Hey everyone, we're back. I hope you can hear me. My microphone's a little messed up here; in fixing it they mangled it. But anyway, we're live in Austin at the Linux Foundation Open Source Security Summit. I am joined by David A. Wheeler, not to be confused with any of the other many David Wheelers out there. David, welcome. Thanks for joining us. Thank you very much. So, well, I'm not gonna introduce you. I'm gonna let you introduce yourself. I've given them your name, but tell our audience: who's David A. Wheeler? Okay, well, many ways to answer that one, but I guess what you're probably looking for... it's a family show. Okay. So I work for the Linux Foundation, and my title tells me that I'm the Director of Open Source Supply Chain Security. And what the heck does that mean, quickly? I'm a subject matter expert. I go around to the various foundations within the Linux Foundation, and really in some cases with other foundations and projects as well, trying to help improve the security of open-source software, which we all depend on all around the world. Got it. And I should say, I mean soup to nuts, anywhere from when it's in the developer's head, getting into version control, built, turned into a package, all the way to operations. Absolutely. So look, as I was kidding around before we went live, we've had no shortage of open-source security... not open source here, supply chain security discussions in the last two days. It is the top of the line here, and quite frankly we were at RSA Conference two weeks ago doing similar interviews on Broadcast Alley, and so supply chain security was top of mind there as well, sensibly so. Yeah, Mark Miller and I put on the DevSecOps event every year at RSA at Moscone, and not surprisingly, open source... not open source, supply chain security was top there. Just ran, on my way before sitting back down here, into the men's room; I ran into Allan Friedman. Mm-hmm. Yes, he's the... yes, the SBOM man. Mr.
SBOM. Yes, sir, SBOM. And so, all good. It's certainly a very relevant topic. So I got to ask you an honest question: how long have you had this title? Well, I only joined the Linux Foundation in 2020, April 2020. So you've been doing supply chain security... Well, that's been my title since I joined in 2020. Was it after SolarWinds? No, it was before SolarWinds. In fact, I wrote an essay about SolarWinds as a Linux Foundation employee that was pretty prescient then. Well, you know what? Some people are surprised, and you know, where's the supply chain coming from? But all you have to do is look at some of the numbers. There are several studies that look at just open source, and they're finding anywhere from 70 to 90 percent of the components within an application are actually open source. That's not including any proprietary software they're reusing. So I've been around the software industry for a while. There was a time when software was pretty much... you developed the entire application from scratch all by itself. That's right. And the big concern then was how do we enable reuse? How can we make it so that we don't have to rewrite it? Right? We write something once and reuse it, and the good news is we have solved that problem. But the bad news is... the bad news is, fundamentally, that the causes of today's problems are often... Yes. And so that's very much what we're seeing. We have now mostly solved the reuse problem, but now we have to deal with... because software is mostly other software, we now need to deal with that other software as a potential source of defects in general, including security problems.
So, you know, David, I've been in security 20, almost 25 years, and I have been in tech 30 years. You know, when I started DevOps.com right back in 2014, one of the reasons was because I thought it was a great thing for security. What I will say is that supply chain security, software supply chain security, we wouldn't have that had it not been for DevOps, because I think we've always had... and I'll explain to you what I mean. So you don't think... okay, okay, go on. I think we've always had to worry about what is the security posture of any components or scripts or artifacts or whatever we're using in our software, but one of the unique, or one of the great, contributions to software and the way we do technology today that DevOps has made has been the introduction of sort of lean IT, lean manufacturing concepts into the building of software, and it's resulted... it's not the only thing, but it's one of the things that has contributed towards resulting in this idea of a software factory. Mm-hmm, right. We didn't think of software factories before, even though... Oh, yes we did; my University of Maryland had such programs, I think in the 80s. Yeah, yeah, so I mean that concept's been around for a while, but that wasn't commercial. No. Like, when we talked about people developing software, it was very much custom. Developers, they, you know, they started with a... I'll never forget, one of the first companies I started, we go in to meet with Time Warner and they wanted... it was a customer service app for their cable customers or something like that, and they asked my partner, well, what IDE did you use, what IDE did you use, you know, all the people: this one used Borland, this one used the Symantec one, and my partner, who was a stone-cold coder, said, why, I use vi. He developed in vi. So everybody in those days, I mean, that's how software was done. Mm-hmm. Now today...
We really do, for the first time on a commercially scalable scale, have this concept of software factories where software moves along a pipeline, right? Right. I mean, the whole idea of a CI pipeline isn't really new; it's just finally become widely adopted. I would argue that's not the problem; that's part of a solution. The supply chain problem, I would argue, finally comes down to: you've got all these reused components. That enables you to not have to rebuild everything from scratch, but now you're dependent on all those tiers and tiers, and you know, all the software that it depends on and the software that depends on, and so on. But things like CI pipelines can help us address that. But again, let's go back to the factory piece. Yes. What made that assembly line work is the Model T. Every gear shift on the Model T was the same ball with the same threads, so I could sit here and just screw balls on stick shifts all day, right? And that's how an assembly line and factory work. Whether it was third-party products that were being put in cars, or building appliances, or whatever you build on your pipeline assembly line, you can't have too much customization if you're gonna do that at scale. You had to have that. Yeah, you had to agree on some things; we just have to make sure you agree on the right things. So for example, I think vast numbers... you mentioned IDEs. I think nowadays most of us don't care what IDE you use. Why care? Basically, focusing on: first figure out what matters.
That's always an easier thing to see after the fact. It's much harder to figure it out when you're in the midst of the problem. And then, okay, this is the part we need to agree on. And coming back to the CI pipelines, you know, after I make a proposed change, making it go through stages and doing automated tests, running various kinds of scanners to look for various kinds of potential problems, so that by the time you bring it in you have very high confidence the result is going to be better than what you had before. Yep. But you know, so there was an argument, I forgot what presidential election it was already, but you know, cars made in America and cars assembled in America. Yes. But it was different, right? Parts made in Mexico or wherever. Sure. Today I think our software is like that. They may be assembled by any software, you know, whoever is doing that, but the parts are made all over the place. It's frankly in many ways even more than the rest of the physical world, because at least in the physical world there's a cost of physical movement, right? Whereas the bits are essentially free to copy around. Exactly. So yeah, so yes, the world of software development is internationalized. It has been for a while; it's just that some policymakers haven't noticed, you know. But now... but the other thing that's given rise to is the repos, and I don't mean repo cars, right? Yes, I mean the repositories of this software, like GitHub and GitLab and those kinds of facilities. Yes, well, GitHub certainly, but Git in general, the version control system. Yes. We are storing reusable code, and in some cases, look at the Docker repos, and you look at an Artifactory or the Nexus one from Sonatype. We are storing reusable components that, whether you're sitting here with me or in Ukraine, right, you could pull down and assemble, right? And that is... that's power. That's, look...
It's been an igniter for all kinds of software development. It's also been a security... you know, it's been a bit of a security issue, because now we're pulling down... what version are you pulling down, right? And are you updating because there's a vulnerability found in that version? Are you keeping things up to date? So I mean, I think we both agree on that. Here's my take. Mm-hmm. I always thought that a choke point, if we can use that word, would be at those repos, because that's where people are getting these reusable components. Mm-hmm. Why wouldn't a repo have a tollgate or an SBOM checker or something, whatever you want to call it, right, that says, oh wait, David, you're pulling down the old version of this. Yep. You need the new version. To be fair, there are people actually working on those sorts of things. The OpenSSF has something called Package Analysis. Yes, I actually just spoke to you a little bit about it. Great, great. So, you know, there are some efforts to do that, and I think in many cases not so much the repo as the package manager, you know, making it easy to say, hey, wait a minute, that's a vulnerable version, please update. And by the way, the OpenSSF has a number of working groups, and the newest one is specifically for the folks who manage repositories. I think that's where we got a big... Yeah, you know, the package repositories and the package managers, and I mean, they're just starting, but already I think there's great promise. The challenge that they have is scale, though. In particular, a lot of people say, you know, why don't you just detect all malicious software? Good. Wow. You know, there are tools we can use to detect them in some cases. It can be helpful.
Yes, but that better not be your only mechanism that exists. No. And frankly, one of the biggest problems now, because most software is actually the software you bring in, one of the biggest problems now is old, out-of-date software that's known to be vulnerable that needs to be updated, if you're already out there, by the way. Oh, yeah. And the good news is that there are tools to help you identify, tools to help you update, but people have to basically automate it. Oh, you know, a lot of the automation's there. You know, a lesson I learned in security over the last 25 years: people talk automation, and they get scared when it comes time to automate, because they're afraid they're gonna break something else by doing it automatically. This is where the CI pipelines come in. Yeah, but fundamentally, you know, I tell people, there's some really excellent academic research on software testing and that sort of thing, but you know what, you can make this much simpler. How good do your automated tests need to be? How many tests do you need? You need to have tests to be confident that what you release is gonna be okay to use. If your automated tests can't do that, then they're not good enough. Once your automated tests are good enough, now you can do things like fearlessly upgrade to a newer package, because I ran my tests and everything works. You know, what about the dependency of that software on others? Same thing. As those get updated, you immediately notice: does it work or not? And so this combination of basically CI pipelines, including automated tests, various tools to analyze the software looking for vulnerabilities, looking for issues... it's very simple. It's not complex, but it's powerful.
Yeah, there's no doubt about it. I had something and it went straight out of my mind. I'm getting old. But you know, back to this whole concept with software supply chain. Look, Mark Miller was at Sonatype, right, when Struts 2... was it Equifax, right? Mm-hmm. came out. And what was interesting is him and Derek Weeks, who was at Sonatype at the time too, they did a survey and some research like six to eight months after Equifax. Yeah. So we already... everyone... it was top of the news, right? People were still downloading and using the old version of Struts 2 in their packages instead of the new version, right? And there's been a lot of discussion about how do you deal with that. You don't want to break somebody's system, and yet this is a real problem for a lot of folks. So there are various discussions about how to deal with this, anywhere from maybe slowing down those bad downloads, you know, to give a hint without really breaking the system. There's various ideas, but you know, it's a real issue. Right now I think the goal is to just try to make it easier and easier and easier to do the right thing. We want to try to make the default the right thing, and then for the true stragglers we're gonna need to find other approaches, but let's make it really easy to do that. It's a little carrot and a little stick is what I'm hearing, in some sense. You can call making it easy a carrot, but I think fundamentally people generally do what is the easy thing to do, so we make the right thing easy. That's right. We make the right thing the easy thing, and we don't have to worry so much about the sticks. Yep. All right. So David, we've set the table. We used our whole 15 minutes, but we've set the table. Let me go now to the next part. You're the first person we've had on from around open source security that actually is a Linux Foundation employee.
Oh, so I got to ask you the question: beyond giving the OpenSSF a home, right, you were doing this before there was OpenSSF. Yes. What is the role of the Linux Foundation, in your mind, in making open source security, open source software, more secure? Well, actually, let me step back further, because there's the question of what is the purpose of the Linux Foundation. Yeah, absolutely, period, right there. And then we'll take part two, because in fact I think the security question follows. Yeah. The fundamental goal of the Linux Foundation, and really any good open source software foundation, is to enable collaboration. There's all sorts of legal wickets that you can get in trouble with. There are many things that a project often needs beyond just, hey, I need a repo with version control, and so a lot of organizations have decided that it's a lot easier to get things done, to get collaboration done, if they can create a project within a foundation. There are some organizations that create a foundation specifically for a particular project. I mean, the Python Software Foundation, you know, it's focused on Python. Absolutely, and there's many other foundations. The Linux Foundation is basically a foundation that creates foundations, so we create foundations to quickly get going. And why do we create foundations, or more specifically, why create projects? The answer is to solve a problem. Yep. So that's the general; now the more specific: what about security? Same kind of thing. Don't we need to make things more secure, and specifically open-source software more secure? Oh, how do we do that? Collab... we want to do collaboration too, because it's too hard for any one organization to do it themselves. Oh, that makes sense for the Linux Foundation to do, because as soon as you say we want to enable collaboration to solve a problem, that's what the Linux Foundation is for. And really, I would say, any foundation. I mean, I worked on this foundation...
I like them. Yeah, but you know, but really, you know, I work for the Linux Foundation, but really that should be the job of any foundation, trying to help enable collaboration, in terms of open-source software foundations. And in this particular issue, though, the Linux Foundation is one of the largest, maybe the largest, open-source software foundation, and it just kind of made sense for the many, many, many people that have to deal with security, because this is truly an industry-wide issue. So it made sense to put this in the Linux Foundation to work on industry-wide solutions. I love it, I love it. Hey, man, we're over time. Okay. Can I make a couple of quick points? Go. All right, so, yeah, just, you know, before we head off, I would love to encourage anybody who sees this thing... Talk to them. Talk to them. Okay. Hello, them. Okay. So if you develop open-source software, I would love for you to take advantage of some of the stuff that we've already developed within the Linux Foundation, especially the OpenSSF. So there's a free course on how to develop secure software; if you haven't taken a course, take that course. We have all sorts of guidance on best practices on how to develop software more securely, you know, the Best Practices Badge. There's Scorecards to evaluate projects. There's something called SLSA to help identify some key requirements for the supply chain and build, and... so we've got some good stuff. Take a look. I think, you know, your users will be grateful. Absolutely. Anything else? I'm sure there is, but we're out of time. All right. Hey, look, you're invited back anytime you want. Thank you, David A. Wheeler, Linux Foundation Open Source Software Supply Chain Security Director. I got it a little out of order, but I think I got all the words.