Redefining CyberSecurity

Why the Industry Needs OpenSSF | A Conversation with Omkhar Arasaratnam, Adrianne Marcum, Arun Gupta, and Christopher Robinson | Redefining CyberSecurity with Sean Martin

Episode Summary

Dive into the critical discussions around securing the open source software ecosystem with the latest episode from the Redefining CyberSecurity Podcast, featuring insights from leaders at OpenSSF. Learn about the collective efforts to enhance software supply chain security and the importance of community participation in shaping a safer digital future.

Episode Notes

Guests: 

Omkhar Arasaratnam, General Manager, OpenSSF [@openssf]

On LinkedIn | https://www.linkedin.com/in/omkhar/

Adrianne Marcum, Technical Project Manager, OpenSSF [@openssf]

On LinkedIn | https://www.linkedin.com/in/adriannefranscinimarcum

Arun Gupta, VP/GM Open Ecosystem at Intel, Governing Board Chair, OpenSSF [@openssf]

On LinkedIn | https://www.linkedin.com/in/arunpgupta/

On Twitter | https://twitter.com/arungupta

Christopher Robinson, Chairperson of the Technical Advisory Council, OpenSSF [@openssf]

On LinkedIn | https://www.linkedin.com/in/darthcrob/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

Episode Notes

In a comprehensive exploration of software supply chain security within the open-source arena, the latest episode of the Redefining CyberSecurity Podcast, hosted by Sean Martin, convenes notable figures from the Open Source Security Foundation (OpenSSF).

This discussion unveils the critical mission of OpenSSF, led by Omkhar Arasaratnam, the General Manager, emphasizing the foundation's endeavor to bolster security across the open source software used in over 90% of commercial applications. Adrianne Marcum, OpenSSF's Technical Project Manager, and Arun Gupta, Vice President at Intel and the Governing Board Chair for OpenSSF, delve into the strategies for enhancing open source security and incident response, and the essence of the collaborative efforts bridging the gap between the private sector and public initiatives.

Christopher Robinson, chairperson of the Technical Advisory Council, provides insight into the ubiquitous integration of open source in technology, from consumer electronics to critical infrastructure, underlining the universal stake in securing this landscape. The episode also spotlights the pressing need for community involvement in securing open source ecosystems, highlighting OpenSSF's initiatives in education, repository security, and the creation of standards for safer open source software deployment.

The episode also touches on the collaborative efforts between private and public sectors to address security challenges in open source projects. Further discussions illuminate the initiative by OpenSSF to improve incident response and education within the open source community. There's even a shout-out to Allan Friedman and Bob Lord from the Cybersecurity and Infrastructure Security Agency (CISA).

The call to action for listeners encapsulates the essence of contributing to a broader community effort, underscoring the pivotal role each individual plays in advancing the security and integrity of open source software worldwide. The group encourages listeners to join the OpenSSF's mission by contributing to their diverse projects and working groups, reinforcing the idea that securing open source software is not just critical but achievable through collective effort.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

___________________________

Resources

OpenSSF Home Page: https://openssf.org

OpenSSF - Get Involved: https://openssf.org/getinvolved/

OpenSSF Events: https://openssf.org/events

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode of Redefining Cybersecurity Podcast here on ITSP Magazine. I'm Sean Martin, your host. Most of you probably know that already and also likely know that I get to chat to some really cool folks about really important and fun topics. And one of those topics happens to be supply chain that comes up over and over and over again. 
 

I think I've recorded three on the topic this week, some connected to RSA Conference, some beyond that, uh, an important topic. I think we're, we're all trying to figure out how we get our hands wrapped around this so we can, uh, deliver safe stuff, hardware and software. Today, we're going to be talking about software supply chain and open source and, uh, and I have some cool folks with me today. 
 

We have, uh, Omkhar, Adrianne, Christian, Christopher, sorry, Christopher, right? Yes. And [00:01:00] Arun. The CRob threw me off. I always forget the first name. Um, so I'm excited for this conversation. And, uh, I'm thrilled to have good representation. It's probably one of the fuller podcasts in terms of guests that I've had in a while. 
 

So I'm excited for this. We'll see where this goes. I'm going to get a few words from each of you to tell us who you are, what you're up to, and your role within OpenSSF. Adrianne, we'll start with you, please.  
 

Adrianne Marcum: Yeah, I am Adrianne Marcum. I am the technical project manager for OpenSSF. I joined back in July of last year. 
 

So, about nine months at this point, uh, it's been really neat to learn more about open source security and, um, you know, just working with our community. I get to work a lot with the technical initiatives, um, kind of helping them through their process with their roadmaps and getting things done. It's a great community. 
 

I really enjoy them.  
 

Sean Martin: Fantastic. Thanks for being here. Omkhar.  
 

Omkhar Arasaratnam: Hi, I'm Omkhar Arasaratnam. I'm [00:02:00] the general manager of the OpenSSF. Sean, thank you for having us on. Um, and I provide day to day direction to the staff working on OpenSSF. I also liaise with our community as well as our board members.  
 

Sean Martin: Fantastic.  
 

Christopher Robinson: Hey, everybody. 
 

I am Christopher Robinson, a.k.a. CRob. I, uh, I do security stuff on the Internet. Um, in regards to the OpenSSF in particular, I am the current chairperson of the Technical Advisory Council. I also am a chairperson for a couple of our technical initiatives, and I'm a sponsor for a whole set of other technical initiatives. 
 

So I help kind of guide them through things. So in our world here, I spend most of my time working with open source maintainers, um, security researchers, uh, people involved in upstream open source security.  
 

Sean Martin: You've got your hands full there, Christopher. Right. [00:03:00] And Arun.  
 

Arun Gupta: Yeah, thank you for having us here. My name is Arun. 
 

I work as Vice President and General Manager of the Open Ecosystem Team at Intel. I'm also blessed to be the Governing Board Chair for OpenSSF. Um, so I work with all the Governing Board members and all the wonderful people over here to really take the mission of OpenSSF further.  
 

Sean Martin: And that's a great segue, Arun, that Omkhar gets to take us on a journey with. 
 

I want to know, set the stage with what is OpenSSF, and we'll get into all, all the, uh, activities and deliverables and outcomes that you guys do. What's the vision, mission, what's it all about, Omkhar?  
 

Omkhar Arasaratnam: Sure. I'll get us started, but obviously invite all of our colleagues here to jump in. Uh, the first rule about OpenSSF is you don't talk about it. 
 

No, I'm joking. Um, one of those, I see. OpenSSF has the lofty goal. And there was an [00:04:00] acronym that Arun used earlier and I'll, I forget it. I'll ask him to enumerate it later. But, um, we have the audacious goal of trying to secure open source software, full stop. Open source software, although it has this almost legendary status in terms of all the neat things that's done over the years. People aren't always aware of all the places open source software exists today. By our estimate, something like 90 percent, over 90 percent of commercial software contains some kind of open source software. So us securing open source software is an incredible mission. 
 

And also for everybody. It's a public good. And it's our mission to secure open source software for everyone.  
 

Sean Martin: I want to peel back the onion on that stat. Who can paint the [00:05:00] picture on where open source is? And 90 percent of the stuff we use is, I can obviously picture software, um, applications, commercial stuff, getting forked, using, using bespoke applications, but I presume it's also running in cars and other places. Right. So who can paint that picture for us?  
 

Arun Gupta: CRob is the right guy for painting that, you know, technical picture, but just to kind of go back to what Omkhar was saying, the acronym he was talking about is BHAG. BHAG, and so it's an Intel acronym that I shared this morning with him, and the whole idea here is it's a big hairy audacious goal. 
 

It's like we want to make the open source secure. What does that mean? Like, you know, it's used anywhere and everywhere. Whether you're using a car, whether you're using a phone, if you have sent an email, if you have watched an Instagram Reel, you know, 90 percent of [00:06:00] their software stack, you know, all the way from Linux to JDK to Kubernetes to PyTorch. 
 

To running your LLMs, there is some open source element involved in there, and, you know, open source is good, if, but it has to be secure, you know, and security is not the top job until it becomes the top job right away. I think that's super important to keep that open source software secure. Our digital infrastructure across the country, you know, talk about transport, talk about, you know, planes, talk about trains, talk about buses, talk about schools. 
 

They rely so significantly and heavily on open source that ensuring security of that open source, so that the threats and all, you know, the vulnerabilities all can be minimized, is exactly what the charter is. The big hairy audacious goal. And that's where people like CRob and Adrianne fit in. How we, how do we take that BHAG and kind of break it [00:07:00] down into mindful, manageable pieces, and start making a really impactful way, yet setting up a long term goal that in four years, five years, this is where we're going to get to now. We'll hand it over to CRob. 
 

Christopher Robinson: Yeah, and when you think about open source software, it is literally everywhere. You'll have college and high school students working on software projects that they'll push out to the internet. 
 

You'll have professional software developers that work at companies like Intel or Google or Yahoo, or any of these large, big tech companies. Every government on the planet uses it. Every military, every financial institution, most manufacturers, it runs critical infrastructure. It runs things like the Mars Rover and the little Mars helicopter and satellites and telescopes. 
 

It's in everything, it's in your cars. There's a big movement for embedded Linux, and that's, you know, automotive industries really embrace that. But [00:08:00] it's also in medical devices. So if you have an MRI or you're having a radiology scan, that's all run based at its core with Linux and open source technology. 
 

So it's in, in a, in a, every smartphone, uh, most gaming consoles, you know, all these things are built upon the amazing world of open source software. 
 

Sean Martin: Yeah. International space station. I'm sure. 
 

Omkhar Arasaratnam: So one of the, one of the really interesting aspects, uh, that we get to get involved in is there's really three primary stakeholders, right? 
 

It's the private companies. It is the public sector as well, because there's a significant amount of public sector involvement in using open source because it's a public good, as well as the community. And Adrianne, I'm going to put you on the spot here. I think you've been doing some excellent work with the task forces, uh, which is a body of work that we started off. 
 

I guess it was last September, uh, when we [00:09:00] convened a meeting between our members and very senior executives in the U.S. government. Um, and kicked off a bunch of work. Adrianne, did you want to cover some of those task forces and the great accomplishments we've had thus far?  
 

Adrianne Marcum: Yeah, absolutely. Um, so from, from our initial meeting back in D.C. in September, um, there's basically three main focuses, um, that we decided to, you know, really focus on moving forward, um, securing open source repositories, because that's where everything is. And that's where, um, you know, attacks are obvious to happen. Um, we also focused on getting a better incident response across industry, getting public and private sector working together to kind of share what they see happening around. 
 

Around the ecosystems and, um, also in improving education. And again, going to that point of like, not just the consumers, not just the maintainers, like everybody, you know, from the maintainers all the way downstream to make sure that, um, [00:10:00] you know, as you, you see a project, this is great. I want to incorporate it in mind, making sure, you know, as much as you can about, um, the best practices that project is or isn't using. 
 

So you can, you know, have an informed decision making process. Uh, yeah, for each of those. Lots of different initiatives that have happened. Um, we've got a couple of standards that have been set for the securing of software repos. Um, one from the package repository side, and then also trying to get, um, everybody loves SBOMs. 
 

Um, but what is an SBOM? Like, even if you know what an SBOM is, you, you, you know, there's so much variation on what it can be. And so trying to get some standards in place on that so that we can really identify, um, Some standard tooling so that we're all kind of aiming for the same, same target and giving those, um, you know, you want to kind of focus on this, what the end users actually need and actually use. 
 

And then the rest is all extra. Can I keep going on about what you've done? I feel like I've been just glad.  
 

Christopher Robinson: I'm just happy you only said SBOM twice. That means [00:11:00] Allan isn't going to show up  
 

Sean Martin: the third time and he'll be wearing his shirt. I'm sure.  
 

Adrianne Marcum: Yeah, no worries. I'm already, I'm already switched it to the next one. 
 

Um, with incident response, um, OpenSSF had their first tabletop exercise, um, at, at the, um, SOSS Community Day back in Seattle, um, which was a big success. And we're getting the feedback now and we'll be sharing out, uh, what we've, yeah, the playbook that, that would happen there. Um, also we sponsor or help sponsor and help work with, um, the first VulnCon that happened, which CRob can go, uh, into far greater detail than I can. 
 

One thing I was really excited about with that VulnCon, um, aside from there being like, I think 11 or something presenters from OpenSSF, was also that, um, the focus wasn't on any of the individual systems for reporting vulnerabilities, but how to get them all working together. Um, and so it's, it's really that thing of like, again, you have so many different tools. 
 

Are we all saying the same thing? Are we all hearing the same thing? And what can we do, you know, what actions can we take moving forward? [00:12:00] Um, and then on the education piece, um, so much always happening with education. I feel like that's just a big part of what OpenSSF is as a foundation. Um, we've released a State of Education report that kind of shows like the gaps that have been identified. 
 

Uh, we had a survey running for, I felt like, every, every week for months. David really was like, look at this survey. Um, I think that's finally been wrapped up where we got a good number. I think it was approaching like 400 like really good responses, which is fantastic. So that's going to be, um, you know, all aggregated so that we can put that into the work that we're doing with our actual coursework. 
 

We've been adding labs to the introductory coursework and then also expanding that to, you know, higher level courses, um, incorporating the feedback that we get from that survey, and then also targeting, um, uh, training toward managers. So they understand the importance too, because if you're not hands on keyboard, if you're, you know, I've worked in companies where it's like, hey, we've got this bug vulnerability, and they're like, whatever, it's not on the roadmap. 
 

Uh, but really, [00:13:00] you know, if you get the people who make the decisions on board with getting this training, it's going to get a lot more traction than, than just the folks on the ground. You don't always get that big say. So I feel like I've covered most of it. I don't know if there's anything else to add. 
 

Thanks for listening.  
 

Christopher Robinson: I'll add that we started off engaging with, uh, U.S., uh, government, public policy and industry folks. But, um, through a lot of Omkhar's work, we've also started to engage folks in the EU. I think we have an EU SOSS, um, summit coming up. And then we also are in talks with folks in APAC as well. 
 

Omkhar Arasaratnam: Um, on the EU side, which will actually be the week after RSA. Okay. Uh, we're convening in similar concert a bunch of our members, a bunch of public sector. The EU, uh, is currently going through activity around the CRA, the Cyber Resilience Act, and setting security standards. Um, and we want to be there to [00:14:00] support them. 
 

Um, in Europe, they tend to set legislation first, uh, ahead of technology. The U.S. takes a different perspective. We're software engineers, not legislators. We're just there to ensure technical correctness and make sure that the right outcome is achieved for the community. So, uh, we're going to be doing that. And I believe that same week, and sorry, my travel schedule is a little ridiculous. 
 

So I'm going to be heading to Japan to meet with the Japanese government on a similar set of topics. But I think in conclusion, while we did begin, as CRob mentioned, with the U.S., this is, this is an interest globally. And in fact, Arun, I might get you to mention some of the incredible work that you've been doing with the UN as well, and their perspective. 
 

Arun Gupta: Yeah, no, I mean, I think, um, as Omkhar talked about, there are three facets to it, right? [00:15:00] One is the private sector, one is the public sector, and the third one is the community. So you just about heard about everything about community, but at some part of community, what CRob and Adrianne talked about. You heard CRob and Omkhar talk about sort of the public sector of it as well, but maybe in the private sector. 
 

I mean, I work for Intel. My day job is Intel, right? Intel is, uh, there was a Forbes survey that came out, is the most cyber secure company. You know, as we are shipping our products to customers, we want to make sure they are the most secure products. And as we are building software on top of that, as we are doing open source, we want to make sure they are open source, 
 

but secure as well. So that's where we are adopting tools that are coming out of OpenSSF. Things like OpenSSF Scorecard, things like Sigstore, things like SLSA. We are taking those tools that are coming out of OpenSSF, adopting them in the company, and as we are applying them to our hundreds and thousands of repos internally and [00:16:00] externally, the feedback we are learning is we are putting back into the community, because it's a global problem, requires a global collaboration. 
 

So that's the key part of it. And I think the part Omkhar was talking about, UN, the United Nations have created these Millennium Development Goals. They created them at the beginning of the century. They used to call them MDGs. They're about no poverty, no hunger, no crime, racial inequality, climate policy, all of that, 17 of them. In 2015, they renamed them, as it's not just for the millennium, it's for the sustainability of the human being. 
 

So now they call them Sustainable Development Goals. And over the last year or so, I've been working a lot more closely with the UN, essentially saying that, hey, when you are creating these SDGs, goals are great, but the UN is also realizing strongly this is a global [00:17:00] problem, requires a global collaboration. 
 

And guess what? Open source is the best platform for that global, diverse, inclusive perspective. So that's where we've been working with them, kind of including them into our events so that we can solve those Sustainable Development Goals. We can connect the open source community that we know of from our side. 
 

And hopefully solve those problems. Security is a key element of all of those elements as well. Because particularly when you are talking about SDGs, you are digging into a lot of PIIs. Because you're talking to the local communities. How does that jurisdiction of data work? How does that make sure that, you know, when you're looking at the medical data to solve an SDG, when you're looking at the climate data, you know, when you're looking at the racial injustice data, when you're looking at the crime records, there are certain security requirements around that. 
 

So I think security plays a very key role as we continue to work with the UN. And I'm super excited. You know, we are, um, we are working with them very closely, [00:18:00] bringing them to our events. OpenSSF is well known in the open source community. So we're bringing our community connection, private industry connection to the UN and really doing, as Omkhar said, secure open source for the public good. 
 

Sean Martin: Who can talk to me about, so we talked about the different sectors. We talked about the, I don't know what you call them, the three, the three programs I'll say, right? The, the, the, the education and the incident response and the repository security, um, talk to me about how we operationalize this in terms of developers up to business, which I'm sure it touches all those three. You provide tools, you provide education, you're doing policy work and things like that. 
 

Um, but how do, I'm certain this, this is a huge benefit for organizations who build stuff, right? So how do they embrace and ingest and consume [00:19:00] and, and take full advantage of all the stuff you have, be it tools and processes and the way to speak to the board and the executive staff, whatever it is, you have that whole stack. Who can start? 
 

Omkhar Arasaratnam: So prior to coming to the OpenSSF, um, I'd spent about 25 years of my career doing software engineering in private industry, and the headline is open source is different. And for those of you that may have developed software, um, you know, according to some kind of schedule with a business requirements document and a high level design and a low level design and unit testing and all that stuff. 
 

Open source just doesn't work that way. And I'm not saying there's a consistent way that open source works, but the beauty of open source is in this heterogeneous nature of development. So the, you know, what we'd learn in private industry about there being this top down plan [00:20:00] really doesn't happen in open source. 
 

So I think the first thing to understand before deriving how business value can be acquired through using open source is to understand, respect, and honor the fact that it's developed completely differently and that each individual project that you engage in is going to have a different rhythm, a different ethos, a different way in which it operates. 
 

The reason for this is, if we extend the analogy of this being a public good, it is like a natural resource. And what I mean by that is, if you're taking a hike, and Arun and Adrianne are very nature oriented, CRob and myself find ourselves at the bottom of a glass of bourbon more often than nature, but why either or, that's, well, this is an and, right, Sean? So while you're going for a hike, if you come across a creek and you take a sip of water from the creek, it's, it's, it's on you, right? 
 

It's on you to [00:21:00] ensure that you're consuming good, clean water. If, however, you're a large corporation and you're consuming lots of water and bottling it and selling it for a profit, not only does the onus come upon you to ensure that it is safe and secure, but also that you're consuming this in a sustainable manner. 
 

Thank you. So the other thing that I'd encourage those that are deriving business value from open source to consider is this is an ecosystem. If it is all consume, consume, consume, consume, consume, it runs out. And it runs out in the sense that it doesn't have adequate maintenance. We have maintainers that'll be burned out. 
 

We have things that won't be done. And from an engineering management perspective, open source is amazing, but it's also economically opaque. And what I mean by that is if you as a developer choose to download a library that handles cryptographic functions, link to it and make use of it, you've saved tons of time. 
 

I teach [00:22:00] applied cryptography; writing robust cryptographic libraries is hard and you've benefited from that. But if you don't honor that, if you don't find a way to contribute back in a way that the maintainers for the project would like, that resource does not last forever. So I think that any examples of that, this is really interesting to me. 
 

Well, 10 years ago when I was on vacation in Hawaii, there was this little security incident called Heartbleed. Uh, that resulted in a security defect in OpenSSL, and I'm purposely choosing an incident from long ago, so I can hand off to CRob for a more recent incident. Um, OpenSSL was essentially maintained by volunteers. 
 

There was a great rush to fix it, but OpenSSL was found on every internet facing device on the planet. Now, as I mentioned, I was [00:23:00] on vacation. My wife had forced me to keep my BlackBerry, as one did back then, in the, uh, safe in the hotel. So I was blissfully ignorant until we came back from the beach, but the rest of my friends that were still at work did not have such a great time. 
 

Um, and we're now at the point that there's better sustainable funding around OpenSSL, and there's a number of different forks that are focused on security, but it's not fixed. And CRob, maybe you can, maybe you can, uh, describe for the audience some of the recent issues that we found with XZ.  
 

Christopher Robinson: Yeah, and it's, uh, it's an interesting space. As Omkhar mentioned, each project, each ecosystem functions a little differently. They have different accepted norms in how they behave and how they want to take work or how they don't want to take work. And it's been a, a recent trend. And I think we were all, a bunch of us were at a CISA meeting where [00:24:00] we were talking about open source and national security. 
 

And I think they threw out a figure that the global economy has received between 6 and 8 trillion of value out of open source. So we went from open source being the purview and domain of a handful of people, mainly academics. Some people, you know, that used to be called hobbyists. But, you know, these are people that just loved writing software. 
 

And it's swung into this thing that drives the whole global economy, and we haven't necessarily applied all of the same discipline and rigor to our consumption like we should have, you know, we, uh, you only need to eat a little bit. You don't need to eat all of it. And, you know, as Omkhar mentioned, there was a package called XZ Utils, which is embedded in most Linux distributions, most open source programs had touched [00:25:00] on it somehow, and it performed, it was, it's a compression library. 
 

So it helped make files smaller for transferring things around and, uh, there was, it was a single maintainer that ran this thing. And that's not an uncommon story, where actually, on the order of magnitude, there are probably dozens of projects that have hundreds of developers that work on them. There are an order of magnitude of hundreds of projects that might have 
 

two to 50, a hundred maybe. And then the vast majority, the 16 to 20 million other projects, are a single maintainer. And that's what this XZ Utils project was, single maintainer doing their best. They love the software. They, they're in it for, you know, not out for financial motivation, but they're just in it because of the love of development and, you know, adding value and, uh, there's just so much 
 

of a backlog of work. So many large corporations or individual [00:26:00] people asking them to continually, will you make this fix? Will you change this? You know, all things that the other maintainer, Lasse, didn't necessarily want to do, but they're trying to offer good service to their community, trying to keep up with it. 
 

Well, it just became too much. And eventually there were some bad people, some nation state actors, realize this is a pattern in open source where you'll have these overworked maintainers, and within the foundation we like to refer to them as, we have a persona, Diana, the weekend warrior. And you know, this is a person that works maybe four hours a month on the software, and they spend most of their time fixing their build tools and fixing, trying to fix their dependencies to keep their project working, and not necessarily adding features, adding new functions, or, you know, developing security fixes. 
 

Well, the backlog of work was so much that this maintainer was basically so overworked, so stressed, that this bad actor came in and was able to, subtly at first, start to make [00:27:00] contributions to the project, kind of earned a little bit of trust, and then through some social engineering, um, some other, 
 

other people in the community who have no evidence of existing before this, these commits, started harassing the developer, you know, I think you need to approve this person's commits. This fixes my problem. I want you. You must do this. You're a terrible person if you don't. And it really became kind of bullying. 
 

And the main, you know, the maintainer Lasse eventually agreed, accepted this unknown person who had had a couple, almost a two year track record of tiny little contributions, and accepted them on as a maintainer, kind of gave them the keys to the project. And then, uh, as you know, the original maintainer just kind of stepped back a little bit, wasn't as involved daily. 
 

This person started to insert malicious software, manipulated the build pipeline. So eventually they put in a fairly substantial malicious package that was days away from [00:28:00] being committed into major Linux distributions. But thankfully, much like open source, we had another community member that had taken these beta packages and was testing them for their own needs, and they noticed some weird utilization. 
 

You know, why is my CPU so high? And then they noticed weird things with OpenSSL, or OpenSSH, one of the two, basically some weird communication. They dug into it, and they found out that there was a back door implanted in these beta things. And, uh, you know, through the good work of a community person, they solved, they basically cracked this nation-state attack that potentially could have affected every Linux distribution, which is, you know, most of the operating Linux on the planet. 
 

And then, uh, we've found, you know, uh, Omkhar and I, uh, Omkhar and I continue to work with CISA and other open source people upstream, where we're finding this wasn't an isolated pattern. This has happened at least once more that we know of, we have evidence of, and possibly more. So it's, it's the same pattern where there's an overworked maintainer. 
 

This [00:29:00] nice person offers to help, and eventually is trying to get in and become a maintainer and own the project. And then they want to go start doing badness.  
 

Omkhar Arasaratnam: CRob, the one, the one thing that I will add is it's a true testament to the strength of our community that in most of the other incidents that we've seen, modulo the XZ Utils one, the community stepped up and, in the words of the New York MTA, they saw something and they said something. Like, hey, this was weird. And we got all these reports coming in like, hey, we saw this, you know, so many months back, we saw this a couple of years ago, thought it was weird, didn't think anything of it. So I think that's a real testament to the strength of the community and how circumspect they are of new people trying to come in and intrude.  
 

Christopher Robinson: And you think about it, nation states invest millions of dollars for these types of zero-day attacks. And it was burnt like that. So they're not able to use that attack path. So, you know, yay open source, but we got [00:30:00] to remain vigilant.  
 

Arun Gupta: Yeah, I just want to emphasize the part that, um, CRob was talking about. 
 

You know, Frank Nagle, you know, he's an assistant professor at Harvard. He wrote that paper about the supply side and the demand side of open source. And he talks about how the supply side, basically the people who are creating open source, is about 4 billion. And on the demand side, people who are using open source is about nine trillion dollars. 
 

So when you think about all these companies that are relying upon open source, and these kinds of engineering attacks, and this is, by the way, less of an engineering attack, more of a human social engineering attack, these are going to be a lot more prominent. So that's why the role of OpenSSF, you know, raising education, raising awareness, raising the importance of this, is so much more important. 
 

And that's why, frankly, you know, when at Intel we look at that, hey, what level should we stay [00:31:00] engaged at in OpenSSF, you know, you could become a member at different levels, it's very clear in our mind that no, we want to stay engaged at the governing board level, because we believe this is not just an Intel problem. This is an industry problem, and we want to be able to help influence, steer the direction so that we can be true to our customers. I think that's the way you want to think about it, the relevance and the importance and the critical, critical importance of this, uh, uh, foundation.  
 

Sean Martin: Tell me about the memberships because that sounds like the key here, right? 
 

So vetted, vetted folks, participating, giving back to the community, supporting the community. Trust being at the center of it, I would imagine. Tell me a little bit more about that.  
 

Christopher Robinson: I'll start at the grassroots level and then we can work our way up. Much like any open source project, participation is open to anyone. 
 

So we don't vet identity at, like, a [00:32:00] technical initiative level. You do need to prove yourself, you have to show a certain history of contributions and participation before you're granted additional control privileges within the projects, but we're open to everybody. So the working groups I participate in, I have people from large corporations. I have academics. I have security researchers. Um, I just have maintainers. I have, you know, uh, Greg KH from the Linux kernel shows up to my working groups just because, so I have, you know, we have actual developers. So it's really, it's a really interesting mix of folks. 
 

And so again, it's, it's open to anybody. But depending on what you're working on, like if it's one of our software projects, like Sigstore or Scorecard, there definitely is a, a, not a hazing, but a, a, a vetting process that you have to go through. You have to prove that you're a valid contributor and that you're adding value. You're not just some joker that says, I want the screen to be blue, not green.  
 

Arun Gupta: Well, that process in open source is called meritocracy. So, I mean, that's what it's got to be, right? Yeah, exactly. [00:33:00]  
 

Omkhar Arasaratnam: The, the one point that I wanted to double-click on that CRob had mentioned: the open source community began online and it exists and thrives online. 
 

And often in the, you know, offline world where you go to work and you tap a badge on a reader and you go and sit down at your workstation, uh, part of that is vetting, or tying who you are from the get-go, before you even write a line of code. The open source community does not regard your government identity as a security property. 
 

And I agree with that. The perspective that you can be completely online, anonymous, and write good code is something that's been proven consistently and something that works well. The fact that you could be identifiable by a passport and write bad code, um, is also a proven fact. And when we started looking at more sophisticated attacks, such as the XZ [00:34:00] Utils one, you know, people often clamor to, oh, we need to better vet the identity of our community. 
 

You know, if you follow the thread that this was probably a nation-state actor, nation states are really good at issuing passports. So I don't want to fill anyone with false hope. But to Arun's point, like, the meritocracy is your code stands on its own. There's an even bar for security. Either it's secure or it's not. You don't get a bye because you're Greg KH or CRob. Your code needs to be vetted. So you don't want my code. 
 

We'll take Greg's though.  
 

Sean Martin: All right. We're, we're coming up, uh, toward the end here, and I want to, I want to make sure we give folks a little extra, so they know what to do next. Um, what should, where should folks start? So I'm going to, I'm going to first point out, give back. If you're, if you're eating, [00:35:00] pay the restaurant, right? 
 

And some, maybe wash the dishes. If you don't have the cash, wash the dishes at the restaurant. Give back to the community. Consider becoming a member. Um, beyond that, what, what should folks do? Maybe the first step, maybe I'm going to go to you to start this, or where should they go first?  
 

Adrianne Marcum: Um, the easiest way to get started is to go to openssf.org and go to the Get Involved page, um, where you will see a slew of information, see how to follow us on all the social media, how to join our Slack. Um, you'll see the community calendar that shows all of the, uh, different meetings that happen for the technical initiatives throughout the weeks. Um, and then too, I want to go back to what you said about, you know, doing the dishes. 
 

Um, as someone who works a lot with the community, um, being a member is obviously fantastic; that helps, um, get, get the, the practices, you know, happening at the higher level of enterprises. Um, but if those [00:36:00] enterprises can also, you know, get their hospitals going, get developers involved to, to make sure we have people who are more than fly-by contributors, to be able to, like, really set roots in the projects, um, I think that goes a really long way. So that's, that's my call to action, I think, every time I have the chance to speak. Uh, so yeah, uh, go to openssf.org/getinvolved and, and come, come join us on Slack and see where you can jump in to find something you like.  
 

Sean Martin: Nice.  
 

Christopher Robinson: Yeah. I'll, I'll key off of what Adrianne said. Off of that page, you'll find a list of our 10 current working groups. 
 

These are technical initiatives, and they're just rough categories of things we do, areas of cyber and open source where we're collaborating, and we have things like developing best practices. We have a new AI/ML Security group where they're looking at applying traditional application security practices to AI. I know it's a revelationary, revolutionary [00:37:00] thought, but we have things like, we have dashboards. We have a whole metrics and metadata group where they're looking at and analyzing different aspects of projects. We have a whole software repositories group. So if you care about things like Maven or crates or any of the big repos, you know, that's where you can kind of go and participate. 
 

We have a whole group dedicated towards writing and maintaining tools. So we have a lot, a lot of SBOM-adjacent things lately, which is great. Um, we have a DEI group, which is looking to try to solve the problem of, uh, Omkhar, CRob retiring someday. I want to make sure that we have a great next generation of folks trained and they're ready to kind of take up, carry the water for us, so to speak, after I'm too tired to move on. We have a supply chain integrity group that focuses in on things like SLSA, which is our supply chain levels of attestation or software levels of secure attestation. Um, so basically it's a supply chain certification. So you can look at that and [00:38:00] see anyone that has earned this, that you can understand how they are building and how their software is stored. 
 

And we have a whole group focused towards end users. That's one of the groups I sponsor where I help kind of coach them. And that's banks and manufacturers, people that use open source, and they come and they collectively share, hey, how do I do this? Or how can you help? They, it's like a big support group. 
 

It's amazing. I love it. And then we have the vulnerability disclosure working group, which is another one that I help run. And that's, we're looking at things like incident response tools, like VEX, how you, that's a new way of sharing vulnerability information. We have some new excitement coming on the horizon that Omkhar is going to unleash on the world in a couple of weeks. And, um, that's where we talk about, you know, how do we get vulnerable, good, accurate vulnerability information out to the world through tools like OSV and OpenVEX. 
 

Sean Martin: Amazing. I'm sure you can keep going. This is incredible.  
 

Christopher Robinson: I'm just humbled to work with such great [00:39:00] folks.  
 

Sean Martin: Fantastic. Arun.  
 

Arun Gupta: Yeah, I think sometimes as security people, we dig too deep into the technology part of it. I would say, take a look at the Get Involved page. Pick one thing, you know, don't get overwhelmed by it. Pick one thing that matters to you, that ignites your passion. Just start with that. That's a good starting point. Slack is a great place where you can hang out, where you can be completely silent, just observe the dynamics and what the discussions are going like, who the players are, try to understand sort of the dynamics of the community. 
 

And then whoever you feel comfortable with, reach out to them. We are a very friendly bunch. We are a very inclusive bunch. That's something that we hold ourselves to, to a very high degree. So just reach out to us on what would you like to contribute? What excites you? What are you, where are you going to have fun? 
 

There are so many areas [00:40:00] where we can leverage your help. Just reach out.  
 

Sean Martin: And I saved the hard cleanup spot for you, Omkhar.  
 

Omkhar Arasaratnam: Thanks. Um, so I'm going to say something unique and say, go to openssf.org/getinvolved. I'm sure you haven't heard that yet. Um, I'll take a step back. Genuinely. And I was explaining this to somebody that I was speaking to, uh, yesterday, when we talk about different missions that we have and the different work that we get to do. If we get this right, we genuinely, without hyperbole, make the world better for 8 billion people. And if that's not inspiring, I don't know what is. So go to openssf.org/getinvolved. Check out all the work we're doing. 
 

This is not just a group of nerdy software engineers. Yes, there are nerdy software engineers there. But it's a place where anybody can help. We need people to help with documentation. We need people to help with hosting events. We need people to help with [00:41:00] education. We need people. We just need people. So don't think that because you didn't get an undergrad in comp sci from an A-list school. Hey, I never finished my undergrad. So don't feel like that's an imposition. We just need people that are interested in helping the cause. So come on, come on. And we look forward to seeing you at OpenSSF.  
 

Sean Martin: Do it. Do it. I'm, uh, do it. So grateful for each of you for the work you're doing. I'm, uh, I'm glad this organization exists and, and I really hope people listening to this first share it with somebody, multiple people, and then go to the Get Involved page. 
 

Omkhar Arasaratnam: Thanks so much for having us.  
 

Sean Martin: So thank you all, really appreciate it. And, uh, everybody listening and watching, please do get involved and, uh, and be sure to stay tuned to Redefining CyberSecurity as we [00:42:00] all help to do just that: redefine cybersecurity for the benefit of society. Thank you all.  
 

Arun Gupta: Thank you. 
 

Thank you. Bye.