The New Stack Podcast

The New Stack
Jul 5, 2022 • 16min

What’s the State of Open Source Security? Don’t Ask.

AUSTIN, TEX. — How safe is the open source software that virtually every organization uses? You might not want to know, according to the results of a survey released by The Linux Foundation and Snyk, a cloud native cybersecurity company, at the foundation’s annual Open Source Summit North America, held here in June.

Forty-one percent of the more than 500 organizations surveyed don’t have high confidence in the security of the open source software they use, according to the research. Only half of participating companies said they have a security policy that addresses open source. Furthermore, it now takes 98 days on average to fix a vulnerability, more than double the figure reported in the 2018 version of the survey. The research was conducted at the request of the Open Source Security Foundation (OpenSSF), a project of The Linux Foundation.

For this On the Road episode of The New Stack Makers, Steve Hendrick, vice president of research at The Linux Foundation, and Matt Jarvis, director of developer relations at Snyk, were interviewed by Heather Joslyn, features editor at TNS.

Despite the alarming statistics, Jarvis cautioned against treating every vulnerability as a four-alarm fire. “Having a kind of zero-vulnerability target is probably unrealistic, because not all vulnerabilities are treated equal,” Jarvis said. Some “vulnerabilities” may not be a risk in your particular environment at all (a vulnerable function your code never calls, for example). It’s best to focus on the threats that are most critical to your network, applications and data.

One bright spot in the new report: nearly one in four respondents said they’re looking for resources to help them keep their open source software, and everything that depends on it, safe. Perhaps even more relevant to vendors: 62% of survey participants said they are looking to use more intelligent security-focused tools.

“There's a lot from a process standpoint that they are responsible for,” said Hendrick. “But they were very quick to jump on the bandwagon and say, we want the vendor community to do a better job at providing us tools, that makes our life a lot easier. Because I think everybody recognizes that solving the security problem is going to require a lot more effort than we're putting into it today.”

Jumping on the ‘SBOM Bandwagon’

Many organizations still seem confused about which of the dependencies in the open source software they use are direct and which are transitive (dependencies of their dependencies), said Hendrick. One of the best ways to clarify things, he said, “is to get on the SBOM bandwagon.” Understanding an open source tool’s software bill of materials, or SBOM, is “going to give you great understanding of the components, it's going to give you usability, it's going to give you trust, you're gonna be able to know that the components are nonfalsified,” Hendrick said. “And so that's all absolutely key from the standpoint of being able to deal with the whole componentization issue that is going on everywhere today.”

Additional results from the research, in which core project maintainers discussed their best practices, will be released in the third quarter of 2022. Listen to the podcast to learn more about the report’s results and what the Linux Foundation is doing to help upskill the IT workforce in cybersecurity.
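As an added illustration of the direct-versus-transitive point Hendrick makes, and of what “nonfalsified” means in practice, here is an example that is not part of the episode or of the Linux Foundation and Snyk research. It walks the dependency graph of a CycloneDX-format SBOM from the root component, reports which packages the application depends on directly and which arrive only through other packages, flags inconsistencies a reviewer would want to see (graph references to undeclared components, declared components nothing uses, components with no digest), and checks a recorded SHA-256 against the bytes of an artefact. The SBOM, package names, versions and digests below are constructed for the example and do not describe any real package.

```python
"""Classify an SBOM's dependencies as direct or transitive and check hashes.

Added example for this page; not code from the episode, The Linux Foundation
or Snyk. The CycloneDX-style SBOM below is constructed for illustration and
every package name, version and digest in it is hypothetical.
"""
import hashlib
import json
from collections import deque

# sha256(b"hello"), used as the recorded digest of one constructed component
# so that hash verification can be demonstrated against a known input.
_HELLO_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:pypi/example-app@1.0.0",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframework@3.2.0", "name": "webframework",
         "version": "3.2.0", "hashes": [{"alg": "SHA-256", "content": _HELLO_SHA256}]},
        {"bom-ref": "pkg:pypi/httpclient@2.1.0", "name": "httpclient",
         "version": "2.1.0", "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"bom-ref": "pkg:pypi/urlparser@1.9.0", "name": "urlparser",
         "version": "1.9.0", "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
        # No hash recorded: this component cannot be checked against what ships.
        {"bom-ref": "pkg:pypi/tlslib@0.8.1", "name": "tlslib", "version": "0.8.1"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/example-app@1.0.0",
         "dependsOn": ["pkg:pypi/webframework@3.2.0", "pkg:pypi/httpclient@2.1.0"]},
        {"ref": "pkg:pypi/webframework@3.2.0", "dependsOn": ["pkg:pypi/urlparser@1.9.0"]},
        {"ref": "pkg:pypi/httpclient@2.1.0",
         "dependsOn": ["pkg:pypi/urlparser@1.9.0", "pkg:pypi/tlslib@0.8.1"]},
    ],
})


def classify_dependencies(sbom_json: str) -> dict:
    """Walk the dependency graph from the root component.

    Returns direct and transitive refs, plus three consistency findings a
    reviewer would want: refs in the graph that are not declared components
    (dangling), declared components nothing depends on (unreferenced), and
    components with no digest (unhashed).
    """
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    direct = set(graph.get(root, []))
    # Breadth-first search records the shortest depth of every reachable ref,
    # so a package that is both direct and pulled in transitively stays direct.
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    reachable = set(depth) - {root}
    return {
        "direct": sorted(direct),
        "transitive": sorted(reachable - direct),
        "dangling": sorted(reachable - set(declared)),
        "unreferenced": sorted(set(declared) - reachable),
        "unhashed": sorted(ref for ref, c in declared.items() if not c.get("hashes")),
        "depth": depth,
    }


def find_component(sbom_json: str, ref: str) -> dict:
    """Look up a declared component by its bom-ref."""
    for component in json.loads(sbom_json).get("components", []):
        if component["bom-ref"] == ref:
            return component
    raise KeyError(ref)


def component_hash_matches(component: dict, artefact: bytes) -> bool:
    """Check the SBOM's recorded SHA-256 against the bytes actually shipped.

    This is the 'non-falsified' check: a digest that does not match means the
    SBOM does not describe the artefact in front of you.
    """
    digest = hashlib.sha256(artefact).hexdigest()
    return any(h.get("alg") == "SHA-256" and h.get("content", "").lower() == digest
               for h in component.get("hashes", []))


if __name__ == "__main__":
    for key, value in classify_dependencies(SAMPLE_SBOM).items():
        print(f"{key}: {value}")
    wf = find_component(SAMPLE_SBOM, "pkg:pypi/webframework@3.2.0")
    print("webframework digest matches b'hello':", component_hash_matches(wf, b"hello"))
```

Running the script on the constructed SBOM reports two direct dependencies, two transitive ones (one of them, urlparser, shared by both direct dependencies), and tlslib as the component that cannot be verified because it carries no digest. On a real SBOM the same three findings are the ones worth automating: a dangling or unreferenced ref means the SBOM and the build disagree, and an unhashed component is one whose provenance you are taking on faith.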
Jul 1, 2022 • 13min

A Boom in Open Source Jobs Is Here. But Who Will Fill Them?

AUSTIN, TEX. — Forty-one percent of organizations in a new survey said they expect to increase hiring for open source roles this year. But the study, released in June by the Linux Foundation and online learning platform edX during the foundation’s Open Source Summit North America, also found that 93% of employers surveyed said they struggle to find the talent to fill those roles.

At the Austin summit, The New Stack’s Makers podcast sat down with Hilary Carter, vice president for research at the Linux Foundation, who oversaw the study. She was interviewed for this On the Road edition of Makers by Heather Joslyn, features editor at The New Stack.

“I think it's a very good time to be an open source developer, I think they hold all the cards right now,” Carter said. “And the fact that demand outstrips supply is nothing short of favorable for open source developers, to carry a bit of a big stick and make more demands and advocate for their improved work environments, for increased pay.”

But even sought-after developers are feeling a bit anxious about keeping pace with the cloud native ecosystem’s constant growth and change. The open source jobs study found that roughly three out of four open source developers said they need more cybersecurity training, up from about two-thirds in the 2021 version of the report.

“Security is the problem of the day that I think the whole community is acutely aware of, and highly focused on, and we need the talent, we need the skills,” Carter said. “And we need the resources to come together to solve the challenge of creating more secure software supply chains.”

Carter also told the Makers audience about the role open source program offices, or OSPOs, can play in nurturing in-house open source talent, the impact a potential recession may have (or not have) on the tech job market, and new surveys in the works at the Linux Foundation to map the open source community outside North America. The first of those studies, of Europe’s open source communities, is slated to be released in September at Open Source Summit Europe in Dublin. Linux Foundation Research is currently fielding its annual survey of OSPOs and is also working with the Cloud Native Computing Foundation on its annual survey of cloud native adoption trends.
Jun 30, 2022 • 14min

Economic Uncertainty and the Open Source Ecosystem

In this episode of The New Stack’s On the Road show at Open Source Summit in Austin, Matt Yonkovit, head of open source at Percona, shared his thoughts on how economic uncertainty could affect the open source ecosystem. Open source, of course, is free. So what role does the economy play in whether open source software is contributed to, downloaded and used in production?

“Generally, open source is considered a bit recession proof,” Yonkovit said. But that doesn’t mean that things won’t change. Over the past several years, the number of open source companies has increased dramatically, and the amount of funding sloshing around the ecosystem has been huge. That might change.

And if the funding situation does change? “I think the big differentiator for a lot of people in the open source space is going to be the communities,” Yonkovit said. When we talk about having “backing,” it’s usually in reference to financial investors, but in open source the backing of a community is just as important. In the absence of deep pockets, a community of people who believe in the project can help it survive, and show that the idea is really solid.

If you look back at the history of open source, Yonkovit said, it’s about people having an idea that inspires other people to contribute to make it a reality. Sometimes those ideas aren’t commercially viable, even in the best of times and even if they do get widespread adoption. The only thing that’s changing now is that financial investors are going to be pickier about making sure the projects they fund aren’t just inspirational ideas, but are also commercially viable.
Jun 28, 2022 • 13min

Inside a $150 Million Plan for Open Source Software Security

AUSTIN, TEX. — Everyone uses open source software, and it has become increasingly apparent that not nearly enough attention has been paid to the security of that software. In a survey released by The Linux Foundation and Snyk at the foundation’s Open Source Summit in Austin, Tex., this month, 41% of organizations said they aren’t confident in the security of the open source software they use.

At the Austin event, The New Stack’s Makers podcast sat down with Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), to talk about a new plan to attack the problem from multiple angles. He was interviewed for this On the Road edition of Makers by Heather Joslyn, features editor at The New Stack.

Behlendorf, who has led OpenSSF since October and serves on the boards of the Electronic Frontier Foundation and the Mozilla Foundation, cited the discovery of the Log4j vulnerabilities late in 2021, and other recent security “earthquakes,” as key turning points. “I think the software industry this year really woke up to not only the fact these earthquakes were happening,” he said, “and how it's getting more and more expensive to recover from them.”

The Open Source Security Mobilization Plan sprang from an open source security summit in May. It identifies 10 areas that will be targeted for attention, according to the report published by OpenSSF and the Linux Foundation:

Security education.
Risk assessment.
Digital signatures, such as through the open source Sigstore project.
Memory safety.
Incident response.
Better scanning.
Code audits.
Data sharing.
Improved software supply chains.
Software bills of materials (SBOMs) everywhere.

The price tag for these initiatives over the initial two years is expected to total $150 million, Behlendorf told our Makers audience. The plan was sparked by queries from the White House about the various initiatives underway to improve open source software security: what they would cost, and the time frame the solution-builders had in mind.

“We couldn't really answer that without being able to say, well, what would it take if we were to invest?” Behlendorf said. “Because most of the time we sit there, we wait for folks to show up and hope for the best.”

The ultimate price tag, he said, was much lower than he expected it would be. Various member organizations within OpenSSF, he said, have pledged funding. “The 150 was really an estimate. And these plans are still being refined,” Behlendorf said. But by stating specific steps and their costs, he feels confident that interested parties will make good on those pledges when the time comes.

Listen to the podcast to get more details about the Open Source Security Mobilization Plan.
Jun 21, 2022 • 13min

Counting on Developers to Lead Vodafone’s Transformation Journey

British telecommunications provider Vodafone, which owns and operates networks in over 20 countries and is on a journey to become a tech company focused on digital services, plans to hire thousands of software engineers and developers who can help put the company on the cloud native track and expose its network through APIs.

In this episode of The New Stack Makers podcast, recorded at MongoDB World 2022 in New York City, Lloyd Woodroffe, global product manager at Vodafone, shares how the company is working with MongoDB on the development of a Telco as a Service (TaaS) platform to help its engineers increase their software development velocity and drive adoption of best-practice automation within DevSecOps pipelines. Alex Williams, founder of The New Stack, hosted this podcast.

Vodafone has built a backbone to keep the business resilient and scalable. What it is looking to do now is innovate and give its developers the freedom and flexibility to develop creatively. “The TaaS platform – which is the product we’re building – is essentially a developer first framework that allows developers and Vodafone to build things that you think could help the business grow. But because we’re an enterprise, we need security and financial assurance and TaaS is the framework that allows us to do it in a way that gives developers the tools they need but also the security we need,” said Woodroffe.

The idea of reuse as part of an inner sourcing model is key as Vodafone scales. The company’s “one source” initiative lets its developers follow that strategy. “We have a single repository across all our markets and teams where you can publish your code and other teams from other countries can take that code, reuse it, and implement it into their applications,” said Woodroffe. “In terms of outsourcing to the community, our engineers want to start productizing APIs and build new, innovative applications which we'll see in a bit,” he added.

“The TaaS developer platform that we’re building with MongoDB acts as our service registry for the platform. When you provision the tools for the developer, we register the organizations, the cost center and guardrails that we’ve set up from a security and finance perspective,” said Woodroffe. “Then we provision MongoDB for the developers to use as their database of choice.”

“What we'll see ultimately, as the developer has access to these tools [TaaS] and products more, is they'll be able to build new innovations that can be utilized through our network via APIs,” Woodroffe said.
Jun 21, 2022 • 17min

Pulumi Pursues Polyglotism to Expand Impact of DevOps

VALENCIA – The goal of DevOps was to break down silos between software development and operations. The side effect has been a blurring of the lines between dev and ops, for better or for worse, because the role of software developer keeps expanding, causing cognitive overload and burnout. This is why the developer tooling market has exploded to automate and assist developers right when and where they need to build, in whatever language they already know.

In this episode of The New Stack Makers podcast, recorded on the floor of KubeCon + CloudNativeCon Europe 2022, Matty Stratton, staff developer advocate at Pulumi, talks about the now nearly universal practice of Infrastructure as Code and its impact on both dev and ops teams.

Earlier this May, Pulumi released updates that took the platform closer to becoming a truly polyglot way to enforce cloud best practices, including support for:

The full Java ecosystem.
YAML.
Crosswalk for Amazon Web Services (AWS) in all Pulumi languages.
Deploying AWS Cloud Development Kit (CDK) constructs in all Pulumi languages.

These are significant updates because they dramatically expand the languages available in this low-code way of creating, deploying and managing infrastructure on any cloud.

"A lot of times, in Infrastructure-as-Code, we're using domain-specific language using a config file. We call it Infrastructure as Code and are not actually writing any code. So I like to think about Pulumi as Infrastructure as Software." For Stratton, that means writing Pulumi code using a general purpose programming language, like TypeScript, Python, Go, .NET languages, or now Java.

"The great thing about that is, not only do you maybe already know this programming language, because that's the language you use to build your applications, but you're able to use all the things that a programming language has available to it, like conditionals, and loops, and packages, and testing tools, and an IDE [integrated development environment] and a whole ecosystem. So that makes it a lot more powerful, and gives us a lot of great abstractions we can use," he continued.

Pulumi now follows the low-code development trend where, Stratton says, "We're enabling people to solve a problem with just enough tech." But specifically in a team's existing language, to limit the tool onboarding needed. This is attractive not only to new customers but also for expanding Pulumi adoption across organizations without much change to the way they work: just making it easier to work together. "I've been part of the DevOps community for a long time. And all that I want to see out of DevOps and all of this work is how do we collaborate better together? How do we be more cross functional?"
Jun 16, 2022 • 22min

Unlocking the Developer

Proper tooling is perhaps the primary key to unlocking developer productivity. With the right tools and frameworks, developers can be productive in minutes instead of toiling over boilerplate code. And as data-hungry use cases such as AI and machine learning emerge, data tooling is becoming paramount.

This was evident at the recent MongoDB World conference in New York City, where TNS founder and publisher Alex Williams recorded this episode of The New Stack Makers podcast featuring Peggy Rayzis, senior director of developer experience at Apollo GraphQL; Lee Robinson, vice president of developer experience at Vercel; Ian Massingham, vice president of developer relations and community at MongoDB; and Søren Bramer Schmidt, co-founder and CEO of Prisma, discussing how their companies’ offerings help unlock developer productivity.

Apollo GraphQL and Supergraphs

Apollo GraphQL unlocks developers by helping them build supergraphs, Rayzis said. A supergraph is a unified network of a company's data services and capabilities that is accessible via a consistent and discoverable place that any developer can reach with a GraphQL query. GraphQL is a query language for communicating about data.

“And what's really great about the supergraph is even though it's unified, it's very modular and incrementally adoptable. So you don't have to like rewrite all of your backend system and APIs,” she said. “What's really great about the supergraph is you can connect like your legacy infrastructure, like your relational databases, and connect that to a more modern stack, like MongoDB Atlas, for example, or even connected to a mainframe as we've seen with some of our customers. And it brings that together in one place that can evolve over time. And we found that it just makes developers so much more productive, helps them shave, shave months off of their development time and create experiences that were impossible before.”

Vercel: Strong Defaults

Meanwhile, Robinson touted the virtues of Next.js, Vercel’s popular React-based framework, which provides developers with the tools and the production defaults to make a fast web experience. The goal is to enable frontend developers to move from an idea to a global application in seconds. Robinson said he believes it’s important for a tool or framework to have good, strong defaults, but also to be extensible and open to developers making changes, so that they do not necessarily have to eject fully out of the tool they are using but can customize without leaving their framework, library or tool of choice. “If you can provide that great experience for the 90% use case by default, but still allow maybe the extra 10% power, you know, power developer who needs to modify something without having to just rewrite from scratch, you can get go pretty far,” he said.

Data Tooling

When it comes to data tooling, MongoDB is trying to help developers manipulate and work with data in a more productive and effective way, Massingham said. One of the ways MongoDB does this is through the provision of first-party drivers, he said. The company offers 12 different programming language drivers for MongoDB, covering everything from Rust to Java, JavaScript, Python and more. “So, as a developer, you’re importing a library into your environment,” Massingham said. “And then rather than having to construct convoluted SQL statements -- essentially learning another language to interact with the data in your database or data store -- you're going to manipulate data idiomatically using objects or whatever other constructs that are normal within the programming language that you're using. It just makes it way simpler for developers to interact with the data that's stored in MongoDB versus interacting with data in a relational database.”

MongoDB and Prisma

Bramer Schmidt said that while a truism in software engineering is that code moves fast and data moves slow, we are now starting to see more innovation in the data tooling space. “And Mongo is a great example of that,” he said. “Mongo is a database that is much nicer to use for developers, you can express more different data constructs, and Mongo can handle things under the hood.” Moreover, Prisma is also innovating around the developer experience for working with data, making it easier for developers to build applications that rely on data and to do that faster, Bramer Schmidt said. “The way we do that in Prisma is we have the tooling introspect your database, it will go and assemble documents in MongoDB, and then generate a schema based on that, and then it will pull that information into your development environment, such that you can, when you write queries, you will get autocompletion, and the IDE will tell you if you're making a mistake,” he said. “You will have that confidence in your environment instead of having to look at the documentation, try to remember what fields are where or how to do things. So that is increasing the confidence of the developer enabling them to move faster.”
Jun 16, 2022 • 17min

MongoDB 6.0 Offers Client-Side End-to-End Encryption

"Developers aren't cryptographers. We can only do so much security training, and frankly, they shouldn't have to make hard choices about this encryption mode or that encryption mode. It should just, like, work," said Kenneth White, a security principal at MongoDB, explaining the need for MongoDB's new Queryable Encryption feature.

In this latest edition of The New Stack Makers podcast, we discuss MongoDB's new end-to-end client-side encryption, which allows an application to query an encrypted database while keeping the queries themselves encrypted in transit, an industry first, according to the company. White discussed the technology in depth with TNS publisher Alex Williams, in a conversation recorded at MongoDB World, held last week in New York.

MongoDB has offered client-side field-level encryption, the ability to encrypt and decrypt documents in the driver, since MongoDB 4.2, though this release is the first to allow an application to query the encrypted data. Developers with no expertise in encryption can write apps that use this capability on the client side, and the capability itself (available in preview in MongoDB 6.0) adds no noticeable overhead to application performance, the company claims.

Data remains encrypted at all times on the server, including in memory and on the CPU. The keys never leave the application and cannot be accessed by the server, so neither the database administrator nor the cloud service administrator can look at the raw data. For organizations, queryable encryption greatly expands the utility of MongoDB for all sorts of sensitive and secret data. Customer service reps, for instance, could use the data to help customers with issues involving sensitive values such as Social Security numbers or credit card numbers.

In this podcast, White also spoke about the considerable engineering effort to make this technology possible, and to make it easy to use for developers. "In terms of how we got here, the biggest breakthroughs weren't cryptography, they were the engineering pieces, the things that make it so that you can scale to do key management, to do indexes that really have these kinds of capabilities in a practical way," White said.

It was necessary to serve a user base that needs maximum scalability in their technologies. Many have "monster workloads," he notes. "We've got some customers that have over 800 shards, meaning 800 different physical servers around the world for one system. I mean, that's massive," he said. "So it was a lot of the engineering over the last year and a half [has been] to sort of translate those math and algorithm techniques into something that's practical in the database."
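To make the property described above concrete, here is an added illustration that is not MongoDB's Queryable Encryption and not MongoDB code: a client encrypts a field with keys that only it holds, attaches a keyed equality token (a blind index), and the server stores and matches on ciphertext and tokens without ever seeing the key or the plaintext. The cipher is a constructed toy built from HMAC-SHA256 so that the example runs on the Python standard library alone; the `FieldEncryptor` and `UntrustedStore` classes, the record layout and the sample values are all assumptions made for this example, and a real deployment would use a proper AEAD such as AES-GCM. How MongoDB's own indexes are structured is not something this example claims to show.

```python
"""Client-side field encryption with an equality-searchable blind index.

Added illustration for this page; not MongoDB's Queryable Encryption and not
any MongoDB code. It demonstrates the property the episode describes: the
server stores and matches only ciphertext and keyed tokens, and the key and
plaintext never leave the application. The cipher is a constructed toy
(HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) chosen so
the example runs on the standard library alone; use a real AEAD such as
AES-GCM in practice. The sample records are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class FieldEncryptor:
    """Holds the client's keys. Nothing in this class is ever sent to the server."""

    def __init__(self, master_key: bytes):
        # Separate sub-keys for confidentiality, integrity and indexing.
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"idx", hashlib.sha256).digest()

    def encrypt(self, plaintext: bytes) -> bytes:
        # Fresh random nonce: equal plaintexts produce different ciphertexts.
        nonce = os.urandom(NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext was modified or the key is wrong")
        return bytes(c ^ k for c, k in zip(body, _keystream(self.enc_key, nonce, len(body))))

    def blind_index(self, plaintext: bytes) -> bytes:
        # Deterministic keyed token: equal plaintexts give equal tokens, so the
        # server can answer equality queries without the key. The price is that
        # the server learns which records share a value (equality leakage).
        return hmac.new(self.idx_key, plaintext, hashlib.sha256).digest()


class UntrustedStore:
    """Stand-in for the database server: it holds only ciphertext and tokens."""

    def __init__(self):
        self.rows = []

    def insert(self, record_id: int, ciphertext: bytes, token: bytes) -> None:
        self.rows.append({"id": record_id, "ssn": ciphertext, "ssn_idx": token})

    def find_by_token(self, token: bytes) -> list:
        # Matching compares tokens only; the server never sees an SSN.
        return [r for r in self.rows if hmac.compare_digest(r["ssn_idx"], token)]


def demo(master_key: bytes) -> dict:
    """Store three records, query one SSN by token and report what each side sees."""
    client = FieldEncryptor(master_key)
    store = UntrustedStore()
    target = b"123-45-6789"  # constructed value, not a real SSN
    for record_id, ssn in [(1, target), (2, b"987-65-4321"), (3, target)]:
        store.insert(record_id, client.encrypt(ssn), client.blind_index(ssn))
    hits = store.find_by_token(client.blind_index(target))
    return {
        "ids": [r["id"] for r in hits],
        "recovered": [client.decrypt(r["ssn"]) for r in hits],
        # Two rows with the same SSN still look different on the server...
        "ciphertexts_differ": store.rows[0]["ssn"] != store.rows[2]["ssn"],
        # ...but share a token, which is exactly what the query exploits.
        "tokens_equal": store.rows[0]["ssn_idx"] == store.rows[2]["ssn_idx"],
        "server_sees_plaintext": any(target in r["ssn"] for r in store.rows),
    }


if __name__ == "__main__":
    print(demo(os.urandom(32)))
```

The query in `demo` reaches the store as a 32-byte token, and the store returns ciphertexts that only the holder of the master key can open. The caveat a practitioner should take from this is the comment in `blind_index`: any scheme that lets the server match equality must reveal which records share a value, so the design question is how much such leakage is acceptable for the field in question, which is the kind of engineering trade-off White describes having to work through at scale.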
Jun 7, 2022 • 32min

Simplifying Cloud Native Application Development with Ballerina

For the past six years, WSO2 has been developing Ballerina, an open source programming language that streamlines the writing of new services and APIs. It aims to simplify the process of using, combining and creating network services, and of getting highly distributed applications to work together toward a determined outcome.

In this episode of The New Stack Makers podcast, Eric Newcomer, chief technology officer of WSO2, discusses how the company created a new programming language from the ground up, and its plans for Ballerina to become a predominant cloud native language. Darryl Taft, news editor of The New Stack, hosted this podcast.

Founded on the idea that it was too hard to do development with integration, Ballerina was created for programming in highly distributed environments. “Cloud computing is an evolution of distributed computing of integration. You're talking about microservices and APIs that need to talk to each other in the cloud,” said Newcomer. “And what Ballerina does, is it thinks about what functions outside of the program that need to be talked to,” he added.

Developers can pick up Ballerina easily to create cloud applications. The language design is informed by TypeScript and JavaScript, with some additional capabilities, Newcomer said. “Developers can create records and schemas for JSON payloads in and out to support the APIs for cloud, mobile or web apps, and it has concurrency for concurrent processing of multiple calls, transaction control, but in a very familiar syntax, like TypeScript or JavaScript.”

WSO2 is using Ballerina in the company’s low-code offering, Choreo, which includes features such as the ability to create diagrams. “The long-time challenge in the industry is how do you represent your programming code in a graphical form. [Sanjiva Weerawarana, founder of WSO2] has solved this problem by putting into the language syntax elements from which you can create diagrams. And he did it in such a way that you can edit the diagram and create code,” said Newcomer.

Engineering for the cloud requires a programming language that can reengineer applications to achieve auto scaling, resiliency and independent agility, said Newcomer. WSO2 is continuing to push its work forward to tackle this challenge. “We're thinking Choreo is going to help us because it's leveraging the magic of Ballerina to help people get their job done faster. Once they see that, they'll see Ballerina and get the benefits of it,” Newcomer said.
Jun 1, 2022 • 19min

The Future of Open Source Contributions from KubeCon Europe

VALENCIA – Open source code is part of at least 70% of enterprise stacks. Yet a lot of open source contributors are still unpaid volunteers. Even more than tech as a whole, the future of open source relies on the community. Unless you're among the top-tier funded open source projects, your sustainability relies on building a community, whether you want to or not, and cultivating project leadership to help recruit new maintainers, whether you want to hand over the reins or not. That's where the Technical Advisory Group, or TAG, on Contributor Strategy comes in, acting as maintainer relations for the Cloud Native Computing Foundation.

In this episode of The New Stack Makers podcast, recorded on the floor of KubeCon + CloudNativeCon Europe 2022, we talk to Dawn Foster, VMware's director of open source community strategy; Josh Berkus, Red Hat's Kubernetes community manager; Catherine Paganini, Buoyant's head of marketing and community; and Deepthi Sigireddi, a software engineer at PlanetScale. Foster and Berkus are the co-chairs of the Contributor Strategy TAG; Paganini's employer Buoyant created Linkerd, and Sigireddi is a maintainer of Vitess, both CNCF graduated projects. Each brought their unique experience in both open source contribution and leadership to talk about the open source contributor experience, sustainability, governance and guidance.

With 65% of KubeCon EU attendees at a CNCF event for the first time, albeit still during a pandemic, the signal for the future of open source is uncertain. It either shows a burst of interest from newcomers or a dwindling interest in long-term contributions. CNCF executive director Priyanka Sharma even noted in her keynote that contributions to the foundation's biggest project, Kubernetes, have grown stagnant.

"I see it as a positive thing. I think it's always good to get some new blood into the community. And I think you know, the projects are working to do whatever they can to get new contributors," Foster said.

But it's not just about how many contributors but who. One thing that was glaringly apparent at the event was the lack of diversity, with the vast majority of the 7,000 KubeCon EU participants being young, white men. This isn't surprising, as open source is still based on a lot of voluntary work, which naturally excludes those most marginalized within the tech industry and society. That is why, according to GitHub's State of the Octoverse, open source sees only about 4% women and nonbinary contributors, and only about 2% from the African continent. If open source is such an integral part of tech's future, that future is being built with more inequity than ever before.

"The barrier to entry to open source right now is having free time. And to do free work? Yes, and let's face it, women still do a lot of childcare, a lot of housework, much more than men do, and they have less free time." Sigireddi continued that there are other factors which discourage those widely underrepresented in tech from participating, including "not having role models, not seeing people who look like you, the communities tend to have in-jokes [and other] things that are cultural, which minorities may not be able to relate to." Most open source code, while usually forked globally, exists in English only.

One message throughout KubeCon EU was that if a company relies on an open source project, it should pay some of its staff to contribute to and support that project, because the business may depend on it. This will in turn help bring open source a bit closer to the still abysmal diversity statistics of the tech industry as a whole. "I think from an ecosystem perspective, I think that companies paying people to do the work on open source makes a big difference," Foster said. "At VMware, we pay lots of people who work primarily on upstream open source projects. And I think that does help us get more diversity into the community, because then people can do it as part of their regular day jobs."

Encouraging contributors who are underrepresented in OSS to speak up and represent their projects is another way to attract more diverse contributors. Berkus said the Contributor Strategy TAG had a meeting at KubeCon EU with a group of primarily Italian women who have started an inclusiveness effort, beginning with things like speaker coaching and placement. "It turns out that a lot of things that you need to do to have more diverse contributors are things you actually needed to do anyway, just to make things better for all new contributors," Berkus explained.

Indeed, welcoming new open source contributors, at all levels and in both technical and non-technical roles, is an important focus of the TAG. Paganini, along with colleague Jason Morgan, is co-author of the CNCF Landscape Guide, which acts as a welcome to the massive, overwhelming cloud native landscape. What she has found is that people will use open source technology, but they contribute to it because of the community. "We see a lot of projects really focusing on code and docs, which of course is the basics, but people don't come for the technology per se. You can have the best technology, it's amazing, and people are super excited, but if the community isn't there, if they don't feel welcome," they won't stick around, Paganini said. "People want to be part of a tribe, right?"

Then, once you've successfully recruited and onboarded your community, you've got to work not only to retain but also to promote from within. All this and more is jam-packed into this lively discussion that cannot be missed!

More on open source diversity and inclusion efforts:

Beat Affinity Bias with Open Source Diversity and Inclusion
Open Source Communities Need More Safe Spaces and Codes of Conducts. Now.
WTF is Wrong with Open Source Communities
Look Past the Bros, and Concerns About Open Source Inclusion Remain
How to Give and Receive Technical Help in Open Source Communities
Navigating the Messy World of Open Source Contributor Data
How to Find a Mentor and Get Started in Open Source
