Alan: Hey everyone, wow, what a morning. I don't even... I lost count, but we did a lot of great interviews, great conversations this morning. A lot of it, as we've been doing all week, has been around security. I think we're gonna continue talking a little bit about security with our next guest here. Let me introduce you, and if I mess up his name, he'll correct me: Amir Montazery? Amir Montazery?

Amir: Yes.

Alan: Montazery, okay. Then I've got that New York accent, but anyway, Amir, man, welcome. Welcome to TechStrong TV.

Amir: Thank you. So happy to be here.

Alan: Yep. So, you know, I guess we'll start with the obvious question of what brings you here.

Amir: Yeah, absolutely. So I co-founded OSTIF, the Open Source Technology Improvement Fund, which was designed to solve the classic problem in open source of how do we make open source more secure? How do we do it in a way that doesn't disrupt open-source project maintainers and the great work that they do? And how do we do it in a way that's impactful? And so we started exploring this problem, and...

Alan: So when did you sort of begin?

Amir: Over seven years ago now.

Alan: Wow.

Amir: Yeah, so it was about seven years ago. Some of the inspiration came from the CII, the Core Infrastructure Initiative...

Alan: Yeah.

Amir: ...that was also attempting to solve this problem as well. And it's a very big and complex problem, so it needs all the help it can get.

Alan: A lot of hands.

Amir: Yes. And so since then we have honed in on a method for helping projects, and the organizations that support those projects, with auditing and improving security holistically, and we champion that audit process from start to finish. So a project can come to us and say, "We want this project audited," and we get it done.

Alan: And what are you auditing it for? For security? For stability, viability?

Amir: Correct, mostly for security and sustainability. So a lot of research suggests that a lot of those deep-seated problems, vulnerabilities and bugs, aren't on the surface level when you look at the code. They are deep into the code, so deeper auditing, more logic review.

Alan: So you're really doing code audit, correct? Not auditing how many maintainers there are...

Amir: Exactly.

Alan: ...like what Scorecard does.

Amir: Exactly.

Alan: This is really looking at the code and seeing how safe is the code, how secure.

Amir: Exactly. Yes. And so part of this process that we've developed, and the method that we've developed, is finding the best-suited teams out there, folks from all around the world, audit teams from all around the world, finding the best-suited ones, the most specialized ones that can do this kind of work. That has resulted in... it's been very successful. Thankfully, we found over 40 critical- or high-risk vulnerabilities. These are those deep-seated problems that, when exploited in the wild, can cause headlines, cause those kinds of things you read about, Log4Shell or Heartbleed, all that good stuff. So we're going out and proactively finding these problems and fixing them, of course, because a great part of our method is not only finding these problems, but our auditors work with the maintainers to fix them as well.

Alan: Love it. I have a few questions on that. Before we jump into that, I want to give our people at home... So it's OSTIF, Open Source Technology Improvement Fund?

Amir: Yes.

Alan: Where do they go on the web?

Amir: ostif.org.

Alan: That's what we were wanting. Okay. Now, I hear the word "fund" and I'm thinking, well, maybe there's fundraising involved here.

Amir: Yes, so the fundraising typically comes from the organizations and foundations that are stewards of these open source projects, or kind of the supporters or maintainers of it.

Alan: So they pay you to perform this service?

Amir: Correct. Yes, and another really nice thing about our method, too, is that instead of just working with one or two audit teams, we're able to actually go to a large number of them and effectively have them bid against each other as well. So we're able to do it for almost a third of the cost that kind of more traditional audits in this space cost.

Alan: That's great.

Amir: And by being that kind of champion to manage this process, it makes the quality bar much higher as well for these reviews.

Alan: Got it. So let me go back to what we were talking about before. I wanted to just give people a sense right away...

Amir: Yeah.

Alan: ...I want to check this... No, people, while they're listening, they'll go check the site out. But, you know, we find a deep-seated vulnerability, defect, whatever you want to call it, come up with a way to fix it. So let's take sort of Struts, Struts 2 as an example.

Amir: Okay.

Alan: So now we fixed it, and we need to update to the new version in all the repositories out there where people download this open source code from. And not only do we need to update all those repositories, but we've got to somehow notify all of the people who have incorporated that code into their projects, into their applications they're using it in, to, "Hey, we got a problem here. You need to update this," right? It's one thing when we're talking about an OS, right, and you can kind of, you know, hit people like that, or a phone app that you can do. But how do you do it?

Amir: So that's a great question. That's a really good question. I would say what we do to help with that is we really focus on transparency. So once all of the work is done, fixes have been made, remediated, they've been tested, we know that the fixes are in fact fixed. We put all of that into an audit report that is then published publicly, for free, for anyone to review. And we're also publishing those out onto the OpenSSF security reviews repo, which is a collection of this type of work, to really get the word out there. And I think one of the biggest value-adds that provides is being able to show the open-source community at large what was done, how we fixed it, so that they can take that back to their teams and learn from them, serve as case studies, and really just raise the bar as a whole for open-source security.

Alan: I love it. So it sounds to me that, look, the mission of your group is to undertake this audit, uncover if there's any kind of, you know, vulnerability, defects, and then we've got to fix it, publish the fix, publish the background on it, and then we need the community, it sounds like, to get involved from that point on, and the users, the consumers of this stuff, right? You know the old saying, you can lead the horse to water...

Amir: Exactly.

Alan: ...but they need to go update and do their thing. Have you thought about maybe adding that aspect to the charter of your organization?

Amir: Um, I don't think we have, no. We've been so hyper-focused on...

Alan: Well, it's a big job.

Amir: Yes. Yes, and there's a lot of big jobs involved, unfortunately, in this whole thing.

Alan: Indeed, yes.

Amir: But part of, I think, why we've been so successful is focusing on solving the problem the right way.

Alan: This is what you guys do; someone else tends to do that.

Amir: Exactly. But a couple of great things that are happening are, as there's more awareness in the space, there's more funding being put into security auditing and more attention being drawn to it. I'm hoping that will basically improve the landscape as a whole, and we can take lessons from what else is going on out in the space and incorporate that into our processes too. But I think by focusing... our focus, really, I think has led to our success, in that, you know, we had lots of folks early on say, "Well, why don't you do this? Why don't you do that? Why don't you try this? Why don't you try that?" And while, you know, we'll gladly take any feedback and advice, I think just being really hyper-focused on facilitating, executing on these audits, improving the security posture of these projects, we've been able to be pretty successful.

Alan: Excellent. Wanted to pivot a little bit and ask you, I mean, look, you started this seven years ago. There wasn't an OpenSSF then. Over the last, I guess it's been about two years now, a year and a half, we have OpenSSF, you know, from the Linux Foundation. How has the advent of the OpenSSF kind of helped or boosted... you know, what effect has it had on your organization?

Amir: Mm-hmm. Yeah, that's a great question. I would say overall it's helped, because as you know, open source is largely, relatively decentralized, and having a strong consortium of organizations, foundations, individuals who are focused on solving this problem, kind of giving them a platform or a forum to talk about this stuff, has been really helpful. And I think another way OpenSSF has helped is by going out and actually doing some of the fundraising, getting more money into security and more awareness, you know, both generally and in government as well, with the executive order responses and those efforts.

Alan: I mean, it certainly brought a big spotlight...

Amir: Yeah.

Alan: ...to the whole area. And, you know, we're a lot stronger together than we are individually, so, you know, I think that's obvious.

Amir: Yes.

Alan: But, you know, there's a little bit of a chicken-and-egg question here, which is, you know, if not for the SolarWinds and some of these really high-profile software supply chain issues, would OpenSSF and the whole open source software, you know, market have gotten the attention that it has? Unfortunately because of these things, right? I mean, you obviously believed this was a problem seven years ago, right? And you went out and did this. So it's not a new problem since whenever SolarWinds was, December or January...

Amir: It was December, I believe.

Alan: So, yeah, of 2021 or something, right? Or 20, or one of them. I don't even remember, but 20-something. So this has been an ongoing problem. So certainly, right, you know, sometimes things just come together, right? It's like fate, and it just, boom, it blows up. You know, in many ways you're one of the benefactors, because you were here, you know, kind of shouting in the wilderness, right...

Amir: Yes.

Alan: ...about this issue before it was, you know, with the cool kids.

Amir: Yes.

Alan: Where do you see it going in the future?

Amir: Yeah. So I do think it's human nature to react, right? To be reactive. And I think largely what has been driving the progress made in the space has been reactive, and one thing that we're trying to do with our audits, and with getting the word out about the work that we're doing, is to try and shift to be more proactive. Because we can, you know, wait for the problems to happen, or we can proactively go out there and fix the problems. And so I think, and I hope, that the focus shifts more towards proactive security as opposed to reactive security. Because the benefits of proactive security, you don't see them as much, you know. When you prevent a problem from happening in the future that never happened, it's hard to attribute that to that action.

Alan: You get it.

Amir: But when something happens, like you scrape your knee or something, you have something very real that happens. You can react to it, you know, much stronger. So in general I'd like the shift to focus more towards proactive security, which definitely seems to be where the OpenSSF, and organizations that are a part of OpenSSF, seem to be going. And it's something that I would love to really help take the organization, take OpenSSF, to the forefront of, and really be one of the premier organizations in the world that is actually going out and proactively fixing problems.

Alan: Yeah, look, I think with the OpenSSF behind you, with it, you have every expectation of being able to do that, right? There's no... in fact, you should do that. But, you know, it's great. And look, on a personal level, I'm grateful to hear about people like you doing this before, you know, as I said before, the cool kids got involved, because we needed this. This isn't a problem since SolarWinds.

Amir: Yeah. And I think the beauty is, especially now that more action is being called for, we have been doing this for seven years now, so we have a lot of lessons learned.

Alan: Yep. A lot of, what, idiot taxes paid.

Amir: Yes, exactly. And we've done this; at this point we've gotten to a pretty good level where we are confident that we can do this. But as always, you know, open source in general is largely underfunded, and us as an organization, you know, we need funding as well, you know, to continue doing this.

Alan: Yeah, to scale up. It's money.

Amir: Yeah, exactly. So to scale up even, and to do more work that I know we're capable of doing. So hopefully, again, as more funding goes into the space as a whole, more funding goes into OpenSSF and other foundations doing this work, and us supporting those goals, I'm hoping more funding will come our way as well.

Alan: I hope so too. Hey man, thank you so much. Good to... keep up the great work. We're gonna take a break here for lunch in Austin. I think we'll be back in about an hour.

Amir: Great.

Alan: Stay tuned; we are live here at Open Source Summit. Thank you, everyone.

Amir: Thank you, Alan. Thank you, man. That was great.