and my voice. When I started my cyber security,

I was mostly consuming content. I was reading documentation, watching tutorials and following experts, asking questions, I did all of that. But authorship changed the dynamics of everything for me. It shifted me from being just someone that consumed information to someone that is actively shaping the conversation, even if it was in small ways. Authorship made me feel responsible. I know that something I am going to write

is going to be published and the knowledge I share is going to be put out in the ecosystem. It would make me more focused. It would make me more thoughtful. It would make me more intentional about what I’m going to post. And this led me to call back, questions, ask people from the community to give me feedback on the blog post I wrote. I think you must have experienced that because

Ejiro Oghenekome (13:35.916)
During the first part, the second part and the third part, we were always very intentional to make sure that we got feedback from the community so that the best resources can be put out there to solve the actual problem we saw that we wanted to solve. And also, authorship for me means visibility. As someone from Nigeria and someone who transitioned from design to cyber security, authorship allows me to exist in a public space where people like me

are not highly represented. It shows that contributions do not have to fit a specific style or character. Also, it also makes me confident. It means that I am no longer waiting until I know everything before I can speak and before I can contribute in the open source space. I am comfortable contributing while I am learning.

This is very powerful in the open source space because the open source space does not work with one person’s perfection, but it works with individuals putting together their efforts and their knowledge to try to make things work. The BEAR Working Group and generally the OpenSSF community has really been helpful in this part. They’ve been encouraging, they’ve been friendly and they have pushed me to understand things. They have guided me each step of the way

to understand what I am doing so that whatever resources we put out there will be the best quality for people that are going to have that.

Yesenia Yser (15:08.448)
It reminds me a lot of when I started, like just grabbing whatever kind of resources I could find and just learning. And when I realized that I was able to use my voice or my penmanship, so to speak, to share out information, I realized the power and the impact that I can have, you know, just not for my own credibility, but also you never know who’s going to read it down the line. Like I have articles that I wrote years ago or that I published that people still reference.

Nowadays that they’re like, this was an amazing article that you wrote. I learned so much. So big kudos to you for that.

Ejiro Oghenekome (15:45.55)
Thank you.

Yesenia Yser (15:47.17)
Before we get into the rapid fire, I would love to know what impact you’ve seen in the community, either from your 100-day posts or your BEAR Working Group, like the work you’ve done with the blog. I know you mentioned a bit in this session, but I would love to learn, you know, a little bit more of looking at your journey so far. Like what impact have you seen?

Ejiro Oghenekome (16:08.634)
Genuinely speaking, I really did not think about impact when I started all of this. When I started my 100-day challenge, I was not thinking about the impact it was going to have on anyone. I just wanted to learn. When I started contributing to open source, I just wanted to learn. But over time, I started to notice little impact on people. I saw that for my 100-day challenge, people would message me saying things like, they started learning because they were following my post.

Some people asked me questions on the tools that I use and if I will be able to share resources with them. Other people said that it made cyber security feel less intimidating because of course, a lot of cyber security posts we see online are from experts that would tell us in cyber security knowledge and try to express things in very technical terms for us, which could be very intimidating for beginners.

for people that are beginners that could relate to what I was saying, that could relate to very basic things in cyber security. It really felt nice. It really felt welcoming. It gave them confidence to say, okay, I could learn this. I could start somewhere. I could get some of this knowledge and get to that point of expertise where I would be able to have this opposed, intimidating knowledge also to myself. Also talking about the community.

The impact has been slightly different. I’ve been able to be part of so much decision-making. I’ve connected with experts that are very kind and friendly, and they want to see me grow. From publishing the blog series, this has made me more aware of my words, that my words could guide people that are just starting up, and this makes me feel so happy. I’m growing in the community in terms of

confidence and experience and also in transferable skills, in terms of receiving feedbacks and all of that growing. And I see that when resources are put out there, it’s really encouraging to me.

Yesenia Yser (18:22.126)
That’s awesome to hear the impacts from, I think you started maybe like a year or so ago in the organization. So it’s great to see and hear what has happened within a year.

So let’s go ahead and move on to the rapid part of the interviews. You gotta have fun with some of these parts. So I’m gonna ask you a series of this or that kind of questions or what’s your favorite X and then you just go ahead and respond. So first question, books or podcasts?

Ejiro Oghenekome (18:38.776)
FIRE!

Ejiro Oghenekome (19:02.117)
I don’t really like reading. I just have to read because I need to get those informations in my head.

Yesenia Yser (19:08.258)
Yeah, I get that. A favorite off-computer activity.

Ejiro Oghenekome (19:18.51)
I enjoy cooking a lot. Yeah, I enjoy cooking a lot.

Yesenia Yser (19:22.158)
What’s that one meal you cook often that you enjoy?

Ejiro Oghenekome (19:27.926)
I don’t know if you would know, but I cook fried rice. I like seafood a lot. So I cook fried rice, prawns, salad.

That’s my favorite meal. That’s my favorite. Maybe you will see one of these days, I’ll make it and you will definitely testify to its greatness.

Yesenia Yser (19:48.086)
I am ready for that. Next question. Best way to grow a project. Is it social media, conferences, or contributors?

Ejiro Oghenekome (19:57.44)
It is social media. Yeah, if I’m going to be very honest, social media can do that.

Yesenia Yser (20:03.726)
I feel like social media drives the other two. Next question, sweet or sour?

Ejiro Oghenekome (20:12.014)
No, sir, I don’t like sweets like that.

Yesenia Yser (20:16.366)
We had a quick, quick, quick change there.

Ejiro Oghenekome (20:19.575)
I just had to think about sweets, so I really didn’t like sweets.

Yesenia Yser (20:25.166)
I know we’re meeting early morning for you, so are you an early bird or a night owl?

Ejiro Oghenekome (20:32.386)
I’m an early bird. I really do think I’m an early bird because I wake up very early and do things. I’m an early bird and I try to sleep very early.

Yesenia Yser (20:41.77)
I’m the opposite. I just, at night I’m like awake. It’s so strange.

Ejiro Oghenekome (20:46.894)
I’m really not sleeping a lot. So I just try to sleep at night. I stay awake very early in the morning. I get up very early in the morning and try to go on my day.

Yesenia Yser (20:57.464)
Yeah, I’ve adapted myself to it, but naturally I could stay up all night and sleep all day. Last question is your favorite treat or dessert?

Ejiro Oghenekome (21:10.702)
I’d say cakes.

Yesenia Yser (21:13.422)
That’s a good answer. There you had it. The rapid fire interview questions focused on food. So as we wrap things up, any advice for the next generation entering tech or security? What advice would you give them about using open source as a way to launch pad their career?

Ejiro Oghenekome (21:36.494)
Okay, well, I’ll give a disclaimer. I would say I’m still part of the next generation. So whatever advice I’m going to say, I’m giving that to myself also. This is something I would have told myself earlier on in my career during design. Try to understand open source and the opportunity it provides. Also, open source is not just about coding. There are different things that someone can do in the open source space.

As a designer, you could contribute to the open source space. As a writer, you could contribute to the open source space. As a community manager, you could contribute to the open source space. Obviously, very obvious ones. You could write code. You could review code. And you could do a whole lot of other things. Even joining calls, giving your suggestions on calls and decision making during the call is also a way to be part of the open source space.

Get involved in the open source space. It has a lot of opportunities for people. It’s a very welcoming space. I can testify to that from the community I am part of. It’s a very lovely community with lovely people. The OpenSSF has been a great space for me to learn and grow. And I strongly believe that this is how most, if not all of the open source communities are.

It’s a place where you can learn. It’s a place where you can build your confidence. It’s a place where you can grow. Also, open source is not about you being an expert. With the knowledge you have, you could be part of an open source space. You could be part of, you could contribute into the open source. So commonly try to understand open source. It is not as difficult as it might look from the outside. Trust me. Come in, learn,

be part of it and contribute. And I promise you it’s a very welcoming space to be part of. And talking about open source and advice I’ll give to people, I have an article coming up that will be talking about contributing into the open source space generally. How to look for communities that you could contribute to, how to understand the communities, and maybe how to make a first-time contribution in a community

Ejiro Oghenekome (23:54.668)
that you’re contributing to. This is not going to just be specifically about the OpenSSF, but open source generally, how to be part of the space, how to try to understand the space and get into the space. Something else I would love to talk about is the opportunity of open source for us in Africa. I really don’t know that we, the idea of open source is not so widespread in Africa. That is why it has to be preached. It has to be introduced to a lot of people.

And I would love us to consider that, to try to make sure we introduce people in Africa to open source and the benefits it has on us, what it can do to us and the privileges it can give to us. Yes, that is the advice I would give to the next generation, also myself, the open source space.

Yesenia Yser (24:46.478)
Thank you so much for your time today, your impact, your contributions. I love that you have another article coming out to help those, you know, explore the different open source communities and how to search. Thank you so much for everything you do within our community and all the hard work you’re putting together. I really appreciate your time and to our listeners, reach out to Ejiro. She’s doing great work. Find her on LinkedIn and keep tracking on that 100-day challenge. Thank you so much everyone and we’ll catch you on the next episode.