Inside a $150 Million Plan for Open Source Software Security
Skills:
Staying Current in AI60%
Key Takeaways
The video discusses a $150 million plan for open source software security, highlighting the importance of scrutinizing dependencies and choices in open source software, and the need for better signals and metrics for choosing open source projects. The plan includes 10 different business plans, such as education, adoption of Sig store, and standards for secure software development.
Full Transcript
[Music] welcome to this special edition of the new stock makers on the road we're here at the open source Summit in Austin Texas discussions from the show floor with technologists giving you their expertise and insights to help you with your everyday work hi everyone we're here in Austin Texas at the open source Summit sponsored by the Linux foundation and uh today uh I'm Heather Joslin as I am every day and I'm a features editor at the new stack and I'm here with Brian bellendorf of he's general manager of the of open OSF and we're going to talk about the open source security mobilization plan um and security seems to be on everyone's Minds um so Brian I just wanted I also I guess I already introduced you but you just tell a little bit about what you do at open sff so uh it's the open source security Foundation uh that I've been leading since about September although it's been around for about two years now and it's really a coming together of companies large and small and individuals who've been active in the open source Community focused on addressing uh how is it that we in the open source Community write code how do we build on top of other people's code how do we ship things in ways that could be enhanced to provide better reassurance and trustworthiness us I feel often like people trust open source code by default you know but presuming it's open if it has lots of stars in GitHub it's it's uh it's probably going to be secure but there's a lot that we really could be doing to meet those high expectations for open source security so openssf really focuses on that problem and uh there's I know there's we've this week there we've uh there's been the release from uh Linux foundation and and uh also uh uh sneak uh about uh open the state of open source security uh it's been pretty it's paints quite a picture there's uh I think it's 41 of organizations said that they don't entirely they're not sure about the security of their open source software um what what do you think is the overall message people should derive about the state of open source security well I think it's been really hard to understand risk in relation to software at all let alone open whether it's open source or not um and I think organizations are increasingly realizing that these uh earthquakes that happen in the industry right the log for Shell vulnerability even things like colors JS fakers.js which were these small JavaScript programs that were written by one person and then caused a whole lot of companies that use them to see their websites go blank right there's say there's a there's a risk that's hard to quantify especially these long tail but high impact kinds of risks and so this is I think the software industry this year really woke up to not only the the fact these earthquakes were happening and how it's getting more and more expensive to recover from them systematically but that there are opportunities to improve that and so the research report was a great way to see that Quantified I think people should be worried about uh how they're using code and should be more scrutinizing about uh the dependencies they have and and their choices because for whether it's for databases for JavaScript Frameworks you have a choice usually of at least three if not several dozen different uh viable and production ready options in the open source world but today rarely do we have better signals than popularity um or or what's better documented you know as like our guide to what to use or what are the what are the people tweeting about right as like our guide to what to use but there are objectively measurable kinds of things you can uh metrics you can look at in addition to trying to understand are there real communities around this code pushing out the security updates responding to vulnerabilities as a guide to your choices about uh which open source projects to use and then which ones to invest back Upstream into yeah yeah projects don't have a don't have a lot of regular maintainers or they've they made no there's there's a there's a big there's a big distribution graph right that shows especially in some communities like the JavaScript and npm Community um uh uh some some of these graphs are sharper than others if you take for example number of contributors to a project and then number of projects that have only that many contributors um the I think the median number in the npm community is one uh for you know majority of projects have only one contributor and they tend to be these small modules right 100 lines of code or the like yeah which um you know I've been I've been in open source for 25 years most of the time I've been more at the here's a community of people working for different organizations collectively depending upon this code so contributing a little bit to helping make it happen as maintainers which not only is better for uh security purposes right like it's more eyeballs looking at code because we only we know open source is only secure because you have multiple eyeballs looking at the same body of code right um also participating in approving releases and that and and having architecture conversations as well um uh but uh but so much recently has been more like the one person kind of project so leads to security issues also leads to burnout issues and sustainability issues we hear a lot about yeah yeah it seems like that we're hearing more about that as well over time um uh so I wanted to dive into the uh open ssf and the Linux Foundation have launched the open source security mobilization plan yeah uh what is this plan designed to do so the open ssf overall is a kind of lovingly refer to it as a circus we've got lots of different folks working on different things from educational materials uh for you know secure software development best practices right we've got actually best practices badge the projects can certify themselves against in a scorecard we've got software like Sig store which is a new approach to signing software artifacts pervasively through the supply chain in a very approachable easy to set up way to standards and specify patients like salsa which are really about levels of attestation through the software development process that there was really a rigorous process for the development of this module and that modulus as it flows through the chain and what all this stuff needed though I mean like many open source projects were very opportunistic right people show up they want to work on a thing other people are interested our job as the Linux Foundation is to give them a space to do that but earlier this year the White House came to a bunch of communities and said um you guys seem to be working on some stuff but what's it going to take to actually solve these problems that these projects aim to address like and what time frame are you going to solve them is it going to take you 10 years 20 years right and we couldn't really answer that without being able to say well what would it take if we were to invest because most of the time we sit there we wait for folks to show up and hope for the best um but but it's fondest to ask what would it take to take these educational materials and try to reach millions of people with them not only to take the to take the the course but also to show that they've passed it what would it take to get Sig store adopted by the vast majority of Open Source projects out there as like the default way they do signing um and so we've kind of fanned out as a community came up with these uh 10 different basically business plans uh that all of them called for funding which we refined it's not like money is No Object but if we needed an if if there was a way to get enough resources to solve these problems what would it take personally I thought it was going to be billions of dollars you know to solve this which would still be cheap compared to the positive impact we would have across those 10 for the first two years of investment on uh collectively across all 10 streams it will cost about 150 million dollars measurably those would have each of those 10 would would have a tremendous amount of impact combined I think we'd make a serious dent in some of these earthquakes some of the instability that happens through open uh through a lack of security and open source code and where will the funding come from for for for that 100 like I said I was telling people you know we'll find the funding later um the good news is so in May when we publish the plan we held an event in Washington DC again partly because it was the White House prompting us to to think about how to put together a plan um not that we were going to ask them for funding but to basically because look when governments do allocations of funding when they decide where to put money there's all sorts of rules around that they're not just like hey somebody showed up and rewrote a check um we're not naive about that right um uh but we said we're let's let's show what's possible and as government decides where it's going to invest they know where where they might be able to put some money to put it to work whether it's through us or whether it's on their own right but at that meeting we brought many of our members together and collectively our membership said uh about uh six of the different organizations in that membership said uh we're going to pledge 30 million dollars against these streams now the 150 was really an estimate and we're these plans are still uh being refined right but but I I what will eventually set up will be basically a funding kind of process to be able to go when this stream is ready let's let's let's call in some of those pledges when that stream is ready let's call some in and 30 is still not 150 but we have lots of continuing conversations with other types of organizations to potentially contribute to that that's that's great um so I just wanted to to pause for a minute um there was some news about sick story like there's a new training program yeah you want to talk about that so training is at the core of being able to to really get adoption for you know any open source project because you know it's it's one thing to find a GitHub repo you know it's another to realize hey I can I can not only come up to speed in an organized way on how this works it's like you remember when O'Reilly books were like the signal that an open source project had arrived yeah you know there's still kind of that but I think the new signal is there's a course for it and I can certify to my employer or to potential my next employer that I know what I'm talking about when I say let's use six store so uh it was great to get the security fundamentals out we did that last year six door are being one of the next kind of major projects from the open ssf it was we've put out a course for that that again is free people can take that and and certify against that and demonstrate that that you know they've come up to speed Sig story as well is also mature enough that Not A lot's going to change before it's one Auto release so now is a good time to get that out and it just means hopefully it can be additive to our effort to get six store adopted pervasively across the software landscape not just for Open Source by the way you could use six store for a commercial for proprietarily licensed software too it's great that's great um when we've we've written quite a bit about Sig store as well so just viewers you can listeners you can you can find that on our site we've also written about salsa slsa uh just go you can just search for that on our site as well um so I just want to go through the the areas I'm just gonna I'm just gonna list them and if there's anything in particular um when I get to the end that you'd like to to highlight for for people let us know um so the 10 areas that that are going to be invested as part of the plan are security education risk assessment digital signatures memory safety incident response better scanning code audits data sharing improved software Supply change and s-bombs everywhere software bill of materials for all my friends yeah and I keep getting people coming up going I've got an 11th I've got a little 12. you know and I'm like but yeah yeah it by by no means do we think that it's that's the end of the story that will be you know no doubt there's other important things to invest in but but if we feel like this is a good combination to focus some efforts on so yeah that's great that's great is there anything else um about this plan that you in terms of uh how the community can get involved how yeah well um because these are basically business plans like these are funded kind of entities we're figuring out now how to like refine the targets but then also find the types of organizations and individuals who help us actually turn money into security right some of those we already have in place like Alpha Omega and Sig store have like separate funding Vehicles actually for for some of their effort others will need to spin up brand new uh parts of openssf I think to be able to do that others will be we'll be working with external organizations like ostiff around secure the third party code audits right um so I I that work we're setting up we'll be setting up special interest groups within openssf to help refine the plans further working even more publicly than we were before uh to help just Technic vet and qualify those and then frankly it's the funding organizations who will you know because they're the ones writing the check that will go and say okay this one is now ready for its first tranche of investment uh and and if it meets their satisfaction we can get started on that right that's a delicate thing that's not something that we do a lot of in open source right um uh uh but it's a little bit more top down but it'll be really exciting to Pioneer this kind of work um but meanwhile nothing is being weighted on at open ssf there's a lot of things going on one of the things that we didn't talk about is um in the alpha omega project which is partly focused on how do we help the most important open source projects with their capabilities around open source development we announced this week that we're making 400 000 grants uh to each of both the the python foundation and the eclipse Foundation to help fund their in-house security teams and also to adopt better standards and practices around security to do capacity building you know uh to help their Community understand the value of that kind of work eventually hoping their stakeholders pick up the the bill for like future future years of that right but just to help demonstrate that there's uh better standards and practices and also help Drive some reuse and learning across the different uh communities that we help fund about the best ways to to implement a security team best ways to implement s-bombs best ways to you know do the kinds of things that call for in the plan but that are really other parts of open ssf that's terrific well thank you very much for sharing all this with our audience um obviously security is in open source is continuing to be an issue that everyone's concerned about and and looks like you're you're your organization is uh making some making some strides toward making us also everyone's software more secure thank you and uh this has been uh uh TNS on the road uh makers and we will see you next time if you like this video please give us a thumbs up and if you'd like to see more videos like this you can always subscribe to our YouTube channel we're on all the major social media platforms you can always find us at the newstack.io we hope to see you soon [Music]
Original Description
Read the full article and listen to the audio only version on our website.
https://thenewstack.io/inside-a-150-million-plan-for-open-source-software-security/
AUSTIN, TEX. —Everyone uses open source software — and it’s become increasingly apparent that not nearly enough attention has been paid to the security of that software. In a survey released by The Linux Foundation and Synk at the foundation’s Open Source Summit in Austin, Tex., this month, 41% of organizations said they aren’t confident in the security of the open source software they use.
At the Austin event, The New Stack’s Makers podcast sat down with Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF), to talk about a new plan to attack the problem from multiple angles. He was interviewed for this On the Road edition of Makers by Heather Joslyn, features editor at The New Stack.
The New Stack - https://twitter.com/thenewstack
Heather Joslyn - https://twitter.com/ha_joslyn
Brian Behlendorf - https://www.linkedin.com/in/brianbehlendorf/
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The New Stack · The New Stack · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
What's Next for the Cloud Foundry Foundation in 2017 with Executive Director Abby Kearns
The New Stack
How Unikernels Can Better Defend against DDoS Attacks
The New Stack
Weaveworks is Bringing Horizontal Scaling to Prometheus
The New Stack
TNS Analysts Thanksgiving Special: The Evolution of Kubernetes and the Container Ecosystem
The New Stack
How Rancher Labs is Seeing Kubernetes Put to Work in Production
The New Stack
SAP Tests Kubernetes for Cloud-Native Enterprise Software Deployments
The New Stack
Event Marketing for Today's Developer Evangelists and Community Managers
The New Stack
NodeSource Introduces Certified Modules to Improve Node.js Security
The New Stack
How Lightstep is Illuminating the Case for Distributed Tracing
The New Stack
How OpenStack Aims to be More Inclusive without being Exclusive
The New Stack
How Shuttlecloud Saves Time and Money by Monitoring with Prometheus
The New Stack
Creating Analytics-Driven Solutions for Operational Visibility
The New Stack
Understanding the Application Pattern for Effective Monitoring
The New Stack
Building On Docker's Native Monitoring Functionality
The New Stack
The Importance of Having Visibility Into Containers
The New Stack
How Getting Your Project in the CNCF Just Got Easier
The New Stack
Tectonic Summit Pancake Breakfast: How to Sell Kubernetes to the Hypervisor-Minded
The New Stack
The Buzz at Tectonic Summit 2016 in New York City
The New Stack
Bringing Clarity to the Future of Node.js Modules
The New Stack
How FluentD Can Help Monitor Microservice Architectures Through Unified Logging
The New Stack
Reshaping Front End Development with Warehouse.ai
The New Stack
2016 Year End Wrap-Up: Discussing Docker, OpenStack, and Open Source
The New Stack
Here's Why You Should Build a Robot Using Node.JS: Because You Can
The New Stack
How the Node.js Foundation is Utilizing Participatory Governance Models
The New Stack
Set Up an MongoDB Replica Set in Less Than an Hour Using Bitnami Packages
The New Stack
Determining Who Bears the Burden of Ensuring NPM Module Security
The New Stack
How Intel Snap uses Telemetry and Kubernetes to Drive Enterprise Efficiency
The New Stack
How the NFL Scored a Touchdown with its Open Source React Framework Wildcat
The New Stack
Aporeto CEO Dimitri Stiliadis: When it Comes to Security, Context is King
The New Stack
The Buzz at Node.JS Interactive
The New Stack
Why Going Serverless Doesn't Mean 'No Ops'
The New Stack
How Node.js is Transforming Today's Enterprises
The New Stack
JJ Asghar Interview
The New Stack
How Capital One is Using APIs to Streamline Auto Financing
The New Stack
SXSW 2017: How Machine Learning Differs From Regular Programming
The New Stack
SXSW 2017: Data-Driven Applications with Capital One DevExchange's Hydrograph
The New Stack
SXSW 2017: How Good Engineers Make Bad Business Decisions
The New Stack
CloudNativeCon & KubeCon EU Pancake Breakfast 2017: Kubernetes and the Multi-Cloud
The New Stack
CNCF Executive Director Dan Kohn: What's Next for CNCF in 2017
The New Stack
Exploring the Latest Container Runtime Projects in the CNCF
The New Stack
Exploring the Future of the Kubernetes Ecosystem
The New Stack
Kubernetes and Continuous Deployment
The New Stack
Kris Nova of Deis at CouldNativecon/Kubecon in Berlin
The New Stack
Docker's Quest for Simplicity with the Evolution of Containerd
The New Stack
Developers First: The Cloud Foundry Service Broker API and Kubernetes
The New Stack
Mapping the Future of CoreOS's rkt in the CNCF
The New Stack
Red Hat and Dell EMC: Two Perspectives from DockerCon
The New Stack
Capital One Opened its APIs to Third-Party Developers — Here’s What They Learned
The New Stack
SUSE Joins the CNCF, Brings Kubernetes to OpenStack Cloud 7
The New Stack
How Capital One Brings Open Source To The Banking Industry
The New Stack
OSCON Is Coming Back To Portland, A Show Wrapup With Co-Chair Kelsey Hightower
The New Stack
Dev Or Ops Doesn’t Matter, You Need Observability
The New Stack
Taking The Next Steps In Developing An Open Source Culture
The New Stack
SXSW 2017: How Capital One Became Technology-First With Open Source
The New Stack
Apcera Old Apps Spanning New Clouds
The New Stack
Provenance: The Peace of Mind Chef Habitat Seeks to Deliver
The New Stack
InSpec: Human Readable, Automated Compliance
The New Stack
The Evolution of SAP HANA Express
The New Stack
Women Engineers Who Inspire And Never Give Up
The New Stack
Three Perspectives on the Evolution of Container Security
The New Stack
More on: Staying Current in AI
View skill →Related Reads
📰
📰
📰
📰
Bond Investors Push Back As AI Debt Heads Toward $570 Billion
Forbes Innovation
'The SaaS apocalypse is overrated': How Workday and other software provders plan to survive AI
ZDNet
TSMC’s $265B US Expansion: Four New Chip Fabs Planned
TechRepublic
Google Is Winning the AI Race and Losing Its Business Model at the Same Time
Medium · AI
🎓
Tutor Explanation
DeepCamp AI