Alan: Hey, everyone. We're back here live at the Linux Foundation Open Source Summit here in Austin, Texas. And as we mentioned earlier, today is a day of, I don't know if you want to call it daughter or sister foundations or satellite conferences. The main event really starts tomorrow, but there are several important foundations who are holding conferences today, one of which, and kind of the one probably nearest to me, is the Open Source Security Foundation, OpenSSF. And we are really happy to be joined by Jamie Thomas, who is the governing chair, or the chair of the governing board of OpenSSF.

Jamie: Exactly.

Alan: Got it. Jamie, welcome to our show. Thanks for joining us. So look, when you're not busy running or being chair of the board for OpenSSF, you have a day job as well. If you want to share with our audience, feel free.

Jamie: Well, first of all, Alan, thanks for having me. I'm really pleased to be here to talk about OpenSSF. But I am a general manager at IBM responsible for systems development and delivery, as well as IBM's enterprise security program. And enterprise security, of course, is how I got involved in this particular topic.

Alan: Absolutely. And that, look, that is a world and job unto itself. And we could probably do a few hours on that, but we're going to focus on OpenSSF today. So, you know, most of our audience is familiar; we've covered, we've had the pleasure of speaking with Brian from OpenSSF a few times. It was a nice idea, I think, when it was first conceived about, yes, we need to do something about security, about the security of open source tools specifically. And then kind of all hell broke loose, you know. Sometimes, sometimes things just work like that, right? History runs in currents. So we started the Open, you know, the OpenSSF, and then we had this spate of supply chain security issues, and the whole SBOM thing with the White House. And then kind of the cherry on top was Log4j. I guess it was around January or December of last year. And that's really, I guess, accelerated. Has it accelerated? Maybe you had big plans to begin with. Talk to us a little bit about kind of the whole OpenSSF, how this whole OpenSSF, how it all came together and what's happened.

Jamie: Well, I think it was very fortuitous that the industry did come together last year with the Linux Foundation to create a new governing body around open source security called the OpenSSF. Because as you say, not long after that, we had this industry-compelling event, Log4j. And realize the industry had already had, we'd already had SolarWinds the year before, which also ruined our holiday in December. We had Kaseya, we had a number of these big supply chain attacks. But the difference I would say in Log4j is just the predominance of the asset in code. It had been out there for over 20 years. It was a very utilized, a very popular piece of code. And so it affected a lot of software. So one of the things that you realize when this kind of thing happens, it's not just about your fidelity of being able to identify it and get it patched, but for all those downstream consuming organizations, how fast do they roll out these patches? Because we're talking about a huge amount of affected software. So I think that there's nothing like a true test of your governing body. And this was actually a real test run of what we needed to do in OpenSSF. And of course, it garnered a lot of attention from the US government and other entities that we can talk more about.

Alan: Sure can. So let's talk a little bit about the charter or the mission of the OpenSSF. And it's something I brought up to you off camera, which is, okay, Log4j. Let's make that the poster child for a second. So Log4j is basically this open source component, if you will, right, that many, many, many, many, many applications have incorporated into their package, if you will, into their source code. And it's not, look, I'm not blaming the Log4j developers or anything. There was a defect. I don't even want to, you know, it became a vulnerability, but there's a defect. All software has defects that we haven't even found yet. But nevertheless, this one kind of went public. And then we saw exploits with it in the wild. And such is the world of security we both live in. What is the choice? Is that what OpenSSF is about, to prevent, or not prevent, but deal with future Log4j kind of events?

Jamie: Well, I think first and foremost OpenSSF is focused on a proactive posture, right? So how do we prevent these kinds of events? And so to do that, we think there's a number of things we have to do. First and foremost is education, of course, in terms of basic security education for developers. Another key tenet is how do you put automation on steroids? So the automation and best practices that are reflected in that automation that open source projects can consume. How do you get that out to the most critical projects and then provide some support for the long tail projects, if you will? It's also about working, frankly, with other industry consortia, as well as the government. Particularly, we've been working with the US government in the OpenSSF to define what are some actions that are really going to make a difference. And I think critical to all of this is getting collaboration across the different insights from the governing body, which includes a lot of technology firms, as well as commercial firms; there's a lot of financial firms actually involved in the governing body. What are the key elements that we really need to address first? So getting those priorities set and then having an execution agenda and really getting something done in the short term, I think, is really going to be important for this group.

Alan: Well, look, a lot of people look out at what you guys have done, and you've gotten stuff done, right? There's been a tremendous groundswell of support, and granted, Log4j didn't hurt you in that regard, as much as there are others. But there's been a tremendous groundswell, right? There's been, you know, I think about $30 million raised, right, between some of the biggest names of tech kicking in here. There's been the White House and the CISA involvement. So it's certainly, for a relatively new foundation, it has really garnered a lot of, I don't want to say market share, but a lot of publicity, a lot of attention. Now, of course, the question is, okay, how does this translate to rubber meets the road? How do we prevent the next Log4j? I don't know if we can prevent the next Log4j, but how do we minimize the next Log4j?

Jamie: How do you minimize the impact?

Alan: Exactly.

Jamie: Because I would say, if you look at what happened with Log4j, the level of preparedness was not there. So, you know, how do you get it remediated fast enough? How do you identify it? How do you help the open source projects be more effective? In this case, it was, of course, tied to the Apache Foundation. But not only that, how do the commercial entities then take advantage of that patch and act expeditiously to benefit the clients? So I think there's a real opportunity here. In the world of cybersecurity, you often learn that no one pays attention to a lot of things unless there's a huge compelling event. And that's what this was. So while it was not desired, it was helpful in that vein. So coming out of all of the meetings that we've had, the collaboration that we've had across the industry, it's going to be imperative that we execute, and that the things that we have identified as top priorities, that we make measurable progress on those projects this year. And I think that's the importance of this OpenSSF Day here today in Austin, which is allowing us, with a key set of stakeholders, to start to share perspectives of the projects that are underway and how others can engage in those projects and how, once again, working together, we can actually make a difference. I think this ongoing level of engagement, making sure that we have the right stakeholders engaged, is going to be important to make progress. And as you know, in the world of open source, the nice thing about OpenSSF is we do have the ability to hire critical roles that can focus on this full time, because the nature of open source typically is that it's a volunteer army, right? And there's thousands and thousands of volunteers out there, but then how do we help with these resources enable those volunteers to be more effective?

Alan: And frankly, that's been one of, I think, the key ingredients to the Linux Foundation's formula for success is, you know, herding, it's a bit like herding cats, herding the open source community. It's vast, so it has thousands, hundreds of thousands, millions, but you need a few full-timers who are, this is their day job, right? This is what they do. Jamie, I want to talk a little bit to people who are watching this now at home or maybe, you know, recorded later on. They weren't here. They didn't get what was happening, especially today, which is kind of, you know, the OpenSSF's day. Give them, if you don't mind, a little bit of maybe a synopsis of what they're missing.

Jamie: Well, we just got started, of course, so we have a little bit more to go today, of course, in terms of the actual kickoff of OpenSSF Day, but I think what I see is real commitment, particularly from the presenters I've seen so far, a commitment that they've all personally made, and outside of their day jobs, frankly, to make a difference in security for open source software. And that's really the key here. Are we turning the corner on a new level of commitment around security? There's always been a commitment in open source around innovation, around feature function. I mean, that's what's allowed it, you know, that's what's driven open source and allowed it to be so successful. And for others, other corporations like IBM, we've taken enormous advantage out of that, right? We've all gotten a huge advantage in productivity out of that. But now it's really about turning the focus a little bit more, getting that focus on security, so that we can use open source and continue to have that productivity, but with confidence as we go forward. And I really have been impressed with all the speakers today and their personal commitment to this topic. And that's really impressive. And I think we'll see that for the rest of the day as well.

Alan: I'm going to come back to that with you in one second. I want to touch on something else, though. And that is this: look, I've been in security for 25, going on 30 years. Well, security 25, IT 30-plus years. And, you know, if I had a nickel for every survey I read that said security is one of the top three priorities of IT or the CIO or an organization, I'd be a rich, rich person right now. But as I always said, their arms were too short to reach their pockets oftentimes. And it wasn't until something bad happened, like a Log4j or, you know, some incident, Code Red, I could go through a whole history of these things, that people kind of get religion, right? Excuse me, sometimes it takes that for them to get religion. I don't, I don't know why. I hope, I always hope that it changes, that people finally do start taking it seriously. I think for the OpenSSF, though, the important thing to remember, especially in our audience, this is a fact we give them all the time: today's applications, there's 75%, 80% open source components that are kind of stitched together with maybe 20-25% of, you know, sort of original code, if you will. And so if someone's not watching the store on those open source components, whether they're artifacts or scripts or whatever, it's only a matter of time. It's not if, it's when, right? And so that's why I think this is such a vital, such a vital function, this foundation. Something needed to happen here. And this is the perfect, I think, place for it. Anyway, I'll step off the soapbox. You mentioned a couple of the speakers. Anything stand out to you or that you can kind of clue our audience into?

Jamie: Well, I think other than the commitment, there's a keen focus on making it easy for the developers, right? How do we make it easy for the maintainers of these open source projects? How do we make it easy for the contributors? Because without doing that, it will not have the consumption by developers at large, right? And I know this even inside a corporation; we have the same challenge. Really, it's all about codifying the best practices in an automation framework. And, you know, whatever that is for your organization, that's going to be critical. And that's why it's so critical for these open source projects. You know, I think that with the right approach, we will make a difference. But it also, as you said, requires stakeholders involved to continue to educate their organizations about why it is important. Because all of us actually have the ability to increase the number of contributors we have on these projects, to contribute our expertise. And that's going to be very important, I think, that we, as the governing body and other organizations, really create a sustaining promise around open source. So it's not just what the OpenSSF is doing itself, but how we enable that to be successful in the long run. Because we're all getting the advantage from open source. And like IBM, we, of course, it's IBM plus our company Red Hat. It has a little bit to do with open source. But those kinds of efforts and keeping that keen focus are going to be very, very important as we go forward.

Alan: No, there's no doubt about it. It also goes back to what we said before is, look, there's a new Log4j kind of horizon, event horizon out there every day.

Jamie: Yeah, there it is.

Alan: So you're not going to prevent them. You've got to put in your response. You've got to have your protocols in place. And this is the kind of stuff.

Jamie: Yeah, absolutely. I will tell you that, you know, I have a window into cyber operations, which is my job every day at IBM. And we're getting over 100 billion events a day. So that gives you kind of the context for what you've got to deal with in the landscape. And product security, of course, is one of those triggers. If it's not, if you've got malware, if you've got issues, they're going to be one of your events, right? So it's a little bit of a reflection on our responsibility to enable effective cyber operations for organizations. I mean, we have a huge responsibility, but we have a huge opportunity here.

Alan: Absolutely.

Jamie: And I think I want to make heroes out of developers for really worrying about security. That's kind of one of the goals.

Alan: You know what? Look, you're preaching to the choir here because, you know, I started DevOps.com in 2013, 2014. And I did it because as a security person, I thought it was the best thing to happen to security. If we could get developers security aware, security conscious, half the battle, half the battle. And, you know, for a long time, it was an uphill battle, let me say this. But this whole notion of what we call DevSecOps and making security for developers, it's really gone mainstream, right? And I think part of that is realizing, "security is everyone's responsibility" is a very overused thing. Developers are not security people, but I've never met a developer in my life who says, yeah, I'd like to develop insecure software, right? I want to use, I want to use an old version of an open source, you know, component that has some known vulnerabilities. None of them want to. We all have pride in our work. It's just we need to make it easier for them to do. And I think that's something OpenSSF can really help with. Anyway, I know you're busy as heck. I want to thank you for coming down and hanging out with us a little bit. To you, Brian, the whole OpenSSF team, keep up the great work. Well, we're expecting big things. No pressure, but we're expecting big things from you guys to really make the difference.

Jamie: Well, thank you, Alan. I'm really pleased to be here today and immerse myself in this topic and get to know many of the players that are here today. And thanks for the opportunity to chat.

Alan: No problem.