Hey everyone, we're back here live in Austin, streaming out at you from the Open Source Summit. We're having a great time. This is our third day of coverage here, though technically it's only day two of the event. It's a long story, but we'll talk about it later. Let me introduce you to our next two guests, because this is a conversation I was really looking forward to. To my left here is a gentleman who's been on TechStrong TV a few times with us in person, great person. He's the VP of Research for the Linux Foundation, Stephen Hendrick. Stephen, welcome. Thanks. Thanks, Alan. And joining Stephen and I from our friends at Snyk, Matt Jarvis. And Matt, if I'm not mistaken, you're head of developer relations, director of developer relations. Welcome. Thank you.

So Stephen and Matt presented, was it yesterday? Yeah, yesterday. Yeah, on a new survey and report that you guys recently announced and revealed. Why don't you, if you don't mind, share with our audience?

Sure. OpenSSF is a very big project inside of the Linux Foundation, as we've seen, Brian Behlendorf, and so at his request we went out and did a survey into sort of what's happening in the open source space as far as secure software development. So we put together a survey in March. We fielded it in April. We analyzed it and wrote it up in May and had it produced in June. And so it's being released here at the event; I think that happened yesterday morning. Yeah, yeah. We did it in partnership with Snyk. Great.
So that's why we've been working together with the messaging on all of this. And it was not a surprise from the standpoint of what the results were, but I was a little disappointed in kind of where we are at this point from the standpoint of the uptake of, you know, the attention to security when it comes to open source. So anyway, we've got information to talk a little bit about, you know, where we are, how to sort of understand the context of the problem, and then we have information about what people are doing about it. And that's more exciting in many respects, because good things are happening.

I agree. So first of all, look, I think we're always disappointed when we do these surveys that we find out, you know, beyond the lip service that gets paid to security, what actually is going on under the covers, and we're always wishing for and hoping for more. That being said, yeah, I don't want to be pessimistic. I am of the glass-half-full opinion that we are doing better and more security now than we probably ever have done. Yeah, yeah, I agree.

That being said, before we dive into it, I just want to really quickly, so OpenSSF, openssf.org is, I believe, the website, and I'm going to assume that the report is there for anyone who wants to download it. That's right. Let's say that up front for people at home following along, whether it's live or you're watching this: it's on the Snyk site, it's on the Linux Foundation site, and it's on OpenSSF. Yeah, it's everywhere. I think we might have covered it via Snyk over on Security Boulevard. I think I did some press interviews on it before flying out here. Yeah, so it may very well be on our Security Boulevard site, but nevertheless, it's out there for people. Yeah, let's dive in now, though. What were some of the findings, Stephen?
Sure. Well, let's see, we'll start with this whole issue of: do organizations have an open source security policy? And what we found was 49% said they had one. That's good. That's good. 34% did not, and 17%, we don't use open source. No, no, everybody uses it; 98% of organizations use it. So, and 17% said they don't know, so they don't even know if they have one or not. So if you put aside the don't-knows at this point, you've got about a 60/40 split between have a policy and don't have a policy. And if you look a little more deeply into that, what you find is that small companies are more likely to not have a policy. And that's not surprising. They're resource-constrained, so it's harder for them to have CISOs and OSPOs and policies, be it for either just software development or open source software development. So I can understand the challenges there. But even if you look at company size, we still ended up with about 30% of large and very large organizations that don't have a policy for open source software development.

So a couple of thoughts. First of all, I empathize with small SMB businesses. We're an SMB business. But in today's day and age, and maybe it's when you're a hammer everything looks like a nail, but in today's day and age, how do you not have security policies? How do you not have security? You know, I mean, I think that there's a couple of different things at play there.
I mean, you know, addressing open source security, you know, is more complex than it seems, because it's not just about the code itself. You've kind of got to understand how open source is created, how projects are governed, because governance can have a big play into, you know, whether, if you look at some of those recent things around the sort of protestware movement, where we've seen maintainers kind of go rogue, you know, and this comes down to single-maintainer governance projects, and you need to take those things like governance into account if you're going to base your business on something, right?

So, but what you just said, and that's a complex, loaded question, I would bet, if I was a betting man, right, that at the large enterprise level you're a hundred percent correct. At the SMB level, if you ask most of these people a threshold question of where is your open source software? You know, it's 10 o'clock, where's your open source software? A lot of them don't know, because they're SaaS shops, right? They don't have a server closet. They're cloud installations. They're running on SaaS. That's right. And so the beautiful part about SaaS, one of the nice things about SaaS, is you don't know what's behind the curtain. You just know you log in on the website and you've got all your information there that you need. Are they using an open source database? Are they using, you know, what are they using behind the curtain? A lot of smaller companies don't know, and as part of their due diligence, they don't dig that deep. So again, I can empathize. The larger ones, the larger enterprises, though, that's a problem.
I think, you know, in a lot of those larger enterprises you've got that kind of ingrained culture over a long time in terms of security and about how you consume software, and you know, the hardest problem in security isn't really about technology at all, right? It's always about people and culture. And I think, you know, probably in a lot of larger organizations you've got that sort of friction of, well, we've always done it like that. Well, you also have a lot of change going on from the standpoint of how software is being developed. Yeah, sure, and I think that's part of the problem as well, which is that, you know, change is always hard for people. Yeah, and especially given the rapid evolution of tools and standards, in essence, around how we should do security for software. Yeah, everything's changing so quickly. I think it's probably hard for people to keep up, because we've got these two kind of things happening almost as a perfect storm at the same time. We've got this massive rise in supply chain attacks on open source, because, you know, it's a victim of its own success, right, and attackers have realized it's a lot easier to get into the supply chain than it is to find zero days in end-user applications. So you've got that going on, where all of a sudden folks are going, well, everything we do is based on open source, like, what do I do about security? And then, as Steve pointed out,
you've got this ongoing massive transformation of how we develop software, you know, this super fast, high-velocity... Unless you can transform, you know, someone's going to eat your lunch, right, because there's some hungry competitor behind you who's disruptive and who does have a super fast software delivery pipeline. They can deliver new features. They know how to analyze the data. And so for a lot of big organizations, they've got these two big problems happening right at the same time, because that change in software development requires a completely different approach to security. You know, it's the thing that Snyk talks about all the time, about developer-first.

Yeah, I mean, you look at, let's say, The Phoenix Project from Gene Kim, right, and that's based on a book called The Goal. Yeah, right. And the thing about, so The Goal is about manufacturing, but really the principle behind The Goal, and I think Gene tried to capture that in The Phoenix Project, is that, look, as soon as we kind of erase one bottleneck, we see the next bottleneck right behind it. And don't think that once you get rid of that bottleneck, right, yeah, it's smooth sailing. It's not. We have massively, revolutionarily sped up the pace of software development. We did it in large part by creating this software factory with pipelines, yep, CI/CD, DevOps kinds of things. And the enabler of that was having this massive library of open source, yes, indeed, that's right, pieces that we can assemble into very high quality software. So, man, we blew through that roadblock at a hundred and fifty miles an hour, and the wall we hit right after is, wait a second, now that's become a huge security problem, right? So for companies that are developing their own code, this is a major thing, right? Knowing that, though, and still telling me that 30% of the companies don't have a policy around it, scary. Yeah, it is. Well,
that's... we should talk about what people are doing about it, trying to deal with this. Hey, here's the good news. Yeah. So we asked a question, which was, okay, so how do you intend to improve on the situation? What are you doing? And we had quite a long list of responses. Top of the list was organizations were looking for more intelligent tools that had a security focus. So we're talking SCA, SAST, DAST, IaC, you know, all the usual suspects, and looking really to those tools to be able to help them improve their security posture. So that was top of the list; that was 59%. And then right behind that, at 52%, was a strong desire to understand and essentially codify best practices for how to do secure software development. That was really encouraging, because we know all about best practices.

Yep, no, exactly. You know what they all are. In fact, David Wheeler, uh, I should say we had David A. Wheeler. Yeah, David A. Wheeler. Well, my mistake. I learned that you want to see the marks. I'm kidding. But okay, but yes, David. Yeah, so you know, he and I had lunch yesterday and we were talking about this, because I said, you know, how many best practices do you have? So we know, he's got like 150, 160. So that's kind of daunting. And he said, like, the last 25, to get to the highest level, can take in some cases years to master. So this is, despite understanding what these best practices are, it's still very challenging to wrap your head around what is necessary to be successful there. It'd be, in part, because, you know, as we were just talking about, that culture change is such a big part of how you make that transition from, you know, the kind of old-school security-as-gatekeeper kind of function to this thing where we're all in it, to the developers, because the developers are the ones who, you know, you fix it at the developer eyeball before it's got anywhere near, you know... Well, it's cheaper, and he's right.
I'd say 10 to 100x cheaper to do there. I mean, look, the other interesting thing here, that's slightly tangential to this, but it is like how many developers there are in the world, right, and how many we anticipate there being. You know, there's something like, I think the anticipation is something like 30 million developers in the world, and there's only like a tiny proportion of security folk.

So I go by GitHub accounts, right? Okay, there's about 70-plus million GitHub accounts right now. So let's assume it's not one-to-one, but I think it's safe to say there's 40 to 45 million developers, probably growing at somewhere in the area of 10% a year, I'm going to go, and security professionals aren't growing at that rate. So security professionals are growing, because we're starting to see, look, when I came up, you didn't have a cybersecurity major in college. We're seeing schools churn out cybersecurity majors. Are they security professionals? I'll leave it to you, but there are people coming out here who want to work in security, but not anywhere near, I mean, you're talking here...

Here's an interesting thing, though, and I think it's what's turning up the heat on all of this, is that this is getting major focus from the White House. Yeah, from the federal government. The whole world is saying, hey, this is a problem, right, this is a big problem. Well, you know, you've got to do something. You know, I did a report last year, a survey on SBOMs. Yep. And I've got to tell you that factors right into this. Oh, of course, because, you know, we did some stats in this survey on dependencies, you know, both direct and transitive, and found really sort of low levels of strong security around, you know, organizations understanding the security posture of all these different dependencies and dependencies of dependencies. Yeah, you know, really low numbers there. SBOMs would go so far in helping sort all that out.
Yes, you know, SBOMs are going to give you knowledge about the metadata. It's going to give you usability, so you know that you're licensed to use this stuff. Yep. And it's going to give you trust that not only is what you're looking at for metadata non-falsified, but also understanding quite clearly, you know, what's been fixed and what hasn't been fixed from a vulnerability standpoint.

So I'll tell you, over the last two days here we've done a lot of interviews, but no shortage of people talking about SBOMs and SBOM solutions. I think we're going to see, just like everything else in technology, we're going to see sort of a Cambrian explosion of SBOM solutions out there, and then the market will figure out which ones make sense. Yeah, which ones don't, sure. My fear is that we think SBOMs are a magic bullet for software supply chain security, because we have a tendency of doing that. You know, I mean, ultimately, I think the real challenge here is going to be the chain-of-trust part of that, right, because what's an SBOM at the end of the day? It's a text file with some, yeah, with some stuff. Well, no, but they're building some elaborate text files these days. It's a lot of good metadata. Yeah.

But one more point I want to touch on, though, is that the number three issue, from the standpoint of doing improvements to your software security posture, was more automation. So IaC tools ended up ranking very highly from the standpoint of helping you address that particular need. And just for our audience, IaC, infrastructure as code, right?
Okay, so that one actually surprised me, because the whole idea of, you know, developers' manual activities, not only that, is a great way to invite in problems, and so more automation ultimately is better.

We did some work last year as part of our cloud native application security report, and what was really interesting there was, you know, we kind of used high levels of development automation, automated CI/CD pipelines and all that stuff, as a proxy for how far along your cloud native journey you are, right? I think that it's a pretty reasonable proxy to take. And in organizations with those high levels of deployment automation, for a start, we see much higher levels of adoption of security tooling, because automation gives you lots of places where you can hook in other automation. But most importantly, we see a massive reduction in the time to fix vulnerabilities, through a direct correlation.

Look, I've been in security a long time. We had a vulnerability solution in a company; I found it back in 2005. And back then there was a company called Citadel; Citadel was the company, Hercules was the product, right? They were pushing automated remediation. There are several companies today that have automated remediation. For whatever reason, up until now, organizations have been hesitant to adopt automated remediation, because they're afraid it's going to break something else in a totally automated situation. Now, doing this shifted left, in the development pipeline, if it's broken, supposedly that should come up in testing. I mean, this is again what we see when companies adopt Snyk, is like, you know, the automated remediation part, in terms of automated fix PRs, you know, is probably not where people start, but very quickly they overcome their hesitancy. Yeah, look, this is a no-brainer.
Yeah, absolutely, because it goes back to what I said before: blame DevOps, right? If we are going to automate the CI/CD pipeline, we're going to automate building software, the answer cannot be that we're going to manually do so. That's right. Yeah, that's right. It just doesn't work. It's a disconnect. Yeah, I mean, it's an anti-pattern in terms of velocity, right? I mean, velocity is the key differentiator for whether sort of businesses in the cloud area are going to survive. Absolutely, because if you don't have velocity, you know... But a lesson you probably learned in security, or we should have learned over the last 25 years, is if we are going to drag our heels and dig our heels in and say no, no, no, no, you know what? The train leaves the station without you. Yeah. So either get on board and figure out, yes, we can, and here's how, or get out of the way, right? Lead, follow, or get out of the way. Security cannot be the drag on this, right, because velocity is... And where we see our folks who've successfully made this transition to developer-first, you see this sort of change in security teams from kind of being gatekeepers to being enablers of the paved road. I agree. You know, sort of toolsmiths. That's DevSecOps right there. Yeah, that's the gist, the heart of it. That's it.

Stephen, anything else? So what's the answer to this issue of not having a security policy? I mean, do you need to start with a CISO? Do you need to start with an OSPO? Do you need at least part-time roles and people in organizations
you know, in those functions if you're small? I mean, is that... I mean, I think, I'm not sure what the answer is, but I mean, we need one.

I think when people think about policies, they think, oh, this needs to be like a hundred-page document of some kind, you know, and it becomes overwhelming. But really, a policy can be a one-liner. I mean, we have this conversation a lot when people start to adopt a security scanner. They've done no security scanning before and they scan this software and they go, oh my god, I've got like 500 vulnerabilities, what do I do? But you've got to just pick a starting point, right? I mean, usually, you know, a sensible place would be no critical vulnerabilities that have got a fix in production. Well, there's a policy right there, right? It's three lines. And it's better than having...

He's a hundred percent right, right? I've run into this firsthand. People, they hear, oh, we need a security policy, they think I need the employee handbook, yeah, that comes from, you know, that's this thick. Yeah, you know, it could be one page of five bullet points: anything that's critical is worthy to stop production; anything not critical doesn't stop production, but you have to get it fixed within 30 days. That's a policy. And I mean, there's plenty of great templated stuff. There certainly is, in terms of usage of open source. By the way, I'd love to see the OpenSSF have a library of that kind of thing. Right, and actually the good news is once you have policy, then automation can follow pretty quickly. That's the right path.

You're right, guys. We've got our next guest here in the wings. We could talk about this all day, I'm sure, I'd love to, but it wouldn't be fair to them. Again, you can get this survey over on the Snyk site, which is snyk.com, oh, excuse me, or on the OpenSSF, I think it's that order, openssf.org, right, is the website there. Stephen, good work again. I love your surveys, and very good.