Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Town Halls / 16 Mar 2023
OpenSSF / Town Halls / 16 Mar 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenSSF Town Hall Meeting (March 16, 2023)

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

All right, uh while we're waiting to start uh uh thank you and welcome everybody to the uh open, ssf Town Hall. uh We uh um we'll get rolling in just a minute here, but um while we're waiting for everyone to join, please take a moment to do one or more of the following um feel free to use the Q a section here in Zoom to ask questions. We will hold questions until the end.

A

Just so we can get through everybody's presentations uh quickly enough and aim to leave 10, hopefully 15 minutes at the end for questions. Please consider following us on Twitter, of course, uh Mastodon, uh which is where everyone is moving to. It seems uh as well as on LinkedIn at the open ssf.

A

um We will distribute these slides as well, uh for in fact they might already be up on the on the public website, um uh so feel free to pull these down. Follow these links um as well as, of course, the main open ssf website, and finally, we've got a lot of great training material. So for any of you who are new to either the organization or to to our Technologies new, to thinking about security and open source software, please take a look at the training courses that we have put up and made available.

A

This meeting is being recorded, and why don't we just jump in as with every meeting of the Linux Foundation? We I just want to make you aware of the antitrust policy notice that we have here. uh This keeps us all on solid legal ground as we work together and collaborate on building the technologies that everyone depends upon. We also, of course, are Guided by the openssf and Linux Foundation codes of conduct.

A

We are dedicated to providing a harassment-free experience here for participants at all of our events uh in person or virtual, uh and we expect everyone to be in accordance with Professional Standards, so definitely appreciate all of you. Learning more about these of the links provided in the deck as I mentioned, feel free to use the Q a button to submit questions, and we will answer them as we can, if not in real real time than towards the very end. Thank you very much for that. We have a chock full agenda today.

A

This is our first town hall, since August apologies for being a little bit uh quiet over the last few months, um but I will give for any of you who are new to the open, ssf kind of a quick uh top level tour of who we are what we're working on.

A

uh What some of the interesting announcements have been since August, uh but I really want to make sure that we can pass the Baton quickly to uh our other four speakers uh uh to to just cover some go into depth on a number of interesting projects here at the open ssf, as well as guidance on how all of you can get involved in the runway or another.

A

um So let me dive in uh and uh to this, this is uh really just uh an opening. I myself am your general manager at the open, ssf uh I've been on the project for nearly a year and a half now uh and I've, it's been a thrilling experience, uh it's kind of like a fire hose, there's so much going on across the community every day. It's really just an honor to be able to be here.

A

um The open, ssf's purpose is to enable the open source Community to collaborate and drive Technical Innovations around improving the state of security across open source software and the software supply chain. We are a collection of initiatives organized by working groups uh and within those. Some of those initiatives are software development projects, but some of them are also other kinds of projects, developing other kinds of of content, um be they specifications, be they educational materials.

A

uh In some cases, we're setting up services as well, there's a whole lot here and it's beyond uh just open source software and and again it's it's.

A

It's a really thriving Vibrance, um very circus-like community at times um uh at the top level- and this is how we are organized uh there- is a uh governing board uh comprised of our supporting funders, who kind of help make sure that the lights stay on that the team is uh myself and and the staff that work for me are delivering uh and and supporting the organization every way possible and we've got a few committees off to the side. But the real Heart of Open ssf is the working groups.

A

uh The uh projects uh and the technical advisory Council that tie them all together, um I'll go into depth and some of those in a bit I do want to note, of course, that the open ssf is supported by a very broad set of uh both Premier members. uh These are the organizations that have made the major commitment, both in the form of some cash that will fund our operations as well as full-time Engineers uh working on different projects, uh we're very grateful to them all um and and really believe.

A

You know, we've pulled together the core set of organizations that can help push forward better security and open source software. We're also further supported by a very amazing set of general and Associate members General members of those who are a range of companies, small, medium and large, who will also believe in our mission and Associate members are other non-profits educational organizations.

A

In some cases, regulatory organizations who also are aligned with our mission and also are here to learn and participate and help us really grow beyond what we as a single organization, could do so we're very grateful for their participation.

A

um In fact, the sum total of these organizations recently crossed 100, which is a landmark for any type of organization of ours. uh It represents a scale across not just the cloud ecosystem and the security ecosystem, but but into various sectors like finance and others, uh and we're really grateful again for all of them to be supporting our work here.

A

uh In fact, we just recently welcomed a bunch of new members uh and and I'm really most most excited to see the the new associate members, the open source business Alliance and the python software Foundation uh within uh with some really deep engagements, in trying to work together to improve the state of security in the python ecosystem. But thank you to our new general members as well.

A

um uh If your organization believes in what we do and would consider becoming a member, we would love to talk with them. Please have uh you know please reach out by emailing us at membership, openssf.org and there's lots of ways to get involved with. This is uh in particular, the kind of organizational support that helps us wake up every day. Thinking about ways to better support. The community um and I also want to emphasize that you know like any open source project. What really matters are the people who show up to help do the work.

A

uh We have a tremendous governing board who really helped us align what we're doing with their company's initiatives with the broader uh state of the ecosystem out there uh they're all major players within their own organizations as individuals, but it's really when they come together on our monthly calls or supporting the different committees that we do, but also really driving the kind of personnel investment and the adoption of these Technologies into those their own organizations where they really shine and help us and I'm deeply appreciative of each of one of them who are participating.

A

um The open, ssf technical advisory council is uh really those uh the technical community. The technical uh Council most focused on harmonizing our technical efforts at the open, ssf uh kind of loosely coordinating, Loosely overseeing, but but really at the end of the day, helping make sure that everything we do from a technology point of view is meets a high bar for quality and professionalism. We are actually about to kick off elections for the next technical advisory, Council and so we'll see some changes in this.

A

In this roster and I'm grateful for each one of them, who've been able to put forth a huge amount of work over the last year, probably get us to where we are today.

A

There is a core open, ssf staff here that is supporting us, both obviously here worldwide, as well as specifically in the Asia Pacific region, uh and it's you know uh there there we are the air traffic controllers, we're the behind the scenes uh orchestrators, we are not the ones who fly the planes, um uh that's all of you and all of our members, uh but so much of what makes this uh Project work uh is is due to their help, so I'm very grateful for my. My co-saf uh clearly make it fly.

A

So let me uh cover some of the major announcements that have hit since the last time we met here at a town hall back in October, we announced the general availability of six store. Six store is, hopefully all of you know, is a platform for signing digital artifacts uh in the software supply chain and verifying those signatures in a way that provides greater Integrity to uh to the distribution of software in a world where we're working together on source code, but so often we're actually Distributing and combining binary code.

A

You really want to know that it comes from the source that you think it comes from, uh and six store is a key part of that, and it's been great to see the adoption of this by the cloud native community and by other organizations open source organizations pushing it forward. We also have published updates to the concise guides for developing more secure software and evaluating open source software.

A

I'd say if you're an open source developer, and you want to start uh with one checklist of both how to evaluate code that you're, considering adopting as a dependency and then what you as an open source developer and your other co-maintainers should do to make your project more secure and make sure people understand that you're, taking these extra steps to make them more secure.

A

These two concise guides is, are perhaps the best place to start, and all of them have links to lots of other, or both of them have links to lots of other details that that really brush things out. But it's a great checklist to get to get started with if you're, developing or consuming open source code.

A

uh You know with a little more depth uh into something specific. The best practices working group has developed something called uh the the guide for coordinated vulnerability disclosure, uh as we found sometimes bugs uh get found security bugs get found and released to the wild in a way that creates a lot of disruption for for users of that software and they're Downstream users and the downstream users uh and coordinating a major disclosure is a challenge, and it's not something that they teach at.

A

You know computer science courses in in colleges or that many of us pick up and as we're starting our computer science, educational Journey. So this is something that we would love to see open source developers, particularly maintainers, particularly leaders in open source organizations. Pick up understand, perhaps even read ahead of time before the next major bug. Pops up that you know they have to, in a very short amount of time, scramble and figure out the right way to coordinate that process.

A

um uh Likewise, many of you are perhaps familiar with this uh course that we've developed uh called developing secure software. We've now been engaging in Translation efforts, the first of which is a translation into Japanese uh that which is just like the English language course available for free, as well as certifications around that. So we do see extending this into other major languages. Just because you know English is not a language we can assume, is universal uh and uh really happy to see this happen.

A

um Also, since August, uh one of the major new projects to come in uh to the open ssf is something called the secure supply chain. Consumption framework, the S2 c2f guy, is a framework for organizations that do software development and when they taken a dependency on open source software. How do you manage that dependency? How do you manage updates to it? uh How do you I have a basically a process for making sure that you are able to fix close-up issues uh and and for your upstreams and your Downstream uh communicate that appropriately?

A

That's what s2c2f is all about, and it nicely complements the salsa specification, which is uh very close to a stable release and we're really excited about that too. uh But so it's a very complementary framework to that, and just like with salsa you'll, see both specification work and supporting the software uh being built inside of the openssf. Both of these actually are efforts of the supply chain. Integrity working group, uh which which I highly recommend folks follow uh We've, also started to publish some content uh uh on the openss blog.

A

That's a little more, uh uh um a little more high level, a little more intended to reach a broader audience. uh We felt, at the anniversary of the log for Shell event, uh I'd like to show uh disclosure that it was worth noting what had happened since then uh What uh how the industry had moved on from that.

A

What some of the lessons were, but also some of the changes that that we've seen and that we ourselves have been pushing for uh ever since that event, um and so that's a blog post we'd, certainly encourage you to go check out and read. We also have started to play quite a role in public policy relating to securing of software. um It turns out a whole lot of governments are starting to ask questions about. How are we managing security?

A

How are we trying to to sew things up now that open source software is being dependent upon for critical infrastructure? We have an internal committee called the public policy committee that uh talks about these changes that are happening externally and how we might want to address them publicly, but we I I, one of the things we did was put out a public statement about an ax that was proposed in the last Congress called the securing open source software act uh that started to has started to incorporate many of these.

A

uh Both Technologies and ideas that that we've been talking about others have been talking about uh that. Could, we believe, could lead to more secure software by default. So it's fascinating to see both the executive side of the legislative side in United States in Europe in the Asia Pacific region in in many other places, start to wake up to the roles that they can play in both setting some new standards and demands, but also hopefully, providing resources for that. So we're really hoping to encourage that.

A

In fact, that was the broader message of another blog post. We made on engaging policy makers and the ecosystem on open source software globally. um uh My uh my LinkedIn title says nerd, Diplomat and I'm.

A

Finding that is starting to be much more relevant even to the public policy side, where simply going out and talking about what we do, what we're doing the Technologies we're building the processes we're working on specifying, but also the relevancy of that to um to everybody's interest in seeing more dependable, secure, critical infrastructure, um just that continues to be super important even a year after log for Shell, even even as we go into into 2023 um back to the openssf one of the major uh new working groups.

A

In fact, the very the last working group that was created the most recent working group that was created I I- and this is new since August- is the open, ssf end users working group. This is uh actually convened by a number of participants at Citigroup at a number of other Financial organizations and some of the the folks who serve those uh that industry, um but not it's not exclusive to finance by any means.

A

What it's intended to do is to say from the perspective of people who are not Cloud providers who are not tools makers but who are consuming this technology and who are having to put it to work in critical infrastructure. uh What what are the Technologies? We should be building. What are the the kinds of dashboards we could should be building the kinds of processes we should be promoting that make them uh participants in in this entire thing.

A

um So that's what the end users working group is focused on uh they've already been working on some technologies uh relating to pulling these different pieces together into a unified, secure software Factory. In fact, a project called Fresca is underneath that working group uh and- uh and it's a really exciting way, to frame a lot of the work that we're doing um uh back to something more nitty-gritty, uh We've I uh jumped in as you're many of you are familiar.

A

We have a project called the security scorecards, uh which has gone from strength to strength um based on the success of uh an API, the API driven uh uh kind of display of best of of the open, ssf best practices badges.

A

uh We felt it would be useful to also display badges derived from Project scorecards uh scores that uh from the million different repositories that we've uh analyzed so those scorecard badges are now able to be shown inside of GitHub uh and and in other relevant places, with a pretty easy, pretty easy link um and a lot of the work from the open ssf uh was put together and summarized at the end of last year into the 2022 annual report, uh and uh it would be really uh if there's one thing that you want to read or pass off to your manager or to somebody else to help them understand the breadth of work that we work, that we do here at the open ssf.

A

The annual report is really a great way to get that all in one place, um we've had a number of face-to-face events as well. uh uh Over the last uh year. uh Open ssf days have been the predominant kind of vehicle for this, and we've done that, both here in the United States back in last May, I I, but also since August, in Japan, in Europe uh and as well as meetups, uh just earlier this month in Tokyo and in Hong Kong late.

A

Last month, uh we also had a booth and participated quite a bit as a sponsor at the cloud native security con uh in Seattle a few weeks ago. All of this is about getting out there pulling together a community showing our faces to each other talking about the tech, but also building a sense of codependence in the community, uh so that we can. We can move forward on some important projects and in that vein of the one upcoming thing I want to put in front of you is uh that openssf day is coming up.

A

May 10th. uh We still have a cfp open for this for one more day. The deadline is tomorrow to submit a talk for that. um We hope whether you submit a talk or not. All of you consider joining us there. It is happening concurrent to the open source security Summit, North America, which is another great reason to attend, so uh come for. Both events come for one or the other, but uh it'd be great to see you there in person and with that I'd like to pass the Baton to Michael scavetta Michael.

B

Awesome thanks Brian.

B

Co-Lead the alpha omega project, uh as well as the identify security defense working group um I've been with openssf since, since the Inception and I've been at Microsoft for about uh 10 years, where I lead an open source security team next slide.

B

So Alpha Omega is a uh is a project within within openssf. Our goal really is to you know the slogan we've been using is turning money into security, so we are funded uh with a uh with grants from Microsoft, Google and AWS, and we're extremely thankful for that, and we've been able to take that money and put it toward um improving the security of the very most critical, uh open source projects and ecosystems, as well as looking for um vulnerabilities in a slightly longer tale of critical projects, just not in the top 100..

B

So we've had uh We've also published an annual report at the end of last year. Please please go read it. It goes into lots of details about what we do and why we do it. um I'm told I have the wrong mic selected. Thank you, um I'm, not sure it looks like the right might. um Maybe I'll just Mount closer to the mic um anyway.

B

So uh super happy to have uh uh Jonathan uh lycha, and um can you send a yes, sir, uh who joined the team at the end at the end, in the beginning of the end of 2022 and the beginning of 2023, uh also super thankful for uh my co-lead um Bob Callaway from Google uh and Brian Russell, uh also from Google and helping move this initiative forward and uh making great things happen next slide, so the next uh yeah so so for for Alpha, as I said, you know we um we've awarded about two and a half million dollars in Grants.

B

We have another million or so uh earmarked, um and these are currently spread out over five uh organizations, so node jQuery, Eclipse, rust and python Foundation.

B

um We chose these number one because these are extremely critical, ubiquitous uh structural um uh ecosystems and and tools and platforms, um and it's really important that these things um are safe, because these are things that when people build things on top of um the next couple, slides are just as a um I'm not going to read them. But uh please read them when you when you look at the slides later or tonight, um but what what I think impresses me most about how alpha works?

B

Is you know we work very closely with these organizations to come up with the a directional strategy on the types of things that we we all want to see happen from a security perspective, and then we get out of the way and we let let the organizations choose how best to implement and have how best to go chase those things we've been really happy with. um If you go to the next slide, um there have been a number of individuals that have been hired uh into these organizations um a lot of cleanup.

B

um You know the security improvements in the jQuery server Fleet next slide.

B

uh Eclipse has uh is, uh is doing security audits of Jenny jcube and mosquito they've hired three people to um to take on security work within the eclipse. Foundation next slide.

B

um Rust is doing some some excellent work, um including higher security engineer and a GitHub security scanning partnership with their their integrity is a secret scanning um integrator next slide uh and python. Surfer Foundation is hiring a security developer in Residence as well, so uh next slide. So the the point of all that is that you know: we've we've found that you know. While money doesn't solve all problems, some problems can be solved with appropriate funding and I.

B

Think the open source ecosystem is one of those that has been for a long time neglected from a um from a a serious funding perspective, I'm glad I'm super thankful and appreciative to everybody involved that we're able to um move the needle here. So that's all on the alpha side, the Omega side, oops, sorry that one uh the Omega side uh is about tools and automated automated analysis at scale scanning.

B

um So we've we've built some tools. All these tools are open sourced and available. Now, um including you know, tools that orchestrate you know, lots of different static analysis tools, um a portal for uh which is still in development, but a portal for triaging and managing uh lots and lots of security findings.

B

Assurance assertions to give a um to essentially measure and then write apply policy to the security quality of Open Source, which is different than um metadata like is it maintained, or does it have publicly known? Cbes Assurance assertions is more like when we scanned it with a static analysis tool.

B

Did it find SQL injection things like that and then we're doing other Integrations to more rapidly and efficiently report vulnerabilities at scale and get them fixed, because, no matter how many people we have you know involved and how much money we can apply to this, the scale of the open source ecosystem is, is immense and, and we have to do things efficiently next slide.

B

So coming soon, um we are planning to do more Alpha engagements, more tools, we're advancing all of these. Every day uh we have been speaking at conferences, we're going to continue to do that.

B

We have a mentorship program um that will be announced pretty soon uh we are looking at or partnering with some universities on on how to um you know, essentially helps students kind of build the next generation of security researchers and with a focus on open source security uh and a automated vulnerability fixed campaign, so that with ideally the push of a button we can get fixes out to thousands or tens of thousands of projects for these ubiquitous um vulnerabilities that we find uh We've also been helping out uh in the vulnerability management space, uh helping to advance uh disclosure policy and process so that when we find vulnerabilities, how can we report them like we have to write down what we're going to do so that we can repeat it and do it do it um uh reliably, and how does that work with with automated vulnerability reporting next slide?

B

Oh we're also going to have some swag at some point, so uh stay tuned. uh If you want to get involved, um there's a public meeting on uh it's the first Wednesday of every month, so the next one is April 5th um come help us improve our tools, we're, but all of our tools are on GitHub public um get involved. um Come chat with us on SLAP we're super friendly.

B

um We're on the alpha omega slack, Channel um I, tried I! Think! That's it back to you.

A

Great, thank you um and Josh I believe this. Is you right? That's.

C

Me.

C

All right, awesome, hello, everyone, my name is Josh Brussels I'm, the vice president of security at a company called Angkor. We are the people behind the sift and gripe scanners. You may have heard of but I've kind of been around security forever. So I'm, not if you want to know more just search, Google or something so, let's jump right into it.

C

Brian all right, so I lead the espion everywhere group with Kate Stewart, who many of you may know from spdx Fame, and this group has its roots from the mobilization plan for from the ssf, which I know is I, mean man, that's been what it's more than a year now, I think, but basically what the the purpose of the group is to start to answer the questions of how do we take some of the ideas and usage of s-bombs and bring it into the open source Universe which, to date I think s-bombs have been very government in regulated industry focused, but there's definitely I think some interest in how we can be more engaged with open source, and so that's kind of one of the goals.

C

For for this group, we obviously want to bring s-bombs to everyone, but obviously the open source Focus being the open ssf. It's kind of a big part of that. So, let's jump to the next slide and we'll kind of talk about some of the things we're doing so.

C

These are the I guess work in progress at the moment. Some of this is farther along than others, but obviously anytime. You start a group like this there's a certain amount of like. Why are you here and that always sounds silly. Every time, I start a new group or work with a new group, and but it's really important, because you have to Define your scope and make sure you're not often left field. Doing who knows what that.

D

Doesn't matter.

C

So kind of the things we list here are what we're we're really trying to focus on. Is we want to work with projects? It's very easy to not invent it here, anytime, you create a a new project or a group, or anything like that, and there's a lot going on in S1 I tell people that every time we have an s-bomb everywhere, meeting I learn about some new group or effort or project or something going on in the outspomb world.

C

That I didn't know about I thought I knew a lot of this stuff and it is very clear I do not so the first big focus is that we want to work with groups. We don't want to replace groups, we don't have any intention of doing it ourselves if someone else is working on it. We want to be the connections between two other groups that maybe aren't talking today and I'm, going to skip the next one and go to there.

C

There's the landscape is kind of our our vision of how we want to do that, and so, if you've ever looked, the cncf has this really cool tool.

C

They call the landscape and just search for it on Google and take a look at it and it's a really nice way to visualize an enormous number of projects and how they interact in the cncf universe, and we would like to do something similar with s-bomb and the purpose of that is to help groups and projects and people find one another and understand exactly what's going on and so we're putting together a proposal for that again. This is kind of like back to Michael's concept of you know. How can we turn money into security?

C

Well, we want to turn money into s-bombs in this case, so we're looking to get that funded at some point in the near future. I'm going to jump back up then there's the spdx python Library. One of the things we did early on was because Kate Stewart's involved. She she said, you know we have this spdx python Library. It needs some love and attention.

C

It would be lovely if we could have the open, ssf fund, then and I'm super proud of this project, because this is an instance where the openssf took some of their funds and they sent them into another project. Like excuse me, the spdx work is not happening inside the open, ssf, so I think this is very forward thinking and it really impressed me that the open, like there wasn't even a second thought about it like Yep.

C

This is a project that means some funding to get some work done, we're absolutely on board with this, which is awesome, and then the the last thing on the list is what we're calling connecting resources to open source and what we mean by this is. It is very common when you're part of a working group to have someone show up and say, I want to help, and then sometimes you have things they can do.

C

Sometimes you don't, it can be frustrating there's this huge gamut of what it can be, and so what we really want to do is find people interested and willing to help open source projects start on their s-bomb journey, and this isn't an instance where we're going to try to turn money into security.

C

But rather this is an instance where we want to send people in to do the work, because you there's no way we can show up to an open source project and say: oh hey, you should do s-bombs they're going to be like oh hey. No, we shouldn't go away, and so this one we're working on its early days, but I'm I'm, extremely hopeful, because I think there's a lot of people in s-bomb everywhere that are saying, like I have folks who want to help. What can they do?

C

And we also don't want to just like send people out into the world with no direction or purpose, because that's that isn't going to be good for anybody and jump to the next one Brian, and then this is just kind of the group right. This is where we are. We meet every other Tuesday 1105 is not a typo I. We start five minutes early and five minutes early on the hours, because we all have bio breaks and too many meetings as it is uh next meeting March 28th join us everyone's welcome.

C

We'd love to talk to you. We've got a great group of people. We've got a bunch of cool ideas. We've been working hard. It's it's not a lot of Hands-On at the moment, but we're definitely a lot of planning so by all means and jump in slack if you want So yeah. Thank you everyone. If anyone has questions or anything, find me on slack or ask them here. Thank you.

A

Thank you, Josh, and uh turning now to um uh Christine um and Jay right uh would be um leading the conversation on diversity and inclusivity in the open, ssf.

E

All right, so uh uh thanks, Ryan and so quickly. uh My name is Christine and I lead the open source program office at F5 I've been uh uh sitting in on open ssf meetings for a little over a year, uh primarily in the best practices working group. Next slide.

F

Hi I'm Jay I am a member of the open source strategy ecosystem team at Microsoft. um My co-lead, this, the Deni education sync with Christine by Coley risk dashboard Sig under the identifying security threats working group um coming in as a vice. As a co-vice chair of the supply chain, Integrity working group and I co-lead, the S2 c2f Sig under the supply chain, Integrity working group um yeah I, have to be.

E

All right, yes, next slide, so uh just to kind of give you a quick uh just like Josh said in the wire. We here is that's a good question and to just the history behind this. Is that uh one of the mobilization plans stream one was around uh security, education and so- um and this was uh then adopted by the developer, best practices, working group and the goal for this thing I wanted to adopt.

E

It is because there is um traditionally cyber security is not something that a good cyber security hygiene or even just good security practices is not something that has been paid attention to. In addition to that, there is a shortage of cyber security uh professionals, so wanted to adopt this stream to basically put that into uh into motion, and so the first part of that is, there were, like uh three streams were created out of that um to tackle this problem in in different in different areas, one included just curating and seeing what was out there.

E

The second was related to expanding the content, based on the findings from the curation process, and there was a third around. How do you reward and incentivize developers who either go through the training or what kind of certifications should be there, and part of that was also like? How can you get meaningful employment, so this education plan was put together, uh refined and reviewed and formalized, and as we were going through that process, we noticed that there was some gas related to diversity, equity and inclusion.

E

Some parts of the plan that needed a little bit more fleshing out. So that's where uh Jay and I kind of like uh put our hand out and said, we would like to form something that would specifically be tackling these and some of the initial goals that we've talked we've thought about is like: how can we look at the education materials and make them more accessible specifically to underrepresented groups, so as we're looking at creating the content or even looking at expanding the training, what did we need to pay attention to?

E

Additionally, we were looking at seeing. How can we ensure that the pathways to success were made available to the same underrepresented groups and what are some of like the barriers that seem to be there, whether traditionally in software or even like, specifically, in cyber security, and we find that this actually aligns really well with? If you look at the U.S cyber security strategy that was uh released, I think about a couple of weeks ago, there's a section uh 4.6 that you can read out here and it's looking at.

E

uh We need to take a comprehensive and a coordinated approach and how we want to expand. Cyber Workforce needs to look at improving diversity and making sure that the educational, the training, Pathways and the path to success are are in place, and so this that really aligns with the why we are doing what we are doing and there's the small group that's been meeting our uh regularly.

E

uh The groups started meeting regularly December last year and uh we've been talking about like what are the different things that we need to do, and the folks from different uh backgrounds spanning or this educational folks, who are specifically looking at targeting some of the communities that we want to reach. So that's basically who we are and why we're doing this so I'll hand it over to Jay next slide.

F

Thank you Christine.

F

um So, in order to do this effectively right, we wanted to identify um really a few Focus areas that we wanted to to hone in on, and um you'll see those Focus areas off uh to the left hand up to the left-hand part of the slide. We really want to Target in advocacy and communication uh as a first one. So what kind of uh what kind of stewards are we going to be uh in this space?

F

And how are we going to communicate that out to the community at large and we we really want to understand those things and then research and thought leadership what's already out there uh what's already out there? What are some of the great things that a lot of organizations have already done and what a lot of the thoughts out there around the eni, um including how to be better allies um and and respective uh cultures and spaces um partnership development?

F

Who can we partner with what organizations are doing some of this great work out there that we can lean on? um How do we reach up into into uh the LF and reach across uh to other uh communities and organizations underneath and see what kind of efforts they have going on, whether or not we can collaborate and, of course, training and engagement?

F

What kind of training is currently out there and then, and how can we better uh orchestrate ourselves um to meet some of that demand and, of course, as we March over into the education element down into the schools and into the different educational institutions, where we have those underrepresented communities or the of those uh underrepresented voices that we can Target and provide those kind of resources too?

F

um Well that leads us into the right side, uh where we talk about some of the things that we've done thus far, um so we've we've aligned ourselves around the groups that we want to Target now. This is important, and this is important because we didn't just look domestically with this and I think that's something that's extremely important.

F

We took a global look at this and really challenged ourselves to think dynamically um about what true d e and I is uh including what it means to be allies, as I said before, um we wanted to make sure that that being aware, where constructiveness of Mind here, we wanted to make sure that we're allies in other places where there might not be as many resources and what kind of resources can we provide. So we we went ahead about this.

F

We went about this in a way where we said how can we expand uh our thoughts and how can we use this tool that we have to do that?

F

um A large part of that uh is including, and then Mike talked about this earlier uh within the alpha omega project and and the colleges and universities pilot that that is currently being designed, um the mentorship opportunities there in interview skills opportunities, the Outreach opportunities um you know, looking at whether or not we can get institutions I believe we want to start with at least one to two institutions to get this uh to get this off the ground, um but really targeting.

F

Who can we partner with here and and then do we look at um hbcus?

F

Do we look at um you know other institutions and other Latin or predominantly Latin institutions and other you know: where do we go uh and actually partner with organizations to get some of the stuff off the ground, so that stuff is extremely important as well, and what what this allowed us do when you see that final bullet comment, there um we constructed and and I and I can't wait to show this to any new people who actually join and we'll talk about how you can join here uh in in the next couple of slides, but we constructed this amazing uh spreadsheet, probably the first of his kind.

F

When we put together this this list, Global list of organizations, partnership opportunities- we even are boiling it down to sponsorship Etc. So that's that's uh gives you an idea of how we went about our thought process. The things we've done done uh thus far, and and uh this next slide, let's talk about what we got coming up next and Christine and I are both the collab on this one. So next slide, please.

F

um Right.

D

So, what's.

F

Next, as I said to you before um our four focal points, um those four focal points they they're, they lend themselves to have a higher calling so to speak. So one of the things that we have coming up next is perhaps lobbying for centralized Deni Stig of which the education sync Falls underneath and then we can expand that out now to outreach. We can take those other pillars, advocacy communication. They could be their individual uh on six, so that gives the opennesses up as a whole uh fuel.

F

To then reach uh to you know, make the make the reach a little shorter into the LF and how we build that Bond and how we expand across uh to the other other organizations, um so you'll see that there um we do have uh uh in the o, Open Source Summit, coming up, uh Christine and I'll be hitting the uh hitting the stage once again to to talk about our Deni efforts, um we'll be uh focusing on also Outreach across the different security conferences as well.

F

um So you see, we got some big things coming up next uh Christina Jonathan on our partnership, development and training and engagement opportunities.

E

Yeah so, um as we kind of look Jay mentioned, uh go back to the slide when we're looking at uh some of the opportunities we want to actually be on like alpha and omega as an example, we want to also reach out to the other, open, ssf working groups to see if there's any opportunities to collaborate with them. So that's one of the things that we want to look at and there are existing Linux, Foundation, dni uh initiatives or programs such as LFX mentorship.

E

Where can we go in and actually partner with them as well and uh I started that the way we began? The subcommittee was under the education six, so I want to go back with our learnings and go back and refine that plan so that we can include any of the work we're doing especially things around Partnerships and as we think about what we want to do in the future.

E

One of the things that is measuring the effectiveness of what we're trying to do in the education and overall requires us to actually be very thoughtful about how we are resourcing the statistics, because a large number folks that we need to reach may not be places where it's really actually easy to measure um some of that work. So, when I look at our strategic Partnerships, uh who may already have that information, how can they actually provide ethical and accurate sources? So that's the risk.

E

If we actually do not do this work, that we want to be really mindful of next slide.

E

So Jay you want to finish this off yep.

F

So you have here where you can come find us where you can come join where you can come be a part, see some of the great work that we're doing and be part of that great work as well. We meet every other Tuesday uh at 11, A.M Eastern. Our next meeting is March 28th. You could find us on slack that slack channel right there um yeah. We got some big things coming and thank you guys for listening.

A

Thank you so much Christine and Jay. This is incredibly important work. um uh The work of the open ssf will only be successful if we can really broadly reach everybody involved in the software community and ecosystems, so uh your work is incredibly important. uh Thank you. So much for this and and to bring us home I wanted to uh get uh David wheeler on the mic uh to talk with you all about how to get involved in the open ssf in our various working groups and projects. David. Do you want to take it from here?

A

Absolutely.

D

Next, uh so thanks very much for letting me talk next, uh so we've got a number of different working groups um and I'd like you to very much think about gee. What could I be involved in? What's interesting? What do you uh find? You could add value in um these? Shows our various working groups, uh projects I'm, going to look on real, quick note: the real, quick best practices, identification, awareness, education, vulnerability, disclosures? How do we improve vulnerability, disclosures and use this working group, the voice of public and private sectors?

D

uh We have a top level project. Sig store. uh Identifying security threats is all about metrics reviews, security. Tooling. We want to improve the state of art security tools, as mentioned earlier, absolutely includes that's bombs. Securing our software repositories supply chain Integrity includes both salsa and sgc2f uh securing critical projects trying to identify. What's what are critical? How do we analyze them and some Associated projects, including say Alpha Omega next.

D

um So this is an attempt to show how our various projects and sigs work together and the real Point here is. uh There is no one Silver Bullet, um and indeed our projects span all the way from in developers heads through source code management, building, packaging handling dependencies, all the way out to end users, um and so we basically have projects that go throughout all of those processes. Next,.

D

And so really what I want to emphasize in a very very short time? Is we really want more participation? You know if you're not already involved in the open ssf, please get involved, there's a lot of ways to get involved listed a few here, we're going to talk about just a few in the next couple slides. But my point really is: if you're interested, Come and Talk come and find out, what's going on and uh see if there's a uh you know something that speaks to you next.

D

So an obvious one is joining a technical working group. We have um online meetings pretty much all the working groups uh meet every other week.

D

um You can join them by actually showing up at a meeting or even just various other mechanisms that we'll talk about in a moment, but that's certainly a way to find out. What's going on, see how you can help next, um then public, meaning like say this one. You know uh we we'd love to. Have you here, love to have participation next.

D

uh We use slack for our real-time Communications. We, um this is not recorded forever, so this is not, for you know, major things that need to be recorded for posterity, but things like hey I've got a question. Where is this? Where is that you know um uh please, we've we have uh way to quickly answer those kinds of questions. Next, you know following us following that we've got a lot of different presences and various kinds of social media. uh We've got a couple links right here. Next.

D

We have a number of maybe lists sign up uh if you in particular, though, all the working groups have mail lists, a member of these sigs and projects have their own um enables you to communicate and work with in an async way. Next, and of course, you know hey, you can provide feedback on this very uh uh meaning right now, we're having today uh film survey. How are we doing? How can we improve?

D

uh Fundamentally openssf is all about collaboration, and so we really need to have everyone collaborating together to make the world a better place. Next.

A

Okay, thank you, David and, and poor David I I told him to make sure that we left time for questions and answers at the end, um but uh just do want to continue to emphasize uh how important it is to to to get involved and what the opportunities are so I'm gonna stop. Sharing I'm gonna ask everybody to turn on uh their cameras. If they can, um and uh hopefully you can, let's see, uh turn mine on there. We go uh and I um I'd like to go through some of the questions.

A

I've been asked, uh but actually I want to start with some that were kind of answered and taken off the Q, a thing because there was one one that seemed to be pretty important um from Tad Taylor.

A

Are there particular projects or areas that are more in need of volunteers, help than others um now I I feel like every project under openssf uh could use more I, don't think, there's any who are like whoa too many volunteers, no more needed um if you ever get a sense that it's maybe hard to figure out where that locus of activity is definitely tell us, tell me personally tell because what we're really trying to be is as transparent about where the community activities are and that kind of thing we know that sometimes as Zoom centered culture can make it hard for people to participate.

A

uh But we really try to emphasize. You know, get things done over async tools, that kind of thing, but um well the one I would love to draw some attention to. Is the security scorecard effort um I? We would love to see more folks participate in that it's it writing code. Helping us move that along they've got a really ambitious roadmap for this year and we've got some resources to help. Do some work on that, uh but uh um that's a place where some volunteer time would be incredibly High leverage.

A

uh Does anyone else on the group want to throw out their their favorite call for help uh from some part of the open, ssf.

D

It's a lot like asking us to pick our children, our favorite.

A

Child every one of them can use some help. I I think the most important thing is find something that really interests. You become a a user of that code. You know a consumer of it, um get to understand it well and that'll just naturally happen. You'll find bugs you'll you'll, find things to add. You know get get to know folks, but but I really appreciate the broad.

A

The broad-based kind of like query of where somebody with some some time could be able to help us further in the mission um and, if you're not quite sure, find a working group that is like in a domain you're interested in, because that might be one way of understanding the different things going on under that working group and then get more specific. As as you as you learn more there isn't any anybody else want to add anything from the, but thank you. Okay um and I'll make another plug for the Dei effort as well.

A

That's one that also could use lots of voices, lots lots of help from people to get involved. There was another question that got answered very quickly: moved on I want to just bring up, which is I, I feel obligated to mention it uh this week, which is um from Christoph, uh will AI be used for the industrialization of vulnerability, hunting and Foss. Ask Chad GPT for all uh um uh I think it's SQL injections in projects, um uh Michael scavetta I, think I'll pass that one to you.

A

Where do you see chat, gbt, potentially uh making it possible to you know, find find security holes more quickly, and is there a role for that at the open, SSS.

B

I, so I I think that Ai and ml, especially are emerging. um Gpt3 gpt4 um will make both Defenders and attackers better. um So if Defenders don't get on board and and use AI um to make better decisions and find better, you know find things that are cheaper. Faster uh attackers are going to so it's inevitable that we're gonna go there.

B

um I, don't I, don't know if it's it's just incremental like we're going to have a decade or two of antivirus Cat and Mouse, um maybe we'll see, but we all need to be very cognizant of it. I know that AI is being used in some places to you know, essentially share it out um false positives and do better prioritization things like that. um I think that there's a there's, you know a thousand times more that we could do with AI um the next. The next couple years gonna be interesting.

A

Thanks Michael uh David, do you have a comment on this? Is your thought on this yeah.

D

I, first of all, I do agree with Michael that I think it's. You know it's like many other tools, it's an accelerant. It can be used by both Defenders and attackers.

D

um So you know Defenders need to take advantage of the Technologies where it makes sense uh we're still trying to figure out. You know where it where it makes uh was useful, whereas not mean gpt4 is just recently coming out, come out um official. At least um that said um you know we are always interested in improvements and so on The Good.

D

The good news is that you know from the point of view of you know: hey what's the code: if code doesn't have vulnerabilities, they can't be you an attacker can't create vulnerabilities that don't exist.

D

So um I think there is room for hope, uh longer term here uh and we're still trying to figure out exactly where these Technologies uh come into play.

A

Yeah and inside the open, ssf I think this is the kind of thing I might Merit its own working group uh at some point, um or at least a dedicated kind of group to focus on because I don't know where it would live right now, under our current kind of hierarchy. um Let's um move on I I want to ask one from the current open queue from Gil Yehuda, which is McGill says long ago. The stack was represented by four letters. Lamp today, dependency trees are in the thousands.

A

Cves are published at an increasing rate, but researchers note that most are not event exploitable. That suggests we're heading towards a scalability failure. What can the open ssf do to address the volume of work, so we can address Security in more efficient ways such as through bulk categories, I'm, not sure what he means by both categories, but I'm thinking. This might be something that Christine, Jay or Josh might have some insight on. Do one of the three of you want to want to jump for this.

C

No I can I mean I'll. Add a comment is just that. There's a vulnerabilities, I think there's a couple of vulnerabilities working groups: Crow heads them up, go talk to those folks like they're the ones who are talking about this stuff and they probably have the most Insight of anybody.

A

Yeah well, I think I. Think really that part answering this question as part of the story of the open ssf. You know I think it's through a combination of tools like salsa and stc2f, uh that we get to a sort of process, implementation and conformance it's through Sig store uh and uh that that we sign artifacts through this and can systematically check their their veracity without having to recompile the world from scratch. uh It's through things like s-bombs that uh and and increasingly Technologies like Vex.

A

uh That uh will help us drive automation around handling of of those CVS at scale uh to hopefully get to the point where Enterprises can have a dashboard each morning. That gives them only only the things that they have to worry about and not try to boil the ocean by updating every component every day um uh it's kind of my take I and and Jay I, don't know if you wanted to throw in anything about stc2f and salsa in. There is perhaps ways to help address that.

F

um So you know the the beauty of of partnership and collaboration, um so we you know, bringing in s2c2 up and thinking about dependency management. Also, um you know the evolution of salsa from from it it's in its Inception, it's an initiation incubation into what has become to now. What is actually thought around the build portions and the source portions and then and then and then, where all of that can come.

F

It just creates a situation where we can now think about end to end uh supply chain security, and this is a caveat to what what Brian's just said um when we consider the tools that are available out there and and the tools that are available in the open out there and those tools that we can then uh conceptual.

F

You know and concept think about in their application implementation into these Frameworks in the work efforts that this there is no place that we can't go um considering how we address uh supply, chain security problems um and and we're doing that as a community which, which is which is always uh amazing, to see amazing to witness.

F

We got bumps and bruises right as every as every Community does, but, but um you know, as we March four we March forward hand in hand and the The Innovation that gets created as a result can only be looked at in awe. So um you know that's the thing about s2c2f, and it's also also think about that. That's not the that's, not the Finish Line! That's still! That's still the beginning.

A

Very much so, um okay I'm trying to look through the other uh uh questions here.

A

um I, I and I want to add one from uh there's a couple of clarifications uh just for where folks can go to contribute where some of the conversations are happening uh and again, uh the the list of links that are in this deck will be kind of your guide to where to get started on this uh I think this is actually since we're in the last minute, a good time to wrap up I want to thank my panelists uh uh for the presentations and for the participating.

A

The participation in the conversation I want to thank all of you, who've, given us an hour of your day, uh to learn more about the open ssf and where we're headed uh and I hope we've. Given you a taste of what's going on, certainly it's not everything uh that would take about six or eight hours of a webinar to go through. There's a lot more here, Beyond, even those things that we've been barely been able to touch on so I.

A

Really, if you're interested in this topic at all, come and visit us on slack, uh get to know us uh in the different working groups, uh and we will find a way to put you to work if you've got at the time and the talent um I again just want to thank everybody involved in putting this together, and we will see you at the next town hall, if not sooner thanks. Everyone.