Hi, this is your host, Bhartiya. Today we have with us once again David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation. David, it's great to have you back on the show.

Thank you so very much.

It's really great to have you back on the show because the kind of, you know, world view, if I can use the word, that you have when it comes to security is incredible. So I want to hear from you: if you look at the modern world, and you can also compare it with the legacy, or you can say traditional, IT world, how have you seen security evolve from those days to today's multi-cloud, hybrid cloud, cloud-centric, edge world?

A wide variety of changes have taken place, some good, some, well, not so good. I think one of the big positive changes is that more and more developers are taking security seriously, and that in my mind is probably the most positive viewpoint, because much of the information about how to develop secure software exists, but the first step is for someone to say, "Oh, I need to look for that and learn from that." I think that's by far and away the most important step. And there's more and more information that's more easily available. I'm sure we'll talk about more, but for example the OpenSSF, we have a free online course on how to develop secure software. So for the people who are interested, the information is becoming more easily accessible. There are more tools. I think tools are a big help. They're not, you know... tools will miss things, tools sometimes have false positives. In general, tools are not the end of the story, but they are a helpful part of the toolbox.

Probably the big negative is the increasing monetization of security attacks. It's not like that hasn't happened before, but more and more attackers have found that, either because they're part of criminal ecosystems or because they work for or with governments which desire attacks, it has basically meant that the attacks have become much harsher, more serious. And so that's probably a negative side of the story. But I think overall the good news is that, yes, the attackers are upping their game, but a lot of the defenders have realized that there is a game and they have to play.

What is the ground reality that you're seeing? Because we're also seeing a lot of attacks. Every week we see some new attack, and these are not mom-and-pop shops; these are well-established tech companies who are getting compromised. So something is wrong there, and security is not an easy thing, it's complicated. So I understand that. What is the ground reality that you're seeing, that developers are putting in effort, companies want it, but there are some big gaps as well?

Like many such things, the reality on the ground is complicated. Okay, let me... that's the best way to start. I agree with you that, you know, if the only goal is "hey developers, deliver some security," I don't even know what that means, because security is an emergent attribute. It's not... you deliver functionality, and it has to have these qualities, including reliability, including security. So that said, I actually don't agree that it's always harder. Indeed, many of the mechanisms for countering attacks are doing things in ways that, once you know how to do them, make many things easier. For example, SQL injection is a very, very well-known attack. It's one of the top attacks against web applications. And yet the mechanisms for countering that... you know, if the solution is "hey, never make a mistake," boy, that's kind of a rough one. I don't know how to solve that one. But on the other hand, there are certain interfaces like prepared statements and similar techniques which, if they're used, immediately counter that kind of attack, full stop. They're also, once you learn how to use them, in general easier to use, easier to understand, often faster in performance. And so for many, many of these things, it's simply knowing "don't do X, do Y." It performs the same task and, oh by the way, it's far more secure.

Now, there are areas where it's much harder. If you're writing in C, it's very, very challenging to write software that doesn't have undefined behavior, in particular memory safety problems, things like buffer overflows. That is a challenge. Frankly, the simplest solution in many, many cases is: maybe that's not the language you should write new programs in, because on average 70% of the vulnerabilities you're going to have in those kinds of applications are going to be memory safety problems, because your language doesn't protect you. Maybe you should look at alternatives. Now, in some places that doesn't make sense, and if you've got existing software you may not have billions of dollars of effort available to just instantly switch, and often there are reasons that people use those. But in many, many cases there are alternatives where you can make a decision to eliminate entire classes of problems and make them far, far less likely to succeed.

What kind of new patterns are you seeing there, where you are like, "hey, these are the concerns, these are the things that we should address"?

I have to admit, there's a whole lot of "everything old is new again." People want to talk about "oh, it's new, it's new," like... the first time we saw this was the 1970s. Wait, this isn't very new. A lot of these quote-unquote new attacks are just relabelings of old practices that we've seen many, many times before. Certainly people are taking steps to try to insert malicious code into open source software, for example. It's not that that's new per se; there are just more efforts doing this. But the good news, in part, is that people are trying to do that because increasingly some of the other methods are becoming less effective. And indeed, although everybody's very, very worried about malicious insertion into the open source software that's widely used right now, that's by far the minority kind of attack. By far and away the most common kinds of attacks are when people are downloading the wrong software. It doesn't matter how good a job a developer does in their development if you don't download their software but someone else's software. So this involves things like typosquatting and dependency confusion, where attackers basically trick people into downloading the wrong things. And for that, frankly, although there are efforts to try to counter these in the various repos, and I think we're going to see more of that, the number one most effective technique, frankly, is a little vigilance. Before you say "I'm going to add this new software as a dependency to my system," double check: is that what you actually wanted, and make sure you're getting it from the right repository. Many, many systems, by the way, have mechanisms to say it must be from this repo, it must not be from that one. And double check: if you're using this, "I've used this program before, it's really widely used," and you do a double check and, hey, it just appeared last week. That's not the one you want. And so really just a little bit of double checking, frankly, a whole lot like when we're countering social engineering attacks. Hey, when somebody calls me up and says I won the lottery, or they send me some emails, I'm probably going to double check that before I just assume whatever I'm being told on the phone or in an email is true. And I think the same... not that you have to be paranoid, but just kind of the due diligence, let's do a double check of that, eliminates a vast number of these problems right from the get-go.

Security, as you were earlier talking about, is about tools, but it's also about processes and people. What kind of cultural changes are you seeing in organizations today that not only encourage an organization-wide approach to security, because security is everybody's problem, but also build a culture where, whether it's the developer or the operations team, security first is their strategy or policy?

Well, several different things. Some people say "oh, DevSecOps, oh, that's new." No, this is old stuff. It's a new name for an old practice that you should have already been doing, but, you know. So at the very, very least, I think the increasing... you mentioned process... the increasing embedding of many, many tools to analyze the software, the dependencies and so on at every change, and doing things like automatic reporting of "wait a minute, the dependency you've got is old, it's got a known security vulnerability, push this button to update that component," I think is very, very much in line with all that. And you mentioned changes over time. One thing that's changed over time is the decreasing cost of CPUs, where unless you're using an incredible amount of CPU, CPU bandwidth is essentially free. And so all the historical efforts of "wow, we want to minimize the number of tests because it costs, it takes so long to run a test," that doesn't make any sense. "Oh my goodness, we're going to run a security tool, but we'll only run it every once in a great while because it may take an incredibly long time." You can run a lot of these tools either at every commit or at most once a day, and as a result... again, you have to be careful here, tools don't solve all problems, but tools are absolutely a critical part of that, and there's no reason not to run traditional tests and many other kinds of verification techniques like SAST tools, DAST tools and so on, because they can help detect problems before they get out the door. And the whole notion of having ops completely isolated and never talking to development never made sense. So having that feedback of "here's what we're seeing out in the real world, here are the problems, here are the attacks, let's update our systems," so that during development they're developed for use in real operations, based on the lessons learned from real operations, is a critical part of it. And you could have said that years ago, but it is easier now, because of the various things I've just talked about, to make that a reality.

Do you also see, when we do talk about cultural change, that a lot of organizations still have the same mindset of "hey, security is someone else's problem, security is an afterthought"? Or do you think that those cultural changes are already in place, and it's just that security is always a cat-and-mouse game, so that will always be there?

Let me separate that into separate questions so I can answer them one at a time. First of all, as far as organizations go, I think the reality is that organizations are all over the map. You'll see organizations that are essentially doing the same thing they've been doing for decades, with general failures, and they'll repeat the failures again. I think a lot of organizations have at least paid lip service, and some really have drawn closer towards that, if not full DevSecOps, at least trying to make sure that the ops and devs are not so disconnected. So on the one hand, I think that there is progress towards more connection. On the other hand, we have the pressure of scale. Historically, if you follow the amount of code in systems today, the best estimates basically go off the charts. Now, in many ways, of course, this is great for the end users, because they're getting far more capable functionality than they had before. Now, how are we doing that? Well, one of the main ways we're doing that now is by dividing up the work, and in particular using a vast amount of open source software components. The latest numbers I have are anywhere from 78 to 90 percent on average of all the code in a system is actually open source software components, and that includes the proprietary systems. When you open them up, it's almost all open source components. That's a good thing. That's enabled things to scale. The side effect, however, is that we're far more dependent on far more software, and that can be more of a challenge to secure. And because it's much more efficient for different organizations to specialize on this component versus that component, once again they may not be aware of how it's being used in operations, because in fact they're in charge of building this narrow component, which is brought in by a bigger component, which is brought in by a bigger component, and suddenly you have many, many, many tiers. So this has been helpful in that it enables the scale and capability of systems that we see today. The challenge is reporting back to the developers of those individual components: "Hey, wait a minute, you're used in situations you may not be aware of. Here's some feedback." The solution, to my mind, by the way, is increasing feedback from development and operations back to those that they're bringing in as supply. I do see a little bit of that. I think we need more of that, because I don't think we're going to go to "one organization builds all the software." That's just not a sensible approach. And so you need to have different organizations interacting, and that's why, by the way, the Open Source Security Foundation, which I support, is very much focused on helping various open source software projects, which know that they are important but don't necessarily know exactly where they're being used, helping them up their game, get information, look for vulnerabilities, fix them ahead of time, so that there are far fewer problems out in operations.

What advice do you have for organizations to improve their security posture? And once again, I'll throw two questions at you bundled together. One would be just to improve their security posture, which actually we touched upon a lot in this discussion today. But second, as open source adoption is growing, as you were talking about earlier, so that they also become open source citizens. Not everybody has resources to contribute back to open source, but at least they can do a bare minimum so that they can help improve the code that they're also using in their products and services.

Sure. I love those questions. I'm looking forward to trying to answer them. So, first of all, how do I develop more secure software? There's no grand mystery. Unfortunately, the biggest problem, I view, is that most software developers have never been told how to develop secure software. I don't know why we should expect anything different. What I tell people is we get more secure software than we deserve because of this problem. So how do we fix that? Step one, education. If you're developing software, go take a course on how to develop secure software. With the OpenSSF we've got a free course; it takes about two days online to go through, and it'll tell you a whole lot about the basics of how to do that. Tooling: get tools into your pipeline, get them to look for vulnerabilities. Get tests, so that you know, to make sure that the software is doing what it's supposed to do. Automated tests, automated tests: if you're depending on manual testing to tell you anything about your software, you're already in trouble, you're already getting left behind. And more generally, if you're going to depend on software, use package managers, which are the way of automatically managing your dependencies. When you bring in new dependencies, double check before you bring in something. There are probably options. Check and see; the OpenSSF has a guide on how to evaluate software before you bring it in. Take a quick check, because that can turn out to avoid some problems like typosquatting, as well as just encourage you to move towards the software that's more likely to be fit for purpose, more secure. Okay, and so there's a whole lot to unpack there, but at least I think that gets you going a little bit there.

And you know what, I think to me, this may seem strange, but self-interest can be a really helpful guiding principle here. Let me give an analogy, because maybe this will help. If you are building a car, and you just buy random engines and random other parts and hope for the best from your suppliers, you're probably not going to produce a good product. Even if you don't build all the parts, you are probably going to try to figure out what the most important components are and the suppliers of those, and "I'm going to go back and work with them, because it is in my interest to make sure that the components I'm bringing in are really going to work in my system." And that doesn't mean they have to do everything exactly just for your purpose, but more than likely they can make changes that will be better not just for you but for everyone else. And this gets us actually back to the question you asked earlier about how we feed back operational information to organizations outside yourself, and the answer is really communication. But I'm including communication in a very broad way. That can include anything like "hey, I'm using it in this way, here's a bug I see, here's the bug," all the way to "I'm going to sit down and collaborate and work with you, because what you have is mostly great, but I need some additional capabilities, or I need to have a security review to make sure that it's fit for my purpose." The OpenSSF has already funded a number of, for example, security evaluations, where we go out and look at the software and look for vulnerabilities and get them fixed. And organizations can do the same for the components that they most depend on. And if you say "man, I bet there's lots of other organizations who do that," great. Sounds like a good opportunity for collaboration, and actually that's what the OpenSSF is for: to enable organizations to work together to figure out "hey, wait a minute, these are the same kinds of problems we're seeing over and over again; instead of funding something once, why don't we pool our resources, be it people or dollars or euros or anything else, and pool it together to make things better," not just for themselves and not just for their customers, but also for the world more generally.

I would love to have you back on the show. Thank you.

Thank you very, very much.