Description
Keynote: Nithya Ruff, Head, Open Source Program Office, Amazon
---
Open source software is pervasive in data centers, consumer devices, and applications. Securing open source supply chains requires a combination of automated tooling, best practices, education, and collaboration.
Join the growing list of organizations supporting the advancement of securing open source technology and funding the development and adoption of OpenSSF initiatives. https://openssf.org/
Wonderful to be here in Dublin, Ireland. It's my second time here, and it's always been such a welcoming and wonderful city. I also appreciate the fact that the island network is doing a lot of work in open source, and they had a meetup last night to discuss open source and governments, open source in communities here, and I, unfortunately, could not make it. But that was a really terrific event.
It really needs to start in the 1980s and 1990s. I think before the 80s and 90s there was a period of time where software was free, in the mainframe era. It was given away because the hardware was what was sold, but then we went into a proprietary period where software became monetized and software became proprietary, and soon, you know, people did not have access to the source code as they used to, and this was what really spurred someone in the labs at MIT, and I think all of you know who that is, to say we need better freedoms in software. We need to have access to the source code so we can actually examine it. We can actually modify it. We can, you know, change it for working with our situation, our use case, our hardware, and so Richard started the Free Software Foundation to preserve these freedoms and to advance these freedoms.
He also, along with a group of very talented people, created the GNU toolchain system, and the most important one was the creation of the GPL license, the GNU Public License, because that then started modifying or creating, if you will, a license that could be used to freely share software across the world and protect the four freedoms of being able to see the source code, being able to modify it, use it for anything you want, and to also distribute it freely.
A lot of us in companies were a little nervous about the words "free software", and we thought that meant that we couldn't monetize it or that it needed to be free, and so the words "open source", which Christine created in a consulting group around 1998, I think, before 91 perhaps, Brian may know the exact date, but that helped us make it safe and kind of be descriptive about what it is and how to use it. And that became very important to the future of open source, if you will, in companies, in governments, etc.

Around 1998 you see the beginning of OSDL, which is Open Source Development Labs, and a bunch of companies like HP, IBM, SGI, Sun and others came together to create Open Source Development Labs to really work on making Linux more enterprise grade, because it had entered the enterprise through, say, system admins and others bringing it into the company, and management said, yes, we do need to acknowledge that Linux is something that is a part of how we compute, how our stacks are built, and we do need to.
At the same time, I was working at Silicon Graphics at that time, about 1998, and I remember LinuxWorld used to be the event that we all went to, and you had Sun, SGI, HP, IBM, Red Hat, blnx, everyone working really hard to understand what it meant to work in open source, how to market in open source, how to use it in products, how to commercialize it, how to take it to market, and this particular slogan you see, Peace, Love and the Penguin, was a really good promotion that IBM did on the streets of San Francisco. They had these markers and these identities, so to speak, kind of all over the place, and they were actually fined for doing that, for graffiti.
So it's not surprising that soon after you start seeing web-scale companies like Google, Facebook, Amazon, Netflix, in building their data centers and building their infrastructures, start using open source, and they start using it at scales that no one had really thought about before, and they help professionalize and harden and scale Linux and scale open source, and then they do something interesting also: they start open sourcing critical components that they've been using in their data centers to enrich, you know, the world and also to collaborate with others on.
So you start seeing things like Hadoop come out of Yahoo, I think it came out of Yahoo, and then Facebook also open sources Cassandra, and you start seeing, you know, Google open sourcing Kubernetes and so many other components, and Netflix also open sources Spinnaker, and you have open RTOS from Amazon and so many other components that start kind of building this vast sea of open source that we can all draw from, and these are hardened, tested in data centers, used at scale, and so it starts becoming building blocks, if you will, for a lot of us to use, which led to the starting of the cloud. And cloud, really the data centers behind the cloud, are built on open source, and then there is an opportunity to also deliver services, open source based services, in the cloud. So you start seeing the rise of AWS and Google Cloud and IBM clouds and Microsoft's Azure, and really trying to solve, making it easy for companies and making it easy for businesses to use open source effectively and use it at scale and use it as a service.
This becomes an important component to what happens next, which is all of us enterprises, when I was at Comcast, and all other banking enterprises that I've talked to, and retail, and so many other businesses are digitizing, are moving to the cloud, have already moved to the cloud, and you can't not be digitally transformed today as a company, and you find that reaching customers, providing compelling experiences, managing the back office.
So many, many new industries that never really were collaborating together, were very physical, needed a lot of infrastructure to work together, whether it's agriculture or energy, or even, you know, medicine and health care, are industries that are being transformed by open source, and I think having institutions, whether it's the Apache Software Foundation or the Linux Foundation, make it easy for these organizations to come together in one place and then decide what are the common components that we need to work together on, and how do we put that into software?
And open source and governments has been growing steadily, and government interest in open source has been growing steadily. Governments need to reach a number of different constituents. They need to reach their citizenry, they need to develop industry in their countries. They also need to attract great talent into their own organizations. They are left behind if they don't have great talent in government, and open source has been a powerful enabler for governments to digitally transform, just like enterprises did, and to reach all of these constituents.
It's also been a great software, or a great, if you will, way to create trust among their citizenry and among their industries as well, by having transparency in terms of the software that's used, and to collaborate with citizenry and with industries to grow government services and to connect government to all of these constituents. And in the pandemic in particular, governments that digitally transformed and were able to work with their citizens in a digital way did extremely successfully.
So what happens is, with success now, with open source being everywhere and being used by everybody, comes great responsibilities, and, you know, I think it exposes some of the challenges that OpenSSF is trying to solve. You find that the open source security challenge is that those who are supplying the software sometimes are a number of different projects. They are sometimes big, sometimes small, some are highly funded.
So this is the nature of the supply side from a security perspective, and then on the user side, you find that users, you know, today use it for all kinds of mission-critical purposes. It is not said that this is only to be used for experimental work. It's used everywhere, to support major clouds, to support major missions to Mars.
It's such a big, critical component of all of our infrastructures, and what that means is it then starts showing, or it becomes even more critical to fix things quickly when we discover it, and developers today may not know some of the history of licenses or vulnerabilities or how open source is created, because their world exists with open source in it, and so they're used to seeing open source as something that they can use in their development work, and so they take it for granted.
They don't examine it as carefully as they would if they were creating it themselves or getting it from a supplier, and some of the dependency management tools have also been not as good and not as adequate to use for understanding supply chain and understanding where the problems are coming from, and it's hard in a large company to find a single owner, if you will, for a certain component and say, if you're using this component, you need to work with upstream and make sure that it's secure and safe, and if you find vulnerabilities, you will communicate to the rest of the company. So it's hard, so companies are still working on: how do we work upstream? How do we establish ownership inside the company for a component? How do we work together to make sure that everyone in the company who's using this is using this effectively?
So this is the conundrum that OpenSSF is also trying to solve: how do we help suppliers do better software? How do we help users use the software more effectively? And this leads us to the reason why collaboration is so important today. Security learns the power of collaboration. Security typically has worked in isolation. Different security teams and different companies have been very mum and kind of quiet about any issues that come up, but now you really need to collaborate and help each other with solving these problems.
Sharing vulnerabilities, sharing secure coding practices, sharing best practices for how to write secure code, but how to work better together, and we need to also respond very, very quickly when problems happen. So collaboration is really at the heart of what OpenSSF is trying to do and is so badly needed, particularly in open source security, whether it's the government mandating things or industry saying we need to work better together, because this is the problem we all face, and then really finding a foundation or a central place to work together.