Jamie Thomas: What is the OpenSSF

Alan Shimel 0:06
Hey, everyone, we’re back here live at the Linux Foundation’s Open Source Summit here in Austin, Texas. And as we mentioned earlier, today is is a day of, I don’t know if you want to call it daughter-sister foumdations or satellite conferences, the main event really starts tomorrow. But there’s several important foundations who are holding conferences today. One of which, and kind of the one kind of the nearest to me is the Open Source Security Foundation. OpenSSF. And we are really happy to be joined by Jamie Thomas, who is the governing chair or the chair of the governing board. Jamie, welcome to our show. Thanks for joining us. So, look, when you’re not busy running, or being Chair of the Board for OpenSSF you have a day job as well. If you want to share with our audience feel free.

Jamie Thomas 1:05
Well, first of all, Alan, thanks for having me. I’m really pleased to be here to talk about OpenSSF. But I am a general manager at IBM responsible for systems development and delivery as well as IBM’s enterprise security program. And enterprise security, of course, is how I got involved in this particular topic.

Alan Shimel 1:22
Absolutely. And that look, that is a world and job unto itself. And we could probably do a few hours on that. But we’re going to focus on on OpenSSF today. So, you know, for most of our audience is familiar, we’ve covered,we’ve had the pleasure of speaking with Brian from OpenSSF a few times. It was a nice idea I think when it was first conceived about yes, we need to do something about security, about the security of open source tools specifically.

Alan Shimel 1:53
And then kind of all hell broke loose. You know, sometimes, sometimes things just work like that. Right? History runs in currents. So we started the OpenSSF. And then we had this spate of supply chain security issues and the whole SBOM thing with the White House. And then like kind of the cherry on top was log4j, it was around when January or December of last year. And that’s really, I guess, accelerated has it accelerated. Maybe you had big plants to begin with. Talk to us a little bit about kind of the whole OpenSSF and how it all came together. And what’s happened?

Jamie Thomas 2:33
Well, I think it was very fortuitous that the industry did come together last year with the Linux Foundation to create a new governing body around open source security called the OpenSSF. Because as you say, not long after that we had this industry compelling event log4j and realized the industry had already had we’d already had Solarwinds that year before, which also ruined our holiday in December. We had Kaseya, we had a number of these big supply chain attacks.

Jamie Thomas 3:00
But the difference I would say in log4j is just the predominance of the asset in code. It had been out there for over 20 years, it was a very utilized, a very popular piece of code. And so it affected a lot of software.

Jamie Thomas 3:14
So one of the things that you realize when this kind of thing happens, it’s not just about your fidelity of being able to identify it and get it patched. But for all those downstream consuming organizations, how fast do they roll out these patches, because we’re talking about a huge amount of affected software. So I think that there’s nothing like a true test of your governing body. And this was actually a real test run of what we needed to do in OpenSSF. And, of course, it garnered a lot of tension from the US government and other entities that we can we can talk more about.

Alan Shimel 3:48
Sure. Okay. So let’s talk a little bit about the charter or the mission of the OpenSSF. And it’s something I brought up to you off camera, which is okay. Log4J, let’s make that the poster child for a second. So log4j is basically this open source component, if you will, right, that many, many, many, many, many applications have incorporated into their package, if you will, into their source code. And it’s not, look, I’m not blaming the log4j developers or anything. There was a defect, I don’t even want to you know, it became a vulnerability but there’s a defect, while software has defects that we haven’t even found yet. But nevertheless, this one kind of went public and then we saw exploits with it and in the wild and such as the world of security we both live in. What is the chart is that what OpenSSS is about to prevent, or not prevent, but deal with future log4j kinds of events?

Jamie Thomas 4:55
Well, I think first and foremost, OpenSSF is focused on a proactive posture. Right. So how do we prevent these kinds of events? And so to do that, we think there’s a number of things we have to do. First and foremost is education, of course, in terms of basic security education for developers.

Jamie Thomas 5:14
Another key tenant is how do you put automation on steroids? So the automation and best practices that are reflected in that automation that open source projects can consume? How do you get that out to the most critical projects, and then provide some support for the long tail projects, if you will?

Jamie Thomas 5:31
It’s also about working, frankly, with other industry consortia as well as the government. Particularly we’ve been working with the US government in the OpenSSF to define what are some actions that are really going to make a difference. And I think critical to all of this is getting collaboration across the different insights from the governing body, which includes a lot of technology firms, as well as commercial firms. Like there’s a lot of financial firms actually involved in the governing body. What are the key elements that we really need to address first. So getting those priorities set, and then having an execution agenda and really getting something done in the short term, I think is really going to be important for this group?

Alan Shimel 6:14
Well, look, a lot of people look at what you guys have done, and you’ve gotten stuff done, right? There’s been a tremendous groundswell of support. And granted, log4j didn’t hurt you in that regard. But there are others. But there’s been a tremendous groundswell, right, there’s been a I think, about $30 million raised right, between some of the biggest names in tech kicking in here. There’s been the White House and CISA involvement. So it’s certainly, for a relatively new foundation, it has really garnered a lot of, I don’t want to say market share, but a lot of publicity, a lot of attention.

Alan Shimel 7:02
Now, of course, the question is, okay, how does this translate to rubber meets the road? How do we prevent the next slide? I don’t know if we can prevent the next log4j. But how do we minimize that?

Jamie Thomas 7:14
minimize the impact Exactly. Because I would say, if you look at what happened with log4j, the level of preparedness was not there. So how do you get it remediated fast? And how do you identify it? How do you help the open source projects be more effective. In this case, it was of course tied to the Apache Foundation. But not only that, how did the commercial entities then take advantage of that patch and act expeditiously to benefit the clients?

Jamie Thomas 7:45
So I think there’s a real opportunity here. In the world of cybersecurity, you often learn that no one pays attention to a lot of things unless there’s a huge compelling event. And that’s what this was. So while it was not desired, it was helpful in that in that vein, so coming out of all of the meetings that we’ve had, the collaboration that we’ve had across the industry, is going to be imperative that we execute, and that the things that we have identified as top priorities that we make measurable progress on those projects this year. And I think that’s the importance of this OpenSSF day here today in Austin, which is allowing us, with a key set of stakeholders, to start to share perspectives of the projects that are underway, and how others can engage in those projects. And how, once again, working together, we can actually make a difference.

Jamie Thomas 8:36
I think this on this ongoing level of engagement, making sure that we have the right stakeholders engaged, is going to be important to make progress. And as you know, in the world of open source, the nice thing about OepnSSF is we do have the ability to hire critical roles that can focus on this full time. Because the nature of open source typically is that it’s a it’s a volunteer army. Right? And there’s 1000s and 1000s of volunteers out there. But then how do we help with these resources, enable those volunteers to be more effective.

Alan Shimel 9:10
And frankly, that’s been one of, I think, the key ingredients to the Linux Foundation’s formula for success is, you know, herding. It’s a bit like herding cats herding the open source community, it’s vast, the 1000s, hundreds of 1000s, millions, but you need a few full timers who are, this is their day job, right? This is their this is what they do.

Alan Shimel 9:36
Jamie, I want to talk a little bit for people who are watching this now at home. Or maybe, you know, recorded later on. They weren’t here. They didn’t get what was happening, especially today, which is kind of you know, the OpenSSF’s day. Give them if you don’t mind a little bit of maybe a synopsis of what they’re missing.

Jamie Thomas 9:58
Well, we just got started of course, so we have a little bit more to go today, of course, in terms of the actual kickoff of OpenSSF Day. But I think what I see is real commitment, particularly from the presenters I’ve seen so far, a commitment that they’ve all personally made and outside of their day jobs, frankly, to make a difference in security for open source software. And that’s really the key here.

Jamie Thomas 10:23
Are we turning the corner on a new level of commitment around security, there’s always been a commitment in open source around innovation, around feature function. I mean, that’s what’s, loved it, you know, that’s what’s driven open source and allowed it to be so successful. And for others, other corporations like IBM, we take an enormous advantage out of that, right, we’ve all gotten a huge advantage in productivity out of that. But now, it’s really about turning the focus a little bit more, getting that focus on security, so that we can use open source and continue to have that productivity, but with confidence as we go forward. And I’ve really been, I’ve been impressed with all the speakers today and their personal commitment to this topic. And, and that’s really impressive. And I think we’ll see that for the rest of the day as well.

Alan Shimel 11:12
I’m gonna come back to it that to you in one second. I want to touch on something else, though. And that and that is this look, I’ve been in security for 25 going on 30 years. Well, security 25, IT 30 plus years. And, I, you know, if I had a nickel for every survey I read that said security is one of the top three priorities of IT, or the CIO, or an organization, I’d be a rich, rich person right now. But as like I always said their arms were too short to reach their pockets oftentimes. And it wasn’t until something bad happened like a log4j. You know, some incident. Yeah, Code Red. And I could go through a whole history of the things that people trying to get religion, right.

Alan Shimel 12:00
Excuse me, sometimes it takes that for them to get religion. I don’t, I don’t know why. I hope I always hope that it changes that people finally do start taking it seriously. I think for the OpenSSF though, the important thing to remember, especially in our audience, this is a fact we give them all the time, today’s applications, they are 75% 80% open source components added kind of stitched together with maybe 20- 25% of you know, sort of original code, if you will.

Alan Shimel 12:35
And so if someone’s not watching the store on those open source components, whether they’re artifacts or scripts or whatever. Your it’s only a matter of time. It’s not if, it’s when right. And so that’s why I think this is such a vital, it’s such a vital function, this Foundation. Something needed to happen. Yeah. And this is a perfect place for it. And we I step off the soapbox, you mentioned a couple of speakers anything stand out to you or that you can kind of clue our audience and tell

Jamie Thomas 13:11
I think other than the commitment of there’s a keen focus on making it easy for the developers, right? How do we make it easy for the maintainers of these open source projects? How do we make it easy for the contributors, because without doing that, it will not have the consumption by developers at large, right. And I know this, even inside a corporation, we have the same challenge, really, it’s all about codifying the best practices in an automation framework. And, you know, whatever that is for your organization, that’s going to be critical. And that’s why it’s so critical for these open source projects.

Jamie Thomas 13:45
You know, I think that with the right approach, we will make a difference. But it also, as you said, require stakeholders involved to continue to educate their organizations about why is it important, because all of us actually have the ability to increase the number of contributors we have on these projects, to contribute our expertise. And that’s going to be very important. I think that we as the governing body and other organizations really create a sustaining promise around open source. So it’s not just what the OpenSSF is doing itself. But how we enable that to be successful in the long run. Because we’re all getting the advantage from open source, and, like IBM we of course, it’s IBM plus our company, Red Hat, it has a little bit to do with open source. But those kinds of efforts and keeping that keen focus are going to be very, very important as we go forward.

Alan Shimel 14:38
There’s no doubt about it. It also goes back to what we said before is, look there’s a new lock log4j kind of horizon out there every day where there is so you’re not going to prevent them. You’ve you’ve got to put in your response. You’ve got to have your protocols in place.

Jamie Thomas 14:59
I will tell you that It, you know, I have a window into cyber operations, which is my job every day at IBM. And we’re getting over 100 billion events a day. So that gives you kind of the context for what you got to deal with and landscape. And product security, of course, is one of those triggers. If it’s not, if you’ve got malware, if you got issues, they’re going to be one of your events, right? So it’s a little bit of a reflection on our responsibility to enable effective cyber operations for organizations. I mean, we have a huge responsibility. But we have a huge opportunity here. And I think I want to make heroes out of developers for really worrying about security. That’s kind of one of the goals.

Alan Shimel 15:41
You know, look, you’re preaching to the choir here, because, you know, I started devops.com in 2013, 2014. And I did it because, as a security person, I thought it was the best thing that happened in security. If we can get developers security, aware, security conscious, that’s half the battle. And, you know, for a long time it was it was an uphill battle. Let me say that. But this whole notion of what we call DevSecOps and making security for developers, it’s really gone mainstream. Right. And I think part of that is realizing is developers, security is everyone’s responsibility is a very overused thing.

Alan Shimel 16:24
Developers are not security people, but I’ve never met a developer in my life who says, I’d like to develop insecure software, right. I want to use an old version of an open source, you know, component that has some known vulnerabilities. None of them want to, we don’t have pride in our work. It’s just we need to make it easier for them to do, and I think that’s something OpenSSF can really help with.

Alan Shimel 16:55
Anyway, I know you’re busy as heck, I want to thank you for coming down and hanging out with us a little bit. To you, Brian, the whole OpenSSF team, keep up the great work well, we’re expecting big things. No pressure. We’re expecting big things from you guys. You really make make a difference.

Jamie Thomas 17:11
Thank you, Alan. I’m really pleased to be here today and immerse myself in this topic and get to know many of the players that are here today. And thanks. Thanks for the opportunity to chat. No problem.

Alan Shimel 17:20
Just before we leave real quickly, the OpenSSF website. I think it’s openssf.org. So go check it out. If you’re not here in person, I believe it is virtual, as well. We love to see you as part of it in support the OpenSSF. We’re gonna take a break here in Austin. We’ll be back in a bit.