Hey everyone, back here live in Austin at the Linux Foundation Open Source Summit. You know, we've had a very security-heavy lineup this past week, and for good reason: security is top of mind here with everyone. The OpenSSF, of course; Monday was OpenSSF Day, but it's been more than that, more than Monday. We really talked a lot about software supply chains and SBOMs and just securing open source software. My next guest is CRob. CRob or C-Rob? No, no, you know, I had C-Rob in my mind and that's what messed me up. Let's go back to CRob. Excuse me, that's sick, just had a little thing in my throat. So CRob was actually the emcee of OpenSSF Day on Monday.

I had an amazing hat.

You did, and you didn't wear it here.

I came from outside with tacos and it was all sweaty. Now we just have two bald guys here.

Anyway, safety in numbers.

Well, yeah, that's true. That's true. Wear the hat next time. But anyway, um, first of all, CRob, welcome, man.

Thank you. It's wonderful to be here. I'm excited to have this little chat.

We are excited to have you on here. So before we jump into Monday and OpenSSF Day and that whole thing, you're with Intel.

I am.

Full disclosure. What do you do in your day job?

So my day job, I am the director of security communications. So primarily our function is, as incidents happen, so there's a new vulnerability discovered or researchers find some report on our portfolio, I help kind of evaluate that and kind of determine how we're going to communicate it.

Love it. And your role within OpenSSF?

So I've been with the OpenSSF for over two years, almost from the beginning, and currently I am the working group lead for the Developer Best Practices working group...

Love it.

...and the Vulnerability Disclosures working group. I sit on the Technical Advisory Committee, so we help kind of shape and steer the strategy for the foundation. I'm on the Public Policy and Government Affairs committee, and I'm just now the owner of two brand new SIGs, special interest groups, underneath the working groups. So I'm in charge of the Education SIG and the Open Source CERT SIG. So we're going to create a PSIRT for open source.

That's beautiful, man. Um, that is really... and let's talk about that CERT. Yeah, that'll be through the Linux Foundation.

Yeah, we are still... So back in May the foundation and some contributors created the mobilization plan. I'm sure people have talked about it this week, a 10-point plan addressing, trying to help respond to things like the White House executive order. And it's a plan that says these 10 different work streams, we feel, can improve the security posture of open source software. And the open source CERT was stream 5, and the idea is to try to find a collection of experts from around the industry that understand how to do incident response and also understand how to get things fixed within open source communities. So we have our first meeting for the SIG the first week of July, and we're going to try to refine the initial plan and kind of spec it out and see how we want to react. But I think ultimately it's going to be kind of a mentorship program for upstream communities to teach them how to do incident response, you know, and help them, you know, work with security researchers and reporters, and also help make sure that, you know, they've got tools and process in place so they can be successful.

I love it. Yeah, it is. But let's be honest, this is a piece of work you cut out for yourself here.

Yes. One of my other groups I work with is a group called FIRST, the Forum of Incident Response and Security Teams, and I'm one of the authors of the PSIRT Services Framework. So I have a little help, so I understand how to then roll back on that, right? So we're going to lean into that as kind of a model to start with and kind of see what we need to change to make it work for open source communities.

I actually love that. Good. Then when do you think we might see something on this? No, no pressure.

No pressure, definitely. The meetings will be public, so all of that will go up onto YouTube, so you'll be able to observe kind of the progress of the group. I expect we're going to take, uh, probably at least a month to refine the current plan and submit a proposal back to the governing board: we think this is actionable. So hopefully before the end of the year, maybe, uh, late fall, we'll actually be able to start taking action.

I love it. I love it. Um, I got to ask you, where's the name come from?

So the name comes from, uh, Novell GroupWise. I'm that old. Yeah. So back in the day our network was run by an HP VAX, but our email system plugged into the VAX and you were limited by the characters of your name. So my name, uh, Chris Robinson, so it's first letter of your first name, uh, next seven of your last, so I ended up being crobinso. And we hired a developer that walked in and he looked at it and he's like, uh, crobinso, the crobinso, crobinson... that got shortened to CRob.

Okay, very cool. So thank you. No, no, CRob. That's right. Thank you. Novell is right. Man, those were interesting days. Remember that? It's good. I love that stuff. I used to love... I was a Novell engineer for many years. That's when certs really meant something. If you were a Certified Novell Engineer, man, you were... Where are they now?

Oh, they're gone. I think the last time I was out in Utah... and now I was out, I think it was 2005, I was out in Utah. They were doing, there was something they were working on. They bought SUSE and we thought that that would be pretty amazing to kind of incorporate...

No, no, those are amazing tools. Absolutely.

So we thought that would be pretty awesome. And then, you know, my NDS was the best. But we were hoping that, you know, through SUSE they'd be able to channel these tools and kind of get broader adoption.

No, I, I, I think for whatever reason the... By luck there's a lot of companies from back in those days, right, that we think about.

Indeed. Uh-huh.

I, um... Yeah, anyway.

So my other working group, so we have more, but wait, there's more, we have more. So the Developer Best Practices working group is spinning off an Education SIG. So a lot of the conference this week is talking about how we need to get more training and certification and education into the hands of developers. So again, we've created another kind of tiger team where we're going to be focusing on this, and my friend Dr. David Wheeler...

David A. Wheeler.

David A. Wheeler. He had a big announcement where we have an existing body of material, the, uh, Secure Coding Fundamentals class, and he was able to transform that into SCORM. So now anybody that has a SCORM learning management system has the ability to leverage this free developer secure software training.

Really?

Yes.

And that's the SCORM system. If you have SCORM, you could leverage this free.

Yeah, there's some rules behind it, but yeah, absolutely, it's plugged in. We're looking to get that donated to higher education, historically black colleges and universities...

Yeah.

...trade schools like DeVry, trying to get this everywhere into people's hands.

That's the thing to do. So that kind of stuff gets me really excited, I'll be honest with you. You know, all too often we're good in the tech industry for forming a foundation and a SIG and an advisory board, but rubber meets the road when you can teach people coming up, right? So they come in with the right habits, because, you know, it's harder to teach the old dogs new tricks, right?

I can't take the class, I know. The brain's full.

Yeah. No, I hear you. But no, it's not only that. Look, if you've been developing software for 25 years and I'm going to come and tell you, well, what you're doing is wrong and I need you to start doing it this way now, I'm going to make some progress? Because no one wants to say, "I know everything and I'm not changing." People don't say that, but it's just almost subconscious. It's a lot harder.

It definitely is, and that's kind of informing our approach. So we have traditionally about 20 hours' worth of traditional class material, so we're looking at how we can transform that material into things like webinars and podcasts and maybe a boot camp. So maybe next year at the Open Source Summit we might be able to offer a training class where you walk in, take the class, and walk out with a certification.

That would be pretty cool.

And then thinking about, you know, we have a lot of different learners. We have, you know, brand new students, we have people in the middle of their careers, people are making career changes, so we have to kind of serve all these different constituents.

And that's absolutely... we're trying. That is one of the problems.

Kind of the user journeys we're trying to fulfill is this: I'm an existing developer, how do I gain new skills or refine what I have?

Let me ask you a question. So I come from the security side of the house for years and years. Not that I mind us putting the emphasis on developers developing more secure software, but shouldn't we also be developing for security people to better secure open source software?

And the foundation itself does have many... it's multi-pronged. And so to help, like, a practitioner, we have things like our Scorecard and Allstar, and we have a project criticality score. And actually, there was a great session just a couple hours ago by one of my peers, Jacques Chester, and it was kind of a... if you're a risk guy, it was kind of based off of Open FAIR, which is a risk management methodology, kind of explaining how we can evaluate open source projects, share that information with downstream consumers and risk management teams or procurement teams, and kind of give them a quantitative assessment of "this is what risks you could incur by these projects." So if you have two projects that do the same thing, one might have a higher or lower score; we'll provide you the data that you could, you know, make your own assessment off of that, make your own judgment. So the foundation is also looking at just many different avenues to get this out there, focused on practitioners and developers, and, uh, hopefully by this kind of hydra-like approach it'll be successful, it'll stick.

You know what, you just put as much stuff on the wall and whatever sticks, sticks, man.

I hope so.

Anyway. Hey, CRob, right? I got it right?

Yep.

All right. Thank you for stopping by.

Thank you.

So thank you for all you do, right? I mean, it's a community thing. These are not paid type of gigs, right?

Sure. Yeah, no.

And, uh, I thank you for your time and efforts on that.

Thank you very much.