From YouTube: OpenSSF Day at OSS NA - Improving Global Software Supply Chain Security with Alpha-Omega
Description
OpenSSF Day at Open Source Summit North America - Improving Global Software Supply Chain Security with Alpha-Omega - Michael Scovetta, Microsoft & Michael Winser, Google
A
As our next group of presentations, I am proud to introduce you all to the Michaels. They are here to talk about Alpha and Omega. Our first Michael, Michael Winser, is a product manager of software supply chain and CI/CD at Google. You might have heard of it. Winser has been building websites and applications since 1984 and today focuses on securing the open source supply chain as a leader of the Alpha and Omega project and a regular contributor to assorted OpenSSF projects and working groups.

The other Michael, Mr. Scovetta, is a Principal Security Program Manager at Microsoft and co-chair of the Identifying Security Threats Working Group. He helps research and mitigate security threats and is also a co-lead of Alpha and Omega, which I think we're going to hear a little bit about in seconds from now, and he is trying to bring better tooling and resources to the open source ecosystem. So please give the Michaels a warm round of applause.
B
Let's go. All right, for disambiguation, I am Michael Winser. Michael, let's go. So we're gonna talk about Alpha-Omega. We have a lot to cover, we'll probably go too fast, have fun, and we have a slight clicker. Great. So our mission is really about, like, the problem here to solve, which is common to everybody here. You know, like, making open source security possible is a huge undertaking: understanding the problem, why is it on, why is it secure, where are the problems coming from?

What can we do? And at the end of the day it really comes down to direct action, right? We're not here to go and create the next future of open source tooling and protocols and standards. We're here right now to start applying our energies to making open source more secure today, which really leads to a pretty obvious vision statement of where we want to, what we want to achieve. Won't actually be possible, right.

We want critical open source projects to be secure, the ones that are the most critical, the most important to everybody. Like, just start by getting those to be in a secure place, and understanding when they're not and how to get them there, and the vulnerabilities that are found are fixed quickly. There's a lot to put into that, and I want to sort of understate how, you know, how hard this is. It's hard, we're still learning a lot of things. We'll jump right in.

This is the team. There's a lot of incredible people supporting from the Linux Foundation, helping, but ultimately the sort of executive function of the group right now is myself, Michael, and Brian sitting down here hiding away, and we meet on a regular basis and are driving towards sort of the mission we've described, the vision we're doing, building a team to get there and hopefully spending our money.

We're still hiring. You know, right now this is basically being done on my sort of, my other job, including all the other jobs I have at Google, and I think Michael is in the same boat. We are hiring folks for Alpha-Omega, we'll talk more about that later on as well.
C
It's, you know, we're not forking open source projects and taking them over. We're not trading zero days among the OpenSSF or the Alpha-Omega team, or anything like that, and we're also not looking to build an automated scanner that just finds kind of junk vulnerabilities and tosses them over the fence to maintainers. We want the maintainer experience to be delightful. We want them, you know, to get very high quality, actionable, real vulnerabilities, along with the help, if they would like it, to fix it.

So we're here with our sleeves rolled up and we are here to help, but Alpha and Omega have different focuses. So Alpha is primarily against the most critical open source projects, so you could think of this as around 100, 150, but there's a very long tail of still very widely used, but not in the top 100, 150 projects. So what we thought was that with Alpha, because it's a relatively small number of projects, we could put dedicated people on those projects, whether we're funding.

Only because, you know, tooling is not perfect, so we expect the results to come out. We sort them. We prioritize. In particular, when we talk about who we're actually hiring, you'll see that a lot of the focus is on this Omega toolchain being very, very high quality.

What this really means, since we're talking about Omega: we have lots of open source projects, we take the, this is somewhere on the order of 10,000 projects. We think we can do more than that, but if we just start there, and we're going to use tools like CodeQL and Semgrep, and basically the best tools that are out there. We're open to working with commercial vendors who have other static analysis and fuzzers, and things like that.

But essentially we want to turn that into a black box that takes in an open source project and spits out a list of high quality vulnerabilities. They're going to be triaged by researchers who are going to be staff for Alpha-Omega, and then with them we work with the open source community to get them fixed.
B
So for Alpha, you know, I mentioned we're hiring. Did I mention we're hiring? We're hiring. But we're sort of like that kid who just got that sort of, you know, gift card for Christmas or a holiday gift or something like that. There's money burning a hole in our wallet and we want to go spend on some toys. We want to spend the money on making things more secure, and we also really want to look at ways that we could, you know, really maximize the impact early on. And, you know, because our, so a simple way of putting it: we're still learning about all the different ways to turn money into security, and I think one of the areas that we are sort of seeing as a tremendous opportunity is actually working through the single sort of most leveraged points of contact that we can find across the open source community: the foundations.

And so, you know, we will be working with the foundations to directly fund initiatives and efforts within those foundations to help them fix their security culture, improve their security outcomes, actually fix specific vulnerabilities, shore up whatever missing gaps they are. I think we all need to start recognizing this is an industry-wide tech debt that has been unfunded, understood, unrealized and is now looming large, and it requires additional effort to get there.

It's sort of like a Y2K problem without the same clarity of the problem, the solution, or the date, which is a great place to be, right. So we have some exciting news today. We've actually been working with a bunch of foundations, and I'm now going to call on a couple of our partners to come up and speak. Dustin, would you mind jumping up right now? I'll procure a microphone, make sure that it's gotten on.
D
Folks, so I'm Dustin Ingram. I'm on Michael's team on the Google Open Source Security Team. I'm also a director of the Python Software Foundation, and if you're not familiar with the PSF, the PSF is the organization that sort of owns and maintains Python the language and some other projects.
D
It's not going to be entirely volunteer based, and then, through that person, they will address new security issues in all of the PSF's projects, but primarily within CPython and things on PyPI and PyPI itself. So I'm super excited about this, both as an open source developer and as a director of the PSF and as a contributor to the OpenSSF. So this is super exciting, and now, thanks.
B
All right, great. So we'll also have Mikaël come up from the Eclipse Foundation. Thank you, Dustin. By the way, Dustin had exactly five minutes, maybe seven minutes' warning he was gonna be giving this talk this morning. He had not even seen the slides, which shows, I think, just how well he understands the problem here. Mikaël, you're up.
E
Thank you. So, one another Michael, except it responds differently. I'm Mikaël Barbero, I'm the head of security of the Eclipse Foundation. So for those of you who don't know us, we are a European-based open source foundation. We provide an environment for open source collaboration and innovation to individuals and companies.

We are a not-for-profit, membership-based foundation, so they are our strategic members, so those who are participating the most and are part of our board of the foundation. By the numbers, we are mainly, we have many, many projects, so 420 or more projects, a lot of contributors as well. Two-thirds of those contributors are actually from Europe, and two-thirds of our member companies are also from Europe. So that's why we pivoted to Europe.

We have projects also around open hardware, with co5, Eclipse Jetty, the HTTP server, Keyple for NFC keycards, Paho, MQTT implementation, so a wide range of projects. All those projects are organized into key focus areas. So we are mainly, we started as a tools foundation providing Eclipse IDE and other tools around the IDE community.

We are also very focused on IoT, a lot of MQTT implementations and other protocols, automotive. We have the new working group that has just been created, the Software Defined Vehicles, to help promote open source software around the next generation of cars, and also cloud-native Java with the new Java enterprise, which has joined the foundation a couple of years ago already.

So we are managing those projects. We are working with these projects by providing to them four pillars. We used to provide them four pillars of open source. So, first, infrastructure: we provide tools and services hosted at the foundation. We provide ecosystem development with marketing, conferences and other communication.

We provide governance, we have a strong process for developing open source software and also for managing IP and trademarks for those projects, so that's very important to get a level playing field and a freedom of action for all those projects, that someone, the foundation, manages for them. And today, thanks to the Alpha-Omega, another initiative, we want to provide a new pillar, a new pillar service, for projects around security and, more specifically, on supply chain security.

So, with the Alpha-Omega investment, we would like to tackle three main issues. At first, it's first the automation of generating SBOMs, so SBOM is very important for our projects. We want to automate that for them. We don't want to put the burden of generating SBOMs on their shoulders; they're already burned out, are very busy doing other things. So we want to help them with that, so we will start with static, source-based SBOMs and maybe move to some more sophisticated ones later on.

And finally, we initiate a number of security audits with our projects, with the help of OSTIF, for instance, and other audit companies, so for some of the high-profile foundation projects. So we will start soon, probably with the Eclipse IDE project and the update process, and we are still working with others who are willing to participate in such code audits.
B
So this is all pretty exciting stuff. In the spirit of, like, last-minute presenters, anybody from Node here today? We've been putting this deck together kind of on the fly, obviously, but last, earlier this year we actually already funded with the Node foundation a similar effort, investing in a similar sort of developer in residence, focused on security for the Node community, and putting together, towards, you know, figuring out what they want: practices, audits.

You know, triaging, things like that. They have a long list of things they already know need to be worked on. We're very excited to be part of that effort as well. I want to emphasize again that what we're doing here is experimentation.

Nobody knows how to do this right, and part of what the work is happening here with these three foundations is, it's going to be a monthly report back to us about how it's playing out, right. A lot, I'm like, well, what do you want to do? What details do you want us to have? Like, you figure it out. Go, you know your stuff, go figure it out and tell us how it worked out, because then we can actually play that back, loop it back to the community, help the other foundations learn from each other and build on that, which is really how we're trying to tie it all together. Right, Alpha-Omega is a giant experiment. We're basically just throwing money into the pile and seeing if we can figure out how to turn that into security. At the end of the day it's pretty obvious; if somebody could fill in step four again, volunteers are welcome.

We'd be super happy to have that figured out, but this is what we're watching in action right now. We're gonna watch the various efforts happening in these foundations, the work that we're going to do directly inside Omega with our own security research.

What's already happening right now, and then, as we add more people to that project, more things will happen, and we'll keep reporting back how it goes. Out there's a very clear, hands-on, we're doing it now, we're putting money into it now, and we're seeing what happens with it. As a part of the news today, I'm super... Is Madeira in the room today? Is Madeira here?

Is there... there's everyone saying hi to Madeira. Madeira is one of my colleagues at Google, has been administering this program called SOS, sos.dev, which has been about paying bounties back for fixing vulnerabilities, and we're pretty excited to be working with Madeira and the SOS program to bring it into Alpha-Omega. It's very mission aligned to what we're doing, you know. One of the first things we hear is, like, well, you're going to find all these vulnerabilities, who's going to fix them? And there's usually another word after that.

Some epithet of some kind. And, you know, again, we're learning, we're figuring it out, but SOS is a great place to start doing that. This is something we started in October last year. We put a bunch of money in towards that and paying it out to developers coming in. Some developers have figured out, are showing up very regularly. Great, we love that, but we'd like to see a broader involvement there, and we're going to use our sort of umbrella and pulpit, if you will, to broadcast that out.
C
So whenever we present this, people ask, how can I get involved? You know, the Alpha-Omega team, you know, we're small. We have monthly meetings, or monthly public meetings, but there's lots of other ways where you can get involved and help advance the Alpha-Omega mission. So the first: get involved in the working groups. If you're not already regularly attending any of them, just join. Pick one that sounds interesting, join; if it's not for you, join a different one.

The Alpha-Omega announcements mailing list, you can join that; you'll see at least the high-level things that come up. We have the Slack channel, which is pretty regular; you know, there's activity going on there. There's also an interest form, but if you're interested in getting, you know, deeper involved, just contact us.

Let's talk. As we learn and as we experiment, we're going to find new opportunities where, you know, something can be, you know, easily kind of carved off and run separately, and what we really want to do is, you know, work on one Alpha-Omega to be driving a mission but be spawning off separate projects that are doing specific things. So the same way that we don't want to reinvent coordinated vulnerability disclosure, we just want to use whatever process the OpenSSF, you know, likes and advocates for.

Similarly, you know, in terms of tooling, we want the tooling, the toolchain that we use for Omega, to be public. So we would invite contributions and improvements there from anyone, and even to the point of, you know, when I talked about Alpha-Omega, but we're talking about the Alpha side, you know, those top hundred, hundred and fifty: we're not deciding those hundred and fifty, we're relying on the Critical Projects Working Group to define out that list and we're kind of pulling from there.

So there's lots of opportunities to get involved, and we're hiring, I mentioned.
C
So we have three roles that are active right now that we're looking for. First one is a lead project manager, program manager. This is again mostly because Michael and I both, this is our fourth job, and we do not want to be bottlenecks to this, so we want someone to come in and focus, you know, exclusively on driving this program. But we also want the two roles on the right side, which are mostly about Omega. The middle one, the engineer, is to build this amazing toolchain that takes in an open source project and spits out a high quality vulnerability, and on the right side, that's basically the triager, so understand what a vulnerability is.

So I'm super excited to, you know, to have Alpha-Omega kind of continue. We haven't been around for that long. We've spent... Alpha-Omega was started with a five million dollar investment fund, so to date, I think we've spent, well, between Node, Eclipse and Python we're spending around 20 percent of that. So we want to spend more. We want to do more with this. We want to learn lots and iterate and keep going. So if you have any questions, if we have time.
B
We have three minutes for questions. Three whole minutes, three whole minutes, so answers might take longer and be outside, but we'll take the questions and, if not, we're happy to meet outside and chat anyway. So, all right, we've stunned them into silence. Michael, that's perfect. By the way, there's no truth to the rumor that you have to be named Michael in order to work at Alpha-Omega.