Welcome to theCUBE's coverage of KubeCon EU 2024, live from Paris, France. Join hosts Savannah Peterson, Dustin Kirkland, and Rob Strechay, as they interview some of the brightest minds in cloud-native computing. Coverage of KubeCon CloudNativeCon is brought to you by Red Hat, CNCF, and its ecosystem partners. theCUBE's coverage of KubeCon EU 2024 begins right now. And welcome back to Paris. We're here at KubeCon CloudNativeCon EU, really digging deep into what's going on in a lot of different projects and foundations around Kubernetes and cloud-native technology. I'm here joined by Dustin Kirkland, helping me out with analyzing things, and Omkhar, who's the GM of OpenSSF, has joined us as well. You were on a little bit ago when it was your second day as GM. I was shocked, there was a big conference, you guys were very accommodating. Lovely to be back. You feel more settled in now? A little, a little. It's great to have you here, because I know we were just talking beforehand, and you're running all over the place, advocating for what has to happen, and regulations, and where things are going, and not only working with the groups here, but groups outside, like small groups like the UN, and others, and things of that nature. Little groups like that. I mean, when we think about this mission of securing open-source software, which, you know, it's easy, we're going to be done by the end of the year, there's three main stakeholders, right? Which is the private sector, so the larger organizations that make up our premier membership and our board. The public sector, so the US government, the EU, the UN, all these organizations that are accountable for setting policy and providing direction and protecting their citizens, and then the community. So how do we help the community who, you know, you may not be a security expert, but gosh, you really want to make sure that your code is secure, or the provenance is good.
So those are our stakeholders, and by engaging with those three stakeholders, we believe we can help improve the security of open-source software. Yeah, I think for us, we've been talking about SBOMs and attestation and signing of containers with the Notary Project, who was just on. And I think people are looking to get beyond SBOMs. And where do you see us in that journey? Because again, you had the federal directive and things of that nature, but that only gets you so far. Where do you see the state of things? SBOMs are great, but SBOMs on their own aren't a security property per se. They allow you to do a lot of interesting security things, but on their own, they don't provide security utility. So one of the things that we're going to be doing, we're going to be at Open Source Summit North America, and we're having our SOSS (Securing Open Source Software) Community Day on the 15th of April, just before that. And in addition to all the wonderful talks that we normally have, we're going to be having three workshops. The first workshop is on Scorecard. So if you always wanted to contribute to Scorecard, but didn't know how, come in, learn about the code base, raise your first PR, do great things. The second is a SLSA workshop. So if you want to adopt SLSA and you want to be at SLSA level two or three, a lot of people don't know how to do that and the documentation is extensive. The SLSA team will be there and they will help contributors and maintainers achieve SLSA levels within that workshop. And then the third, the one I'm most excited about: I was on Wall Street for about 10 years and our regulators always made us do these simulation exercises called tabletops. And it was to exercise your security operations team, engineering team, general counsel, comms team, so that when an event happens, everybody knows their marks, they know what's going to happen. You're not reading the process book for the first time when things are melting down.
We're going to do a tabletop exercise with maintainers, cloud providers and the community at Open Source Summit North America to really exercise that: okay, so I have an SBOM, a security incident happened, what the heck am I going to do? How am I going to use Sigstore in an incident? So all of that's going to be exercised, and the output of that is going to be a guide that we're going to provide to the community to help us whenever the next Log4j should occur, to have a playbook by which we can operate. Amazing, so you're going to help develop and share that process for organizations that may not have a tabletop exercise process in place today. Absolutely, and this isn't a one and done, right? So this is going to be the base artifact. From there, we're going to continue to iterate at our events and explore. One of the things I'd love to see after each of these kinds of exercises, we typically, when I was on Wall Street, do a hot wash where we sit back and we reflect on what went well, what didn't. I really want to hear from the community where they feel we're a little bit soft in our incident response so that we as OpenSSF can start advocating for, whether it be technology, education, additional guidance, to help make that better next time.
Where do you see kind of the Scorecard playing out, and then kind of describe the Scorecard, because there's a lot of organizations who don't know about it. I know you've released it and you actually had some findings that you published at the end of the year or the beginning of this year about what had happened last year, and the Scorecard is something that I think organizations should be looking at. To your point about, hey, they should also be doing tabletops, we advocate for tabletops all the time, but I think, so that's awesome, because I think getting involved in understanding that process, because having been someplace where Log4j hit and we had to figure out, okay, where is this in all of our software, which was not a trivial thing to put in my whole play. How does the Scorecard really help organizations and what really is it? Absolutely, so Scorecard, as the name implies, is literally a report card that you can run against the open source dependencies that you have in your project, and it will take a set of known-to-be-good security properties and test the repo, either in GitHub or GitLab, to validate that they're present. Could be things like branch protection, well, I guess two-factor authentication's a default now, but it checks all these security properties and pops out a score for you. As a consumer of open source, and there's two different perspectives here, but as a consumer of open source that allows you to reason over, I need to use an SSL library. Should I use OpenSSL, PolarSSL, BoringSSL? And it allows you to make a risk-based assessment based on the criteria as to which one you should take on. The second perspective is that of a maintainer. All maintainers want their projects to be adopted by the world. What better way to do that than to have this Scorecard badge that says, hey, OpenSSF has checked my security properties and... I'm safe to adopt. Exactly, yeah, exactly.
You mentioned in your sort of list of three, the Scorecard, getting more people involved and contributing to that. Do you have a list of GitHub issues? Oh, yeah. There's a longer list of GitHub issues that are open. Our TPM's going to have a burn-down list ahead of our contributor workshop. And we're looking forward to getting everybody out there and helping build Scorecard out. How do you see the community kind of coming together, because there's a lot of projects out there aimed at different aspects of security? Yeah. How do you see that all coming together? Again, looking at there's 114 or so sandboxed, there's like another 50 or so in incubation and 27 graduated, how does the community, how do you see them all working together? It's, I mean, like many open source projects, it's all bottoms up. We find that a lot of the most avid users of OpenSSF technologies are CNCF projects. So I believe there was a talk just earlier, it was either today or yesterday, on how one of the projects was using Sigstore in order to attest provenance of their lineage. The other opportunity that we have, or the other thing that we saw as an opportunity, and I'm speaking as somebody who has been doing both open source and security for a really long time: the open source community has their events and their watering holes. The security community has theirs, right? So on the open source side, it's FOSDEM, it's CNCF, KubeCon, it's Open Source Summit North America and EU. And similarly on the security side, we have the trade shows, right? RSA, Black Hat, we have the hacker community at DEF CON, we have the academics at USENIX and Real World Crypto and stuff like that. And one of the safe spaces we want to make for the intermingling of the open source and security communities is a conference we're going to be hosting this year in Atlanta in October called SOSS Fusion.
And it is focused on that cross-pollination between our communities to make sure the security folks and the open source folks are working hand in hand. So we're really looking forward to that. I think that's a great idea. Wow, OpenSSF is the organizer of that? We are the organizers, it is called SOSS Fusion: Securing Open Source Software Fusion. Really cool, I think that, and also we'll be at Open Source Summit in Seattle. So it'd be great to have you on after you've done the tabletop and have some, you know, just, you know, I would say qualitative output that you found, because I think that organizations need to see this is how they have to do it. I mean, we go to a lot of the different security conferences and I think one of the things is that if you haven't done a tabletop in two years, the last two years, you're pretty screwed. And I mean, because, and having run DR for a major financial company, I know where you're coming from. I know where you're coming from because I had the book. And you didn't want it to be the first day. You're blowing the dust off the cover. Yeah, when the fiber got backhoed by people, it's like, you're sitting there like, okay, now what? It's like, okay, I'm getting the page at two in the morning, now what do I do to shut down all these servers, stuff like that? Well-rehearsed incident response. I mean, you can see the results when that's well rehearsed and everyone knows what they're doing. It's still a tough situation, but at least people know, you know, how to address it and what their responsibility is. It's going to be a tough situation, but it shouldn't be a panic. Right, right. It should be not routine, but you should not be worried about going into executing. One of my neighbors is a paramedic and there's an analog with how paramedics operate. You'll never see a paramedic running through an accident scene.
They will move deliberately, they'll move quickly, but they will always follow their steps, because rush and panic in an incident can actually cause more damage to what you're trying to rectify. Absolutely. Where do you see OpenSSF beyond, okay, so we get to SOSS Fusion. Where do you see by next year this time when we're sitting somewhere up north of here? So, I mean, I already told you we're going to fix all the open source problems in security by the end of the year, so we're going to be done. There we go, awesome. Mission accomplished. Yes. So, a lot of the stuff we're working on really hard this year focuses in three main areas. One, convening. We talked a lot about bringing the communities together, talking with the public sector and ensuring that they're advocating for things that'll support better security in open source. We're also really strong believers in education. We're right now in the middle of revamping our secure developer education. There's a survey that Linux Foundation Research is putting out right now where we've asked the community, hey, based on your incidents, based on the issues you have in your code base, where could we be doing better in terms of providing you instruction? And in addition to that, if we think about the watering holes of our security community, it's really the security repos, or the package repos. It's PyPI, it's Rust's Cargo, it's npm. We recently put out some guidance along with CISA talking about how to secure repositories, because we believe that's a great choke point at which we can positively affect the security properties of the open source software that everyone consumes. We're going to be putting a lot more effort behind that over the course of the year. And to the point that we're going to develop some much more specific security standards that repo owners and maintainers should be adhering to.
So that there's an even bar, that when you choose to enter the business of being a repository, you know that there's good provenance, you know that there's good production quality control and access control, all of these different properties. So we're looking forward to doing that as well. Reproducibility maybe, and being able to verify those attestations. Verify the attestations, a well-formed SBOM perhaps, yeah. So I think it's, you also get to see this from a different level because you are interacting with governments and things of that nature. Kind of give us an idea of what you're seeing. Are there differences between what's happening in the US and what's happening over here in Europe or in Asia? What are you seeing from a, how people are putting themselves out there and really trying to work always in a secure manner? So from our perspective as the foundation, we're here to ensure technical correctness. And the reason that I start there is I'm a software engineer, and most of the folks that work on OpenSSF are technical. We're not lawyers and we're not politicians. And we are quite happy for those folks to invoke the appropriate legislative processes that are the cultural norms of where they are. We're here for technical correctness. So what we see in the US is the US politically has generally let innovation occur. And then when things start trending badly, come in with a bit of a heavy hammer around legislation and regulation. In Europe, culturally, it seems like the EU wants to get ahead of that. So they're trying to look beyond the next horizon and figure out what's coming up. Examples being things like the CRA, as well as the AI Act that they recently passed. So culturally, I think the top-down versus bottoms-up approach to legislation is different, but the intent's the same. Like everybody recognizes security is incredibly important and we can't keep getting burned with supply chain issues and ransomware attacks on such a regular basis.
Otherwise, not only will our economies collapse, but our citizens won't be safe anyway. So you hit on it there and we'll kind of end on this question, but AI, I mean, you know, signing models, trying to understand where models came from and their lineage and the data, securing the data, making sure that PII is protected. Where do you see OpenSSF playing a role from an open source perspective with that? Two perspectives on that. One, I think AI itself can be a great enabler of security for open source. So we're partnered with DARPA on the AI Cyber Challenge, in which DARPA has challenged the community and researchers to, I think that's up to $18 million now in prize money. The open competition is occurring right now, midpoint check-in at DEF CON 2024, finals at DEF CON 2025, and we challenged the community to say, hey, how can you apply large language models to solve entire classes of vulnerabilities in open source? As for the security of LLMs, a lot of the existing open source, OpenSSF security software can be used. So if you're talking about model provenance, you can sign using Sigstore and assure the provenance of the model. If you're talking about some of the basic open source components that go into the LLM, again, you can use security, or you can use OpenSSF Scorecard and tools such as that. We have an AI and ML workgroup that's currently working on some of the higher-order challenges around AI and machine learning, but I'd love to see us produce something like responsible disclosure guidance for large language models and things of that nature. Well, Omkhar, thank you for coming on. I think, again, even two days in, you were great, but I always learn something when I talk to you and I really appreciate you coming on board today and being with Dustin and me to talk about this. Thank you. It's a pleasure, I look forward to seeing you in Seattle and talking about the tabletop. Absolutely, we'll see you there.
And we'll see you here, so keep it tuned from KubeCon CloudNativeCon EU, live from Paris, here on theCUBE, the leader in high-tech news and analysis. Stay tuned.