Open at Intel

Latest episodes

Aug 9, 2023 • 35min

Kubernetes, DevOps and Reinventing Ourselves

Kat Cosgrove, a lead developer advocate at Dell, talks about DevOps culture, reinventing ourselves and our technology, and how to get involved in projects like Kubernetes. They discuss the increase in gender diversity in the open source industry and the importance of soft skills. They also highlight positive experiences with open source communities and the challenges of releasing Kubernetes versions. The episode emphasizes the value of technical writers and the need for more contributors in the open source world.
Jul 26, 2023 • 45min

Securing Kubernetes

Cisco's Michael Chenetz, host of the Cloud Unfiltered podcast, joins us to talk through security challenges unique to Kubernetes, and the journey to the cloud native ecosystem for everyone from beginners to veterans.
Resources: Overview of Cloud Native Security
Guest: Michael Chenetz is the head of technical product marketing and has led cloud strategy in the CTO org for Cisco. Michael has consulted for many Fortune 500 companies in Networking, Security, and Cloud. Michael is the host of the popular podcast Cloud Unfiltered, which discusses trends in cloud native technologies. You can find Michael speaking at most major cloud native events and online media outlets.
Guest Host: Chris Norman. An avid promoter of open source ecosystems, Chris writes documentation and presents at open source events, helping developers better understand Intel’s contributions to operating systems, languages, and runtimes. He also moderates the Clear Linux community forum.
Jul 12, 2023 • 26min

Security and the OSPO

Jessica Marz, Director of Intel's Open Source Program Office, discusses the role of the OSPO in securing the software supply chain and the role she plays in encouraging good open source citizenship.
Guest: Jessica Marz, Director of Open Source Program Office. An expert at explaining legal concepts to software developers and software development concepts to lawyers, Jessica is responsible for defining and managing Intel’s open source approval policies and practices. She’s also an avid arts-and-crafter known for her creative reuse of materials.
Jun 28, 2023 • 43min

Open Source Isn’t Broken

The open source software ecosystem has always faced tough challenges related to community, governance, and scalability. More than ever before, much conversation about open source struggles is devoted to the security of the software supply chain, especially when considering the unique challenges of a distributed, often anonymous, community-based development team. Josh Bressers, VP of Security at Anchore, fellow podcaster and OpenSSF volunteer, joins us to talk about why, despite these challenges, open source isn't broken and how to address the very human aspects of open source security and communities.
Resources: Avoiding the success trap: Toward policy for open-source software as infrastructure; I am not a supplier; All About SBOMs: The Software Bill of Materials; Open Source: The Nerd Version of Formula One; XKCD: Dependency
Guest: Josh Bressers is the Vice President of Security at Anchore. Josh has helped build and manage product security teams for open source projects as well as several organizations. Josh is the co-lead of the OpenSSF SBOM Everywhere project and co-hosts the Open Source Security Podcast and the Hacker History Podcast. He also is the co-founder of the Global Security Database project to bring vulnerability identification into the modern age.
Jun 14, 2023 • 1h 2min

Open Source: The Nerd Version of Formula One

Jorge Castro of the Cloud Native Computing Foundation joins us to geek out on taking the desktop cloud native with immutable Linux, talk open source community sustainability, and have a lot of fun along the way.
Episode Transcript
Resources: Universal Blue; The Cloud Native Linux Desktop Model (video); Architecture Of The Immutable uBlue Linux (video); The Cloud Native Landscape
Guest: Jorge O. Castro is a community manager, specializing in Open Source. He's basically a cat herder – a combination of engineering, developer relations, and user advocacy. Jorge graduated with a degree in Telecommunications from Michigan State University and rode with the 11th Armored Cavalry Regiment for four years. He first entered the technology field at SAIC and then moved to system administration at the School of Engineering and Computer Science at Oakland University in Rochester Hills, Michigan. Jorge then joined Canonical to work on Ubuntu for about 10 years before moving to Heptio to work on Kubernetes. Heptio was then acquired by VMware in December 2018. He's currently at the CNCF working on developer relations.
Guest Host: Chris Norman. An avid promoter of open source ecosystems, Chris writes documentation and presents at open source events, helping developers better understand Intel’s contributions to operating systems, languages, and runtimes. He also moderates the Clear Linux community forum.
May 31, 2023 • 34min

Building Trust with Attestation

In this episode, we dive deep into the concept of attestation as it relates to building trust in our software and systems. Marcela Melara and Vinnie Scarlata take us on a technical tour of both software and remote attestation and how these relate to ideas we've covered previously with software supply chain security and confidential computing. We talk trust and integrity, standards and projects, and share some best practices.
Guests:
Dr. Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on developing solutions for high-integrity software supply chains and building trustworthy distributed systems. She has several publications and patents filed related to her research, and leads a number of internal, academic and open-source efforts on software supply chain security. Prior to joining Intel, she received her PhD in Computer Science from Princeton University and did her undergraduate studies at Hobart and William Smith Colleges. She is a Siebel Scholar, a member of Phi Beta Kappa, and her research on CONIKS was awarded the Caspar Bowden PET Award. Outside of work, Marcela is an avid gardener, bookworm, hiker, and gamer.
Vinnie Scarlata is a Principal Engineer in the Security & Privacy Research lab in Intel Labs. He is one of the architects for Intel® Software Guard Extensions and Trust Domain Extensions, and has 20+ years of research experience in various areas of security, e.g. Trusted Computing, Trusted Execution Environments (TEE), Attestation, Recoverable Platforms, Runtime Integrity, and Key Management. He has been granted 50+ patents and co-authored several papers. Vinnie received a MS in Information Security from Georgia Tech and a BS in Computer Science from the University of Massachusetts, Amherst.
May 17, 2023 • 48min

Assessing Project Security with OpenSSF Scorecard

Evaluating security risk associated with open source software projects can be a complex or even daunting task, but an Open Source Security Foundation project called OpenSSF Scorecard helps put some order and automation into the process. In this episode, we chat with one of OpenSSF Scorecard's contributors, Brian Russell of Google, and Ryan Ware, Director of Open Source Security at Intel, about the problems Scorecard addresses, and how it might help improve the experience of developers and consumers of open source software. We'll take a deep dive into the automated security checks, how to use the data, and how to include Scorecards in a workflow.
Links: SCaLE 20x presentation: How do you trust your open source software?
Guests:
Brian Russell is a Product Manager on Google’s Open Source Security Team. He focuses on software supply chain security and is actively involved in the OpenSSF Scorecards project. In his spare time, Brian enjoys 3D printing and Atari video game programming.
Ryan Ware recently returned to Intel to focus on Open Source Software (OSS) security. He is currently helping drive Intel’s efforts in the Open Source Security Foundation (OpenSSF). Ryan is an industry veteran who has always worked at the intersection of open source software and security, be it implementing security features in open source software stacks, using open source software to find security vulnerabilities in software and hardware, or helping teams utilize OSS in a secure way.
May 3, 2023 • 43min

Consuming Open Source Software Securely

In this episode, we discuss best practices for evaluating and consuming open source software with Ryan Ware, director of open source security at Intel. Ryan will share his wisdom earned over decades working with open source software security.
Guest: Ryan Ware recently returned to Intel to focus on Open Source Software (OSS) security. He is currently helping drive Intel’s efforts in the Open Source Security Foundation (OpenSSF). Ryan is an industry veteran who has always worked at the intersection of open source software and security, be it implementing security features in open source software stacks, using open source software to find security vulnerabilities in software and hardware, or helping teams utilize OSS in a secure way.
Apr 19, 2023 • 46min

Scanning for Vulnerabilities with CVE Binary Tool

This episode explores an open source software vulnerability scanner called CVE Binary Tool, which scans binaries and component lists in your project and reports back known vulnerabilities based on data from NIST’s National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs). My guest is Dr. Terri Oda, a security researcher at Intel and the lead maintainer of CVE Binary Tool, and co-host Chris Norman, Intel Open Source Evangelist, joins us to explore the inner workings of the project and discuss contribution, community and the importance of developer-focused initiatives like Google Summer of Code.
Guest: Terri Oda has a PhD in horribleness, assuming we can all agree that web security is kind of horrible. She specializes in saying “no” and explaining things in varied roles as an open source security professional, a parent, and the volunteer coordinator of a summer mentoring program for Python.
Apr 5, 2023 • 32min

Securing Applications with Gramine

This episode continues our confidential computing conversation from our previous episode. Mona Vij, principal engineer at Intel Labs, leads Intel's efforts on the Gramine project, which is a library OS that allows for running unmodified applications and, among other things, solves the problem of running applications out-of-the-box on Intel SGX-enabled hardware. We'll dive into Gramine, a Confidential Computing Consortium Project, and discuss easing the path to running in a trusted execution environment.
Guest: Mona Vij is a Principal Engineer and Cloud and Data Center Security Research Manager at Intel Labs, where she focuses on Scalable Confidential Computing for end-to-end Cloud to Edge security. Mona received her Master’s degree in Computer Science from University of Delhi, India. Mona leads the research engagements on Trusted execution with a number of universities. Her research has been featured in journals and conferences including USENIX OSDI, USENIX ATC and ACM ASPLOS, among others. Mona's research interests primarily include trusted computing, virtualization, device drivers and operating systems.
