Description
OpenSSF Day at Open Source Summit North America - A New Era for Open Source Security - Nithya Ruff, Chair, Linux Foundation Board of Directors
A
She actively works to advance the mission of the Linux Foundation in building a sustainable ecosystem that's built upon open collaboration, which is pretty amazing. Nithya joined Amazon as the head of the open source program office, where she'll continue to drive investment and compliance in open source. She's a passionate advocate and a speaker for opening doors to new and diverse people and technology.

A
First, as the founder of the Apache Software Foundation and then later as a founding member of both the Open Source Initiative and the Mozilla Foundation, Brian co-founded or was CTO of a series of startups, including Wired magazine, Organic Online and CollabNet, before pivoting towards public service in the White House, in the CTO office under President Obama, and then served as CTO for the World Economic Forum. So please join me in welcoming Nithya, and let's give her a nice round of applause. Thank you.

B
I know it's common to say "graybeards" in open source; there's also others with gray hair like me, and I must admit that one of the privileges of having been in open source for so long is a chance to talk about history and what we've learned from history, and why we are at the moment we are today with OpenSSF and what we need to do to move the needle from an OpenSSF perspective.

B
As we indicated, I sit on the board and I'm very excited to also be part of the Amazon open source program office, and really acknowledging Juneteenth, acknowledging Pride Month, and I love, love, love the Linux Foundation logo that's really reflecting what we're celebrating this month.

B
So let me start with the 80s and 90s, when I actually was around; I was involved in open source around 1998. So I think we've got to acknowledge that open source came from very, very fringe elements of code, if you will. It wasn't an enterprise thing, it wasn't invented by some company. It wasn't created in some company.

B
It was really, you know, folks in the MIT research lab saying, how can we give people the freedom to actually examine software, modify software, change software, et cetera, and so therein was born GNU and the Free Software Foundation and the license called GPL, which gave people a number of freedoms: freedom to modify, freedom to share source code, freedom to distribute, freedom to use it for any purpose that they want, which was a dramatic departure from how software was typically shared.

B
I think this is important because during these days in the 80s and 90s companies really hadn't fully discovered open source yet and they feared open source, and it was kind of on the side. And then comes the 90s, and you start seeing, you know, people like Linus Torvalds releasing the kernel that he had created, and he used GPL to share this with others, which some people say is the reason why Linux became so widely adopted and shared and the innovation was so fast and so aggressive.

B
And you know, there was just so much collaboration, open collaboration going on, and then comes, you know, the Open Source Initiative, which was founded to kind of protect the freedoms, the open source definition and the freedoms of open source, and the term open source really came into being. Before that it was really free and open source software. A lot of companies thought, oh my gosh, free sounds economically free, and I don't want to associate myself with something that people have an expectation that I give away for free.

B
You know, from an economic perspective. So the word open source was coined actually by a woman consultant, Christine, and I forget Christine's last name. And then comes Open Source Development Labs, and here's an interesting thing, because companies actually came together to create OSDL and also Free Standards Group, because they felt that they needed to collaborate together to take this new thing called Linux and open source forward and make it enterprise ready, and so they felt that they needed to come together in a neutral way.

B
You know, in some sort of a foundation way, to really work on this together, and that no one company could do it, you know, by themselves. Then comes the foundation called Apache, which Brian knows very well, and he may cover some of that in his talk. Apache is a 501c3, so it was started as a non-profit, started to protect the emerging development of Tomcat and other Apache web servers.

B
You know, creating the constructs like open governance, and how do we deal with trademarks and legal constructs around open source, and how do we build community, and so on and so forth. And then you start seeing some young new companies, tech companies like Sun and SGI and HP, who start saying, how can I start using Linux in my servers? How can I ship product based on Linux? How can I support Linux? And IBM here hit it out of the park by doing a one billion dollar,

B
I think, support; Jeff will correct me if I'm wrong. One billion, I think, is the number. And started the Eclipse Foundation and started saying we believe in Linux, and that then became, I guess, a call to action, if you will, for other companies to say I think Linux is something that companies should use and adopt, and it's become mainstream, and you know it's something that we can work with.

B
Then you start seeing a number of companies that were born in the age of open source, like Google and Facebook and Amazon and Netflix, and they built from the ground up using open source. They built these hyperscale, web-scale companies using open source to fuel their search engines or social media or dot com or streaming, and they also did something interesting.

B
They started kind of contributing back projects that they had used in production, so you started seeing things like Hadoop and other big, big projects being contributed back, and so you now start seeing a huge body of work that's scalable and usable by companies, and, you know, it became safe to start kind of really building on open source.

B
The clouds start building on open source. So if you pivot, a lot of companies who really created their own infrastructures, for, say, in the case of Amazon.com, they start saying, I wonder if other companies could use the same infrastructure and could benefit from this infrastructure, and start creating cloud services. And so also you can see Google doing the same, Microsoft doing the same, and other cloud companies, and then people started saying I want to use open source, but can you deliver it as a service?

B
The other adoption that started happening, I would say in the 2000s and beyond, and I actually worked for an enterprise company called Comcast, is that enterprises which were not at all in the business of systems, right, were in banking or in media and entertainment or were in retail, started saying, you know what, I need to build my business on software. I need to digitally transform.

B
I need to become a software company because I am competing with new upstarts on the technology side and my customers want a transformed experience, and in order to be agile and digitally forward, I need to start using software. So you start seeing enterprises using open source software very, very prevalently. I ran the open source program office at Comcast, so you can imagine: Capital One has one, Target has an open source program office, Fidelity, and so on and so forth.

B
Our digital infrastructure is built on open source, so there's so much riding on open source today, and so the protection of all this is so, so critical today. And open source and governance is such a thing, because governments are realizing they need to transform digitally, but they also need to be transparent and working much more closely with their citizens, and also develop industry in their country and encourage innovation, etc.

B
It means that we need to grow up. It means that we need to find a way to secure open source, and especially in the last decade or so there's been so many, many issues, with Heartbleed and Log4j et cetera, that have really kind of created an alarm for us to say,

B
I think we need to work better at this. You know, unlike working with one monolithic, maybe, blob of code from a proprietary company where you can hold them accountable, it's a whole different ball game in open source, and so what happens with open source suppliers? Now we have suppliers who are diverse.

B
There's, like, I don't know, millions of projects that we consume, big and small. Some have maybe great security posture, some don't; some are well maintained, some aren't; so you really don't have a standard in terms of how you work with them, how you maintain them, et cetera. And most of the open source projects were started with solving a technical problem in mind. So most of the maintainers tend to be innovators and problem solvers, but they're not security folks, they're not documenters, they're not community leaders, and they need the help.

B
They need to know how to do it right, and many lack security training. Frankly, security and open source groups used to be separate, right, in companies and, you know, in life, so they were different disciplines, and so they often never talked, and maintainer burnout is also real. A lot of maintainers are saying: I can't do this much anymore, and so I need help. I need help to maintain the software.

B
You start seeing us using open source more and more for mission-critical things. I mean, companies, businesses and infrastructure like energy grids are built on open source. These are pretty mission-critical things. Gone are the days when people would say, I think I'll do something light on open source and for production I'll use, you know, proprietary. And developers, I feel a lot of new developers take open source for granted, because it's just there, it's used by everybody, you see it as a de facto standard.

B
You say: oh, it's already vetted by so many people. I don't need to do my due diligence. I can just download it. I don't need to know the license. I don't need to know the health. I'll just use it. And a lot of dependency management tools are also pretty lacking and need a lot more development.

B
You can see your direct dependencies, but you may not be able to see all of your transitive dependencies, and then how to deal with it, which ones to deal with, and I know there's a lot of work going on with our sponsors and others to improve this. But it's still a challenge, and a lot of companies still struggle with: how do we work with upstream? How much should we invest in upstream?

B
So I want to end by saying, that's what history has taught us, as you can see, throughout the adoption of open source in various industries and various phases of open source: collaboration has always come to the rescue, collaboration of industries coming together, companies coming together, foundations kind of acting as a neutral home.