What's in the SOSS? An OpenSSF Podcast

Latest episodes

Oct 15, 2024 • 14min

Intel’s Katherine Druckman and the Impact of Developer Relations

In this episode, CRob discusses the finer points of developer relations (DevRel) with Katherine Druckman, Open Source Evangelist at Intel and co-chair of the OpenSSF Marketing Advisory Council and DevRel Community. Katherine enjoys sharing her passion for a variety of open source topics and is a long-time open source advocate, developer and podcaster. She’s currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality 2.0 podcasts. She spent over a decade at Linux Journal. A passionate Drupalist since she first downloaded a tarball in 2005, she has also been a Drupal contributor and engineer.

Additionally, Katherine will be a featured speaker at SOSS Fusion/24 in Atlanta on Oct. 22-23. SOSS Fusion/24 is a collaborative and forward-thinking initiative dedicated to securing open source software. This event will bring together a diverse community of professionals, from the public sector, software developers and security engineers to cybersecurity experts, CISOs, CIOs, founders and tech pioneers.

Katherine will be an active participant at SOSS Fusion/24 and will share her insight at the following presentations:

Roundtable: Building Developer Confidence in Software Security with the DevRel Community, with Lori Lorusso, Percona, and Tabatha DiDomenico, G-Research. Oct. 22, 11:30 a.m.
Keynote: Fireside Chat with Window Snyder, Founder & CEO, Thistle Technologies. Oct. 23, 9:30 a.m.
Keynote: Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software. Oct. 23, 9:55 a.m.

Check out the full schedule for SOSS Fusion/24.

01:42 - Katherine shares her non-traditional journey into open source
03:30 - DevRel’s definition varies, depending on the organization
06:11 - Tips for making connections with developers
08:23 - How DevRel professionals can help integrate security practices and tooling into everyday maintainer activities
09:38 - Katherine answers CRob’s rapid-fire questions
11:05 - Katherine’s belief that all knowledge can be relevant, even if it’s outside of your field
12:23 - Developers and security folks should be working together

Episode links:
Katherine Druckman on LinkedIn
OpenSSF DevRel Community
Open at Intel podcast
SOSS Fusion/24
Get involved with the OpenSSF community
Oct 1, 2024 • 16min

Dell's Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level

In this episode, CRob sits down with Sarah Evans, security research technologist at Dell, and Lisa Bradley, senior director of product and application security at Dell. They dig into the challenges of implementing secure open source software at a complex enterprise.

Sarah sits on the OpenSSF Technical Advisory Council, and at Dell she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force.

Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell's Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs.

02:38 - How Dell is managing its ingestion and productization of open source software
04:54 - The complex task of managing open source software for a company the size of Dell
06:34 - The importance of executive support when implementing security initiatives
10:40 - Lisa and Sarah answer CRob’s rapid-fire questions
12:40 - Lisa and Sarah’s advice to aspiring developers and security professionals
14:12 - Lisa and Sarah’s call to action

Episode links:
Lisa Bradley on LinkedIn
Sarah Evans on LinkedIn
Get involved in the OpenSSF community
Sep 17, 2024 • 21min

Bidding Adieu to Omkhar Arasaratnam

In this episode, CRob chats with Omkhar Arasaratnam, who has served as the general manager of the OpenSSF and was co-host of What’s in the SOSS? As Omkhar moves on to the next chapter of his occupational journey, he reflects on his tenure with the OpenSSF, shares his open source origin story and highlights the achievements of the OpenSSF and the tactics he used to engage different stakeholders.

Omkhar shares his open source origin story
02:14 - Things Omkhar is proud of during his tenure at the OpenSSF
04:36 - The challenge of keeping myriad stakeholders engaged
07:12 - Areas of open source supply chains that public policymakers and regulators should better understand
09:44 - Some challenges ahead for the open source ecosystem
14:58 - Omkhar answers CRob’s rapid-fire questions
17:57 - Omkhar’s advice for people entering the open source community

Links:
Omkhar Arasaratnam on LinkedIn
Get involved with OpenSSF
Sep 10, 2024 • 23min

CoSAI, OpenSSF and the Interesting Intersection of Secure AI and Open Source

Join Dave LaBianca, security engineering director at Google; Mihai Maruseac from the Google Open Source Security Team; and Jay White from Microsoft for a deep dive into AI security. They discuss the Coalition for Secure AI (CoSAI) and its essential role in enhancing AI security and governance. The trio shares insights on collaboration between CoSAI and the OpenSSF AI/ML Security Working Group, covering vital topics like model provenance and best practices for AI software supply chains. Plus, they serve up rapid-fire fun and invaluable advice for aspiring tech professionals!
Sep 3, 2024 • 23min

GitHub’s Mike Hanley and Transforming the “Dept. of No” Into the "Dept. of Yes, And…”

In this episode, Omkhar chats with Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community. When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and nine kids.

01:21 - Mike shares insight into transporting a family of 11
02:02 - Mike’s day-to-day at GitHub
03:53 - Advice on communicating supply chain risk
08:19 - Transforming the “Department of No” into the “Department of Yes And…”
12:44 - AI’s potential impact on secure open source software and, specifically, on software supply chains
18:02 - Mike answers Omkhar’s rapid-fire questions
19:26 - Advice Mike would give to aspiring security or software professionals
20:38 - Mike’s call to action for listeners

Links:
Mike Hanley on LinkedIn
DARPA AI Cyber Challenge
Get involved with the OpenSSF
Aug 27, 2024 • 12min

CISA's Aeva Black and the Public Sector View of Open Source Security

In this episode, Omkhar Arasaratnam visits with Aeva Black, who currently serves as the Section Chief for Open Source Security at CISA, and is an open source hacker and international public speaker with 25 years of experience building open source software projects at large technology companies. She previously led open source security strategy within the Microsoft Azure Office of the CTO, and served on the OpenSSF Technical Advisory Committee, the OpenStack Technical Committee, and the Kubernetes Code of Conduct Committee. In her spare time, Aeva enjoys riding motorcycles up and down the west coast.

01:37 - Aeva describes a day in the life at CISA
02:38 - Details on the use of open source in the public sector
04:27 - Why open source needs corporate investment to maintain security
06:20 - Aeva shares what their second year at CISA looks like
07:58 - Aeva answers Omkhar’s rapid-fire questions
09:28 - Advice for people entering the world of security
10:16 - Certs are nice to have, but they aren’t everything
10:42 - Aeva’s call to action for listeners

Episode links:
Aeva Black on LinkedIn
CISA Open Source Security Roadmap
Get involved with the OpenSSF community
Aug 13, 2024 • 12min

Google’s Andrew Pollock and Addressing Open Source Vulnerabilities

Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. With a background as an Enterprise Security Engineer, he has extensive experience in large-scale Linux Systems Administration and GCP Security. Andrew is passionate about the human factors in security, focusing on scalable solutions, great user experiences and self-service opportunities. He has primarily worked in Linux/Unix environments as a Site Reliability Engineer or Security Engineer, with a strong interest in process improvement and automation.

00:52 - Andrew shares his background as a “mid-90s data nerd”
02:31 - Managing vulnerabilities in the open source ecosystem
03:57 - How to navigate inconsistent metadata
06:26 - The challenge of source attribution
07:54 - The rapid-fire round
09:15 - Andrew’s advice to open source developers
10:22 - Andrew’s call to action to developers

Episode links:
Andrew Pollock on LinkedIn
Getting to know the Open Source Vulnerability format
OSV.dev
Get involved in the OpenSSF community
Jul 30, 2024 • 18min

Rust Foundation’s Bec Rumbul and Succeeding as a “Non-Techie” in a Tech-Heavy Industry

Bec Rumbul is the Executive Director and CEO of the Rust Foundation, a global non-profit that stewards the Rust language, supports maintainers, and ensures that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency and developing tools to improve digital participation.

02:57 - Bec shares her day-to-day activities with the Rust Foundation
04:53 - Bec on her sometimes tricky responsibilities during her time at the U.N.
06:35 - How Bec communicates the importance of memory safety and Rust with stakeholders
09:47 - Surprises related to organizations that are adopting Rust
11:50 - Impediments to Rust adoption
13:44 - Bec answers Omkhar’s rapid-fire questions
15:49 - Advice Bec would give a non-technical person entering a technical field
17:09 - Bec’s call to action for listeners

Episode links:
Bec Rumbul on LinkedIn
Rust Foundation homepage
Get involved with OpenSSF
Jul 16, 2024 • 22min

Sonatype’s Brian Fox and the Perplexing Phenomenon of Downloading Known Vulnerabilities

Brian Fox is Co-founder and Chief Technology Officer at Sonatype, bringing over 28 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises. A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world's largest repository of open-source Java components, which recently surpassed a trillion downloads annually.

As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use.

00:57 - Brian shares his background
03:56 - The confusing trend of people downloading assets on Maven with known vulnerabilities
08:16 - How this trend continues in other repos
11:08 - Brian and CRob discuss Log4Shell
16:54 - Brian answers CRob’s rapid-fire questions
18:46 - Brian’s advice for up-and-coming security professionals
19:50 - Brian’s call to action

Episode links:
Brian Fox on LinkedIn
Sonatype’s 2023 State of the Software Supply Chain Report
Get involved with OpenSSF
Jul 2, 2024 • 22min

Arun Gupta and Giving Back to Security Communities

Arun Gupta is vice president and general manager of Open Ecosystem Initiatives at Intel Corporation and the OpenSSF Governing Board Chair. Arun has been an open source strategist, advocate, and practitioner for nearly two decades. He has taken companies such as Apple, Amazon, and Sun Microsystems through systemic changes to embrace open source principles, contribute, and collaborate effectively.

On July 9th and 10th, the OpenSSF will attend the 2024 OSPOs for Good symposium hosted by the UN. What’s in the SOSS? co-host Omkhar Arasaratnam and Arun will lead a session called “Engaging the Open Source Community.”

Following the symposium on July 11th, attendees are invited to come to a secondary event, What’s Next for Open Source? It will feature a collection of curated workshops to discover how to build and gather the skills you need to move forward with open source. Omkhar is coordinating the security track and presenting opening remarks. Arun will offer closing remarks.

02:13 - Arun’s general outlook on security and life
03:39 - Arun shares his personal background and illustrious career history
09:04 - Comparing the OpenSSF and the Cloud Native Computing Foundation (CNCF)
13:30 - Arun details his work with the United Nations
16:42 - Areas that a lot of security professionals are getting wrong
18:20 - Arun answers Omkhar’s rapid-fire questions
19:08 - Advice Arun would give to aspiring security professionals
20:40 - Arun’s call to action for listeners

Episode links:
OSPOs for Good 2024
What’s Next for Open Source event
Arun Gupta’s LinkedIn profile
CNCF homepage
United Nations Sustainable Development Goals
Get involved with OpenSSF
