Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR Let’s Talk. Today we have with us Derek Weeks, SVP and Chief Marketing Officer at the Linux Foundation. And today we are going to talk about Open-Source Security Foundation. Derek, it’s great to have you on our show and welcome.

Derek Weeks: Thank you. It’s great to be here, Swapnil.

Swapnil Bhartiya: There is so much to talk about. We will of course talk about the Open-Source Security Foundation. But before that, what I want to talk about, especially looking at your own career is that a general perception used to be that open-source is secure by design or by default, I don’t think that’s fully correct. Bugs are part of software development and those bugs become vulnerability when the software goes into production or mis-configuration lead to more vulnerability. And if you look at Linux Foundation has played a big role in this, that the word literally runs on open-source, which means the attack surface is massive. So if I ask you from your perspective, how serious are the challenges is in terms of security and open-source?

Derek Weeks: It’s a really good question. If you go back seven or 10 years in the open-source community, everything that you read about security was the famous quote from The Cathedral and the Bazaar, “With more eyeballs, all bugs are shallow”. And that was certainly true under the time that in the foundations of Linux and the Linux Kernel that that book was referencing. But I think the truth of open-source security, when you get into it today, there are over 40 million open-source project releases out there, versions of open-source software that the community has created, and the community has to look after.

And there honestly just aren’t enough eyeballs out there to look over every single open-source project, every release of those projects, and to assess those projects for known security vulnerabilities in them. Now, obviously not all projects are created at the same level of importance. Some are very important, some are very critical and others are extremely popular. For those particular projects that are used in many places, we need to enhance the overall quality and security of those open-source projects within the community. And that’s part of what we’re doing at the Linux Foundation today.

Swapnil Bhartiya: Yeah, one more thing as you mentioned, though, there are so many product, and just look at the point of view of the users or consumers of that open-source project. If you can pick any stack, and there are so many, there are different frameworks, there are different libraries, and there are different versions of the products. It’s more or less like building a car, assembly line where pieces are coming from different sources. You need to keep a track of those sources. That’s why we also talk about open-source supply chain. And then there are like SPDX, which are helping companies build software bill of material, or to keep a track on that. So can you also talk about, as you said, there are so many product and from the point of view of users that they do need to know what’s running in their… What’s flowing through their pipeline as well.

Derek Weeks: So I think the latest state of the software supply chain report for this year said that there were over two trillion open-source component downloads by the development community in the past year. This is not since open-source was ever created, so that tells us that open-source is ubiquitous. It’s used by all development teams everywhere and development teams need a way to better assess how the quality and security of the open-source that they’re using. There’s nothing that necessarily comes as default when you download a package to say, “Hey, this one is good, or this one is bad”. Or maybe one of the dependencies of that open-source component has a known security vulnerability in it. There’s nothing that automatically tells developers this.

So we need to address this problem in a number of different ways. One is, just based on the numbers of open-source components and packages that are being downloaded, we have to apply some forms of automation to assessing these at different points within the development cycle. So we need to assess them to determine what is the quality of those components? Are those components secure or not? And if they’re not secure, are there possible remediation paths where you could go to a newer or safer version of that component?

There are also things like secure coding courses that the Linux Foundation has put together to help better educate the community on secure coding practices. But we’re also doing other things like working into research initiatives, working toward new standards, like SPDX, as you mentioned, as a software bill of material standard. And then also introducing and supporting reward programs for developers or security researchers that want to go out and find potential vulnerabilities in the code. Not only find those, but fix them and support the community that way. So even if you’re a developer that’s downloading something, if someone in the community has done some work to fix vulnerabilities in that, you don’t have to check whether that’s safe or not. You’re just able to absorb that newest version of the component or fixed version of the component into your development practice.

Swapnil Bhartiya: Yeah, it’s a big challenge. And the problem is also in so many different places. And if you look at Linux Foundation, you folks have a lot of projects, over a period of time, there was the Core Initiative, where the badges were given and there are so many programs, but I still feel that the coherent story around security is still missing. So if you look at the Open-Source Security Foundation, is this the foundation that will bring all those efforts together, as you mentioned, SPDX, and there are so many other Linux Foundation projects. So if I ask you that today, what is the security story at Linux Foundation? How are you trying to consolidate all those efforts or keep them separate, so that the community can look at the foundation and see, “Hey, just the way there’s a Linux foundation, we can go there. This is the security space where we can go”?

Derek Weeks: I don’t think that there’s a true effort to really consolidate all of the security work at the Linux Foundation or in the open-source communities that we support. There are a lot of different initiatives around security and each plays its own role. So where OpenSSF or the Open-Source Security Foundation is concerned, we are looking at research into the most popular open-source projects and security vulnerabilities associated with them, we’re looking at education practices around… Education around best practices. We’re looking at being able to identify and enumerate and better quantify security vulnerabilities through things like the security scorecard or badging processes that you mentioned before. But we also have projects around the Linux Foundation like Sigstore, Let’s Encrypt, SPDX. LFX is our open-source platform for open-source projects, being able to scan for known security vulnerabilities through the incorporation of technology from Sneek that was contributed there.

And there’s also things like the open chain initiative, which are looking at how to help us better track and trace open-source components that are used in software development across a variety of different organizations and industries. So I think it’s much more about just continuing to build the awareness. There’s no silver bullet or one single approach that can be taken to address open-source security. And I think it’s really just more of us inviting the community in to participate in different ways to raise the bar on open-source security and software supply chain security.

Swapnil Bhartiya: Exactly, and also security is not a thing. There are so many different aspects of it. Human and cultural aspect is also very critical piece, how your teams actually look at security. We are looking at the paradigm shift from DevOps, DevSecOps, SREs, so where the buck stops is also changes. So I think that there will be much more discussions that will happen at Linux Foundation in terms of security, so thanks for highlighting some of those. You also mentioned some open-source project, like OpenSFF and everything else. I remember there was a time when those projects were maintained by just one person and Linux Foundation funded those projects. So I also want to understand from the Open-Source Security Foundation, because now you folks also have raised 10 million in the investment funding, which also turns that foundation into a well-funded foundation. So first of all, congratulations about that investment. Now let’s talk about how are you going to invest or use that money? What are the areas you will be growing or planning?

Derek Weeks: One, it’s really exciting to see industry leaders come together from financial services, from technology, from cybersecurity, from the academic community, as well as others around the community to support this initiative. So, we’ve just announced 10 million in funding that the OpenSSF will get to operate and better enhance software supply chain security. This plays into many different facets. If you look at the start of software supply chains where the open-source projects are in repositories, being able to look at the leading and most popular open-source projects, to help fund studying those and investigating those open-source projects that are most popular and finding security vulnerabilities in them. And then helping to advocate and reward organizations or individuals to fix those security vulnerabilities, right at the start of the software supply chains, where the open-source packages exist and where they’re then further downloaded by the development community.

So, part of those initiatives play into not only that research, but play into reward programs. We just announced along with Google, the SOS Initiative, which identifies, helps the community or reward the community to identify and fix known vulnerabilities within open-source packages. There’s also a lot of research that we’re doing to help build education programs and certification programs for secure coding initiatives within OpenSSF. So we currently have three training courses available now, and we’ll be building out that portfolio even more as we move forward.

We’re also looking at how to bring new standards into software development, as well as more automation and tooling into software development, so that we can give organizations the approaches and tools and best practices that they need to bring security into their software development life cycle. So as you mentioned, DevSecOps, where can we start to embed the intelligence and analysis of open-source that’s being used in the software development builds so that you know you’re using the safest components? And then following the release of those applications that are being built, how do you track and trace those open-source components over time, so that if a security vulnerability is discovered a year from now in one of them, you know what you used and where, and then you can go about better identifying those where those open-source components exist and remediating those in time.

Swapnil Bhartiya: Excellent. I have a couple of questions about governance, but since you talked about using intelligence as well. So, Linux Foundation, the beauty is that you folks have LF, machine learning AI, there’s a foundation about that as well, of course, you have SPDX. So I also feel that there are so many organizations within Linux Foundation, so there’s a lot of room for cross pollination or leveraging each other’s words, just to enable better security posture. Can you talk about how you plan to engage those foundations so that you can eventually help all the users.

Derek Weeks: It is a really good question. Even this week, as we’re at KubeCon, there are a number of other attached conferences to KubeCon, the SupplyChainSecurityCon is one of those that is going on. And that really is not an open SSF conference or even a specific Sigstore conference. This is where the Linux Foundation is bringing together the best and brightest minds from across the industry, people at Citibank, people at SolarWinds, people at Google and Microsoft Red Hat, VMware, and others have come to share their best practices on securing software supply chains.

And some of those people participate in the open SSF working groups, some of them participate in the Salsa project or Sigstore or Let’s Encrypt. And people from all over the Linux Foundation community are participating in that conference to one learn what the best practices are, but two, to provide the forum in which people can get together and have conversations on things like you just mentioned, maybe there’s some AI work that we’re doing that could help better accelerate the efforts that we’re bringing to software supply chain security. Perhaps there are things that we’re doing around SPDX and the SBOM standards that we can bring to software supply chain security to improve them under open SSF. So just by bringing these communities together in a forum like this, in conferences, in person conferences as well as virtual, we’re spreading awareness on these topics, but also helping to improve best practices through collaboration and integration of the different open-source projects and ideas.

Swapnil Bhartiya: When you’re mentioning all these companies and industries, one player that I felt is missing, or one entity, and which is very big player, which could be U.S. Government, of course I’m near D.C., so DoD is doing a lot of work in their space. They have something called Iron Bank where they ensure that the images are secure, Docker images are secure, they have a very strict plan. Plus the Biden administration a few weeks ago, they talked about the cyber security and open-source supply chains mentions where there. So I also want to understand from your perspective, how are you planning to engage with not only just U.S. Government but agencies across the globe as well, because security is not just a issue with private companies?

Derek Weeks: I think in terms of where best practices exist for software supply chain security and things like DevSecOps, those best practices come from individuals, they come from industry and they come from the public sector as well. I know many people across the DoD specifically that have worked on software supply chain security for many years and implementing and defining some of the best practices in this space. So part of it is looking for best practices that exist out there, no matter where they originated, they can be shared with many people across industries or across governments around the world. Software supply chain security isn’t anything new to governments, even though there was a Biden executive order earlier this year, there was a White House cybersecurity meeting back in August, where people were making pledges to improve cybersecurity efforts, especially around software supply chains.

That’s not new, governments actually have been working in this space for a long time. You can look at things like the NTIA Initiative around SBOMs that… I don’t remember exactly when it was five, six years ago, that that effort had originated. Organizations like the FDA really made great strides at bringing software bill of materials and cyber security to the forefront in that particular agency. So I think there are not only best practices, but implemented best practices that we can leverage. But I think in addition to those best practices, where government is being involved in, and where government has really proven to be necessary, is when industry doesn’t react fast enough to critical needs of the communities that it serves, or that the industry serve, government sometimes needs to step in.

Cyber security and software supply chain security is not new. There have been software developers and organizations that have continued to use open-source components that have known security vulnerabilities in them. And when they do, and this is becoming just more… It’s part of common practice, not that it’s a good practice. Government sometimes says, you need to step up and do a little more. They’ve done that to improve the quality of products in many industries, from food products to automotive to electronics, and software is just another industry that is being asked by government to do more to improve the quality and security of the product that not only government relies on, but many of the constituents the government serves rely upon. So I think there’s best practices sharing and there’s certainly leaning in with the government with new policies or potential regulation that comes through.

Swapnil Bhartiya: Excellent. Now I’ll go back to the foundation quickly. And since now you have the sort of funding. Of course the governance is structure of the foundation that was already there. But if I just ask, because Linux Foundation they have their own structure, they borrow some ideas from the Linux Foundation, but they run their foundations their own way. So what is the governance going to look like for the Open-Source Security Foundation?

Derek Weeks: So the governing structure of OpenSSF is similar to other projects within the Linux Foundation. They will be led by a general manager in this case, Brian Behlendorf, who has spent a lot of time in the open-source software community, as well as at the Linux Foundation. He’s most recently been the general manager of Linux Foundation Public Health, as well as the Hyperledger project where blockchain certainly plays into the protection of supply chains. Brian is able to now bring some of that industry knowledge and his open-source background to OpenSSF. In addition to Brian’s leadership, we have the largest organizations from the financial services industry, as well as technology organizations and cybersecurity companies around the world that have invested as part of this initial $10 million round and who will therefore get seats on the board of OpenSSF to help direct new ways that the funding for the programs should be administered, so it can help really focus on the top problems that industry is having. And that should be prioritized in terms of the research education, best practices, and tooling that’s needed to support this problem.

Swapnil Bhartiya: Derek, thank you so much for taking time out today and talk about not only of course, Open-Source Security Foundation, but also the larger security challenge in the open-sources space, supply chain and efforts that are going on within the Linux Foundation. So thanks for those insights and I look forward to our next conversation. Thank you.

Derek Weeks: Great. Thank you very much.