►
From YouTube: OpenSSF Day at OSS NA - Mobilizing the Open Source Industry in Fight For Better Security By Default
Description
OpenSSF Day at Open Source Summit North America - Mobilizing the Open Source Industry in the Fight For Better Security By Default by Brian Behlendorf, General Manager, OpenSSF
A
My
displays,
but
okay
I'll
read
it
so
thank
you,
anithia
for
the
for
the
really
nice
scene.
Setting
for
why
we're
here
today.
I
wanted
to
add
also
a
little
bit
of
historical
context
that
I
think
is
really
germane
to
how
the
open
source
community
actually
got
into
a
very
favorable
position.
When
it
comes
to
security,
I
might
even
use
the
term
irrational
exuberance
which,
if
anyone
is
familiar
with
where
that
term
first
came
into
the
popular
mindset.
It
was
at
the
time
of
the
2008
financial
crisis.
A
Who
was
it
who
gave
testimony
about
irrational
exuberance
in
the
stock
market
anyways?
I
think
what
we
actually
need
to
do
is
think
about.
How
do
we
substantiate
what
is
already
actually
a
really
great
reputation
for
open
source
software
when
it
comes
to
security,
but
really
try
to
understand
also
where
some
of
that
came
from
so
I
also
tried
to
look
deep
in
the
past.
I
went
to
the
internet
archive
and
the
oldest
screen
grab.
A
A
Because
not
only
could
you
see
quantitatively,
then,
if
I'd
scroll
down
to
the
bottom
you'd
see
more
that
the
apache
web
server
was
being
used,
something
like
five
times
as
much
well,
two
and
a
half
times
as
much
as
the
microsoft
web
server
was
being
used.
Apologies
to
microsoft.
It
was
being
used
about
what
almost
ten
times
as
much
as
the
netscape
server
was
being
used.
Apologies
to
anyone
who
worked
for
netscape,
but
also
you
could
ask,
through
this
website
you
didn't,
have
to
type
http
commands.
A
You
could
ask
through
this
website
what
is
that
site
running
and
it
made
it
really
easy
for
those
of
us
who
were
working
on
the
apache
web
server
back
then
to
make
the
case
to
our
own
pointy-haired
bosses,
which
is
what
php
is,
but
also
to
others.
That
not
only
can
you
know,
are
people
using
this
in
production.
You
could
also
point
people
to
cia.gov
or
to
I
believe
it
was
vatican.va.
A
It
might
have
been
something
else,
but
it
was
dot,
va
and
people
could
see.
Oh
apache
is
running
behind
those
and
if
it's
good
enough
for
the
cia
and
for
the
vatican
simultaneously,
that
probably
is
good
enough
for
for
your
company
right,
but
which
was
great,
and
it
allowed
us
to
make
the
case
that
that
you
could
trust
this,
that
it's.
What
garnered
interest
from
some
of
the
first
companies
ibm
was
really
one
of
the
first
to
say:
can
we
bundle
apache
into
our
our
web-based
products?
A
That
kind
of
thing
lots
of
others
followed
suit,
but
it
also
led
us
down.
I
think,
a
path
that
started
to
say
popularity
was
a
rough
proxy
for
perhaps
even
equivalent
to
security
that
the
more
people
use
this
stuff.
I
mean
there's
certainly
a
case
that
we
made
right
the
more
eyeballs,
just
naturally,
just
almost
by
by
by
the
you
know,
law
of
large
numbers
and
therefore
you
could
trust
it,
and
that
seemed
to
be
true.
A
Only
one
out
of
those
hundreds
said
that
they
were.
They
repeated
that
by
asking
systems
administrators
in
those
hundred
companies
and
got
back
something
like
93
of
them,
saying:
oh,
yes,
we're
using
it's
just
that
the
cios
never
saw
a
purchase
order
for
anything,
labeled
open
source
software
until
red
hat
came
along
and
others
of
course,
but
but
anyways
that
it
was
really
nice
to
have
those
those
numbers.
But
it
led
us
to
some
interesting
place.
A
The
second
places
the
second
thing
that
I
think
really
helped
the
world
come
to
trust
open
source
software.
Was
this
that
a
lot
of
the
early
communities
were
really
rigorous
about
setting
up
processes
and
setting
up
a
culture
that
said
it's
we
need
to
avoid
heroics
like
we
might
still
have
what's
what
was
the
term
for
like
one
individual
kind
of
at
the
top,
I'm
struggling,
sorry,
bdfl,
sorry
benevolent
dictator
for
life
bdfl.
Thank
you.
I
was
blanking
on
that.
A
Even
if
we
have
elena
torvalds
or
larry
wall
or
others,
they
are
surrounded
by
people
who
can
help
catch
the
falling.
You
know
hot
knives,
you
know
or
help
review
patches
who
can
help
enforce
some
process
and
even
at
apache
one
of
the
the
founding
kind
of
principles
was
community
over
code.
We
wouldn't
start
a
project.
A
Like
barn
raisings,
where
you
know
people
working
together
to
build
a
thing.
It's
not
just
about
pull
10
or
100
people
together
to
do
and
one
day
what
would
otherwise
take
one
person,
10
or
100
days,
there's
no
way
for
one
person
to
build
a
barn,
at
least
in
the
old
amish.
You
know
barn,
raising
kind
of
stereotype
right
that
one
person
cannot
pull
the
timber
up.
The
timber
frames
up
to
mount
them
in
the
right
way.
They
cannot,
you
know,
do
all
the
things
that
are
required
to
to
build
a
barn.
A
A
Writing
documentation
like
a
model
open
source
contributor
and
three
years
in
to
his
contribution
history
at
apache
he
wrote
a
note
to
the
other
maintainers
going.
I'm
really
sorry
guys,
but
I
probably
will
have
to
pull
back
a
little
bit
of
my
contributions
because
I'm
starting
as
a
freshman
in
the
fall
at
stanford
university
so
like
that
was
the
fact
that
we
have
very
low
barriers
to
entry
in
open
source
is
actually
key.
In
my
opinion,
I
mean
I
don't
have
numbers
to
back
this
up.
A
I
would
love
to
see
the
econometrics,
but
I
would
assume
a
lot
of
you
share.
This
gut
that
is
key
to
the
scalability
of
the
open
source
process
and
getting
to
what
you
know
what
eric
raymond
called
lena's
law,
which
was
with
enough
eyeballs
all
bugs
are
shallow,
which
intuitively
we
know
that
it's
not
quite
a
mathematical
equation,
of
course,
but
no
matter
what
tooling,
what
processes
we
come
up
with,
they
all
fall
down.
A
A
We
truly
are
one
of
the
last
remaining
places
on
the
net
where
you
can
productively
work
and
even
come
to
trust
people
who
are
lightly
authenticated
into
the
community,
and
I
think
that's
core
to
what
we're
trying
to
build
and
at
the
same
time
we
can.
We
can
do
that
because
we
have
processes.
How
many
people
remember
the
university
of
minnesota
hack
from
last
year?
A
I
think
it
was
where
a
team
of
researchers,
the
university
of
minnesota,
thought
it
would
be
cute
to
prove
how
valuable
our
processes
were
by
slipping
intentionally
broken
code,
not
a
back
door.
So
much
as
an
intentional
vulnerability
into
the
linux
kernel.
It
was
noticed
it
was
stopped,
but
not
before
it
consumed
a
whole
lot
of
time
on
the
part
of
greg,
crowe,
hartman
and
and
linus
and
some
others,
and
in
response
the
university
of
minnesota
has
now
been
banned.
A
I
think
by
ip
address
I
don't
know
if
it's
by
email
address
but
but
now
been
banned
permanently
from
contributing
to
the
linux
kernel
and
which
kills
jim
zemlin's
heart
because
he's
a
graduate
of
university
of
minnesota
good
old.
You
know
minnesota
kid,
but
yeah.
We
have
these
processes.
We
have
these
mechanisms,
but
they're
not
perfect.
Are
they
perfectable
that's
worth
asking,
but
but
we
need
to
to
fight
what
might
otherwise
be
a
tendency
to
slip
into
a
dark
place.
A
Certainly
we
can
be
better
at
turning
users
into
contributors,
turning
contributors
into
maintainers
that
sort
of
thing,
but
but
a
lot
of,
what's
going
on
in
the
open,
ssf
matches
that
first
kind
of
kind
of
thing.
The.
When
you'll
hear
about
a
lot
of
that
today,
the
best
practices
badge
work.
The
scorecard
work,
things
that
we're
looking
at
in
the
in
the
mobilization
plan.
All
of
that
speak
to
this
need
to
better
understand
through
processes
through
measurements
through
tools.
A
What
I,
how
do
we
get
an
objective
sense
of
the
trustworthiness
of
code?
Not
because
we
want
to
stop
using
certain
open
source
packages,
but
so
that
the
better
ones
can
know
where
to
invest?
To
increase
that
we
are
far
past
the
point
of
dunbar's
number
right
150,
which
is
about
the
number
of
social
relationships.
A
A
We
also
need
processes
that
simply
encourage
better
security
practices
by
developers
and-
and
that
also
is
a
theme
for
many
of
the
projects
you'll
hear
about
today
and
are
a
key
part
of
the
open
ssf
speaking
to
this
third
part,
though
about
teamwork.
This
is
a
place
where
I
challenge
us
a
little
bit
to
think
about
where
perhaps
some
existing
efforts
in
the
open
ssf,
perhaps
new
efforts
that
we
might
take
on,
might
encourage
a
little
bit
more
teamwork
and
shared
responsibility
amongst
open
source
projects
and
shared
responsibility
for
security.
A
I
encourage
folks
to
to
if
you're
working
on
one
bit
of
open
source
code,
you've
thrown
it
out.
You
might
have
hundreds
of
thousands
of
downloads
a
week,
that's
great,
but
what
happens
when
you
burn
out
what
happens
when
you
slip
in
a
bug
that
you
didn't
realize
and
notice,
and
it
wouldn't
be
great
to
have
other
people
help
you
find
those.
This
is
why
I
loved
open
source,
because
I'm
not
a
good
coder.
The
world
is
much
better
off
without
my
code
in
the
world.
I
I
was
it
wasn't
just
me
being
humble.
A
It
was
me
being
completely
honest.
This
is
broken.
This
is
something
I
know.
There's
something
broken
about
this
please
help
me
find
the
bugs
in
it,
and
for
me
with
that,
without
that
sounding
board,
there
is
no
point
and,
and
most
important
for
us
is
to
think
about
how
to
add
the
words
by
default
to
every
one
of
those
right.
How
do
we
make
the
lift
as
zero
cost,
as
we
can
to
adopt
better
tooling,
to
adopt
better
practices
to
get
this
into
the
default
workflows?
A
The
default
build
tools,
the
systems
that
we
use
as
open
source
developers
and
contributors
to
make
this
all
work,
and-
and
so,
as
I
mentioned,
you'll
hear
a
lot
today,
you
won't
get
everything
going
on
in
the
open
ssf.
We
are
kind
of
a
circus.
I
say
that
lovingly
and
somebody
likes
going
to
the
circus,
like
there's
lots
of
things
going
on
at
openssf
lots
of
different
teams,
and
that
is
a
part
of
our
strength,
we're
roughly
divided
out
by
working
groups
in
certain
thematic
areas.
A
A
We
can
do,
and
one
of
the
things
we
in
the
open,
ssf
community
are
actively
trying
to
figure
out
is
how
much
to
be
big,
tent
versus
best
of
breed
and
small
and
focused
right
and-
and
this
is
this-
is
something
you'll
perhaps
hear
more
about
today-
is
how
do
we?
How
do
we
tread
that
line
and
and
and
make
sure
we're
tapping
into
really
the
best
of
what's
going
on
in
the
open
source
world
and
the
best
the
best
thinkers,
the
best
developers,
the
best
people?
A
A
It's
organizations
like
these
that
are
really
helping
make
those
efforts
work
both
through
their
individual
developers,
contributing
and
participating
on
the
working
groups
and
the
projects,
but
also
by
putting
some
money
in
to
allow
us
to
spend
money
on
some
of
the
work
that
that
is
necessary
to
do
now.
I
want
to
pivot
and
talk
a
little
bit
about
this
effort
that
we
put
together
since
the
beginning
of
this
year
to
take
this
circus
so
to
speak
on
the
road
and
to
think
creatively
about.
A
If
we
were
to
to
not
just
say
here's
a
bunch
of
things
that
might
help
the
world,
but
to
get
activists
about
it
and
invest
in
it
and
say,
could
we
actually
close
some
of
the
known
issues
we
have
in
the
world
around
how
open
source
is
built
in
some
reasonable
time
frame
in
the
next
few
years?
How
would
we
do
it
and,
and
frankly,
how
much
would
it
cost,
and
a
lot
of
this
was
spurned
by
by
the
log
for
shell
vulnerability?
A
I
tried
to
avoid
saying
log
for
j,
because
the
developers
behind
log4j
and
other
apache
projects
are
professionals.
They
are
doing
a
great
job.
I
want
to
give
them
due
credit.
They
are
they're
by
large
for
for
for
a
component,
that's
used
as
pervasively
as
it
is
again.
The
law
of
large
numbers
does
say:
occasionally
we
will
stumble
over
vulnerabilities
here
or
there
and
it
should
not
reflect
upon
them.
So
I
do
try
to
say
log
for
shell
when
I
can
just
to
be
reflective
of
that.
But
log
for
shell
broke
the
internet.
A
It
caused
a
whole
bunch
of
organizations,
particularly
in
government,
to
go.
This
is
an
earthquake.
We've
got
a
scramble,
we
don't
even
know
where
we're
running
it.
You
know
the
number
of
organizations.
That
said,
oh
no
problem,
we're
using
you
know
the
the
bugs
are
in
the
cve
is
an
log
for
log4j
version
two,
but
we're
on
log
for
j
version,
one,
so
we're
not
vulnerable,
which
had
been
out
of
maintenance
for
five
years.
A
How
do
we
secure
how
the
code
is
written?
How
do
we
find
get
better
at
finding
the
vulnerabilities
that
are
out
there
and
fixing
them
and
then
apologies?
How
do
we
get
better
at
pushing
those
fixes
out
to
the
world,
and-
and
so
we
went
back
as
the
open,
ssf
and
started
a
little
bit
more
privately
kind
of
you
know
talking
about
this
talking
about
in
in
the
governing
board.
Talking
about
this,
you
know
kind
of
one-on-one
between
us
and
staff
and
a
lot
of
others
and
said.
A
Well,
maybe
what
we
should
do
is
think
about
how
to
frame
and
organize
all
those
different
efforts
in
the
circus
in
the
with
this
idea
of
what
would
it
take
to
push
those
to
the
point
where
they
can
actually
address
a
set
of
issues
that
are
responsive
to
those
goals?
What
are
things
that
are
working
now
that
we
could
double
down
on
and
and
and
put
some
more
resources
behind
in
a
somewhat
inorganic
manner?
A
I
mean
I'll
be
honest,
most
of
the
time
at
the
linux
foundation,
when
we
open
projects
we
as
linux
foundation,
staff
and
the
funding
kind
of
goes
into
air
traffic
control
right,
it
goes
into
convening
the
space
hosting
the
calls
hope
hosting.
You
know
whatever
is
required.
Even
the
build
systems
that
kind
of
thing
it
doesn't
really
go
into
top
down
driving
this
stuff
to
be
everywhere.
It
does
sometimes
in
the
automotive,
great
automotive,
grade
linux
project.
A
Other
projects
like
let's
encrypt,
actually
run
a
service
which
requires
an
ops
team
which
requires
you
know
some
actual
staff
to
go
and
run
this,
even
though
the
code
is
open
source,
even
though
it's
built
on
open
protocols
and
and
they
work
very
very
publicly
so
with
us,
it
was
a
little
bit
like
well,
even
given
all
of
the
folks
showing
up
to
our
circus
making
contributions.
How
might
we
best
organize
our
efforts
to
go
and
and
accomplish
some
of
these
things
and
we're
not
gonna
solve
them
tomorrow?
A
A
So
I
I
can't
compete
with
that,
but
I
will
try
and-
and
so
what
we
identified
to
our
surprise
was
actually
what
we
thought
was
kind
of
a
low
number
150
million
dollars
worth
of
well-vetted
spending.
That
would
go
and
pay
pay
for
itself
tremendously.
So
we
had
this
convening
in
dc,
we
I
tried
to
pull
in
more
companies,
more
open
source
community
members,
more
organizations.
It
was
never
going
to
be
enough,
of
course,
but
for
as
public
as
we'd
normally
like
to
be
about
how
we
work.
A
But
it
was
enough
to
try
to
get
across
to
the
government
we're
serious
about
this,
and
this
was
something
that
we'd
like
to
repeat
with
other
governments
around
the
world
as
well,
and
we've
got
some
conversations,
starting
in
a
few
places
to
have
a
similar
type
of
kind
of
roll
out
and
conversation
with
them.
In
that
event,
we
identified
30
million
dollars
in
pledges
to
that
project.
Thank
you
to
many
of
the
companies
who
are
here
today
who
helped
make
that
work.
These
are
pledges.
A
I
won't
be
able
to
go
in
depth,
you'll
be
able
to
find
it,
but
very
briefly,
just
to
give
you
the
highlights.
One
of
them
is
about
trying
to
reach
everybody
with
many
of
the
security
education
documents
and
processes
that
we've
developed
here.
Thank
you
particularly
to
david
wheeler,
for
that
work.
He'll
be
talking
about
it
later
today.
One
of
those
is
about
trying
to
do
that
that
risk
assessment
kind
of
that
I
talked
about.
A
How
do
we
better
understand
the
riskiness
of
code
well
pulling
together
all
the
data
that
the
tooling
we're
coming
up
with
can
give
us
as
well
as
additional
data,
sets
into
one
place
to
go
to
say,
I'm
I'm
interested
in
this
code.
What
what
is
its
risk
profile
right
and
can
I
compare
that
to
similar
code?
A
Who
can
help
manage
a
vulnerability
disclosure
process?
Another
tool
to
really
double
down
on
the
work
going
on
in
alpha
omega,
to
do
more
pervasive
scanning
of
open
source
code
on
a
regular
basis
to
try
to
find
new
vulnerabilities
to
be
you
could
think
of
it
as
an
open
source
version
of
project
zero
at
google.
Another
one
to
invest
in
code
audits.
A
Amir
here
from
austif
knows
this
process:
well,
not
for
a
large
number
of
projects,
but
for
starting
with
the
50
and
maybe
to
the
hopefully
to
200
projects
a
year
in
the
kind
of
third-party
audits.
That
really
start
to
ask
you
you
know:
did
you
mean
to
put
that
chainsaw
in
the
middle
of
that
dinner?
Cutlery
set
right,
so
not
just
the
the
potential
memory,
corruption
issues,
but
also
really
starting
to
ask
at
a
feature
level
or
an
architectural
level.
You
know.
A
So
far,
we
haven't
done
much
in
the
open
ssf
with
software
bill
of
materials
we've
we've
talked
about.
It
there's
been
some
work
in
the
security
tooling
community.
Thank
you
to
josh
bressers,
if
you're
here,
but
this
is
a
place
we
know
there's
a
need
to
invest
more.
This
particularly
was
a
big
message
from
our
partners
in
government.
I
we
need
to
also
finally
just
look
at
the
especially
the
last
few
stages
of
the
software
supply
chain.
A
All
this
work
together,
you
know
there
were
teams
that
formed
around
each
of
those
ten.
I
want
to
thank
everybody
here
who
did
participate
in
those
work
streams?
It
was
very
short
time
frames,
partly
intentionally
so
so
that
we
could
get
to
really
just
a
first
kind
of
size
of
the
bread
box
kind
of
notion.
These
numbers
will
change.
This
is
a
draft.
A
The
the
the
process
from
here
is
that
we
will
continue
working
with
interested
parties
on
those
streams
to
refine
the
proposals
to
get
to
the
point
where
we
can
start
to
match
them
up
against
pledges
or
other
sources
of
funding.
Frankly,
150
million
dollars
was
cheap
in
my
book.
I
I
talked
about
that
a
bit.
150
million
might
sound
like
a
lot,
certainly
for
any
one
open
source
project.
A
A
The
plotting
here,
because
this
is
these-
are
the
kinds
of
nudges
that
we're
going
to
see
more
of
both
from
the
public
sector.
I
think,
even
from
folks,
like
insurance
companies
who
insure
against
cyber
security
breaches
they're
going
to
start
to
raise
the
the
floor
when
it
comes
to
what
what's
the
minimum,
that
they
expect
organizations
to
do
to
be
more
secure,
and
this
is
serious.
This
is
the
government
getting
serious.
These
are
the
sticks,
and
I
am
much
more
about
carrots
frankly
much
more
about
incentives
and
like
helping
people.
A
A
A
At
the
end
of
the
day,
the
mobilization
plan
is
just
one
element
of
what
we
do
at
the
open
ssf
it's
about
sprinkling,
some
accelerant
on
top
of
existing
efforts
at
the
core
of
openssf,
though
we
are
an
open
source
project,
like
any
other
you'd
find
where
anybody
can
contribute
where
anybody
can
use
the
tools
and
the
and
benefit
from
the
standards
and
all
the
goodness
coming
out
and
the
and
the
docs
and
the
guides.
I
mean
there's
too
much
to
mention
this
is
about
just
trying
to
sprinkle.
A
You
know
douse
a
little
bit
of
fuel
on
on
on
these
different
efforts
and
make
that
work
so
come
in
and
get
and
and
check
out
the
plan,
but
but
do
check
out
the
rest
of
what's
going
on
inside,
open
ssf
and
apologize
to
james
brown
for
stealing
his
riff
but
get
involved,
and
with
that
I
think
I'd
like
to
pass
the
baton
back
to
krobe.
Thank
you
all.