Description
Fireside Chat - Brian Behlendorf, OSSF & Jamie Thomas, IBM
---
Open source software is pervasive in data centers, consumer devices, and applications. Securing open source supply chains requires a combination of automated tooling, best practices, education, and collaboration.
Join the growing list of organizations supporting the advancement of securing open source technology and funding the development and adoption of OpenSSF initiatives. https://openssf.org/
A: We had a conversation like this in Austin as well, and I thought it'd just be really great for our audience to understand this side of OpenSSF, which is not just about connecting the developer community and the maintainers community and helping benefit broadly the people on the front lines of building open source code, but also helping align the business community as well with what we're trying to do and the importance of this and the like, and so I really appreciated having you on our board and the leadership you've shown in helping wrestle, you know, a very large board we have at this point with a lot of divergent ideas. But I thought it'd be helpful just for folks to understand your journey and kind of how you think about this stuff and get to know you better, and so, yeah, I thought we could dive into that. Is that...

B: Something okay? Sounds good. And first of all, thanks to all of you who stayed here through a long day, and the energy that we still got with all the presenters at the end of the day, really impressive, and all of you out there in the ether. This is such an important topic, and so I really appreciate your time. I started my career as a software developer, and so I had upfront experience over the years producing software and then being part of larger offering teams inside the IBM company.

B: When I started really working on software in IBM, we really didn't have a software business, so I saw the business go from virtually zero to 20 billion over a period of time. So it's quite a large business, and of course we acquired many firms, including Red Hat, and then I eventually moved over to the systems business to own software and ended up owning the hardware, and through a lot of this journey...

B: First of all, you can't really do anything with hardware without software, last time I checked, so they're intricately linked from a value proposition, and the journey gives me a lot of perspective on things that are really quite important now and complex, which is primarily product security, and so over the years I had a lot of opportunity to work on product security domains. In terms of how we do things as developers, I'd say the landscape has changed a lot over the last decades.

B: Software pipelines, ineffective CI/CDs, whatever we want to call them, only get manifested at a much more important rate and pace, if you will, when you start talking about the topics we've discussed here today, which is open source and the complexity that is now brought to the table. So I think this is a very fascinating topic. It will keep all of us gainfully and poorly employed for as long as we want to work, and I'm happy to bring my perspective to the governing board of OpenSSF. Well...

A: We've heard a fair bit about how things are technically different these days, you know, the rise of certain kinds of supply chain attacks and that sort of thing. But what do you think is different over the last five years in terms of how the business community as a whole looks at cyber security, how they think about supply chain attacks, but things that you think we as OpenSSF should be tracking or are tracking now, thanks to kind of this insight?

B: The fact that not all open source, for instance, was curated; the fact that security has always been a challenging discipline to get developers to pay attention to. In many cases, productivity has won out over security. The fact that many organizations are running such aged software, and it was all about return on the investment, not necessarily about the age and the implications of that age. And when you look at embedded systems, when you look at things like manufacturing systems and systems that are in power and utilities, it even becomes a much...

B: You know, stronger aging, if you will, and challenge that you have to deal with. In fact, I have some manufacturing systems that I just have to firewall off in like triple layers of firewalls, because they're running Windows 7, and it's a hardened device where you have to, you know, replace something that maybe costs millions of dollars to eliminate the Windows 7...

B: You know, form factor out of there. So I think that in the last few years, you know, all of this has really come to a head in that, unfortunately, the bad guys are utilizing a lot of this as an opportunity to extract funding and money.

B: There is a lot of ransomware, of course, and a lot of attacks that do come in from nation-state organized actors. For all of us that run cyber operations, you're able to sit there every day and see exactly where they're coming from, which country the attacks are coming from, and so you sit there and say: okay, these are coming from X, these are coming from Y, these are coming from Z.

B: The rate and pace of these more sophisticated attacks in the last few years, of course, stimulated the need for OpenSSF and all the dialogue with the U.S. government and other governments, because we had a series from SolarWinds to Kaseya to Log4j, and I would argue that for all of us that deal with cyber, we had to treat the Russian invasion as another cyber attack.

B: So it really changed the landscape. So you see this tsunami of regulation. I get copied on regulation every week from our government relations team, and it is just enormous. It is hundreds and hundreds of pages of proposed regulation and/or documents coming out from CISA, from the U.S. government, from other governments around the world, and I can't even imagine small organizations being able to consume this. We at IBM are struggling to consume this amount of documentation, to comment on it and that kind of thing.

B: So the other thing that's in a lot of this documentation is that boards are going to be held accountable. You better have your cyber act together if you're on a board of directors. There is proposed legislation that boards will have to manifest certain skills and things like that. Now, all this legislation actually has to go through the mill, if you will; it has to go through the appropriate process, but just the level of commentary on this, of course, is causing a lot of senior executives and boards to be concerned.

B: We at IBM, we meet regularly with our board, with our audit committee, I think for this reason, since all of this started, to get more active, and you're going to see that behavior, because as soon as boards get involved, then you get lots more of your executive team naturally involved. Now, my cyber team would say, well, this is great, because we finally get a lot more attention, so we've got the attention of everyone around security.

B: The important thing, though, is we need to act upon that attention, like what are we going to do about it, right? That's why this meeting is so important. You...

A: ...may want to be careful what you wish for, in other words, and I'm thinking a little bit about the DOJ's kind of pursuit of Joe Sullivan, who was the Uber CSO at a time when they suffered a major data breach. They tried to close it quietly, but ended up making a series of kind of questionable decisions, and now, even though he'd moved on (he's now at Cloudflare, or at least taking a break from that), he is being held somewhat personally accountable for some of these actions that are being taken. Well, we'll see where that thing goes, but it's sending a chill, I think, out there to some degree amongst the cyber security community.

B: That situation, I mean, it's very serious. So anyone that's in a point of power, if you will, from a cyber perspective or product security perspective has got a lot of responsibility and obligation to make sure that they're being transparent with the executive team and with the board of directors and audit committees, etc. Well...

A: And we also saw the Log4Shell vulnerability itself was discovered by a researcher for Alibaba who, I... well, let's just say the company got into a substantial amount of trouble from the Chinese government for not having reported it first, confidentially, to the Chinese government instead of doing the right thing, which they did, which is they reported it upstream to the Apache Software Foundation, and it started the process of getting it remediated. Made some mistakes, but we don't have to go into that.

A: So in general, governments obviously appear to be paying a lot more attention, for better and for worse, in this space, and I have to say so. I worked in the White House in the Office of Science and Tech Policy in 2009 at the beginning of the Obama administration, when we had this small little window of time to make the case for open data, open source software, open kind of everything. But we were quickly overwhelmed by all of the stuff that happens to the new administration cleaning up after the last one.

A: We don't have to talk politics, but anyways, but 2009 me saw very clearly that no one in the executive branch had ever written a line of Python or other code, and we were coming off of 30 years kind of of government being told like, no, technology is built by the private sector. You guys are just the buyer, and the subtext was: the less informed buyer you can be, the better. And instead today it's a lot different.

A: Instead, this meeting at the National Security Council and the guidance that we've seen come out of CISA and other places shows not only them asking a lot of the right questions, but also having a lot more domain expertise, and a lot asking really and listening to us and kind...

B: I think so, and it has placed more challenge on OpenSSF, because when we formulated, and I first met Brian in November of last year, we were formulating a new governing board, and then shortly after that, what happens? Our Christmas holiday, at least in parts of the world, was destroyed by Log4j, and we all got to be on a daily call, or many, many daily calls, every day for weeks to come. So I think the government, you know, in the United States...

B: Of course, you can realize that at that time we'd already had the Russian invasion, and what the fear was was that the vulnerabilities would be weaponized, of course, right, for the purposes of that. Turns out, from what many of us could see, it was mainly the Ukraine attacking the Russians and vice versa, not to say that other things didn't happen, but you know that was viewed as a national security...

A: Government as top cop, right, you know, is one paradigm, and we saw that with like the FTC fine of Equifax, etc. Government as regulator, as like saying, here's now requirements if you want to sell to us or do business or whatever, is a thing, and that's what we saw with like the SBOM part of, sorry, executive order...

A: ...14028, you know, and some of the other hints like here's going to be standards for how they procure software, but we haven't yet seen, and we've seen hints of it, and there's even some language in a bill in the NDAA, I think, that might pass, about government as investor, right. Government, I mean, they invest in basic R&D all over the place, they invest. I mean, you see like NASA, et cetera, and you see them investing in building some technical competency.

A: But do you think government can be, and we see some governments creating open source software too, but do you think governments can play a kind of a role commensurate to their consumption of open source code and investing back in and providing the kind of resources we need to help harden the open source landscape?

B: We also do see evidence that they fund a lot of innovation. You can certainly see that in the CHIPS Act that was recently passed, which is all about getting more semiconductor capacity, in particular, into North America and the United States. It's a great example, and then, and Intel is nodding over here, of course, you know, that's an example where there's prominent active investing in something that's really going to make a difference, and I think security is right...

B: ...in line with that. Now, a lot of the investment tends to be the trickle-down effect. I've seen that a lot with quantum computing, where there's these National Quantum science centers at national labs, and there's the National Science Foundation that gets funding and it trickles down, right. So I think there's got to be a benefit. They've got to look at the benefits of trickle-down versus, you know, the direct attack, if you will, to get some of these things done faster. Trickle-down does work. It funds a lot of research.

B: It funds a lot of interested parties, but it's not like we all got together and committed against, you know, one goal and one moonshot, and so when you look at your 10-pronged list, it's an exemplar, if you will, of a way that we can tackle this. The 10 items may change over time, but it's a good start, right, to try to make a difference in a shorter amount of time. Yeah.

A: As I mentioned in my presentation, you know, I'm hopeful that governments outside of the United States will be paying attention to this, and I know there's some activity here in the European Union on that front, and hopefully we'll see some more soon. The other big topic I just thought it'd be worth kind of talking about is education. I know how personal it is for you, how important that is for IBM. Do we have a shot at really getting better best-practices knowledge, better secure software development knowledge out there to the mass of software developers? And what do you think? What do you think we need to do if we really want to have a huge impact in that space? Well...

B: We've done a few things, as you know, together, which is IBM has a goal to educate 150,000 students in the next few years with security education, and so we teamed to get the Linux Foundation OpenSSF education out through the channel as well. We are focusing on not just additional universities, but also historically black colleges and universities to reach a different constituency, because even with just basic STEM today, particularly in the United States, which I'm much more familiar with than I am a lot of the other countries, we do not have...

B: We don't have enough reach. We're not reaching enough individuals in core STEM, much less security, and when you talk to a lot of the universities (I'm on the board for a number of these universities; I work with NC State on quantum, and Clemson and University of Tennessee, a lot of land-grant organizations that are near where I live), there's not enough faculty to teach security topics because they can't afford the salary.

B: If you're a security expert, you're probably going to be working somewhere for a reasonably high salary, and that's not what academia is paying, and so it becomes a real challenge, and not that they don't have the demand, but they don't have the faculty. So I think they've got to come to grips with that. It's probably not going to be about hiring PhD-level professors for all of these teaching tasks. How do you marry that with your accreditation goals?

B: Your curriculum goals; a lot of accreditation is tied to the seniority of the faculty, and they probably do need to find a way to embrace more online education from experts. You guys are experts. The people speaking today are experts, and providing their point of view and education out to the students can make a difference. I think it will make a difference, and we've got to break through some of those, what I call academic rating rules and everything that seem to get in the way. I mean, I've...

A: How about reaching developers who are past the point of either their education phase or the first part of their career, right? You know, whether they're taking that formally or, like myself or a lot of people I know, kind of taught themselves informally about software development. What are some things you think we could do to reach people who are in the workforce, who might dismiss the idea of needing to take what they might consider a remedial course or other things?

B: Well, I think one of the paths that we can reach broader audiences are through schools that really teach continuing education, whether that's through community colleges or other forms of teaching opportunities where they really encourage ongoing certification for different career paths as well as badges, and that kind of thing, so non-traditional approaches. I think I see that a lot in, you know, where I'm at; North Carolina is the state I live in.

A: You know, IBM also said we're going to put a billion dollars of investment into Linux, and it wasn't clear what the time frame was, but I'm sure over the last 20 years you've spent well more than a billion on upstream contributions to Linux and to everything else. But most companies who consume open source software probably have no formal upstream contribution policy or prioritize the importance of that. Many of them are starting to develop OSPOs and the like, but I'm really...

A: What I'm curious about is how do we get some sort of way for the companies out there who are consuming the software to think about the cyber security issues when they're consuming it? That's why having the concise guides is going to be really important, but when they start to have their developers engaging, reporting bugs, adding features, maybe even writing code and shipping it out...

A: How do we get them to also start to adopt some of these same principles and standards that we're coming up with without it feeling like yet another burden? That's something I struggle with, and I think I'd love to try to figure out, on the business side of the house, an answer to that as much as on the technology side of the...

B: House. Yeah, I think part of it is just awareness and education, and the reality of all of this is there is no free lunch. I mean, it all appeared free, but it's not really free, right, and if you're a downstream consuming organization, you've either got to pay for the software to be created, or you've got to have the expertise in-house to take the right actions, and I can tell you I do believe...

B: There was a lot of learning from Log4j. I personally was spending half of my day on the phone with financial organizations, literally in group therapy sessions over what does Log4j mean. I'm serious about it. I was pretty exhausted after a few weeks of this, because, you know, it's right before the holiday season and people are locking down. They have a strong desire to lock everything down and change...

B: ...nothing. Then, all of a sudden, here comes this defect, and you know there were various views of rolling out this update for the holiday, right. So it was very stressful, and so the learning, though, that came from it, I think, is as well: we have a lot of those commercial organizations in OpenSSF today, in the governing board, because they are committed to trying to understand what do they need to do differently. I mean, one of the learnings is don't run on software...

B: ...you can't patch. That software, it's just too aged, and it's not to say that if you're a bank you should be updating every day. That's not practical either; there's no one...

B: ...that's got that kind of rollout strategy, but you know I think it's just this awareness that you've got to have the right partnership and acquisition strategy that says, yeah, open source is very productive, but who's standing behind it, right? Who's standing behind it, and how do I ensure that I'm getting what I expect, given the organization that I am? And not every organization is the same. Not every organization is a bank. I have, obviously, a lot of experience with banks, but health care, retail, government...

B: You know, and I can see from just the large services arm that IBM has, I can tell you there's repeat offenders on ransomware attacks. What I mean is firms that get a ransomware attack and are back again in another six months with a ransomware attack, because...

B: So a lot of them come from some of that, right. So anyway, I think that, you know, there's a landscape change. In other words, if your insurer is going to pay for your ransomware attack, maybe you're not motivated to go out and fix what you need to fix. Maybe it's cheaper just to keep paying your insurance and you get it paid for, right, but not with the huge bills that some of the insurers are now paying out. Yeah.

A: Yeah, well, there's a lot of, I think, financial motivations that we could use to try to steer industry in the right direction, insurance companies being kind of a dark matter to making this happen. I think we're out of time. I think the other observation I will throw out would be if security researchers could actually start their winter vacations like mid-November, yeah.

A: ...a year. If you could find your bugs, yeah, find your bugs by November 10th, that way we can have a holiday. Yes, that's a best practice. I think we'll try to enjoy it up there. Jamie, thank...

B: We meet with a small group every month and a larger group every quarter, and then we have been at the board a lot, so... but just creating that construct, if you don't have it, is important, because typically you're not going to write a seven-page email about this kind of thing, right? Not also, that's not a good practice either. So you need a forum, and it sounds simple, where you have an opportunity to educate, and it needs to be at different levels and appropriately vetted by your legal.

B: We have cyber legal that helps us rate, but that is really, really important, that you have that opportunity, and back to his point about, of course, my CISO sends me all these mails about Uber and Twitter and everything. If you're the CISO, I think you find this pretty alarming, right. We as leaders have to give those people the ultimate seat at the table.

B: I remember we made a decision on something this past year, a piece of software, and I won't go into details, that we didn't want to use anymore, and some of the users really were calling me and going, you know, bananas, basically, and I told the CISO it doesn't matter, we're not. Your ruling is your ruling.

B: It is true and I can't change it, right, because one of the things we have looked at is the origin and DNA of a lot more software since SolarWinds, and if it's not the right DNA, it gets off the procurement list and it's gone, right. Now there can be a remediation path, but it has to be remediated, but giving the people the seat at the table. So you never get into this situation of, you know...