Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Alpha-Omega / 15 Jul 2022
OpenSSF / Alpha-Omega / 15 Jul 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenSSF Day at OSS NA - Improving Global Software Supply Chain Security with Alpha-Omega

Description

OpenSSF Day at Open Source Summit North America - Improving Global Software Supply Chain Security with Alpha-Omega - Michael Scovetta, Microsoft & Michael Winser, Google

A

uh As our next group of presentations, I am proud to introduce you all to the michaels. uh They are here to talk about alpha and omega. Our first michael michael windsor is a product manager of software supply chain and ci cd at google. You might have heard of it. uh Windsor has been building websites and applications since 1984 and today focuses on securing the open source supply chain as a leader of the alpha and omega project and a regular contributor to assorted openss projects and working groups.

A

The other michael, mr scovera, is a principal security program, manager, microsoft and co-chair of the identifying security threats working group. He helps research and mitigate security threats and is also a co-lead of alpha and omega, which I think we're going to hear a little bit about in seconds from now, and he is uh trying to bring better tooling and resources to the open source ecosystem. So please give the michaels a warm round of applause.

B

Let's go all right for disambiguation, I am michael windsor, michael. Let's go that in uh so we're gonna talk about alpha omega. We have a lot to cover, we'll probably go too fast um have fun and uh we have a slight clicker great. So our mission is really about like the problem here to solve, which is common to everybody here, you know like making open source security possible, uh is a huge undertaking, understanding the problem that why is it on? Why is it secure? Where are the problems coming from?

B

What can we do uh and the other day it really comes down to direct action right, we're not here to go and create the next future of open source, tooling and uh protocols and standards. We're here right now to start applying our energies to making open source more secure today, which really leads to a pretty obvious vision. Statement of where we want to what we want to achieve won't actually be possible right.

B

We want critical, open source projects to be secure, the ones that are the most critical, the most important everybody like just start by getting those to be in a secure place and understanding when they're not and how to get them there and the vulnerabilities that are found are fixed quickly. There's a lot to put into that, and I want to sort of understate uh how you know how hard this is. It's hard, we're, still learning a lot of things, um we'll jump right in this.

B

Is the team uh there's a lot of incredible people supporting from the linux foundation, helping you, but ultimately, the uh sort of executive function of the group right now is myself, michael and brian sitting down here hiding away um and we meet on a regular basis and are driving towards sort of the mission we've described the vision, we're doing, building a team to get there and hopefully spending our money.

B

um We're still hiring. You know right now. This is basically being done on my sort of my other other job, including all the other jobs I have at google, um and I think michael, is in the same boat. We are hiring folks for alpha mega, we'll talk more about that later on as well.

B

So michael, you get the clicker now wonderful.

C

Thank you, so I do want to talk about and just level set like what is alpha omega really so alpha alpha and omega are two different kind of sub projects or areas.

C

The we all understand that open source is is key to the security of our society really, and I think this is a theme that you're going to hear you know throughout this week. Society needs open source to be secure. It's super important alpha omega is just one way of doing this. It is an experiment.

C

We want to try lots of different things and fail at some of them and succeed in others, and hopefully we move things forward, but alpha omega also is not certain things. It is not purely a fund to pay maintainers. It is not a certification process.

C

It's you know we're not forking open source projects and taking them over we're, not trading zero days among the uh among open ssf or the alpha mega team, or anything like that, and we're also not looking to build an automated scanner that just finds kind of junk vulnerabilities and tosses them over the fence to maintainers. We want the maintainer experience to be delightful. We want them. You know to get very high quality actionable real vulnerabilities, along with the help if they would like it to to fix it.

C

So we're we're here with our sleeves rolled up and we we are here to help, but apple and mega, have different focuses. So alpha is primarily against the most critical open source projects, so you could think of this as around 100 100 150, but there's a very long tale of still very widely used, but not in the top 100 150 projects. So what we thought was that with alpha, because it's a relatively small number of projects we could put dedicated people on those projects, whether we're funding.

C

You know, contract work working with other foundations, but this is where you can have someone spending months of time, helping a project or project ecosystem be be more secure.

C

Omega takes the opposite approach, where we do use automated tooling to look for high quality, real vulnerabilities, and then we triage them- and this is where it's even omega- is expensive.

C

Only only because you know tooling is not perfect, so we expect every the two results to come out. We sort them. We prioritize um in particular, when we talk about who we're actually hiring you'll, see that that a lot of the the focus is on this omega tool chain being very, very high quality.

C

What this really means from from since we're talking about omega, we have lots of open source projects we take the this is somewhere on the order of 10 000 projects. We think we can do more than that, but if we just start there and we're going to use tools like codeql and semgrep and basically the best tools that are out there, we're open to working with commercial vendors who have other static analysis and fuzzers, and things like that.

C

But essentially we want to turn that into a black box that takes in a open source project and spits out a list of high quality vulnerabilities they're, going to be triaged by researchers who are going to be staff of for alpha omega uh and then with them. We work with the open source community to get them fixed.

B

So for alpha, uh you know I mentioned we're hiring did I mention we're hiring we're hiring, um but we're sort of like that kid who just got that sort of you know um gift card for christmas or a holiday gift, or something like that. There's a money burning, a hole in our wallet and we want to go spend on some toys. We want to spend the money on making things more secure, and we also really want to look at ways that we could.

B

You know, really maximize the impact early on um and you know because our so simple way putting us we're still learning about all the different ways to turn money into security, and I think one of the areas that we are sort of, seeing as a tremendous opportunity, is actually working through the single sort of most leveraged points of contact that we can find across the open source, community, the foundations.

B

uh And so you know we will be working with the foundations to directly fund initiatives and efforts within those foundations to help them fix their security. Culture, improve their security outcomes, actually fix specific vulnerabilities shore up whatever missing gaps. They are, I think we all need to start recognizing. This is an industry-wide tech debt that has been unfunded, understood, unrealized and is now looming large, and it requires additional effort to get there.

B

uh It's sort of like a y2k problem without the same clarity of the problem, the solution or the date which great place to be right. So uh we have some exciting news. Today, we've actually been working with a bunch of foundations and I'm not going to call on a couple of our partners to come up and speak uh dustin. Would you mind jumping up right now, I'll procure a microphone make sure that it's gotten on.

A

The switch, I think it's already on.

B

So get you up come on up and you get a click or two.

D

Does this work okay,.

B

There we go hi, hey.

D

Folks, uh so I'm dustin ingram, I'm on michael's team on the google open source security team, I'm also a director of the python software foundation and uh if you're not familiar with the psf, the psf is the organization that sort of owns and maintains python the language and some other projects.

D

We also operate the python package index and we also produce pycon us, which is the largest python conference in the u.s, and we are there.

A

We go.

D

You don't know python whether you like it or not. Python is one of the most widely used programming languages and we've sort of recognized that security improvements for python and the ecosystem around it sort of have huge dividends for the entire open source community.

D

So alpha omega is planning to make an investment in the psf to support a security developer in residence.

D

This person, in addition to a security audit, so the security developer in residence, will sort of work with the psf as a staff, member of the psf to formalize some existing security practices that we have in terms of responding to security vulnerabilities in python, the language and packages on pipi, though we're going to also become more proactive in making some security improvements to those things.

D

It's not going to be entirely volunteer based uh and then, through that person, they will address new security issues uh in all of the psf's projects, but primarily within see, python and and things on pi, pi and pi pi itself. uh So I'm super excited about this, both as a open source developer and as a director of the psf and as a contributor to the open ssf. So this is super exciting and now, thanks.

D

And there's more so.

B

All right great so we'll also have them mikhail come up from the eclipse foundation. Thank you, dustin. By the way, dustin had exactly five minutes. Maybe seven minutes warning he was gonna, be giving this talk this morning um he had not even seen the slides, which shows, I think, just how well he understands the problem here. Miguel you're up.

E

Thank you so one another michael except responds differently. I'm michael barbero, I'm the head of security of the aqueous foundation. So for those of you who don't know us, we are european-based open source foundation. We provide an environment for open source collaboration and innovation to individuals and companies.

E

So we are very focused on the business friendly part of open source.

E

We are a not-for-profit membership-based foundation, so they are our strategic members, so those who are participating participating the most and are part of our board of the foundation by the number we are mainly. um We have many many projects, so 420 more projects, uh a lot of contributors as well. um Two-Thirds of those contributors are actually from europe and two-thirds of our companies member companies are also from europe. So that's why we pivoted to europe.

E

In the last couple of years, we used to be a 501 c3 and we now are based in brussels, belgium, as a a sbl, so international association not for profit.

E

You may know us by our projects, so we have many various projects, so we started with the eclipse id the good old desktop id, but you may have heard about adoption, which is a new adopt-a-pen jdk, which provides free, open source, secured build of open jdk.

E

We have projects also around open hardware, with co5 eclipse, gt, the http server keeper for nfc keycards power, mqtt implementation, so a wide range of projects, all those projects are organized into key focus areas. So we are mainly we started as a tools foundation providing eclipse id and other tools around the ide community.

E

We are also very focused on iot, a lot of mqtt implementations and other protocols, automotive. We have the new working group that has just been created. The software defined vehicles due to help promote open source software around the next generation of cars, um and also clone ft java with the new java enterprise, which has joined the foundation a couple of years ago already.

E

So we are managing those projects. We are working with this project by providing providing to them four pillars. We used to provide them four pillars of open source. So, first in infrastructure we provide tools and um services hosted at the foundation. We provide ecosystem development with marketing conferences and other communication.

E

We provide a governance, we have a strong process for developing open source software and also for managing iep and train marks for those projects, so that's very important to get a level playing field and a freedom of action for all those projects that someone the foundation manages for them. And today, thanks to alpha mega another initiative, we want to provide a new pillar, a new pillar service, for projects around security and, more specifically, on supply chain security.

E

So, with the the alpha mega investment, we would like to tackle three main issues at first, it's first, the automation of generating s-bombs, so s-bomb is very important for our projects. We want to automate that, for them we don't want to put the burden. The burden of generating s-bomb on their shoulders, they're already burned out, are very busy doing other things. So we want you to help them with that, so we will start with uh static, source-based, s-bomb and maybe move to some more sophisticated ones later on.

E

We will implement surveys, service, badging program for our projects, so that all of our projects will start at level zero and then we work with them to actually get their current level and help some of them to reach higher level of salsa.

E

And finally, we initiate a number of security audits with our projects, with the help of osti, for instance, and other cadet companies, so for some of the high profiles foundation projects. So we will start soon, probably with the eclipse ide project and the update process, and we are still working with other who are willing to participate in such code audits.

B

Perfectly here, thank you.

B

So this is all pretty exciting stuff um in the spirit of like last minute, presenters anybody from node here today, um we've been putting this deck together kind of on the fly. Obviously, but uh last earlier this year we actually already funded with node foundation, similar effort uh investing in a similar sort of developer in residence, focused on security for the node community um and putting together towards you, know, figuring out what they want practices audits.

B

um You know triaging the things like that they have a long list of things they already know needs to work on we're very excited to be part of that effort as well. I want to emphasize again that what we're doing here is experimentation.

B

Nobody knows how to do this right and part of what the work is happening here with these three foundations. Is it going to be a monthly report back to us about how it's playing out right a lot I'm like? Well, what do you want to do? What details do you want us to have like you figure it out? Go you know your stuff go figure it out and tell us how it worked out, because then we can actually play that back loop.

B

It back to the community, help the other foundations learn from each other and build on that which is really how we're trying to tie it all together. Right, alpha omega is a giant experiment, we're basically just throwing money into the pile and see if we can figure out how to turn that into security of the day. um It's pretty obvious if somebody could fill in step. Four again volunteer is welcome.

B

uh We'd, be super happy how that figured out, but this is what we're watching in action right now we're gonna watch the various efforts happening in these foundations. The work that we're going to do directly inside omega with our own security research.

B

What's already happening right now and then, as we add, more people to that project, more things will happen and we'll keep reporting back how it goes out, there's a very clear, hands-on, we're doing it now we're putting money into it now and we're seeing what happens with it um as a part of the news today, I'm super is madeira in the room today is my dare here?

B

Is there there's there's everyone saying hi to midair midair is one of my colleagues at google has been administering this program called sos sos.dev, which has been about paying bounties back for fixing vulnerabilities and we're pretty excited to be working with midair and the sos program to bring in the alpha omega. It's very mission aligned to what we're doing you know. One of the first things we hear is like well you're going to find all these vulnerabilities who's going to fix them, and there's usually another word after that.

B

Some epithet of some kind- um and you know again we're learning we're figuring it out, but sos is a great place to start doing that. This is something we started in october last year. We put a bunch of money in towards that and paying it out to developers coming in some developers have figured out are showing up very regularly great. We love that, but we'd like to see a broader involvement there and we're going to use our sort of umbrella and pulpit if you will to broadcast that out.

B

So with that michael you're, back up clicking for you cool.

C

So whenever we present this people ask how can I get involved? You know the the alpha mega team. You know we're small, we meet it's, we don't we. We have uh monthly meetings uh or monthly public meetings, um but there's lots of other ways where you can get involved and help to uh help advance the alpha omega mission. So the first get involved in the work groups, if you're not already regularly attending any of them just join pick one that sounds interesting join if it's not for you join a different one.

C

The alpha mega mail announcements mailing list- you can join that you'll you'll see at least the high level things that that um that come up. We have the slack channel, which is pretty regularly. um You know, there's activity going on there there's also an interest form, but if you're interested in getting you know deeper involved, just contact us.

C

Let's, let's talk um as we learn and as we experiment we're going to find new opportunities where you know something can be, you know easily kind of carved off and run separately, and what we really want to do is you know, work on one alpha omega to be driving a mission but be spawning off separate projects that that are that are doing specific things, so the same way that we don't want to reinvent coordinated vulnerability disclosure we just want to use whatever whatever process the open ssf you know likes and advocates for.

C

Similarly, um you know in terms of in terms of tool- and we want the tooling the tool chain that we use for omega to be public. So we would invite contributions and improvements there from from anyone, uh and even to the point of you know when, when I talked about alpha omega, but we're talking about the alpha side, you know those top hundred hundred and fifty we're not deciding those hundred and fifty we're relying on the critical projects um working group to define out that list and we're kind of pulling from there.

C

So there's lots of opportunities to get involved um and we're hiring. I mentioned.

B

That right we're hiring. I think I mentioned that a couple of times yeah, we are rob you looking for job.

C

So we have three three roles that are active right now that we're looking for uh first one is a lead, lead project manager, program manager. This is again mostly because michael and I both this is our fourth job, and we do not want to be bottlenecks to this, so we want someone to come in and focus you know exclusively on driving this program, um but we also want the two roles on the on. The right side are mostly about omega the middle one.

C

The the engineer is to build this amazing tool chain that um that takes in an open source project and spits out a high quality vulnerability and on the right side. It's it's. That's, basically, the the triager so understand what a vulnerability is.

C

How is it, what rating is it working with the upstream projects to get it fixed and owning that kind of end to end so job descriptions are all on the front page of openssf.org. If you know anybody, please refer them. If you're interested, please apply.

C

So I'm super excited to to you know kick uh to have alpha omega kind of continue. We haven't been around for that long. um We've spent uh alpha mega was started with a five million dollar investment fund, so we've to date. I think we've spent well between node, eclipse and and and python um we're spending around 20 of that. So we want to spend more. We want to do do more with this. We want to learn, lots and iterate and and keep going. So if you have any questions, if we have time.

B

We have three minutes for questions. Three whole minutes three whole minutes, so answers might take longer and be outside, but we'll take the questions and, if not we're happy to meet outside and chat anyway. So all right, we've stunned them into silence. Michael that's perfect. um By the way, there's no truth to the rumor that you have to be named, michael in order to work at alpha omega.

B

But you know it doesn't hurt all right again. Thanks very much. Everyone have a great talk for the rest of sessions.