Hey everyone, we just took a quick little break here for lunch, but we're back in Austin at the Linux Foundation's Open Security Summit. I'm really happy to be joined by our next guest. His name is Andrew Aitken. Andrew works for Wipro, W-I-P-R-O, and he is, well, he is the Wipro rep to the Linux Foundation in all the various aspects and sub-foundations of the LF, as well as open source in general. We're gonna dive into that in a little bit here. Andrew, welcome to TechStrong TV. Thanks for joining us.

Thank you for inviting me. Happy to be here.

I'm glad to have you. So Andrew, I mean, I did my best, right? But you can do better. Explain to the audience what you do as part of Wipro, and I think most of our audience knows who Wipro is, but it probably wouldn't hurt to give them a little background on that too.

Sure. For those of you who may not be familiar with Wipro, we are one of the large global systems integrators, somewhere around 240,000 employees across the planet today. We are a fairly traditional systems integrator. We provide resources, solutions, technology, innovation to our clients, again across the globe and across all industry sectors. My role: I am the head of open source for Wipro. I am in the office of the CTO, my team and I, and really we are the face of open source for Wipro and for this community, the analyst community, clients, and so on. And I'm here representing Wipro at the Open Source Summit and as the board observer for OpenSSF.

Excellent. So let's talk about Wipro a little bit. Look, you don't get 240,000-odd people without being deeply embedded into a good chunk of the Global 2000 and beyond.

Yeah.

And you know, with that kind of coverage, with that kind of footprint, when we talk about being the head of open source, or what Wipro's open source strategies and tools and everything are, there's a big chunk of business, right? When you think about how much software and so forth is based on or is open source or contains open source today. You know, this is important.

It's very important. Depending upon which of the analysts or reports you subscribe to, over 90% of production software in the world today is either completely based on open source or has a portion of open source in it. So it's very critical software.

Absolutely. So, you know, this isn't some dusty corner in the office of the CTO where people are mulling through source licenses or something like that. This is really dynamic kind of stuff. Secondly, you mentioned you were an observer on the OpenSSF board, but I thought you were on another board or two as well.

I am, I'm on a few. The other one, the main one that I am a board member of, is FINOS, the Fintech Open Source Foundation, one of the very first vertically oriented industry foundations out there. Most foundations or projects or communities are horizontal, based on a technology. This is more vertically or industry oriented.

So that's not the FinOps people who know about cloud costs.

Right. No, this is FINOS with an S, Fintech Open Source. Yeah, so it was founded, I think, about six years ago now by eight of the world's largest banks, and now they have dozens and dozens of members and organizations like Wipro and non-bank vendors. And it really was set up to provide an environment where financial services organizations can open source their own software in kind of a safe and compliant environment with a group of peers who understand what it means to develop software in such a highly regulated environment.

Got it. Excellent. And forgive me if I didn't catch it. Was there a meeting of them here?

No, they have their own event. They have the Open Source Strategy Summit in London in three weeks. I think that's kind of their version of this event. They are also under the Linux Foundation umbrella. They're a sub-foundation, as is OpenSSF and the other foundations.

Well, yeah, that's the umbrella.

Right. It's the legal kind of format that I think the LF favors.

Yeah, for some reason I always call them daughter foundations, and I don't know if in today's world that's still acceptable. Sub-foundations. Sub-foundations sound good. Yeah. You know, it's funny. I thought I knew about a lot of the foundations, but I'm not as familiar with FINOS.

It's one to take a look at. They're becoming a real industry driver. More and more global banks are joining them, along with a number of the large tech vendors, and they're getting involved with some other interesting standards bodies. So they're beginning to promote open source as a standard within financial services.

Excellent. Excellent. Well, what's the website, for people who maybe want to find out more?

Just finos.org.

Okay, check it out. Yep. All right, let's go to OpenSSF. They had a big day here yesterday.

Yep.

We've interviewed a number of people from the OpenSSF over the last two days. You are a board observer there on behalf of Wipro. What's your take?

Our CTO, Subha Tatavarti, is our board representative, but on a day-to-day basis I'm the board observer and drive a lot of the programs. So today is obviously continuing more and more OpenSSF-related activities. I just spoke on a panel about an hour ago. My takeaways: I'm glad to see more and more people are paying attention to this effort. Recently I and my peers were in Washington, DC for a number of meetings with different agencies who are also really beginning to pay attention to this issue, obviously driven by Biden's executive orders of over a year ago. But my takeaway is it's interesting to see the overall industry momentum and the collaboration between public and private sector on some of these software supply chain security initiatives.

Absolutely. So let me play devil's advocate. I've been in security for 25 years. I've been in technology for 30-plus years. You know, in security we always had open source tools that we used to secure all software. The OpenSSF charter is to secure open source software, which is great, right, when 90% of software contains open source.

Yep.

That's important. It's an important thing. What I'm worried about with the whole supply chain, SBOMs and all of these things, is: will we focus so much on open source that maybe something else sneaks through that's not open source?

That's likely to happen, right? Sneaks through. I don't know. Well, by definition it's not... by definition it kind of sneaks through, right, no matter whether it's open source or proprietary. But will it do that because there's too much attention on open source? I don't know that that's the case. I don't know that that can be the case. The fact is there's not enough attention. Today we've heard there's a whole bunch of initiatives, for example around SBOM. Everywhere SBOM, anywhere, right? We did our own survey of our customers, about 65 responses I think, and of those, you know, does... and we're actually asking for SBOMs. Far fewer are getting SBOMs, and then even the SBOMs they receive, they couldn't really do much with them. So the fact that there's a lot of talk around SBOMs and Biden's executive orders doesn't mean that there's actually a lot going on at the end user consumer point.

Mm-hmm.

We have a long, long, long way to go.

Yeah. Yeah, I don't doubt it, right? And especially when 90% of the software has open source. Look, if you could cover 90%, that's pretty damn good.

Yes.

I think also part of it is we spent so long kind of fighting, and when I say we, I mean at the enterprise level, right? For so long a lot of enterprises sort of fought open source software. It was like, oh, no. Who are you gonna call for support? Where are you gonna get training? I get it. And then there was also this, especially as I was coming up, right?

Mm-hmm.

It was this like two-faced argument, which is, well, open source software is secure, or more secure, by design because there's more eyes on it. And, you know, how could something be insecure when everyone's... but the fact of the matter is, who the heck looks at the source code? Very few people are actually, unfortunately, testing these open source tools, components, whatever, that you just use. Andrew used it, right? For me, I use it too. And so it really became, you know, it was a fallacy about the open source...

Or, you know... not necessarily a fallacy. It was actually that the impact was maybe not what that truism says, right? Because people... and I've been in open source for 22 years. I was probably one of the very first people to be wearing a suit in open source, and I fought many, many, many of those early battles, and I think the issue is that developers, open source developers, people who are creating all this new innovative technology, right? They don't grow up thinking about secure by design, right, or secure from the ground up. They just wanted to get good code out there, or code, and make it good over time and make it innovative and make it useful to themselves and to others, right? They weren't worrying about the security issues. And today that's one of the challenges for the OpenSSF and its members: working with the projects and helping them understand why it's important to implement secure coding best practices, and providing them the resources to do so. Because OpenSSF represents Big Brother, right? If you look at who the members are. That's just the reality, or the perception that many open source projects have, is: okay, we should be improving the way we develop software, but we don't want you to tell us how. And so you have to find this balance, as the OpenSSF has to find this balance, in working with the projects and communities and saying we're here to help, and we truly are, and we're not going to try and change the way you develop software.

Totally.

We're going to try and help you improve it.

Good. Agreed. Now, the other thing: I spent a lot of today talking to a bunch of folks from OpenSSF. I've spoken to a bunch of other people as well on various sub-foundations, with subgroups within the Linux Foundation. It's amazing, and maybe it's just because when you're a hammer everything looks like a nail, but it's amazing to me how much oxygen OpenSSF is attracting right now.

Absolutely.

I mean, I think it speaks to just how important it is. But the security guy in me says, yeah, I've heard this story before. Top three priority, top three priority. Yeah, and here we are still with issues that we haven't addressed.

So OpenSSF is still primarily vendor driven. There are some end user consumer organizations like JPMorgan and Citi and a few others, right? That's going to change over time. I expect more end users to join. But it's a vendor-driven organization who understands the issue, because we're the ones that actually use the open source to build our products and then bring those products to market, sell them to our consumers, I mean our customers, right? So we know at kind of a core level that this is a huge issue. That doesn't necessarily mean that the end user consumer, even if they recognize it as an issue, has the ability to actually do anything about it. One of the things I shared during my talk is how many titles I have seen in our customers where just the title has gone from DevOps to DevSecOps, and when you ask those people, so what does that mean now that you have those additional three letters in your title, they're like, not really much of anything.

Right. So you're preaching to the... there's lip service. You are DevOps.com.

Okay.

But we're also Security Boulevard, and I've been bringing the DevSecOps event to RSA for seven years.

Yeah.

And I've said this publicly before: to me, there was always sec in DevOps. It was always part of it. But by putting those three letters in there, we clearly sent a message to the security community that, hey, you're part of this too. Not necessarily that shift left and security is everyone's responsibility wasn't already something we should be doing, but it gave the security folks, who for a long time were a wandering tribe in the desert, right?

Yeah.

They weren't really part of it. They were kind of in risk in some places, and in other places they were... I think they were clearly "other", right? Not "them", "other". And so it made them "them", right? That was a good thing. Excuse me.

I do want to point out that adding those three letters hasn't necessarily translated to additional training, additional headcount, additional budget. It is: you are now DevSecOps, figure it out without any additional resources.

So I'll tell you what, and I spend a good chunk of my time talking to vendors who offer DevSecOps solutions and to end users who employ them. Here's the funny thing. No, it hasn't necessarily added to budget, and in fact most DevSecOps solutions still come out of the security budget, not out of the developer budget, or DevOps, if you want to call it that, budget. And that's the fact, right?

So that I understand is true. But what we are seeing is that more traditional DevOps tools are now beginning to include security components. So that's a very positive development. I think it's good. It is now bringing additional capabilities to the tools that many DevOps people have been using for years.

And a lot of that, I'll tell you, is due to partnerships. Like Snyk, for instance, does a great job with...

Absolutely.

Partners. Another company, ShiftLeft. There's a bunch of the DevSecOps vendors who recognize that, look, in order to make tools for developers, you got to kind of embed this stuff in the tools they're using.

Yep.

Or the platforms they're on, or whatever you want to call it. And everyone today's a platform, but it's interesting, and it bodes well, right?

Yeah, that's my point. I think it bodes well, absolutely.

Yeah. Hey, we're over time, but I want to talk about Wipro a little bit. Wipro, I mean obviously, CTO on the board of OpenSSF, you are kind of the liaison to Linux Foundation open source. Beyond the obvious, why is this so important to Wipro?

It boils down to trust, right? We talk about being a trusted partner to our clients. How can you do that if you're not paying attention to their security, whether your customers are or not? Right, so that is, at the end of the day, the core reason that we're investing in this now. There are all sorts of other benefits, but it's making sure that our customers have real trust in us, understand that from a software security best practices perspective we have their best interests in mind. And there's all sorts, again, there's benefits in upskilling our resources by participating here and through contributing, through the training programs. It helps with our branding and our differentiation, our ability to recruit good developers. These are a lot of benefits, these are core benefits, but at the end of the day it's trust.

Excellent, man. Yeah, I want to thank you for coming on today. I do want to thank you for all the work you're doing in the community.

Well, thank you, and I appreciate the time.

All righty. Andrew Aitken from Wipro here, board observer at OpenSSF, board member of FINOS, another Linux Foundation sub-foundation, and, would you say, about three weeks until there's a big FINOS conference?

FINOS. Yeah, in one...