What's in the SOSS? An OpenSSF Podcast

Latest episodes

Sep 3, 2024 • 23min

GitHub’s Mike Hanley and Transforming the “Dept. of No” Into the "Dept. of Yes, And…”

In this episode, Omkhar chats with Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community. When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and nine kids.

01:21 - Mike shares insight into transporting a family of 11
02:02 - Mike’s day-to-day at GitHub
03:53 - Advice on communicating supply chain risk
08:19 - Transforming the “Department of No” into the “Department of Yes And…”
12:44 - AI’s potential impact on secure open source software and, specifically, on software supply chains
18:02 - Mike answers Omkhar’s rapid-fire questions
19:26 - Advice Mike would give to aspiring security or software professionals
20:38 - Mike’s call to action for listeners

Links:
Mike Hanley on LinkedIn
DARPA AI Cyber Challenge
Get involved with the OpenSSF
Aug 27, 2024 • 12min

CISA's Aeva Black and the Public Sector View of Open Source Security

In this episode, Omkhar Arasaratnam visits with Aeva Black, who currently serves as the Section Chief for Open Source Security at CISA, and is an open source hacker and international public speaker with 25 years of experience building open source software projects at large technology companies. She previously led open source security strategy within the Microsoft Azure Office of the CTO, and served on the OpenSSF Technical Advisory Committee, the OpenStack Technical Committee, and the Kubernetes Code of Conduct Committee. In her spare time, Aeva enjoys riding motorcycles up and down the west coast.

01:37 - Aeva describes a day in the life at CISA
02:38 - Details on the use of open source in the public sector
04:27 - Why open source needs corporate investment to maintain security
06:20 - Aeva shares what their second year at CISA looks like
07:58 - Aeva answers Omkhar’s rapid-fire questions
09:28 - Advice for people entering the world of security
10:16 - Certs are nice to have, but they aren’t everything
10:42 - Aeva’s call to action for listeners

Episode links:
Aeva Black on LinkedIn
CISA Open Source Security Roadmap
Get involved with the OpenSSF community
Aug 13, 2024 • 12min

Google’s Andrew Pollock and Addressing Open Source Vulnerabilities

Episode description: Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. With a background as an Enterprise Security Engineer, he has extensive experience in large-scale Linux Systems Administration and GCP Security. Andrew is passionate about the human factors in security, focusing on scalable solutions, great user experiences and self-service opportunities. He has primarily worked in Linux/Unix environments as a Site Reliability Engineer or Security Engineer, with a strong interest in process improvement and automation.

00:52 - Andrew shares his background as a “mid-90s data nerd”
02:31 - Managing vulnerabilities in the open source ecosystem
03:57 - How to navigate inconsistent metadata
06:26 - The challenge of source attribution
07:54 - The rapid-fire round
09:15 - Andrew’s advice to open source developers
10:22 - Andrew’s call to action to developers

Episode links:
Andrew Pollock on LinkedIn
Getting to know the Open Source Vulnerability format
OSV.dev
Get involved in the OpenSSF community
Jul 30, 2024 • 18min

Rust Foundation’s Bec Rumbul and Succeeding as a “Non-Techie” in a Tech-Heavy Industry

Bec Rumbul is the Executive Director and CEO of the Rust Foundation, a global non-profit that stewards the Rust language, supports maintainers, and ensures that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency and developing tools to improve digital participation.

02:57 - Bec shares her day-to-day activities with the Rust Foundation
04:53 - Bec on her sometimes tricky responsibilities during her time at the U.N.
06:35 - How Bec communicates the importance of memory safety and Rust with stakeholders
09:47 - Surprises related to organizations that are adopting Rust
11:50 - Impediments to Rust adoption
13:44 - Bec answers Omkhar’s rapid-fire questions
15:49 - Advice Bec would give a non-technical person entering a technical field
17:09 - Bec’s call to action for listeners

Episode links:
Bec Rumbul on LinkedIn
Rust Foundation homepage
Get involved with OpenSSF
Jul 16, 2024 • 22min

Sonatype’s Brian Fox and the Perplexing Phenomenon of Downloading Known Vulnerabilities

Brian Fox is Co-founder and Chief Technology Officer at Sonatype, bringing over 28 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises. A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world's largest repository of open-source Java components, which recently surpassed a trillion downloads annually.

As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use.

00:57 - Brian shares his background
03:56 - The confusing trend of people downloading assets on Maven with known vulnerabilities
08:16 - How this trend continues in other repos
11:08 - Brian and CRob discuss Log4Shell
16:54 - Brian answers CRob’s rapid-fire questions
18:46 - Brian’s advice for up-and-coming security professionals
19:50 - Brian’s call to action

Episode links:
Brian Fox on LinkedIn
Sonatype’s 2023 State of the Software Supply Chain Report
Get involved with OpenSSF
Jul 2, 2024 • 22min

Arun Gupta and Giving Back to Security Communities

Arun Gupta is vice president and general manager of Open Ecosystem Initiatives at Intel Corporation and the OpenSSF Governing Board Chair. Arun has been an open source strategist, advocate, and practitioner for nearly two decades. He has taken companies such as Apple, Amazon, and Sun Microsystems through systemic changes to embrace open source principles, contribute, and collaborate effectively.

On July 9th and 10th, the OpenSSF will attend the 2024 OSPOs for Good symposium hosted by the UN. What’s in the SOSS? co-host Omkhar Arasaratnam and Arun will lead a session called “Engaging the Open Source Community.”

Following the symposium on July 11th, attendees are invited to come to a secondary event, What’s Next for Open Source? It will feature a collection of curated workshops to discover how to build and gather the skills you need to move forward with open source. Omkhar is coordinating the security track and presenting opening remarks. Arun will offer closing remarks.

02:13 - Arun’s general outlook on security and life
03:39 - Arun shares his personal background and illustrious career history
09:04 - Comparing the OpenSSF and the Cloud Native Computing Foundation (CNCF)
13:30 - Arun details his work with the United Nations
16:42 - Areas that a lot of security professionals are getting wrong
18:20 - Arun answers Omkhar’s rapid-fire questions
19:08 - Advice Arun would give to aspiring security professionals
20:40 - Arun’s call to action for listeners

Episode links:
OSPOs for Good 2024
What’s Next for Open Source event
Arun Gupta’s LinkedIn profile
CNCF homepage
United Nations Sustainable Development Goals
Get involved with OpenSSF
Jun 18, 2024 • 18min

Stacklok's Adolfo García Veytia Digs Into SBOMs and VEX

Adolfo García Veytia, a Staff Software Engineer at Stacklok, delves into the importance of SBOMs, VEX projects, and standards in the software supply chain. He shares insights on open source contributions, communication tools, and advice for aspiring professionals.
Jun 11, 2024 • 20min

A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS?

Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. He also serves as the OpenSSF’s Technical Advisory Committee (TAC) Chair. And soon, CRob will step into another role: co-host of What’s in the SOSS? With 25 years of enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the financial, medical, legal, and manufacturing verticals. He also spent six years helping lead the Red Hat Product Security team as their Program Architect.

00:57 - CRob’s day-to-day activities and his affiliation with the OpenSSF
03:15 - The insight CRob will bring to the podcast as co-host
05:46 - What developers writing “post-bang” code should be considering
08:40 - Lessons open source could learn from corporate and vice versa
12:17 - CRob explores the evolution of open source
14:22 - CRob answers Omkhar’s rapid-fire questions
15:57 - CRob’s advice to people entering the cybersecurity field
18:18 - CRob’s call to action for listeners: give back

Episode links:
CRob’s LinkedIn page
More content with CRob
Jun 4, 2024 • 15min

OpenAI’s Matt Knight and Exploring the Intersection of AI and Open Source Security

Matt Knight is Head of Security at OpenAI, where he builds IT, privacy and security programs. His teams also collaborate on security research with teams across OpenAI and with the broader security research community. Their goal is to explore the frontier of AI, understand its impacts and maximize its benefits, especially in the cybersecurity domain.

00:40 - Matt’s duties at OpenAI
01:52 - Matt’s accidental journey into cybersecurity
05:18 - The intersection of AI and open source
06:45 - Matt’s thoughts on how AI can help security professionals
08:53 - Details on the AI Cyber Challenge (AIxCC)
10:53 - Matt answers Omkhar’s rapid-fire questions
12:29 - Advice Matt would give to aspiring security professionals
13:00 - Matt’s call to action for listeners

Episode links:
Matt Knight’s LinkedIn page
GNU Radio
AIxCC Challenge
OpenAI Cybersecurity Grant Program
May 21, 2024 • 16min

Eric Brewer and the Future of Open Source Security

Professor Eric Brewer discusses improving security in corporate vs. open source environments, advancements in open source, making software repositories more secure, and the next big hurdle in open source security. He also shares rapid-fire answers about food preferences and tech tools, along with advice for aspiring security professionals.